Terms and conditions
We have brought together all the usage policies and legal pages of the Cakto platform.
Cakto
Privacy Policy
1. PURPOSE
Cakto Commerce OÜ, a company duly organized and existing under the laws of Estonia, with its registered business address at Harju maakond, Tallinn, Kesklinna linnaosa, Tartu mnt 67/1-13b, 10115, Estonia (hereinafter referred to as “CAKTO”, “we”, “our” or “us”), recognizes and prioritizes the privacy, protection, and security of Personal Data.
CAKTO understands that safeguarding privacy is essential to preserving trust and demonstrating respect toward its merchants, consumers/buyers, partners, service providers, employees, and any other individuals whose data may be processed in connection with CAKTO’s activities (“Users” and/or “Data Subjects”, as applicable). In addition to complying with applicable laws and regulatory requirements, CAKTO is committed to operating in a manner grounded on the principles of lawfulness, transparency, purpose limitation, adequacy, necessity, data minimization, security, prevention, non-discrimination, and accountability, as well as adopting organizational and technical measures designed to reduce risks and protect data throughout its lifecycle.
This Privacy Policy (the “Policy”) is intended to:
a) Reinforce CAKTO’s commitment to privacy, confidentiality, and the secure processing of Personal Data collected or otherwise processed in the course of its business activities and the provision of its services;
b) Explain in a clear and accessible manner what categories of Personal Data CAKTO may process, the purposes for which such data may be collected and used, the legal bases that may support the processing (where applicable), and the manner in which CAKTO may collect, store, organize, consult, share, transfer, and otherwise process such data;
c) Describe the safeguards and security measures adopted by CAKTO to protect Personal Data against unauthorized access, accidental or unlawful destruction, loss, alteration, improper disclosure, or any form of unlawful or unauthorized processing, recognizing that no system is completely immune to threats and that continuous improvement is an essential element of information security;
d) Set out the choices, controls, and rights that Data Subjects may have in relation to their Personal Data, including how preferences may be managed and how requests can be made regarding access, correction, deletion, objection, restriction, portability, withdrawal of consent, and other rights that may be available under applicable law;
e) Provide transparency regarding CAKTO’s role and operations, including that CAKTO may act, depending on the specific service and context, as a Controller and/or Processor (or equivalent concepts under applicable law), and may rely on third-party service providers and partners—such as payment, anti-fraud, identity verification, hosting, analytics, customer support and compliance providers—strictly as necessary to deliver services, ensure platform integrity, prevent fraud and abuse, comply with legal/regulatory obligations, and protect Users and CAKTO.
CAKTO regularly reviews and updates its internal governance, policies, procedures, and technologies to align with industry best practices in information security and privacy. CAKTO also values feedback and encourages Users to contact us if they have questions, concerns, or suggestions regarding this Policy or how Personal Data is handled.
For privacy-related requests or inquiries, you may contact CAKTO’s Data Protection Officer (“DPO”):
DPO Name: Adriano Alves de Miranda Junior
Email: privacy@cakto.com.br
2. SCOPE
This Privacy Policy applies to all activities, operations, products, services, systems, platforms, websites, applications, tools, and environments operated, managed, or made available by CAKTO.
This Policy covers, without limitation, the processing of Personal Data relating to:
Merchants, content providers, suppliers and other users who register, contract, or otherwise use CAKTO’s platform and services;
Buyers, consumers, end users, or recipients of digital products, services, content, or mentorships made available through the CAKTO platform;
Employees, contractors, representatives, administrators, officers, and collaborators of CAKTO;
Business partners, service providers, vendors, payment, compliance, fraud-prevention, identity verification, hosting, analytics, customer support and technology providers; and
Any other natural persons whose Personal Data may be processed by CAKTO in connection with its business activities (collectively, the “Data Subjects”).
This Policy applies to all services offered by CAKTO that involve the collection, use, storage, consultation, sharing, transfer, or any other form of Processing of Personal Data, regardless of the means used to access such services, including but not limited to websites, mobile applications, APIs, integrations, electronic communications, customer support channels, and operational or compliance procedures.
This Policy applies globally, to the extent permitted and required by applicable law, and is intended to complement—without replacing—any specific privacy notices, contractual clauses, or data protection terms that may be presented in connection with particular services, products, jurisdictions, or processing activities.
CAKTO may amend, update, or revise this Policy from time to time to reflect changes in its practices, technologies, services, business operations, or applicable legal and regulatory requirements. Where changes are material, CAKTO will take reasonable steps to notify Data Subjects through appropriate channels, which may include notices on its websites or platforms, email communications, in-product notifications, or other means reasonably calculated to provide notice.
Unless otherwise expressly stated, any updated version of this Policy shall become effective upon publication. Continued access to or use of CAKTO’s services after the effective date of an updated Policy constitutes acknowledgment and acceptance of the revised terms, to the extent permitted by applicable law.
By accessing, registering for, contracting, or otherwise using CAKTO’s services, Merchants and Buyers acknowledge that they have read, understood, and agreed to the terms of this Policy. Where required by applicable law, CAKTO will obtain specific and express consent for certain Processing activities.
Data Subjects are encouraged to review this Policy periodically to remain informed about how CAKTO processes Personal Data and about any changes that may affect their rights or interests.
3. DEFINITIONS
For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning assigned to them under applicable data protection laws.
Data Processing Agents
The parties involved in the Processing of Personal Data, which may be classified as Controllers or Processors.
The Controller is the natural or legal person that determines the purposes and means of the Processing of Personal Data.
The Processor is the natural or legal person that Processes Personal Data on behalf of the Controller, strictly in accordance with the Controller’s documented instructions.
Anonymization
A technical and organizational process through which Personal Data is rendered irreversibly incapable of being associated, directly or indirectly, with an identified or identifiable individual, such that re-identification is not reasonably possible, even through the use of technical means.
Cookies
Small text files containing a sequence of characters that are created and stored on a user’s Device when visiting a website. Cookies allow websites to recognize Devices, remember user preferences, personalize content, enhance security, and improve user experience. Users may configure their browsers to refuse or notify them about Cookies; however, disabling Cookies may affect the availability or functionality of certain features or services.
Personal Data
Any information relating to an identified or identifiable natural person, including information that can directly or indirectly identify such person, such as name, identification numbers, government-issued documents, contact information, location data, online identifiers, or other elements characteristic of an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Sensitive Personal Data
Personal Data that reveals or relates to racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health data, sexual life or sexual orientation, genetic data, biometric data, or any other data classified as sensitive under applicable data protection laws.
Device
Any electronic equipment used to access CAKTO’s services, including but not limited to desktop computers, laptops, tablets, smartphones, or other internet-enabled devices.
Data Protection Officer (DPO)
The individual designated by CAKTO to oversee compliance with applicable data protection laws, monitor internal data protection practices, advise on data protection obligations, and serve as the primary point of contact between CAKTO, Data Subjects, and regulatory authorities.
IP Address
A numerical identifier assigned to each Device connected to the internet, which may be used to identify the approximate geographic location, network, or access point from which a Device connects to online services.
Geolocation Data
Information that identifies or estimates the geographic position of a Device, including country, state, city, or other location indicators, obtained through technologies such as IP address analysis, GPS, Wi-Fi, or mobile network signals, subject to the Device’s configuration and user permissions.
Economic Group
CAKTO PAY LTDA, a legal entity duly incorporated and existing under the laws of Brazil, including its subsidiaries, affiliates, or entities under common control, where applicable, for the purposes of operational, compliance, or legal obligations.
Data Subject
Any identified or identifiable natural person whose Personal Data is Processed by CAKTO, including but not limited to Merchants, Buyers, end users, collaborators, service providers, applicants, and representatives of legal entities.
Processing
Any operation or set of operations performed on Personal Data, whether by automated or non-automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Users
Any individual or legal entity that accesses, registers for, contracts, or otherwise uses CAKTO’s platform or services, including Merchants, Buyers, and end consumers.
4. COOKIES AND SIMILAR TECHNOLOGIES
CAKTO uses cookies and similar technologies to ensure the proper functioning of the Platform, enhance user experience, improve security, and comply with applicable legal and regulatory obligations.
Cookies are small text files containing a sequence of characters that are stored on a User’s device (such as a computer, smartphone, or tablet) when accessing the Platform. Similar technologies may include pixels, tags, SDKs, or local storage, collectively referred to in this section as “Cookies”.
4.1 Types of Cookies Used
CAKTO may use the following categories of Cookies:
a) Strictly Necessary Cookies (First-Party)
These Cookies are essential for the operation of the Platform and enable core functionalities, such as user authentication, account security, fraud prevention, session management, and transaction processing. Without these Cookies, the Services cannot be properly provided.
b) Functional and Performance Cookies
These Cookies allow the Platform to remember user preferences, improve usability, and enhance performance, helping to ensure a consistent and efficient user experience.
c) Analytics and Measurement Cookies (Third-Party)
CAKTO may use limited third-party Cookies or similar technologies provided by analytics or infrastructure partners to understand how Users interact with the Platform, measure performance, and improve Services. These Cookies are generally used in an aggregated or statistical manner and are not intended to directly identify Users.
d) Security and Compliance Cookies
Certain Cookies may be used to support security controls, fraud detection, anti-money laundering (AML), risk analysis, and compliance with legal and regulatory requirements applicable to CAKTO’s operations.
4.2 Third-Party Cookies
Some Cookies may be placed or managed by third-party service providers acting on behalf of CAKTO, such as hosting providers, analytics services, payment processors, or security vendors.
These third parties may use Cookies in accordance with their own privacy and cookie policies. CAKTO does not control the operation of third-party Cookies and recommends that Users review the relevant policies of such third parties to understand how their data is processed.
4.3 Cookie Management and User Controls
You can configure your browser to not accept Cookies or to notify you when a Cookie is being sent. You may also remove or delete Cookies through your browser settings at any time.
Please note that disabling or removing Cookies may result in certain features or services of the Platform being unavailable, impaired, or limited.
For Cookies placed by third parties, Users should consult the respective third-party providers’ cookie or privacy policies to understand available management options and controls.
4.4 Consent and Legal Basis
Where required by applicable law — including the General Data Protection Regulation (GDPR) and applicable ePrivacy rules — CAKTO will obtain User consent before placing non-essential Cookies on their devices.
The processing of Personal Data through Cookies is based on:
Legitimate interest, for strictly necessary, security, and operational Cookies; and
User consent, where required by law, for non-essential Cookies.
5. DATA COLLECTED WHEN ACCESSING CAKTO SERVICES
In accordance with applicable data protection laws, CAKTO is committed to collecting only the data strictly necessary for the provision of its services, while maintaining efficient, secure, and reliable systems for its Merchants, Buyers, and end users.
When you access or use CAKTO’s platform, websites, applications, or related services, certain information may be collected. Such information is generally categorized into the following groups:
5.1. Information provided by merchants and their consumers
CAKTO may collect Personal Data that is voluntarily provided by Merchants and their Consumers during registration, contractual interactions, onboarding procedures, transactions, communications, or the use of any services offered by CAKTO.
This information may include, but is not limited to:
Full name or business name;
Email address;
Telephone number;
Government-issued identification numbers or documents, where legally required;
Residential or business address;
Account credentials;
Payment-related information, such as cardholder name, masked card details, expiration date, billing address, transaction identifiers, and payment method metadata.
Such data is used primarily to enable transaction processing, user authentication, account management, fraud prevention, regulatory compliance, customer support, and the proper execution of contracts entered into through CAKTO’s platform. In the event of operational issues, disputes, or transaction irregularities, CAKTO may use this information to contact the relevant parties.
Merchants may also be required to provide additional Personal Data, including copies of identification documents, corporate records, or other verification materials, for purposes such as account creation, modification, verification, compliance reviews, or termination of services.
CAKTO may, at its discretion, engage third-party service providers to assist with identity verification, compliance checks, fraud prevention, or risk analysis, provided that such third parties are subject to contractual obligations consistent with the security and confidentiality standards described in this Policy.
Merchants acknowledge and agree that they are solely responsible for the accuracy, completeness, and timeliness of the Personal Data they provide to CAKTO. CAKTO shall not be liable for inaccuracies, outdated information, or damages arising from incorrect or incomplete data submitted by Merchants or their Consumers.
If you contact CAKTO through electronic means, including email or support channels, CAKTO may retain your contact details and a record of such communications. CAKTO may also use such contact information to respond to inquiries, provide operational notices, and, where permitted by law, send information regarding its services. CAKTO does not sell Personal Data to third parties for independent marketing purposes.
Data Subjects may request updates, corrections, deletion of data, or opt out of marketing communications at any time by contacting CAKTO’s Data Protection Officer, as indicated in this Privacy Policy.
5.2. Data collected automatically through the use of CAKTO services
CAKTO may automatically collect certain data when Users browse, access, or interact with its digital environments. This data generally relates to usage patterns, security, and system performance, and may include the following:
a) Navigation and Interaction Data
Information related to how Users interact with CAKTO’s websites or services, including pages visited, features accessed, timestamps, and interaction logs, which may be used for security monitoring, analytics, and service improvement.
b) Comments and User-Generated Content
When Users submit comments or other content through CAKTO’s platforms, CAKTO may collect the information provided in the submission form, as well as technical data such as IP address and browser details, for purposes including moderation, security, and spam prevention.
c) Media Uploads
If Users upload images or other media files, such files may contain embedded metadata (such as EXIF data). Users are encouraged to remove unnecessary metadata prior to uploading, as such information may be accessible to other Users or system administrators.
d) Cookies and Similar Technologies
CAKTO uses Cookies, pixel tags, and similar technologies to recognize Devices, maintain sessions, store preferences, enhance security, and analyze usage trends. Cookies may be temporary or persistent, and their duration varies depending on their function. Users may manage Cookie preferences through browser settings, although disabling Cookies may limit certain functionalities.
e) Embedded Third-Party Content
CAKTO’s services may include embedded content or integrations provided by third parties. Interaction with such content is subject to the privacy practices of the respective third parties, and CAKTO encourages Users to review applicable third-party privacy policies.
f) Device and Technical Data
Technical information may be collected regarding the Device used to access CAKTO’s services, such as operating system, browser type, language settings, device identifiers, access timestamps, and system logs. Such data is generally aggregated and used for analytics, diagnostics, performance optimization, and security purposes.
g) Geolocation Data
CAKTO may collect approximate geolocation data derived from IP addresses, device settings, or network signals to enhance transaction security, prevent fraud, comply with regulatory requirements, and support customer service operations. The level of precision depends on the Device configuration and User permissions.
6. PERSONAL DATA PROCESSED BY CAKTO
Personal Data collected in accordance with this Privacy Policy is Processed by CAKTO for legitimate, specific, and explicit purposes related to the provision of its services, compliance with legal and regulatory obligations, risk management, and the proper operation of its platform.
Subject to applicable law, CAKTO Processes Personal Data for the following purposes:
a) Performance of contractual obligations, including the execution, administration, and enforcement of agreements entered into with Merchants, Buyers, or other Users;
b) Compliance and verification procedures, including identity verification, onboarding checks, and regulatory validations required under applicable laws, regulations, or industry standards, which may be carried out directly or through authorized third-party service providers;
c) Fraud prevention and financial crime mitigation, including the detection, prevention, investigation, and monitoring of fraudulent activities, money laundering, terrorist financing, and other illicit or unauthorized activities;
d) Provision and operation of services, including enabling access to CAKTO’s platform, processing transactions, managing accounts, and facilitating the use of digital products and services;
e) Customer support and communications, including responding to inquiries, complaints, requests, or operational issues submitted by Users through available communication channels;
f) Security enhancement, including implementing and improving technical, administrative, and organizational measures designed to protect Users, transactions, systems, and data against unauthorized access, misuse, loss, or breaches;
g) Service administration and management, including internal controls, system maintenance, platform monitoring, and operational oversight;
h) Compliance with legal and regulatory obligations, including obligations related to Know Your Customer (KYC), Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), tax reporting, accounting, consumer protection, and other applicable regulatory frameworks;
i) Internal operations, including data analysis, system testing, audits, research, reporting, statistics, and the resolution of technical or operational incidents;
j) Service improvement and optimization, including evaluating usage patterns, performance metrics, and feedback to improve functionality, usability, and overall service quality;
k) Advertising effectiveness analysis, including measuring, analyzing, and understanding the effectiveness of advertising campaigns, where permitted by law, in order to deliver relevant and appropriate communications;
l) Interactive features, enabling Users to participate in interactive functionalities of the platform, where applicable and voluntarily chosen;
m) Provision of related services or offerings, including informing Users about products or services similar to those previously contracted or used, subject to applicable consent and opt-out requirements;
n) Legal proceedings and evidence production, including the establishment, exercise, or defense of legal claims in judicial, administrative, or arbitral proceedings, as well as compliance with lawful requests from competent authorities;
o) Investigations and risk management, including measures to prevent, detect, and combat illegal activities, fraud, financial crimes, and to protect the integrity of CAKTO’s platform, its Users, and the financial system;
p) Marketing and market research, including prospecting, surveys, opinion polls, and analytics, where permitted by law and subject to consent requirements;
q) Account maintenance and updates, including contacting Users to update registration data, comply with legal obligations, or clarify matters related to legal or administrative notifications; and
r) Automated decision-making, including automated processing related to fraud detection, risk assessment, transaction monitoring, and service eligibility, where permitted by law and subject to appropriate safeguards.
All Personal Data provided by Users or collected by CAKTO is treated as confidential and Processed in accordance with applicable data protection laws. CAKTO adopts appropriate technical and administrative measures designed to safeguard Personal Data against unauthorized access, loss, alteration, or unlawful Processing.
Data Subjects may request additional information regarding the Processing of their Personal Data by contacting CAKTO’s Data Protection Officer, in accordance with this Privacy Policy.
7. RETENTION PERIOD OF PERSONAL DATA
CAKTO retains and Processes Personal Data only for the period necessary to fulfill the purposes for which such data was collected, as described in this Privacy Policy, and to comply with applicable legal, contractual, regulatory, and operational obligations.
The duration for which Personal Data is retained may vary depending on the following factors:
a) The nature of the products or services provided, including transactional, contractual, compliance-related, or support-related services;
b) The specific purposes of the Processing, such as fraud prevention, regulatory compliance, dispute resolution, customer support, or service improvement; and
c) Applicable legal, regulatory, and contractual requirements, including retention obligations imposed by financial, tax, consumer protection, anti-money laundering, and data protection laws.
Personal Data will be retained in an identifiable form only for as long as necessary to achieve the lawful purposes outlined above. Thereafter, such data will be securely deleted, destroyed, or anonymized, unless its retention is required or permitted by applicable law.
In particular, Personal Data may be deleted, anonymized, or otherwise rendered inaccessible by CAKTO in the following circumstances:
a) Purpose fulfillment: when the purpose for which the Personal Data was collected or Processed has been fully achieved, and the data is no longer necessary or relevant for such purpose;
b) Consent withdrawal: when the Data Subject withdraws consent, where consent was the applicable legal basis for the Processing, provided that no other legal basis justifies continued retention; and
c) Legal or regulatory determination: when deletion, anonymization, or restriction of Processing is required by a competent authority, court order, or applicable law.
Notwithstanding the foregoing, CAKTO may retain Personal Data for longer periods where necessary to:
Comply with legal or regulatory retention obligations;
Establish, exercise, or defend legal claims;
Fulfill contractual obligations or enforce contractual rights;
Prevent fraud, abuse, or other unlawful activities; or
Comply with requests from competent authorities.
During any extended retention period, CAKTO will restrict the Processing of Personal Data to storage, security, and compliance-related purposes, applying appropriate technical and organizational safeguards to protect such data.
8. RIGHTS OF THE DATA SUBJECT
Subject to the applicable data protection laws and regulations, Data Subjects may be entitled to exercise certain rights in relation to their Personal Data Processed by CAKTO. The availability and scope of these rights may vary depending on the jurisdiction, the nature of the Processing, and the applicable legal basis.
8.1 Right of Access
The Data Subject has the right to request confirmation as to whether CAKTO Processes Personal Data relating to them and, where that is the case, to request access to such Personal Data, including information regarding:
The categories of Personal Data Processed;
The purposes of the Processing;
The categories of recipients to whom the Personal Data has been disclosed or will be disclosed;
The applicable retention periods or the criteria used to determine such periods;
The existence of any automated decision-making processes, where applicable.
Access may be provided electronically, through secure and appropriate means, or in physical format, as reasonably requested by the Data Subject and permitted by applicable law.
8.2 Right to Rectification
The Data Subject has the right to request the correction, updating, or completion of inaccurate, incomplete, or outdated Personal Data Processed by CAKTO, taking into account the purposes of the Processing.
8.3 Right to Erasure, Anonymization or Restriction
Where permitted by applicable law, the Data Subject has the right to request the erasure, anonymization, or restriction of Processing of their Personal Data, particularly when:
The Personal Data is no longer necessary for the purposes for which it was collected or Processed;
The Processing is excessive, unnecessary, or non-compliant with applicable laws;
Consent has been withdrawn and no other legal basis applies; or
The Processing is unlawful.
CAKTO may retain or continue to Process certain Personal Data where retention is required or permitted by law, including for compliance, legal defense, fraud prevention, or enforcement of contractual rights.
8.4 Right to Data Portability
Where applicable and technically feasible, the Data Subject has the right to request the portability of their Personal Data to another service provider or controller, in a structured, commonly used, and machine-readable format, in accordance with applicable regulations and subject to the protection of CAKTO’s commercial, industrial, and intellectual property interests.
8.5 Right to Information on Data Sharing
The Data Subject has the right to request information regarding the public or private entities with whom CAKTO shares their Personal Data, including the nature and purpose of such sharing, subject to legal and contractual confidentiality obligations.
8.6 Right to Information Regarding Consent
Where consent is the applicable legal basis for Processing, the Data Subject has the right to receive clear information regarding:
The option to grant or refuse consent; and
The potential consequences of refusing consent, including limitations on access to certain services or functionalities.
8.7 Right to Withdraw Consent
Where Processing is based on consent, the Data Subject has the right to withdraw such consent at any time, free of charge. Withdrawal of consent shall not affect the lawfulness of Processing carried out prior to the withdrawal and does not prevent Processing based on other lawful grounds.
8.8 Right to Object to Processing
Where Processing is based on legitimate interest or other legal grounds not requiring consent, the Data Subject may object to the Processing of their Personal Data on grounds relating to their particular situation, where permitted by applicable law.
CAKTO will assess the objection and either cease the Processing or demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject, as applicable.
8.9 Right to Lodge a Complaint
The Data Subject has the right to lodge a complaint with the competent data protection authority regarding the Processing of their Personal Data. Notwithstanding this right, CAKTO encourages Data Subjects to contact CAKTO first to allow for clarification and resolution of any concerns.
8.10 Exercise of Rights and Limitations
To exercise any of the rights described herein, the Data Subject may contact CAKTO’s Data Protection Officer through the channel indicated below. CAKTO may request reasonable verification of identity prior to processing the request.
CAKTO will use reasonable efforts to respond to valid requests within the timeframes established by applicable law. Certain requests may be limited or denied where Processing or retention is required to:
Comply with legal or regulatory obligations;
Establish, exercise, or defend legal claims;
Prevent fraud or other unlawful activities;
Ensure the security and integrity of CAKTO’s systems; or
Protect the rights of CAKTO, its Merchants, Consumers, or third parties.
Data Protection Officer (DPO)
Name: Adriano Alves de Miranda Junior
Email: privacy@cakto.com.br
This communication channel is dedicated exclusively to matters related to data protection and Data Subject rights.
9. SHARING OF PERSONAL DATA
CAKTO values the privacy of its Users and Processes Personal Data in accordance with applicable data protection laws and recognized market best practices. Personal Data is shared strictly on a need-to-know basis and only for the purposes described in this Privacy Policy.
9.1 Categories of Recipients
CAKTO may share Personal Data with the following categories of recipients, where necessary and lawful:
a) Companies within CAKTO’s Economic Group, for internal administrative, operational, compliance, security, and business continuity purposes;
b) Service providers, suppliers, contractors, and subcontractors engaged to perform services on CAKTO’s behalf, including but not limited to:
• Payment processing and acquiring services;
• Anti-fraud, risk analysis, chargeback prevention, and dispute management;
• Identity verification, KYC, AML, and compliance services;
• Hosting, cloud infrastructure, data storage, and cybersecurity services;
• Customer support, communication, and operational services;
c) Advertising, marketing, and analytics partners, solely to the extent authorized and in accordance with applicable consent requirements;
d) Search engine, analytics, and performance monitoring providers, for the purpose of improving, optimizing, and securing CAKTO’s digital channels and services.
9.2 Additional Disclosure Circumstances
CAKTO may also disclose Personal Data to third parties under the following circumstances:
a) Corporate transactions, including mergers, acquisitions, reorganizations, corporate restructuring, asset sales, or similar events, where the transfer of Personal Data is necessary for business continuity;
b) Legal and regulatory compliance, including compliance with applicable laws, regulations, court orders, subpoenas, or lawful requests from competent authorities;
c) Contractual obligations, where disclosure is necessary to perform, enforce, or comply with agreements entered into with Users, Merchants, or business partners;
d) Fraud prevention, security, and risk management, including the detection, prevention, and investigation of fraud, financial crimes, chargeback abuse, money laundering, terrorist financing, and other unlawful activities;
e) Protection of rights and interests, to safeguard CAKTO’s legal rights, assets, systems, Merchants, Consumers, and third parties, including in judicial, administrative, or arbitral proceedings;
f) Judicial or administrative orders, when disclosure is required by a court order or a request from legally competent authorities;
g) Financial risk assessment and credit analysis, where permitted by law; and
h) Debt collection and recovery, including engagement with collection agencies or legal representatives, where applicable.
9.3 Safeguards and Confidentiality
Any sharing of Personal Data is limited to the minimum necessary and is carried out under strict contractual, technical, and organizational safeguards designed to ensure confidentiality, integrity, and security.
Where CAKTO engages third-party Processors, such entities are contractually bound to:
• Process Personal Data solely in accordance with CAKTO’s documented instructions;
• Implement appropriate security measures; and
• Comply with applicable data protection laws and confidentiality obligations.
10. INTERNATIONAL TRANSACTIONS AND CROSS-BORDER DATA PROCESSING
Due to the international nature of CAKTO’s operations, its Merchant of Record model, and the global infrastructure required to provide the Services, CAKTO may transfer, store, and Process Personal Data in countries other than the country in which the Data Subject is located.
When Users purchase Products or Services through the Platform, CAKTO acts as the Merchant of Record and processes payments, risk assessments, and compliance activities through acquiring banks, payment processors, and service providers located in multiple jurisdictions. As a result, Personal Data — including, but not limited to, identification data, contact information, payment details, transaction records, and device or usage data — may be transferred to, accessed from, or processed in foreign jurisdictions.
Such international transfers may occur, without limitation, for the following purposes:
a) Performance of internal business operations, including administrative activities, compliance, accounting, auditing, risk management, and customer support;
b) Technical support and troubleshooting, including system maintenance, error analysis, platform monitoring, and service continuity;
c) Data hosting, storage, backup, and processing, including the use of cloud-based infrastructure and geographically distributed data centers;
d) Testing, development, research, analytics, and statistical analysis aimed at improving security, fraud detection, performance, and service quality;
e) Fraud prevention, chargeback management, anti-money laundering (AML), counter-terrorism financing (CTF), sanctions screening, and risk analysis; and
f) Performance of contractual obligations, including the execution of agreements entered into with Buyers, Suppliers, Affiliates, and business partners, as well as the delivery of CAKTO’s Products and Services.
10.1 GDPR and International Transfer Safeguards
For Data Subjects located in the European Economic Area (EEA), the United Kingdom, or other jurisdictions that impose restrictions on international transfers of Personal Data, CAKTO ensures that such transfers are conducted in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.
Where Personal Data is transferred outside the EEA to countries that have not been recognized by the European Commission as providing an adequate level of data protection, CAKTO relies on appropriate legal safeguards, which may include:
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Data processing and data transfer agreements imposing GDPR-equivalent obligations on recipients;
• Transfers to jurisdictions subject to adequacy decisions under applicable law; and
• Additional technical and organizational safeguards designed to protect Personal Data against unauthorized access or misuse.
10.2 Responsibility and Security Measures
CAKTO remains responsible for ensuring that Personal Data transferred internationally is protected in accordance with this Privacy Policy and applicable law. CAKTO requires that all recipients of Personal Data Process such data solely for authorized purposes, in accordance with CAKTO’s documented instructions, contractual obligations, and applicable data protection regulations.
Appropriate technical and organizational measures are implemented to safeguard Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access during international transmission and subsequent Processing.
10.3 Legal Basis for Cross-Border Processing
International transfers and Processing of Personal Data are carried out on lawful bases, which may include the necessity of such Processing for the performance of a contract between the Data Subject and CAKTO, compliance with legal or regulatory obligations, CAKTO’s legitimate interests in operating a secure and global payment platform, or other lawful bases permitted under applicable data protection laws.
By using the Services and purchasing Products or Services through the Platform, you acknowledge and understand that cross-border Processing of Personal Data is an essential and integral part of CAKTO’s Merchant of Record operations.
For further information regarding international data transfers or to exercise your rights under applicable data protection laws, Data Subjects may contact CAKTO’s Data Protection Officer, as set forth in this Privacy Policy.
11. FINAL CONSIDERATIONS
CAKTO reserves the right to amend, update, or revise this Privacy Policy at any time, whether as a result of changes in applicable laws or regulations, updates to technological tools, modifications to business practices, or the introduction of new products, services, or functionalities.
Data Subjects are encouraged to regularly review the most current version of this Privacy Policy. Where changes are deemed material, CAKTO will take reasonable steps to notify Users through appropriate means, which may include notices on its websites or applications, email communications, or notifications displayed upon access to CAKTO’s digital channels, prior to such changes taking effect, where required by applicable law.
Personal Data will always be Processed in accordance with the terms of this Privacy Policy and applicable data protection laws. CAKTO shall not materially reduce the rights granted to Data Subjects under this Policy without a valid legal basis and, where required, the Data Subject’s explicit consent.
If any provision of this Privacy Policy is held to be unlawful, invalid, or unenforceable by a competent court or authority, such provision shall be deemed severed from this Policy, and the remaining provisions shall remain in full force and effect to the maximum extent permitted by law.
CAKTO’s failure to enforce any right or provision of this Privacy Policy shall not constitute a waiver of such right or provision, nor shall it affect CAKTO’s ability to enforce such right or provision at a later time, within the applicable legal time limits.
By accessing or using CAKTO’s services, platforms, or digital channels, Users expressly acknowledge that they have read, understood, and agreed to be bound by the Privacy Policy in effect at the time of such use.
Users who do not agree with the terms of this Privacy Policy should refrain from accessing or using CAKTO’s services. Failure or refusal to provide certain Personal Data may result in the inability to access or use specific services, functionalities, or features offered by CAKTO.
This Privacy Policy shall enter into force on the date of its publication and shall remain valid and effective for an indefinite period, until duly amended or replaced in accordance with its terms.
12. LEGAL BASES OF PROCESSING
CAKTO Processes Personal Data strictly in accordance with applicable data protection laws and only where a valid legal basis applies. The legal bases relied upon by CAKTO may vary depending on the nature of the Processing, the relationship with the Data Subject, and the applicable jurisdiction.
The legal bases used by CAKTO include, but are not limited to, the following:
12.1 Consent
CAKTO may Process Personal Data based on the Data Subject’s freely given, informed, and explicit consent, where required by law. This legal basis applies, for example, to:
• Marketing and promotional communications;
• Participation in surveys, research, or optional features; and
• The use of cookies or similar technologies, where consent is required.
Consent may be withdrawn at any time by the Data Subject, free of charge. The withdrawal of consent does not affect the lawfulness of Processing carried out prior to such withdrawal.
12.2 Compliance with Legal or Regulatory Obligations
CAKTO may Process Personal Data where such Processing is necessary to comply with legal or regulatory obligations imposed by applicable laws, including, without limitation:
• Anti-money laundering (AML) and counter-terrorism financing (CTF) regulations;
• Know Your Customer (KYC) requirements;
• Tax, accounting, and financial reporting obligations;
• Retention of transaction, access, and audit logs; and
• Requests from competent regulatory or supervisory authorities.
12.3 Performance of a Contract or Pre-Contractual Measures
CAKTO may Process Personal Data where such Processing is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into a contract. This includes, but is not limited to:
• Account creation and management;
• Payment processing and transaction execution;
• Delivery of digital products and services;
• Customer support and operational communications; and
• Management of subscriptions, refunds, disputes, and chargebacks.
12.4 Exercise of Rights in Judicial, Administrative, or Arbitral Proceedings
CAKTO may Process Personal Data where such Processing is necessary for the establishment, exercise, or defense of legal rights, including in the context of:
• Judicial, administrative, or arbitral proceedings;
• Compliance investigations and audits;
• Dispute resolution, chargeback management, and enforcement of contractual obligations; and
• Prevention and response to fraud, abuse, or unlawful activities.
12.5 Legitimate Interests
CAKTO may Process Personal Data where such Processing is necessary for the purposes of CAKTO’s legitimate interests, provided that such interests are not overridden by the fundamental rights and freedoms of the Data Subject.
Legitimate interests may include, for example:
• Improving and securing CAKTO’s platforms, systems, and services;
• Fraud detection, prevention, and risk management;
• Business analytics, performance monitoring, and service optimization;
• Internal administrative and operational activities; and
• Direct communications regarding similar products or services, where permitted by law.
In all cases where legitimate interest is relied upon, CAKTO conducts an assessment to balance its interests against the rights and reasonable expectations of the Data Subject and provides appropriate safeguards, including opt-out mechanisms where applicable.
d) Provision and operation of services, including enabling access to CAKTO’s platform, processing transactions, managing accounts, and facilitating the use of digital products and services;
e) Customer support and communications, including responding to inquiries, complaints, requests, or operational issues submitted by Users through available communication channels;
f) Security enhancement, including implementing and improving technical, administrative, and organizational measures designed to protect Users, transactions, systems, and data against unauthorized access, misuse, loss, or breaches;
g) Service administration and management, including internal controls, system maintenance, platform monitoring, and operational oversight;
h) Compliance with legal and regulatory obligations, including obligations related to Know Your Customer (KYC), Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), tax reporting, accounting, consumer protection, and other applicable regulatory frameworks;
i) Internal operations, including data analysis, system testing, audits, research, reporting, statistics, and the resolution of technical or operational incidents;
j) Service improvement and optimization, including evaluating usage patterns, performance metrics, and feedback to improve functionality, usability, and overall service quality;
k) Advertising effectiveness analysis, including measuring, analyzing, and understanding the effectiveness of advertising campaigns, where permitted by law, in order to deliver relevant and appropriate communications;
l) Interactive features, enabling Users to participate in interactive functionalities of the platform, where applicable and voluntarily chosen;
m) Provision of related services or offerings, including informing Users about products or services similar to those previously contracted or used, subject to applicable consent and opt-out requirements;
n) Legal proceedings and evidence production, including the establishment, exercise, or defense of legal claims in judicial, administrative, or arbitral proceedings, as well as compliance with lawful requests from competent authorities;
o) Investigations and risk management, including measures to prevent, detect, and combat illegal activities, fraud, financial crimes, and to protect the integrity of CAKTO’s platform, its Users, and the financial system;
p) Marketing and market research, including prospecting, surveys, opinion polls, and analytics, where permitted by law and subject to consent requirements;
q) Account maintenance and updates, including contacting Users to update registration data, comply with legal obligations, or clarify matters related to legal or administrative notifications; and
r) Automated decision-making, including automated processing related to fraud detection, risk assessment, transaction monitoring, and service eligibility, where permitted by law and subject to appropriate safeguards.
All Personal Data provided by Users or collected by CAKTO is treated as confidential and Processed in accordance with applicable data protection laws. CAKTO adopts appropriate technical and administrative measures designed to safeguard Personal Data against unauthorized access, loss, alteration, or unlawful Processing.
Data Subjects may request additional information regarding the Processing of their Personal Data by contacting CAKTO’s Data Protection Officer, in accordance with this Privacy Policy.
7. RETENTION PERIOD OF PERSONAL DATA
CAKTO retains and Processes Personal Data only for the period necessary to fulfill the purposes for which such data was collected, as described in this Privacy Policy, and to comply with applicable legal, contractual, regulatory, and operational obligations.
The duration for which Personal Data is retained may vary depending on the following factors:
a) The nature of the products or services provided, including transactional, contractual, compliance-related, or support-related services;
b) The specific purposes of the Processing, such as fraud prevention, regulatory compliance, dispute resolution, customer support, or service improvement; and
c) Applicable legal, regulatory, and contractual requirements, including retention obligations imposed by financial, tax, consumer protection, anti-money laundering, and data protection laws.
Personal Data will be retained in an identifiable form only for as long as necessary to achieve the lawful purposes outlined above. Thereafter, such data will be securely deleted, destroyed, or anonymized, unless its retention is required or permitted by applicable law.
In particular, Personal Data may be deleted, anonymized, or otherwise rendered inaccessible by CAKTO in the following circumstances:
a) Purpose fulfillment: when the purpose for which the Personal Data was collected or Processed has been fully achieved, and the data is no longer necessary or relevant for such purpose;
b) Consent withdrawal: when the Data Subject withdraws consent, where consent was the applicable legal basis for the Processing, provided that no other legal basis justifies continued retention; and
c) Legal or regulatory determination: when deletion, anonymization, or restriction of Processing is required by a competent authority, court order, or applicable law.
Notwithstanding the foregoing, CAKTO may retain Personal Data for longer periods where necessary to:
Comply with legal or regulatory retention obligations;
Establish, exercise, or defend legal claims;
Fulfill contractual obligations or enforce contractual rights;
Prevent fraud, abuse, or other unlawful activities; or
Comply with requests from competent authorities.
During any extended retention period, CAKTO will restrict the Processing of Personal Data to storage, security, and compliance-related purposes, applying appropriate technical and organizational safeguards to protect such data.
8. RIGHTS OF THE DATA SUBJECT
Subject to the applicable data protection laws and regulations, Data Subjects may be entitled to exercise certain rights in relation to their Personal Data Processed by CAKTO. The availability and scope of these rights may vary depending on the jurisdiction, the nature of the Processing, and the applicable legal basis.
8.1 Right of Access
The Data Subject has the right to request confirmation as to whether CAKTO Processes Personal Data relating to them and, where that is the case, to request access to such Personal Data, including information regarding:
The categories of Personal Data Processed;
The purposes of the Processing;
The categories of recipients to whom the Personal Data has been disclosed or will be disclosed;
The applicable retention periods or the criteria used to determine such periods;
The existence of any automated decision-making processes, where applicable.
Access may be provided electronically, through secure and appropriate means, or in physical format, as reasonably requested by the Data Subject and permitted by applicable law.
8.2 Right to Rectification
The Data Subject has the right to request the correction, updating, or completion of inaccurate, incomplete, or outdated Personal Data Processed by CAKTO, taking into account the purposes of the Processing.
8.3 Right to Erasure, Anonymization or Restriction
Where permitted by applicable law, the Data Subject has the right to request the erasure, anonymization, or restriction of Processing of their Personal Data, particularly when:
The Personal Data is no longer necessary for the purposes for which it was collected or Processed;
The Processing is excessive, unnecessary, or non-compliant with applicable laws;
Consent has been withdrawn and no other legal basis applies; or
The Processing is unlawful.
CAKTO may retain or continue to Process certain Personal Data where retention is required or permitted by law, including for compliance, legal defense, fraud prevention, or enforcement of contractual rights.
8.4 Right to Data Portability
Where applicable and technically feasible, the Data Subject has the right to request the portability of their Personal Data to another service provider or controller, in a structured, commonly used, and machine-readable format, in accordance with applicable regulations and subject to the protection of CAKTO’s commercial, industrial, and intellectual property interests.
8.5 Right to Information on Data Sharing
The Data Subject has the right to request information regarding the public or private entities with whom CAKTO shares their Personal Data, including the nature and purpose of such sharing, subject to legal and contractual confidentiality obligations.
8.6 Right to Information Regarding Consent
Where consent is the applicable legal basis for Processing, the Data Subject has the right to receive clear information regarding:
The option to grant or refuse consent; and
The potential consequences of refusing consent, including limitations on access to certain services or functionalities.
8.7 Right to Withdraw Consent
Where Processing is based on consent, the Data Subject has the right to withdraw such consent at any time, free of charge. Withdrawal of consent shall not affect the lawfulness of Processing carried out prior to the withdrawal and does not prevent Processing based on other lawful grounds.
8.8 Right to Object to Processing
Where Processing is based on legitimate interest or other legal grounds not requiring consent, the Data Subject may object to the Processing of their Personal Data on grounds relating to their particular situation, where permitted by applicable law.
CAKTO will assess the objection and either cease the Processing or demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject, as applicable.
8.9 Right to Lodge a Complaint
The Data Subject has the right to lodge a complaint with the competent data protection authority regarding the Processing of their Personal Data. Notwithstanding this right, CAKTO encourages Data Subjects to contact CAKTO first to allow for clarification and resolution of any concerns.
8.10 Exercise of Rights and Limitations
To exercise any of the rights described herein, the Data Subject may contact CAKTO’s Data Protection Officer through the channel indicated below. CAKTO may request reasonable verification of identity prior to processing the request.
CAKTO will use reasonable efforts to respond to valid requests within the timeframes established by applicable law. Certain requests may be limited or denied where Processing or retention is required to:
Comply with legal or regulatory obligations;
Establish, exercise, or defend legal claims;
Prevent fraud or other unlawful activities;
Ensure the security and integrity of CAKTO’s systems; or
Protect the rights of CAKTO, its Merchants, Consumers, or third parties.
Data Protection Officer (DPO)
Name: Adriano Alves de Miranda Junior
Email: privacy@cakto.com.br
This communication channel is dedicated exclusively to matters related to data protection and Data Subject rights.
9. SHARING OF PERSONAL DATA
CAKTO values the privacy of its Users and Processes Personal Data in accordance with applicable data protection laws and recognized market best practices. Personal Data is shared strictly on a need-to-know basis and only for the purposes described in this Privacy Policy.
9.1 Categories of Recipients
CAKTO may share Personal Data with the following categories of recipients, where necessary and lawful:
a) Companies within CAKTO’s Economic Group, for internal administrative, operational, compliance, security, and business continuity purposes;
b) Service providers, suppliers, contractors, and subcontractors engaged to perform services on CAKTO’s behalf, including but not limited to:
• Payment processing and acquiring services;
• Anti-fraud, risk analysis, chargeback prevention, and dispute management;
• Identity verification, KYC, AML, and compliance services;
• Hosting, cloud infrastructure, data storage, and cybersecurity services;
• Customer support, communication, and operational services;
c) Advertising, marketing, and analytics partners, solely to the extent authorized and in accordance with applicable consent requirements;
d) Search engine, analytics, and performance monitoring providers, for the purpose of improving, optimizing, and securing CAKTO’s digital channels and services.
9.2 Additional Disclosure Circumstances
CAKTO may also disclose Personal Data to third parties under the following circumstances:
a) Corporate transactions, including mergers, acquisitions, reorganizations, corporate restructuring, asset sales, or similar events, where the transfer of Personal Data is necessary for business continuity;
b) Legal and regulatory compliance, including compliance with applicable laws, regulations, court orders, subpoenas, or lawful requests from competent authorities;
c) Contractual obligations, where disclosure is necessary to perform, enforce, or comply with agreements entered into with Users, Merchants, or business partners;
d) Fraud prevention, security, and risk management, including the detection, prevention, and investigation of fraud, financial crimes, chargeback abuse, money laundering, terrorist financing, and other unlawful activities;
e) Protection of rights and interests, to safeguard CAKTO’s legal rights, assets, systems, Merchants, Consumers, and third parties, including in judicial, administrative, or arbitral proceedings;
f) Judicial or administrative orders, when disclosure is required by a court order or a request from legally competent authorities;
g) Financial risk assessment and credit analysis, where permitted by law; and
h) Debt collection and recovery, including engagement with collection agencies or legal representatives, where applicable.
9.3 Safeguards and Confidentiality
Any sharing of Personal Data is limited to the minimum necessary and is carried out under strict contractual, technical, and organizational safeguards designed to ensure confidentiality, integrity, and security.
Where CAKTO engages third-party Processors, such entities are contractually bound to:
Process Personal Data solely in accordance with CAKTO’s documented instructions;
Implement appropriate security measures; and
Comply with applicable data protection laws and confidentiality obligations.
10. INTERNATIONAL TRANSACTIONS AND CROSS-BORDER DATA PROCESSING
Due to the international nature of CAKTO’s operations, its Merchant of Record model, and the global infrastructure required to provide the Services, CAKTO may transfer, store, and Process Personal Data in countries other than the country in which the Data Subject is located.
When Users purchase Products or Services through the Platform, CAKTO acts as the Merchant of Record and processes payments, risk assessments, and compliance activities through acquiring banks, payment processors, and service providers located in multiple jurisdictions. As a result, Personal Data — including, but not limited to, identification data, contact information, payment details, transaction records, and device or usage data — may be transferred to, accessed from, or processed in foreign jurisdictions.
Such international transfers may occur, without limitation, for the following purposes:
a) Performance of internal business operations, including administrative activities, compliance, accounting, auditing, risk management, and customer support;
b) Technical support and troubleshooting, including system maintenance, error analysis, platform monitoring, and service continuity;
c) Data hosting, storage, backup, and processing, including the use of cloud-based infrastructure and geographically distributed data centers;
d) Testing, development, research, analytics, and statistical analysis aimed at improving security, fraud detection, performance, and service quality;
e) Fraud prevention, chargeback management, anti-money laundering (AML), counter-terrorism financing (CTF), sanctions screening, and risk analysis; and
f) Performance of contractual obligations, including the execution of agreements entered into with Buyers, Suppliers, Affiliates, and business partners, as well as the delivery of CAKTO’s Products and Services.
10.1 GDPR and International Transfer Safeguards
For Data Subjects located in the European Economic Area (EEA), the United Kingdom, or other jurisdictions that impose restrictions on international transfers of Personal Data, CAKTO ensures that such transfers are conducted in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.
Where Personal Data is transferred outside the EEA to countries that have not been recognized by the European Commission as providing an adequate level of data protection, CAKTO relies on appropriate legal safeguards, which may include:
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Data processing and data transfer agreements imposing GDPR-equivalent obligations on recipients;
• Transfers to jurisdictions subject to adequacy decisions under applicable law; and
• Additional technical and organizational safeguards designed to protect Personal Data against unauthorized access or misuse.
10.2 Responsibility and Security Measures
CAKTO remains responsible for ensuring that Personal Data transferred internationally is protected in accordance with this Privacy Policy and applicable law. CAKTO requires that all recipients of Personal Data Process such data solely for authorized purposes, in accordance with CAKTO’s documented instructions, contractual obligations, and applicable data protection regulations.
Appropriate technical and organizational measures are implemented to safeguard Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access during international transmission and subsequent Processing.
10.3 Legal Basis for Cross-Border Processing
International transfers and Processing of Personal Data are carried out on lawful bases, which may include the necessity of such Processing for the performance of a contract between the Data Subject and CAKTO, compliance with legal or regulatory obligations, CAKTO’s legitimate interests in operating a secure and global payment platform, or other lawful bases permitted under applicable data protection laws.
By using the Services and purchasing Products or Services through the Platform, you acknowledge and understand that cross-border Processing of Personal Data is an essential and integral part of CAKTO’s Merchant of Record operations.
For further information regarding international data transfers or to exercise your rights under applicable data protection laws, Data Subjects may contact CAKTO’s Data Protection Officer, as set forth in this Privacy Policy.
11. FINAL CONSIDERATIONS
CAKTO reserves the right to amend, update, or revise this Privacy Policy at any time, whether as a result of changes in applicable laws or regulations, updates to technological tools, modifications to business practices, or the introduction of new products, services, or functionalities.
Data Subjects are encouraged to regularly review the most current version of this Privacy Policy. Where changes are deemed material, CAKTO will take reasonable steps to notify Users through appropriate means, which may include notices on its websites or applications, email communications, or notifications displayed upon access to CAKTO’s digital channels, prior to such changes taking effect, where required by applicable law.
Personal Data will always be Processed in accordance with the terms of this Privacy Policy and applicable data protection laws. CAKTO shall not materially reduce the rights granted to Data Subjects under this Policy without a valid legal basis and, where required, the Data Subject’s explicit consent.
If any provision of this Privacy Policy is held to be unlawful, invalid, or unenforceable by a competent court or authority, such provision shall be deemed severed from this Policy, and the remaining provisions shall remain in full force and effect to the maximum extent permitted by law.
CAKTO’s failure to enforce any right or provision of this Privacy Policy shall not constitute a waiver of such right or provision, nor shall it affect CAKTO’s ability to enforce such right or provision at a later time, within the applicable legal time limits.
By accessing or using CAKTO’s services, platforms, or digital channels, Users expressly acknowledge that they have read, understood, and agreed to be bound by the Privacy Policy in effect at the time of such use.
Users who do not agree with the terms of this Privacy Policy should refrain from accessing or using CAKTO’s services. Failure or refusal to provide certain Personal Data may result in the inability to access or use specific services, functionalities, or features offered by CAKTO.
This Privacy Policy shall enter into force on the date of its publication and shall remain valid and effective for an indefinite period, until duly amended or replaced in accordance with its terms.
12. LEGAL BASES OF PROCESSING
CAKTO Processes Personal Data strictly in accordance with applicable data protection laws and only where a valid legal basis applies. The legal bases relied upon by CAKTO may vary depending on the nature of the Processing, the relationship with the Data Subject, and the applicable jurisdiction.
The legal bases used by CAKTO include, but are not limited to, the following:
12.1 Consent
CAKTO may Process Personal Data based on the Data Subject’s freely given, informed, and explicit consent, where required by law. This legal basis applies, for example, to:
Marketing and promotional communications;
Participation in surveys, research, or optional features; and
The use of cookies or similar technologies, where consent is required.
Consent may be withdrawn at any time by the Data Subject, free of charge. The withdrawal of consent does not affect the lawfulness of Processing carried out prior to such withdrawal.
12.2 Compliance with Legal or Regulatory Obligations
CAKTO may Process Personal Data where such Processing is necessary to comply with legal or regulatory obligations imposed by applicable laws, including, without limitation:
Anti-money laundering (AML) and counter-terrorism financing (CTF) regulations;
Know Your Customer (KYC) requirements;
Tax, accounting, and financial reporting obligations;
Retention of transaction, access, and audit logs; and
Requests from competent regulatory or supervisory authorities.
12.3 Performance of a Contract or Pre-Contractual Measures
CAKTO may Process Personal Data where such Processing is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into a contract. This includes, but is not limited to:
Account creation and management;
Payment processing and transaction execution;
Delivery of digital products and services;
Customer support and operational communications; and
Management of subscriptions, refunds, disputes, and chargebacks.
12.4 Exercise of Rights in Judicial, Administrative, or Arbitral Proceedings
CAKTO may Process Personal Data where such Processing is necessary for the establishment, exercise, or defense of legal rights, including in the context of:
Judicial, administrative, or arbitral proceedings;
Compliance investigations and audits;
Dispute resolution, chargeback management, and enforcement of contractual obligations; and
Prevention and response to fraud, abuse, or unlawful activities.
12.5 Legitimate Interests
CAKTO may Process Personal Data where such Processing is necessary for the purposes of CAKTO’s legitimate interests, provided that such interests are not overridden by the fundamental rights and freedoms of the Data Subject.
Legitimate interests may include, for example:
Improving and securing CAKTO’s platforms, systems, and services;
Fraud detection, prevention, and risk management;
Business analytics, performance monitoring, and service optimization;
Internal administrative and operational activities; and
Direct communications regarding similar products or services, where permitted by law.
In all cases where legitimate interest is relied upon, CAKTO conducts an assessment to balance its interests against the rights and reasonable expectations of the Data Subject and provides appropriate safeguards, including opt-out mechanisms where applicable.
