NUVIRA

PRIVACY POLICY

English version: 01

At Nuvira, we recognize that trust is the most valuable asset in the digital financial ecosystem. We understand that by using our services, you entrust us with your identity and your assets. Therefore, we have designed this Privacy Policy not only as a legal requirement, but as a commitment to transparency regarding how we manage, protect, and use your personal information.

Our privacy framework strictly complies with current legislation in El Salvador, including the Personal Data Protection Law and specialized regulations issued by the National Digital Assets Commission (CNAD) and the Financial Investigation Unit (UIF). Likewise, we align our security standards with international benchmarks such as the General Data Protection Regulation (GDPR) and the ISO/IEC 27701 standard on Information Privacy Management.

Below, we detail the terms and conditions under which we process your data.

1. DEFINITIONS

To ensure a clear understanding of this document and your rights, we define the technical and legal terms under which our platform operates:

● Personal Data: Any information linked to a natural or legal person that allows them to be identified, directly or indirectly. In the context of Nuvira, this ranges from your name and identity document to digital identifiers such as your IP address, device fingerprint, or advertising identifiers.
● Biometric Data (Sensitive Data): Information resulting from specific technical processing relating to the physical or physiological characteristics of a person, such as facial recognition or liveness checks used during our identity verification process (KYC). These data receive a reinforced level of protection.
● Blockchain Data (Immutable Data): Transactional information (such as public wallet addresses and transaction hashes) which, due to the technological nature of the blockchain, is recorded in a public, decentralized, and immutable manner. Nuvira does not have the technical capacity to delete or modify these records once confirmed on the network.
● Data Subject: You (whether a natural person or a representative of a legal entity) to whom the personal data corresponds and who interacts with Nuvira’s services.
● Processing: Any technical or automated operation performed on your personal data, such as: collection, recording, organization, storage, consultation, processing, transfer, interconnection, and, when permitted by law, its deletion or destruction.
● Consent: The free, specific, informed, and unambiguous manifestation of will by which the Data Subject accepts the processing of their personal data for specific purposes.
● Data Controller: Nuvira, who decides on the database and the purpose of the use of the information.
● Data Processor: Third-party providers (e.g., identity verification providers, cloud infrastructure, or payment correspondents) who process personal data strictly on behalf of and under the orders of Nuvira for the provision of the service.

2. GUIDING PRINCIPLES OF DATA PROCESSING

At Nuvira, the handling of your information is not accidental; it is governed by a strict ethical and legal framework. We process your personal data based on the following fundamental principles, aligned with international and local regulations:

● Lawfulness, Fairness, and Transparency: We never process your data in a hidden or arbitrary manner. All processing is supported by a valid legal basis (whether your explicit consent, the execution of a contract, or compliance with a regulatory legal obligation), and we inform you clearly about its use.
● Purpose Limitation: Your data is collected for specified, explicit, and legitimate purposes (such as identity verification or payment processing). We will not subsequently use your information in a manner incompatible with those purposes, nor will we sell it to third parties for unauthorized commercial purposes.
● Data Minimization: We apply the principle of "necessity." We only request and process data that is strictly necessary and adequate to provide the service and comply with financial regulation. We do not collect superfluous information.
● Accuracy and Truthfulness: We adopt reasonable measures to ensure that the data we hold is accurate and, where necessary, kept up to date. You have the right and facility to rectify any erroneous information, except for those records that are immutable by technological nature (such as Blockchain transactions).
● Storage Limitation: We retain your personal data only for the time necessary to fulfill the purpose for which it was collected. Once the business relationship has ended, the data will be kept duly blocked during the periods required by Anti-Money Laundering and Asset Laws, after which it will be securely deleted.
● Integrity and Confidentiality: We process your data under strict technical and organizational security measures (compliant with standards such as ISO 27001) to guarantee its protection against unauthorized or illicit processing, as well as against accidental loss, destruction, or damage.
● Accountability: We not only comply, but we demonstrate compliance. Nuvira maintains activity logs and subjects its processes to periodic reviews to ensure that these principles are effectively applied at every layer of our operation.

3. CATEGORIES OF PROCESSED DATA

To ensure the secure provision of our financial and digital asset services, Nuvira collects and processes the following categories of data, always adhering to the principle of minimization (collecting only what is strictly necessary):

3.1. Identification and Contact Data (KYC/KYB)

Information you voluntarily provide to us to comply with Due Diligence:

● Identity Data: Full name, document number (DUI, Passport), nationality, date of birth, and gender.
● Contact Data: Residential address, email address, and mobile phone number.
● Biometric Data (Sensitive Category): Facial images and liveness checks captured during the identity verification process. Note: Nuvira processes this data exclusively for security and identity impersonation prevention purposes, and never for racial profiling or incompatible purposes.

3.2. Financial and Transactional Data (Fiat and Crypto)

Information necessary to execute and track your operations:

● Banking Data: Account numbers, bank references, and proof of Source of Funds (SoF).
● Socioeconomic Data: Profession, occupation, source of income, and purpose of the business relationship.
● Digital Asset Data: Public wallet addresses, Transaction Hashes (TXID), asset balances, and Blockchain metadata.

3.3. Technical and Navigation Data (Device Fingerprinting)

Data collected automatically to ensure platform security and compliance with international sanctions:

● Device identifiers (ID, model, operating system).
● IP address and geolocation data (necessary to ensure operations do not originate from prohibited/sanctioned jurisdictions).
● Access logs and in-app activity.

3.4. Risk Data and External Sources

Information legitimately obtained from third parties for the prevention of money laundering and fraud:

● Sanctions Lists: Queries against UN, OFAC (USA), and local UIF databases.
● Blockchain Intelligence: Risk analysis of your external wallets to rule out links to illicit activities (Darknet, Mixers, Hacks).
● Public Sources: Information from public records, official bulletins, or Negative News.

3.5. Exclusion of Other Sensitive Categories

Except for the biometric data mentioned strictly for identification, Nuvira DOES NOT request nor collect data related to your racial or ethnic origin, political opinions, religious or philosophical beliefs, union affiliation, genetic data, sexual life, or sexual orientation.

4. PURPOSE OF PROCESSING (WHY DO WE USE YOUR DATA?)

All information described above is collected for specific, explicit, and legitimate purposes:

1. Service Provision: Managing the creation of your account, processing your asset buy/sell orders, custody, and transfers.
2. Regulatory Compliance (Compliance): Executing Know Your Customer (KYC) and Know Your Business (KYB) processes required by the Anti-Money Laundering Law and CNAD regulations.
3. Security and Fraud Prevention: Detecting unauthorized access, protecting your funds, and ensuring platform integrity.
4. Risk Management: Evaluating transactional patterns to detect anomalies and deduce financial risk habits.
5. Communication: Keeping you informed about the status of your operations, security updates, or changes to our terms and conditions.
6. Product Improvement: Statistical analysis (anonymized) to optimize user experience and develop new features.

5. RIGHTS OF DATA SUBJECTS

Pursuant to the Personal Data Protection Law of El Salvador and international standards, Nuvira guarantees its users the exercise of the rights of Access, Rectification, Cancellation, Opposition, and Portability. However, given the regulated nature of our financial activity, the exercise of these rights is subject to certain legal and technical limitations described below:

5.1. Detail of Your Rights

● Right of Access: You have the power to request confirmation as to whether Nuvira is processing your personal data, to know the origin of such data, the purposes of the processing, and the categories of third parties with whom it has been shared.
● Right of Rectification: You may request the correction of your personal data when it is inaccurate, incomplete, or outdated.
  ○ Technical Limitation: Due to the immutable nature of Blockchain technology, Nuvira cannot modify, alter, or correct transactional data (such as wallet addresses or hashes) once they have been confirmed on the public blockchain.
● Right of Erasure (Cancellation or "Right to be Forgotten"): You may request the deletion of your data when you consider it is no longer necessary for the collected purpose or when you revoke your consent.
  ○ Mandatory Legal Exception: Nuvira will NOT proceed with the deletion of data when a legal obligation to retain it exists. In accordance with Anti-Money Laundering and Asset Prevention regulations (instructions from the UIF and CNAD), we are obligated to retain identity (KYC) and transactional records for a minimum period of ten (10) to fifteen (15) years following the termination of the business relationship. In these cases, the data will be blocked (restricted from commercial use) but not deleted until the legal term expires.
● Right to Limitation of Processing: You may request that the use of your data be temporarily stopped while its accuracy or the lawfulness of the processing is verified.
● Right to Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, in order to transmit it to another provider, whenever technically feasible.
● Right to Object: You may oppose the processing of your data for specific purposes at any time, such as the sending of commercial communications or direct marketing.

5.2. Procedure for Exercising Rights

To exercise any of these rights, the Data Subject (or their duly accredited legal representative) must send a formal request to our Data Protection Officer (DPO) through the official channels.

● Email: admin@nuvira.io
● Subject: ARCO Rights Request - [Client Name]

Nuvira will acknowledge receipt of your request and provide a reasoned response within a maximum period of fifteen (15) business days, which may be extended depending on the complexity of the case, in accordance with applicable regulations. The response will be sent exclusively to the email address registered on our platform to guarantee information security.

6. INFORMATION SECURITY

Nuvira implements a Defense in Depth security architecture designed to mitigate risks of data leakage, unauthorized access, and internal manipulation.

● Robust Encryption: All sensitive information is protected using high-level encryption protocols. We use TLS 1.2+ for data in transit (when traveling over the internet) and the AES-256 standard for data at rest (when stored on our servers), ensuring it remains unreadable to unauthorized persons.
● Access Control (Principle of Least Privilege): Access to personal data is strictly restricted to authorized personnel who need it to perform their work. We use Multi-Factor Authentication (MFA) mechanisms for all administrative access and maintain unalterable Audit Logs to track any interaction with the database.
● Secure Development (DevSecOps): We integrate security by design. We conduct periodic vulnerability scans and Penetration Testing (Pen-testing) executed by independent third parties to detect and correct potential breaches before they can be exploited.
● Network and Environment Segregation: Our critical infrastructure is isolated in Virtual Private Networks (VPC) with strict firewall rules. Development and production environments are completely separated to prevent data contamination or operational errors.

6.1. Data Sharing and Transfer

At Nuvira, we respect your privacy: we never sell, rent, or trade your personal data. However, for the operational provision of the service, we share strictly necessary information with the following strategic providers:

● Wallet and Custody Infrastructure: We utilize Multi-Party Computation (MPC) technology for the secure creation and management of your deposit addresses. We share technical address and transaction data to guarantee the security of your assets.
● Payment and Banking Processors: To process your conversions between fiat currency (Dollars) and digital assets (Stablecoins), we share data required by US and El Salvador banking regulations (including identity and Source of Funds) with our regulated financial partners.
● Blockchain Risk Monitoring (Chainalysis): We share public wallet addresses and transaction hashes for automated risk analysis, sanctions compliance, and anti-money laundering prevention.
● Cloud Infrastructure Providers (Google Cloud / Supabase): Your data is stored in encrypted form on high-availability servers, under strict confidentiality agreements.

7. DATA RETENTION AND DISPOSAL

Nuvira rigorously applies the principle of storage limitation, ensuring that your personal data is not processed for longer than strictly necessary for service purposes or legal requirements.

7.1. Retention Criteria

Our retention periods are determined based on two factors:

● Duration of the Business Relationship: While your account is active, we will retain all data necessary to operate.
● Legal Obligations: Once the relationship ends (account closure), we are obligated to retain information for an additional period imposed by financial regulation.

7.2. Regulatory Timeframes in El Salvador

Pursuant to Article 21 of the Anti-Money Laundering Law and instructions from the Financial Investigation Unit (UIF), Nuvira is obligated to retain client identification files (KYC), transactional records, and commercial documents for a minimum period of fifteen (15) years starting from the termination of the business relationship or the execution of the transaction.

7.3. Data Blocking (Segregation)

Once you request the closure of your account, your data enters a "Blocked" state. This means that:

● Information is removed from operational and commercial systems (no one in Marketing or Support can access it).
● It is stored in a segregated, restricted-access environment, encrypted and protected.
● It remains available exclusively to respond to requests from the UIF, the Attorney General's Office, the CNAD, or competent judges during the 15-year legal period.

7.4. Secure Disposal and Technical Exceptions

Once the legal retention period expires:

● Centralized Data: We will proceed with its definitive destruction using secure wiping techniques (compliant with NIST 800-88 standards) or irreversible anonymization, making it impossible to reconstruct your identity.
● Blockchain Data (Immutability Exception): You acknowledge and accept that, due to the decentralized and immutable nature of Blockchain technology, public records of your transactions (wallet addresses, hashes, and amounts) will remain permanently on the blockchain and cannot be deleted or altered by Nuvira, even after your account is closed.

8. INCIDENT MANAGEMENT AND BREACH NOTIFICATION

Nuvira maintains an Incident Response Protocol (IRP) designed to detect, contain, and eradicate any threat to information security. In the unlikely event of a security breach (Data Breach) that compromises the confidentiality of your personal data or poses a risk to your rights and freedoms:

● Authority Notification: Nuvira will notify the National Digital Assets Commission (CNAD) and the Financial Investigation Unit (UIF) within 72 hours of detecting the incident, in accordance with applicable regulations.
● User Notification: If the incident poses a high risk to you (e.g., leakage of private keys or identity documents), we will communicate the fact immediately via your registered email, detailing the nature of the breach and the recommended protection measures.

9. VALIDITY AND AMENDMENTS TO THE POLICY

Nuvira reserves the right to modify, update, or expand this Privacy Policy at any time to adapt to legislative, regulatory, or technological architecture changes.
● Notification Mechanism: Any substantial change will be notified via the mobile application, the website, or by email with reasonable advance notice prior to its entry into force.
● Tacit Acceptance: The continued use of Nuvira’s services following the notification and entry into force of the changes will imply that you have read, understood, and accepted the new terms. If you do not agree, you must refrain from using the platform and proceed with the request for account closure and withdrawal of funds.

10. GOVERNING LAW AND JURISDICTION

This Privacy Policy is governed and interpreted exclusively under the laws of the Republic of El Salvador, including the Personal Data Protection Law, the Digital Assets Issuance Law, and applicable AML/CFT regulations.

For the resolution of any controversy, litigation, or claim arising from the interpretation or compliance of this document, the parties expressly waive any other venue or jurisdiction that may correspond to them by reason of their present or future domicile, and submit to the exclusive jurisdiction of the competent Courts of the city of San Salvador.