PRIVACY POLICY

This Policy describes how ONEINFINITE PLATFORM S.A.C. ("ONE") collects, uses, retains, shares, and protects the personal data of those who interact with the Platform and the Services. It applies to Entrepreneurs, End Users (buyers), providers, counterparties, and other linked individuals.

1. Roles in Data Processing

Entrepreneur Data: ONE acts as the data controller (owner of the personal data bank).

Data of the Entrepreneur's End Users: the Entrepreneur acts as the data controller, and ONE acts as the data processor on their behalf. The Entrepreneur is responsible for complying with their own obligations regarding information, consent, and the fulfillment of rights toward their Users.

Data Processed by Integrated Providers: Integrated Providers (Coinflow, BlindPay, and others) act as independent data controllers regarding the data they process in accordance with their own terms and policies.

2. Legal Bases for Processing

The processing of personal data is based, as applicable, on one or more of the following bases:

Execution of the contract and provision of the Services.
Compliance with legal, regulatory, or contractual obligations.
Legitimate interest in security, fraud prevention, and risk management.
Express and informed consent of the data subject, when required (in particular, for biometric data and marketing communications).

When processing is based on consent, the data subject may revoke it at any time, free of charge, without affecting the lawfulness of the prior processing or preventing ONE from continuing to process the data under another valid legal basis. ONE retains evidence of consent (date, accepted version, mechanism).

3. Personal Data Collected

The categories of data that ONE may process include:

Identification and contact: name, email address, telephone number, date of birth.
Enhanced identification and official documentation: number and country of issuance of the identity document (DNI, passport, or other), image of the document, address, tax identification number (RUC, CUIT/CUIL, CPF/CNPJ, RFC, or other).
Biometric data: facial image, biometric comparison with the document, and liveness check, collected through providers specialized in the identity verification process. This data qualifies as sensitive data and is processed on the basis of express consent, with enhanced security measures.
Commercial activity: declared economic activity, products or services offered, website, and social networks.
Economic and settlement data: Wallet Address provided to receive Net Funds, operational history of settlements, amounts, commissions, chargebacks, and refunds. The Entrepreneur acknowledges that the Wallet Address and associated operations may be publicly visible on the applicable Blockchain Network, which is beyond ONE's control.
Transactional: information on operations processed or reported by the Integrated Providers (amounts, timestamps, status, payment method, identifiers, anti-fraud results). ONE does not necessarily access the entirety of the financial or anti-fraud data processed by the Integrated Providers under their own responsibility.
Technical and usage: IP address, device identifiers, browser, operating system, logs, approximate geolocation via IP, events within the dashboard, use of APIs, cookies.
Communications: content of emails, chats, tickets, calls, and other transient interactions with ONE.
External sources: information obtained from verification providers, public registries, restrictive lists, anti-fraud providers, public blockchains, and other legitimate sources.

4. Purposes of Processing

ONE processes personal data for the following primary purposes:

To provide, operate, and improve the Platform and the Services (dashboard, APIs, checkouts, integrations).
To manage the registration, onboarding, and verification of Entrepreneurs (identity, representation, activity, liveness check, adverse media, acceptable use, risk assessment).
To facilitate technological coordination with the Integrated Providers (transmission of instructions, traceability, reconciliation).
To detect and prevent fraud, sanctions, misuse, or abuse, as well as to collaborate with the controls that Integrated Providers must perform in accordance with their own regulatory obligations.
To provide technical support, handle inquiries, claims, and audits.
To send operational, contractual, regulatory, or security communications related to the Services.
To comply with legal, regulatory, fiscal, accounting, and contractual obligations, and to respond to requests from competent authorities.
To implement security, backup, and operational continuity measures.
To send commercial or promotional communications, only when there is a valid basis or consent. The data subject may object at any time through the enabled channels, without affecting necessary operational communications.

5. With Whom We Share Data

ONE shares personal data with the following categories of recipients, as necessary:

Group companies and affiliates of ONE, for legitimate corporate and operational purposes.
Providers of technological infrastructure, cloud services, software, support, analytics, monitoring, and cybersecurity.
Integrated Providers and third parties in the operational flow (processors, acquirers, networks, digital asset providers, conversion and settlement providers).
Providers of identity verification, compliance, and fraud prevention.
Administrative, regulatory, judicial, or law enforcement authorities, when there is a legal obligation, valid request, or order from a competent authority.
Advisors, auditors, consultants, investors, or potential acquirers within the framework of claims, legal proceedings, audits, reorganizations, mergers, acquisitions, or corporate transactions.

5.1 Principal Sub-processors

As of the date of this Policy, ONE shares personal data with the following principal providers:

Coinflow
BlindPay
Didit
Amazon Web Services

ONE may incorporate, replace, or discontinue providers based on operational, technical, commercial, or regulatory needs.

6. International Data Transfers

Personal data may be processed, hosted, or transferred to jurisdictions other than that of the data subject. To date, the main destination jurisdictions are the United States of America and the Republic of Poland, depending on the location of the Integrated Providers and technological providers used by ONE.

When required by applicable regulations, ONE adopts appropriate legal mechanisms to protect transfers, including contractual clauses, data processing agreements, and reasonable technical and organizational measures.

7. Cookies and Tracking Technologies

ONE uses cookies, SDKs, pixels, tags, local storage, and similar technologies to enable technical features, authenticate sessions, remember preferences, analyze the functioning of the Platform, and detect security incidents or fraud. Some are first-party and others are provided by third parties.

When the Entrepreneur enables the insertion of third-party pixels or tags (for example, Meta Pixel) on their sales pages through the features of the Platform, such third parties may receive information about the User's navigation. The Entrepreneur shall be responsible for adequately informing their Users and obtaining the corresponding consents.

You can configure your browser or the preferences available on the Platform to reject or limit non-essential cookies, although this could affect the functioning of some features.

8. Data Retention

We retain personal data for the period necessary to fulfill the described purposes and, subsequently, for the time required or permitted by legal, regulatory, fiscal, accounting, evidentiary, security, fraud prevention, or rights defense obligations. Criteria may vary depending on the type of data, the type of data subject, and the jurisdiction.

Even after account closure, certain data may be retained when necessary for regulatory compliance, transactional traceability, handling of claims, or exercise of rights. When no longer necessary, data may be deleted, anonymized, or blocked.

Integrated Providers and other independent third parties may retain personal data pursuant to their own terms and obligations, which is beyond ONE's control.

9. Information Security

ONE implements reasonable administrative, technical, organizational, and physical measures to protect personal data against unauthorized access, loss, alteration, disclosure, or misuse, including access controls, encryption, authentication, monitoring, vulnerability management, and incident response. No system can guarantee absolute security.

ONE's measures apply to the systems and environments under its reasonable control. ONE does not control the security of self-custodied wallets, exchanges, private keys, seed phrases, external credentials, Entrepreneur devices, blockchain networks, or third-party services outside its direct control.

9.1 Notification of Security Incidents

In the event of a security incident that compromises personal data and is likely to generate a risk to the rights and freedoms of data subjects, ONE will notify the National Personal Data Protection Authority of Peru within forty-eight (48) hours from its detection and, where applicable, communicate the incident to the affected data subjects within the same period. ONE will adopt reasonable measures to contain the incident and prevent its recurrence.

10. Rights of the Data Subject

In accordance with applicable regulations, you have the following rights in relation to your personal data. Before handling any request, ONE may require identity verification and, where applicable, verification of the invoked representation.

Access: obtain confirmation as to whether we process your data and access the corresponding information. This right does not extend to third-party data, information linked to anti-fraud controls, sanctions, prevention of illicit activities, or information protected by confidentiality or legal privilege when its disclosure could affect third-party rights, ongoing investigations, or applicable legal restrictions.
Rectification: request the correction of inaccurate or outdated data. It does not apply to historical, accounting, or regulatory records that must be preserved in their original state.
Deletion: request the deletion of your data when appropriate. ONE may retain it when necessary to comply with legal or contractual obligations, attend to authority requirements, prevent fraud, or defend rights.
Objection and restriction of processing: object to processing based on legitimate interest or direct marketing, and request the limitation of processing in the cases provided by law.
Portability: where applicable, receive or transfer your data in a structured, commonly used, and machine-readable format. It does not apply to inferred information, internal evaluations, regulatory reports, or data whose transfer could affect third-party rights or regulatory compliance.
Human review of automated decisions: request human intervention, express your point of view, and contest decisions based exclusively on automated processing that produce significant effects, in accordance with applicable regulations.
Withdrawing consent: when processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
Complaint before the authority: file complaints before the National Personal Data Protection Authority of Peru or before the competent data protection authority in your jurisdiction.

End Users (buyers) whose data has been processed through the Platform at the initiative of an Entrepreneur must direct their requests, in the first instance, to the corresponding Entrepreneur. ONE may reasonably collaborate with such exercise when technically possible.

11. How to Exercise Your Rights

To exercise any of the described rights, you can send your request to compliance@one.lat indicating your name, identity document, the right you wish to exercise, and a clear description of your request, accompanied by supporting documentation where applicable.

ONE will respond within the timeframes provided by applicable legislation. In the case of particularly complex, multiple, repetitive requests or requests requiring additional verifications, the timeframe may be extended for the period permitted by regulations, which will be communicated to you in a timely manner.

The exercise of rights is free of charge. When authorized by regulations, ONE may charge a reasonable fee or reject, in whole or in part, requests that are manifestly unfounded, excessive, or abusive.

12. Changes to this Policy

ONE may modify or update this Privacy Policy at any time. When changes are material, ONE will communicate them by reasonable means, including notification to the registered email or a prominent notice on the Platform. When required by applicable regulations or the nature of the change, ONE will obtain the data subject's consent again regarding the modified purposes.

13. Minors

ONE's Services are not directed to minors. ONE does not intentionally collect personal data from minors or allow the use of the Platform by persons who do not meet the minimum legal age required.

The Entrepreneur must not upload or make available to ONE personal data of minors without a sufficient legal basis and the required authorizations (including, where applicable, the consent of whoever exercises parental authority or legal representation). If ONE becomes aware of having processed data of minors without the corresponding authorization, it will adopt reasonable measures to delete, block, or anonymize it.

14. Contact

For any inquiry, request, or communication related to this Policy or the processing of your personal data, you can contact ONE through the following channel:

Data Controller: ONEINFINITE PLATFORM S.A.C.

Personal Data Officer: contact via the compliance channel indicated below.

Contact email for privacy, data subject rights, and Personal Data Officer: compliance@one.lat