Caixa Caixa

Investor Relations
Menu

Privacy Notice

Privacy Notice

This Privacy Notice explains how CAIXA handles personal data in accordance with the Brazilian General Data Protection Law (LGPD).

By reviewing this Notice, you will understand:

  • how and when CAIXA collects personal data;
  • what types of personal data CAIXA processes;
  • the purposes for which such data is used;
  • with which entities CAIXA may share personal data;
  • your rights as a data subject and how to exercise them.

To better understand the content of this Notice, you may refer to the glossary of key terms provided at the end of the document.

This Notice applies to CAIXA and other companies within the CAIXA Group, except for those that have their own Privacy Notices tailored to their specific products and services.

How CAIXA collects personal data

CAIXA may collect personal data through various means, including:

Directly from you:

  • when opening an account or contracting a banking product or service;
  • when using service channels such as branches, ATMs, lottery units, or banking correspondents;
  • when accessing websites or mobile applications;
  • when using product simulators, such as the mortgage loan simulator;
  • when completing CAIXA forms or registration documents.

From other sources, such as:

  • Credit bureaus, the Brazilian Federal Revenue Service, and the Central Bank of Brazil, for the purpose of validating or supplementing existing registration data;
  • Government agencies, in connection with public services and policies such as the Bolsa Família Program, Unemployment Insurance, and the Worker’s Severance Fund (FGTS).

From devices (mobile phones or computers):

  • through cookies collected during navigation on websites and apps, aimed at improving performance and enabling faster, more personalized browsing.

To learn more about how CAIXA uses cookies and how you can manage or disable them, please refer to the Cookie Notice.

Types of personal data CAIXA uses

The main types of personal data processed by CAIXA include:

  • Registration data: such as name, address, email, date of birth, official identification numbers (e.g., ID, Brazilian Taxpayer Identification Number – CPF, driver’s license, work permit, passport), or civil certificates (e.g., birth, marriage, death);
  • Financial or economic data: such as income, bank account information, or contract numbers;
  • Sensitive personal data: such as health-related information or biometric data (e.g., fingerprints);
  • Third-party data: such as information about partners, legal representatives, or attorneys-in-fact;
  • Other types of personal data: such as geolocation data, user identification data (e.g., login credentials for websites and apps), or cookies.

Purposes for which CAIXA uses personal data

CAIXA processes personal data primarily for the following purposes:

  • To fulfill contractual obligations;
  • To offer financial solutions, products, and services;
  • To provide client support via websites, mobile apps, call centers, or in person;
  • To create or update client records;
  • To respond to inquiries, requests, complaints, or compliments;
  • To verify identity and transaction history in order to prevent unauthorized or illegal activities and combat fraud;
  • To administer public benefits and policies, such as Bolsa Família, Unemployment Insurance, and the FGTS program;
  • To manage, monitor, and analyze risks, including credit risk;
  • To collect overdue debts;
  • To maintain positive and negative credit records;
  • To ensure the safety of clients, employees, partners, and visitors;
  • To manage banking correspondents and lottery outlets;
  • To process lottery prize payments;
  • To conduct property appraisals or monitor construction projects;
  • To sell repossessed movable and immovable assets;
  • To comply with audits and requests from judicial, regulatory, supervisory, and administrative authorities;
  • To comply with court orders and exercise legal rights in judicial, administrative, or arbitration proceedings;
  • To acquire or transfer credit portfolios;
  • To maintain third-party credit operations.

For more specific information regarding the processing of your personal data, you may request a Full Statement through the available customer service channels, as outlined in the section “Your rights as a data subject”.

With whom CAIXA shares personal data

CAIXA may share personal data with public and private entities when necessary to fulfill the purposes described in this Notice.

Key data sharing practices include:

  • With service providers for payment processing, collections, authentication, printing, card issuance, document delivery, and cash transportation, as well as notary offices and other financial institutions;
  • With lottery units, banking correspondents, and other partners to expand customer service channels;
  • With technology, security, and logistics providers to ensure efficient service delivery;
  • With engineering firms for property appraisals or construction project assessments;
  • With real estate and property management companies to administer lease agreements;
  • With airlines, transportation companies, and loyalty program managers to enable product and service usage;
  • With specialized firms for the purchase and sale of credit portfolios;
  • With auction companies for the sale of repossessed assets;
  • With authorities, government agencies, regulators, auditors, actuaries, document custodians, and financial market infrastructure providers to comply with legal and regulatory obligations;
  • With other financial institutions and public agencies to administer public programs such as Bolsa Família, Unemployment Insurance, and FGTS;
  • With credit bureaus to support credit risk management, in accordance with applicable law;
  • With data providers for identity and registration validation;
  • With universities and colleges to operate the Student Financing Fund (FIES);
  • With companies within the CAIXA Group to offer products and services and respond to client requests;
  • With financial institutions participating in Open Finance, subject to client consent;
  • With financial institutions and payment providers to prevent fraud, in accordance with Joint Resolution No. 6 of May 23, 2023, issued by the Central Bank of Brazil and the National Monetary Council.

CAIXA may also transfer personal data internationally to banks, financial institutions, and payment service providers when necessary for business operations such as foreign exchange and international payments.

When sharing personal data with third parties, CAIXA limits the disclosure to only the data strictly necessary for the intended purpose, adhering to high security standards and complying with LGPD requirements.

Retention of personal data

CAIXA retains personal data for a period appropriate to the specific product or service provided.

Even after the data processing ends—such as when an account is closed—CAIXA may retain personal data as permitted by the LGPD, particularly to comply with legal or regulatory obligations.

How CAIXA protects your personal data

At CAIXA, personal data is safeguarded to ensure its appropriate use and compliance with the Brazilian General Data Protection Law (LGPD).

To achieve this, CAIXA employs security tools and technologies, and adheres to industry best practices and standards.

For more information on CAIXA’s privacy and security guidelines, please refer to our  Information Security Policy.

Stay Alert!

CAIXA will only send emails or messages under the following circumstances:

  • You have subscribed to receive information about CAIXA’s products and services;
  • Our Client Service or Ombudsman channels are responding to your inquiries;
  • Services requested by you are being executed;
  • Procedures necessary to fulfill contracts you hold with CAIXA are being carried out.

If you suspect any email, message, or phone call claiming to be from CAIXA, please contact us at 0800 726 0101 or email abuse@caixa.gov.br.

Do your part!

You also play a role in protecting your personal data. Please:

  • Always use official CAIXA channels to communicate;
  • Keep your registration information up to date;
  • Be cautious about the origin of messages and calls claiming to be from CAIXA;
  • Use antivirus software and keep your web browsers updated.

For additional security tips, click here.

Your rights as a data subject

Under the LGPD, you have the following rights:

Confirmation and access

You may request confirmation of whether CAIXA processes your personal data and access such data through:

  • Simplified Statement – provides a summary of the personal data CAIXA holds about you. Delivery is immediate.
  • Detailed Statement – includes the data held, purposes of processing, and other relevant information. Delivery within 15 days of request.

Correction of inaccurate or outdated data

You may request corrections to your personal data via:

  • CAIXA App and Internet Banking – update phone number, email, address, assets, and income;
  • ATMs – update address and phone number;
  • Customer Service (Alô CAIXA) – update mobile number;
  • Branches or Service Points – update personal and sensitive data.

Anonymization, blocking or deletion

You may request anonymization, blocking, or deletion of personal data if it is unnecessary, excessive, or processed in violation of the LGPD. Note: Some requests may be denied due to legal, regulatory, or contractual obligations.

Information on data sharing

You may request a list of public and private entities with which CAIXA has shared your personal data. See Section 4 of this Notice for more details.

Data portability

You may request a Simplified Statement to transfer your personal data to another product or service provider.

Review of automated decisions

You may request a review of decisions made solely through automated processing that affect your interests.

Consent-related rights

When consent is required for data processing, you will be informed of your options and the consequences of not providing consent.

If you have already given consent, you may:

  • Revoke it at any time;
  • Request deletion of data processed based on consent, subject to legal exceptions.

Right to object

You may object to the processing of your personal data when it is based on legal grounds that do not require consent, provided there is a violation of the LGPD.

How to exercise your rights

You may exercise your rights through the following channels:

  • Contact Us;
  • Branches;
  • Client Service (SAC): 0800 726 0101;
  • Ombudsman: 0800 725 7474 (final instance for unresolved issues).

Processing of children’s and adolescents’ data

When processing personal data of children and adolescents, CAIXA ensures that it serves the best interests of the minor and complies with LGPD requirements.

Glossary of key terms used in this Notice

Anonymization

Refers to the process by which personal data is rendered incapable of being linked, directly or indirectly, to an individual, using reasonable and available technical means at the time of processing. Once anonymized, the data is no longer considered personal data under the LGPD.

Consent

A freely given, informed, and unambiguous indication by which the data subject agrees to the processing of their personal data for a specific purpose. In addition to consent, the LGPD allows data processing under other legal bases, such as the performance of a contract.

Cookies

Small files stored on a computer or mobile device during navigation on websites or apps. For more information, refer to CAIXA’s Cookie Notice.

Personal data

Any information that identifies or can be used to identify an individual, such as name, government-issued ID numbers (e.g., ID, Brazilian Taxpayer Identification Number – CPF), address, geolocation data, or IP address.

Sensitive personal data

Personal data related to racial or ethnic origin, religious beliefs, political opinions, union membership, or affiliation with religious, philosophical, or political organizations; data concerning health or sexual life; genetic or biometric data, when linked to a natural person.

Brazilian General Data Protection Law (LGDP) – Law No. 13,709 of August 14, 2018

The Brazilian legislation governing the processing of personal data. It sets out the principles and obligations for individuals, companies, and government entities that process personal data, and defines the rights of data subjects.

Processing of personal data

Any operation performed on personal data, including collection, access, use, processing, storage, and deletion.

Automated processing of personal data

Operations carried out on personal data without human intervention, using computer systems.

Data subject

The natural person to whom the personal data refers. In this Notice, data subjects include clients, beneficiaries of social programs, or any individual interacting with CAIXA.

Questions about this Privacy Notice

You may contact CAIXA’s Data Protection Officer, Jardel Luis Carpes, by emailing encarregado.lgpd@caixa.gov.br.

This Notice will be reviewed periodically and updated whenever there are significant changes in the processing of personal data or as deemed necessary by CAIXA.

Last updated: September 23, 2024