Global Privacy and Data Protection Compliance

Last updated: January 2, 2026

This English translation is provided for convenience only. In the event of any discrepancy or conflict between versions, the Portuguese version prevails.

1. LGPD Compliance (Brazil)

Arkar is committed to full compliance with Lei nº 13.709/2018 (LGPD – Brazilian General Data Protection Law), which governs the processing of personal data in Brazil.

Principles

The processing of personal data by Arkar is guided by the following principles:

  • Transparency: Ensuring clear, accurate and easily accessible information about data processing.
  • Security: Use of technical and administrative measures capable of protecting personal data.
  • Necessity: Limiting processing to the minimum necessary to achieve its purposes.
  • Prevention: Adoption of measures to prevent damage arising from data processing.
  • Accountability: Demonstration of effective measures capable of proving observance of and compliance with data protection rules.
  • Non-discrimination: Processing may never be carried out for discriminatory, unlawful or abusive purposes.

Legal bases

The processing of personal data by Arkar is grounded on the following legal bases:

  • Performance of a contract: Processing necessary for the provision of the contracted services.
  • Legal obligations (CVM/ANBIMA): Compliance with legal and regulatory obligations of the financial sector.
  • Legitimate interest: Arkar's legitimate interests, subject to the rights of data subjects.
  • Consent: The data subject's free, informed and unequivocal expression of agreement for specific purposes.

Data subject rights

Arkar guarantees data subjects the exercise of the following rights:

  • Access: The right to access your personal data processed by Arkar.
  • Correction: The right to request the correction of incomplete, inaccurate or outdated data.
  • Anonymization: The right to request the anonymization, blocking or deletion of unnecessary or excessive data.
  • Portability: The right to request the portability of data to another service provider.
  • Information about sharing: The right to be informed about the entities with which data is shared.
  • Withdrawal of consent: The right to withdraw consent at any time.
  • Review of automated decisions: The right to request the review of decisions made on the basis of automated processing.

Designated DPO

Arkar has a designated Data Protection Officer (DPO), responsible for acting as a communication channel between the company, data subjects and the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD). Contact: privacy@arkar.ai.

2. GDPR Compliance (European Union)

Arkar is prepared to meet the requirements of the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) where applicable to the processing of data of individuals located in the European Union.

Legal bases for processing

The processing of data of European individuals is grounded on legal bases compatible with the GDPR, including performance of a contract, legitimate interests, compliance with legal obligations and consent.

Rights of European users

Users located in the European Union have the following additional rights:

  • Access: The right to obtain confirmation of and access to the personal data processed.
  • Rectification: The right to rectification of inaccurate data.
  • Erasure ("right to be forgotten"): The right to request the erasure of personal data in certain circumstances.
  • Restriction: The right to restrict the processing of data in certain situations.
  • Portability: The right to receive data in a structured, commonly used and machine-readable format.
  • Objection: The right to object to processing based on legitimate interests.
  • Withdrawal of consent: The right to withdraw consent at any time.
  • Complaint to a supervisory authority: The right to lodge a complaint with a data protection authority.

International transfers

For transfers of European individuals' data outside the European Economic Area, Arkar uses appropriate protection mechanisms, including:

  • Standard Contractual Clauses (SCCs): Contractual clauses approved by the European Commission to ensure adequate protection of the transferred data.
  • Adequacy decisions: Where applicable, transfers to countries recognized by the European Commission as providing an adequate level of data protection.

3. FTC Act Compliance (United States)

Arkar adopts practices consistent with the requirements of the FTC Act (Federal Trade Commission Act) for consumer protection in the United States, including:

  • No deceptive/unfair practices: Commitment to honest and transparent business practices, without misleading statements about data processing or the functionality of the services.
  • Transparency: Clear and accessible disclosure of our data collection, use and sharing practices.
  • Proportionate security measures: Implementation of security controls that are reasonable and proportionate to the sensitivity of the data processed and the risks involved.
  • Internal governance for incident response: Maintenance of internal procedures for the detection, investigation, response to and notification of security incidents.

4. Global Compliance and Governance Framework

Internal policies

Arkar maintains a comprehensive set of internal policies for data governance and privacy, including information security, access management, data retention, incident response and employee training policies.

Information security

Our information security program is aligned with the ISO/IEC 27001 and NIST frameworks, including:

  • Encryption: Data encrypted in transit (TLS/HTTPS) and at rest (AES-256).
  • MFA: Multi-factor authentication required for access to sensitive systems and data.
  • Access segregation: Role-based access control (RBAC) with the principle of least privilege.
  • Monitoring: Continuous system monitoring, intrusion detection and security alerts.
  • Disaster recovery: Business continuity and disaster recovery plans tested regularly.

Responsible AI

Arkar adopts responsible artificial intelligence principles, including:

  • Transparency: Clarity about the use of AI and its limitations.
  • Bias mitigation: Processes to identify and reduce biases in AI models.
  • Human oversight: Mandatory human review of critical AI-assisted decisions.

5. Global Commitment

  Area      | Standards
  ----------|------------------------------------------------------
  LGPD      | Data subject rights, legal bases, DPO protection
  GDPR      | Advanced controls, secure transfers, expanded rights
  FTC Act   | Transparency, reasonable security, no deception
  Global    | Governance, audits, security, ethics, responsible AI