ConnectPSP Desenvolvedora de Sistemas S.A. Privacy Policy

Last updated: March 2026

CONNECTPSP DESENVOLVEDORA DE SISTEMAS S.A., a corporation registered with the CNPJ under No. 54.422.446/0001-33, with headquarters at Rua Equador, No. 43, Block 3, Rooms 1508, 1509, and 1510, Santo Cristo, ZIP Code 20.220-410, in the city of Rio de Janeiro, State of Rio de Janeiro (“ConnectPSP” or “Company”), values and respects the privacy of its Customers, Users, and other data subjects. The Company’s commitment to the protection of personal data is central to its operations and is aligned with best practices in information security and applicable legislation.

The purpose of this Privacy Policy (“Policy”) is to transparently describe how ConnectPSP collects, uses, stores, shares, and protects personal data in connection with the use of its technology API, in accordance with the General Personal Data Protection Act and other applicable regulations.

This Policy applies to all personal data processing activities carried out by ConnectPSP in connection with the provision of payment system integration technology services, covering both business customers and end users who interact with platforms integrated with the Company’s API technology.

1. DEFINITIONS 

For the purposes of this Privacy Policy, the terms below shall have the following meanings:

  1. API: A set of technical interfaces provided by ConnectPSP that enable integration between its clients’ digital platforms and partner financial or payment institutions. 
  2. Client: A legal entity that contracts ConnectPSP’s technology services to integrate its digital platform with payment infrastructures operated by financial or payment institutions. 
  3. User: An individual who makes payments or interacts with digital platforms operated by ConnectPSP’s clients and integrated with the Company’s API technology. 
  4. Partner Payment Institutions: Financial institutions and/or payment institutions authorized by the Central Bank of Brazil, contracted directly by Customers, responsible for processing, settling, and executing financial transactions carried out through platforms integrated with ConnectPSP technology. 
  5. Personal Data: Any information relating to an identified or identifiable natural person, as defined by Law No. 13,709/2018 (General Data Protection Law – LGPD). 
  6. Data Processing: Any operation performed on personal data, such as collection, creation, receipt, classification, use, access, reproduction, transmission, processing, storage, deletion, or any other form of data manipulation, as defined by the LGPD. 
  7. LGPD: Law No. 13,709/2018 – General Personal Data Protection Law, which regulates the processing of personal data in Brazil.

2. ABOUT CONNECTPSP

ConnectPSP is a technology company that develops and provides technological infrastructure for integrating its clients’ digital platforms with financial institutions or payment providers authorized by the Central Bank of Brazil. The Company’s operations focus exclusively on the technological aspects of payment transactions, without direct involvement in the custody or transfer of funds.

The services provided by ConnectPSP include, among others:

  • Generating Pix QR Codes;
  • Integration via API technology with payment and financial institutions;
  • Technical reconciliation of transactions;
  • Operational monitoring of integrations;
  • Technology support for payment operations.

It should be noted that ConnectPSP is not a financial institution or a payment institution under the regulations of the Central Bank of Brazil, as it does not hold financial assets in custody nor does it execute financial transactions on its own behalf. Financial and payment services are provided exclusively by institutions duly authorized by the Central Bank of Brazil, contracted directly by ConnectPSP’s Clients, who act as the parties directly responsible for the financial transactions carried out through their financial infrastructure.

3. APPLICABILITY

This Policy applies to all individuals whose personal data is processed by ConnectPSP in the course of its business activities. These individuals include:

  • Customers;
  • Users;
  • Visitors to our websites, portals, or other digital services.

By using ConnectPSP’s API technology or services, data subjects acknowledge that their personal data may be processed in accordance with this Policy. If a data subject does not agree with the terms described herein, we recommend that they refrain from using the services or contact the Company through its official communication channels for further clarification. 

ConnectPSP acts as a technology provider for platforms operated by its business clients. As such, users who make payments or interact on these platforms are also subject to the privacy policies and terms of use established by the respective clients. ConnectPSP has no control over the privacy practices adopted by Clients on their own platforms; Users are advised to consult the respective policies to understand how their data is handled by these data controllers.

4. DATA COLLECTION

ConnectPSP processes personal data in a manner that is proportionate and appropriate to the purposes for which it was collected, in accordance with the principles of necessity, appropriateness, and transparency set forth in Article 6 of the LGPD. Depending on how API technology is used, the Company may process the following categories of personal data:

4.1. Identification Information

This data allows the data subject to be identified or made identifiable and may include: full name, CPF number, user identifiers assigned by the financial institution’s or payment platform’s system, and transaction identifiers. This data is essential for the provision of technological services and for ConnectPSP’s compliance with applicable legal and regulatory obligations.

4.2. Payment and transaction data

This data is generated or required for the processing and reconciliation of payment transactions and may include: Pix key, transaction amount, date and time of the transaction, transaction identifiers, and payment status. This data is used exclusively for operational and technical reconciliation purposes and is handled in a restricted and secure manner, without unauthorized access by third parties. It is emphasized that the processing and settlement of transactions are carried out exclusively by partner payment institutions. 

4.3. Technical and browsing data

This data is automatically generated through the use of API technology and may include: IP addresses; access logs; device identifiers; and API usage logs. This data is used exclusively for security, operational monitoring, and maintenance of ConnectPSP’s API technology and is not used for profiling or marketing purposes.

5. METHODS OF DATA COLLECTION 

ConnectPSP may collect personal data in various ways, depending on the nature of the operation being carried out, while in all cases adhering to the principles of purpose and transparency set forth in Article 6 of the LGPD. These include:

  • Directly from Customers, when contracting services or performing technical integration between the Customer’s platform and the Company’s API technology. In such cases, Customers provide the data necessary for the performance of the contract and the configuration of the services.
  • Through Clients’ platforms when Users make payments or interact on platforms integrated with the Company’s API technology. In such cases, Users’ transactional and identification data may be transmitted to ConnectPSP strictly for operational purposes.
  • Through Partner Institutions, when payment institutions responsible for processing transactions share data with ConnectPSP for the purposes of technical reconciliation, fraud prevention, and compliance with applicable legal and regulatory obligations.
  • Automatically, when accessing the Company’s API technology, in which case certain technical data is automatically generated and collected for the purposes of operational security and to ensure the proper functioning of the API technology.

6. PURPOSE OF DATA PROCESSING

The personal data processed by ConnectPSP is used strictly for the purposes for which it was collected, in accordance with the principle of purpose set forth in Article 6(I) of the LGPD. The main purposes are:

  • Provision of technology services: the data is used to generate Pix QR codes, enable integration via API technology, reconcile transactions, and monitor the operational aspects of integrations implemented by customers.
  • Security and fraud prevention: The data is used to identify suspicious transactions, monitor irregular activity, and protect the integrity of the API technology and its users.
  • Compliance with legal and regulatory obligations: Processing may occur to comply with applicable legal and regulatory requirements, including to provide operational support to partner payment institutions, comply with orders from competent authorities, and exercise rights in accordance with the law. 
  • Contract performance: The data is used for billing, providing technical support, and conducting operational audits within the scope of the legal relationship established with Customers.

7. LEGAL BASIS FOR PROCESSING

All processing of personal data carried out by ConnectPSP has an appropriate legal basis, in accordance with Articles 7 and 11 of the LGPD. The legal grounds applicable to the processing activities carried out by the Company include:

  • Performance of a contract, where processing is necessary for the performance of services contracted by customers or for the implementation of pre-contractual measures.
  • Compliance with legal or regulatory obligations, where processing is necessary to comply with legal or regulatory requirements applicable to ConnectPSP, as well as to enable partner payment institutions to meet their regulatory obligations in the context of providing technology services.
  • Legitimate interest, where processing is necessary to serve the legitimate interests of ConnectPSP or third parties, provided that these do not override the fundamental rights and freedoms of data subjects, such as in cases involving API security, fraud prevention, and the improvement of the technological services provided.
  • Regular exercise of rights, where processing is necessary for the recognition, defense, or exercise of rights in judicial, administrative, or arbitration proceedings.

8. DATA PROTECTION ROLES AND DATA SHARING

Defining the roles of controller and processor within the context of data protection under the LGPD is essential for understanding the responsibilities of each party involved in the processing of personal data. Under Article 5, sections VI and VII, of the LGPD, a controller is a natural or legal person who makes decisions regarding the processing of personal data, while a processor is a natural or legal person who processes personal data on behalf of the controller.

Depending on the operation performed, ConnectPSP may assume different roles. When processing Users’ personal data on behalf of its Clients, in the context of providing contracted technology services, the Company will act as a processor, following the instructions of the Clients, who act as controllers and are responsible for decisions regarding the purposes and means of processing. On the other hand, when processing personal data for its own legitimate purposes, such as security and monitoring of API technology, fraud prevention, compliance with legal and regulatory obligations, and the regular exercise of rights, the Company will act as a data controller, assuming full responsibility for decisions regarding the processing, including the definition of the purposes, the means used, and the security measures adopted.

ConnectPSP may share personal data with third parties only when necessary to fulfill the purposes described in this Policy, in accordance with the principles of necessity, appropriateness, and security. Data may be shared in the following circumstances:

  • Partner payment institutions: Data may be shared with payment institutions authorized by the Central Bank of Brazil to enable transaction processing and compliance with applicable regulatory obligations. This sharing is inherent to the provision of the technological services offered by ConnectPSP and occurs in accordance with the contractual agreements entered into with such institutions, which act as data controllers or processors depending on the nature of the processing performed.
  • Service providers and vendors: Data may be shared with vendors that assist in the provision of the technology services offered by ConnectPSP, such as cloud infrastructure providers, information security tool providers, and technology support service providers. These suppliers act as data processors and are contractually obligated to comply with the provisions of this Policy, ConnectPSP’s internal guidelines, and the requirements of applicable data protection laws.
  • Public and regulatory authorities: Data may be shared with competent government, regulatory, or judicial authorities, including the Central Bank of Brazil, the National Data Protection Authority, and the Financial Activities Control Council, when there is a legal or regulatory obligation to do so, or when necessary for the recognition, defense, or exercise of rights in judicial, administrative, or arbitration proceedings.

ConnectPSP does not sell personal data and does not share information with third parties for advertising or marketing purposes. All sharing of personal data has an appropriate legal basis under the LGPD and is carried out in a manner that is proportionate and limited to what is strictly necessary to achieve the purposes that justify it. 

9. INFORMATION SECURITY

ConnectPSP implements proportionate and appropriate technical and administrative measures to protect personal data against unauthorized access, accidental loss, alteration, improper disclosure, destruction, and other forms of unlawful processing, in accordance with the LGPD and best practices in information security.

Among the security measures implemented, the following stand out:

  • Access control based on profiles and the principle of least privilege;
  • Encryption of data in transit and at rest;
  • Continuous monitoring of logs and security events;
  • The separation of production, validation, and development environments; and
  • The adoption of internal information security and data protection policies.

In the event of a security incident that could pose a significant risk or cause significant harm to data subjects, ConnectPSP will take appropriate measures to mitigate its effects and will issue the notifications required by applicable law and the regulations of the National Data Protection Authority.

10. DATA RETENTION

The personal data processed by ConnectPSP will be stored for the period strictly necessary to fulfill the purposes for which it was collected, in accordance with the principles of necessity and appropriateness, as well as the applicable legal and regulatory time limits set forth in the LGPD.

In determining retention periods, ConnectPSP will consider the following criteria: (i) the duration of the contractual relationship with Customers and the time required to provide services; (ii) the timeframes established by legal or regulatory obligations, including the rules of the Central Bank of Brazil and tax legislation; (iii) the time required for auditing, security, and fraud prevention purposes; and (iv) the statutes of limitations applicable to the recognition, defense, or exercise of rights in judicial, administrative, or arbitration proceedings.

Once the applicable retention period has expired, personal data will be securely deleted or anonymized by ConnectPSP, except in cases where its retention is legally permitted or required, such as to comply with a legal or regulatory obligation, to conduct studies by a research body, or to exercise rights.

11. RIGHTS OF DATA SUBJECTS

The LGPD guarantees data subjects a set of rights that may be exercised at any time, pursuant to Article 18 of the Law. ConnectPSP is committed to responding to data subjects’ requests in a transparent and timely manner and in accordance with applicable law, taking the necessary measures to ensure that these rights can be fully exercised.

Data subjects have the following rights:

  • Confirmation of the processing of your personal data by ConnectPSP;
  • Access to data, including obtaining information about the personal data being processed, its source, purpose, and the criteria used;
  • Correcting incomplete, inaccurate, or outdated data;
  • The anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in violation of the LGPD;
  • The portability of data to another service or product provider, upon express request;
  • The deletion of personal data processed on the basis of consent, except in the cases where retention is permitted under Article 16 of the LGPD;
  • Obtaining information about the public and private entities with which data was shared;
  • The withdrawal of consent, where the legal basis for the processing is such consent, without prejudice to the lawfulness of processing carried out prior to the withdrawal;
  • Objection to the processing carried out on the basis of one of the grounds for exemption from consent, in the event of a violation of the LGPD.

Requests related to the exercise of data subjects’ rights may be submitted through the privacy channel indicated in Section 14 of this Policy. ConnectPSP will use its best efforts to respond to requests within fifteen (15) days of receipt, in accordance with the regulations issued by the ANPD; this period may be extended in cases of complexity or high volume, subject to prior notification to the data subject.

12. INTERNATIONAL DATA TRANSFERS

ConnectPSP may store and process personal data on technological infrastructure located outside Brazilian territory, such as cloud servers operated by international providers. In such cases, ConnectPSP will adopt appropriate technical and legal measures to ensure the protection of transferred personal data, in strict compliance with Articles 33 through 36 of the LGPD, guaranteeing data subjects a level of protection equivalent to that provided for in Brazilian law.

International transfers of personal data will only be carried out when the required legal conditions are met, including: (i) transfers to countries or international organizations that the ANPD recognizes as providing a level of personal data protection adequate under the LGPD; (ii) the adoption of standard contractual clauses approved by the ANPD; (iii) the existence of duly recognized global corporate rules; or (iv) the use of other safeguards, instruments, or assurance mechanisms approved or recognized by the ANPD. ConnectPSP will maintain records of international transfers carried out and will provide information on the assurance mechanisms adopted whenever requested by data subjects or by the ANPD.

13. POLICY CHANGES

This Privacy Policy may be updated from time to time due to legal or regulatory changes, changes in the services provided by ConnectPSP, or improvements in the Company’s personal data protection practices. The date of the last update will always be indicated in the header of this document to ensure transparency regarding the current version.

Any changes that entail significant modifications to the conditions for processing personal data or to the rights of data subjects will be communicated in advance to Customers and, where applicable, to Users, through ConnectPSP’s official communication channels, a reasonable time before they take effect. The consolidated and updated version of this Policy will be permanently available on the Company’s official channels. Data subjects are encouraged to review this document periodically to stay informed about the privacy and data protection practices adopted by ConnectPSP.

14. CONTACT AND DATA PROTECTION OFFICER (DPO)

Pursuant to Article 41 of the LGPD, ConnectPSP appoints a Data Protection Officer (“DPO”), whose role is to serve as a communication channel between the Company, data subjects, and the National Data Protection Authority, as well as to advise ConnectPSP employees and service providers on the practices to be adopted regarding personal data protection.

For questions, requests, or to exercise rights related to the processing of personal data, data subjects may contact ConnectPSP’s DPO through the following channels:

ConnectPSP Systems Development, Inc.

Email: dpo@connectpsp.com

Address: Rua Equador, No. 43, Block 3, Rooms 1508, 1509, and 1510, Santo Cristo, Rio de Janeiro, RJ, ZIP Code 20220-410.

Hours of operation: 24 hours a day, 7 days a week

ConnectPSP undertakes to respond to requests received within 15 (fifteen) days; this period may be extended in cases of complexity or a high volume of requests, provided the data subject is notified.
