Data Privacy Policy

Review History

Version | Date of Review | History
1 | 06/26/2015 | Elaboration of Document.
2 | 07/07/2017 | Inclusion of item IV. Concepts and Acronyms, Legal Executive Board in V. Responsibilities and subitem 1.1.10 of VI. Guidelines.


I. Purpose
Provide guidance on the rules applicable to preserving the privacy of customer data to which Cielo has access in the performance of its activities, stipulating the conditions applicable to its use, its availability to third parties and security measures.

II. Scope
All Management (officers, statutory or not, members of the Board of Directors, members of the Fiscal Council, members of the Advisory Committees and other managers) and employees of Cielo and its direct or indirect subsidiaries, as well as service providers and/or suppliers having access to the Company’s customers’ data.

III. Complementary Documentation

  • Cielo’s Code of Ethics
  • Article 5 of Federal Constitution of 1988
  • Complementary Law No. 105/2001 – Confidentiality
  • Agreement for Accreditation to Cielo System
  • In-company rules are continuously improved, approved by appropriate authorities and made available to all employees.

IV. Concepts and Acronyms
Privacy: The right to maintain and control information or a set of information, whereby the customer may decide when, why and by whom these data may be obtained and used.

V. Responsibilities

  • Management, employees and third parties:
    – Observe and ensure compliance with this Policy and, when deemed necessary, consult the area in charge about situations that conflict with this Policy or when the situations described in it occur.
  • Prevention and Security Executive Board – Information Security:
    – Keep this Policy updated, so as to ensure that any regulatory/legal amendments to the guidelines and general rules set forth herein are observed; and
    – Clarify doubts related to this Policy and its application.
  • Legal Executive Board:
    – Clarify doubts related to applicable laws and regulations.

VI. Guidelines

1. Information subject to this Policy

1.1. This Policy applies to information collected as part of the accreditation services provided by Cielo to its clients in the acceptance of electronic forms of payment, including the capture, transport, information processing and settlement of transactions, as well as the offering of other related services and products.

1.2. As to its nature, information may be classified into two groups:

1.1.1. Information provided by customer: information deriving from customer’s registration with Cielo, such as personal information, name, corporate taxpayer’s register (CNPJ)/individual taxpayer’s register (CPF), banking information, e-mail address and telephone number.

1.1.2. Information collected from customer’s use of our services: This is the information related to the use of electronic means of payment, captured by Cielo and conveyed and/or shared with third parties within the context and limit required to process and settle electronic payment transactions or to convey information related to non-financial transactions, which are the purpose of the services rendered by the Company.

1.3. Specific privacy practices in relation to other products and services the Company may make available to its customers will be available on Cielo’s website or provided together with each product’s acceptance by the customer or third party.

2. Use of information collected

2.1. The information will be collected by ethical and legal means and kept according to strict security and confidentiality standards. Cielo undertakes to take all reasonable measures to maintain the absolute secrecy and strict confidentiality of all information, data or specifications to which it has access, or of which it may become aware, concerning its customers’ transactions, holders, card information and means of payment, as well as individuals directly related to customers, to which it has access due to the rendering of services by Cielo (i.e., capture, transportation, processing of information and settlement of transactions, amongst other services). Cielo is forbidden to assign this information and/or allow third parties to access it, except in the cases described in this Data Privacy Policy.

2.2. Third parties’ access to information collected by Cielo occurs only within the limit necessary to perform the activities related to the ordinary course of their businesses, including, but not limited to:

2.2.1. Payment arrangement institutions and members of these arrangements;
2.2.2. Electronic funds transfer networks;
2.2.3. Clearance and settlement banks;
2.2.4. Service providers carrying out business transactions and/or processing information to Cielo;
2.2.5. Marketing area partners;
2.2.6. Independent auditors;
2.2.7. Collection agencies, credit protection services and similar;
2.2.8. Competent regulatory agencies.

2.3. The use of information collected by Cielo, in any of the cases provided for in item 1 above, occurs only for the performance of Cielo’s activities or to offer the customer specific content derived from the use of information, anonymously or on an aggregate basis, concerning its area of activity.

2.4. Cielo may share information that is not personally identifiable, on an aggregate basis, publicly and with our partners. For instance, we may share public information to show trends in the overall use of our products and services.

2.5. Whenever authorization to use customer’s proprietary information is required for purposes other than those defined herein, Cielo will inform the customer or third party and will request the express consent of the respective holders for the use of the information.

3. Relationships with third parties

3.1. Cielo requires all third parties who have access to its information, or to information owned by third parties to which Cielo has access due to the performance of its activity, to keep the information provided to them confidential and to use it solely for the purposes expressly allowed. However, Cielo is not responsible for the misuse of information by these partners and employees in non-compliance with this Data Privacy Policy and with the contractual obligations assumed by the recipients of the information with Cielo under their own instruments.

4. Information security

4.1. To secure the information provided by customers, Cielo has physical, consistent, technical and administrative security processes compatible with the sensitivity of the information collected, the efficiency of which is periodically assessed by independent auditors. Cielo implements new procedures and continued technological improvements to protect customers’ confidential information. Notwithstanding the security measures adopted, Cielo is not responsible for damages resulting from the breach of confidentiality of information due to the occurrence of any fact or situation not attributable to Cielo.

5. Cooperation with regulators

5.1. Where customers’ information must be released in order to comply with laws, a court order or a competent authority inspecting the activities developed by Cielo and/or third parties, this information shall be revealed only in the strict terms and within the limits required for its disclosure, and the holders of the information shall, to the extent possible, be notified of such obligation so that they may take the appropriate protective or remedial measures.

6. Alterations
Employees, suppliers or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Ethics Channel (0800 775 0808), and may identify themselves or not.
Internally, failure to comply with the guidelines of this Policy entails the application of measures to hold accountable the agents who do not comply with this Policy, according to the seriousness of the non-compliance.

VII. Consequence Management
Employees, suppliers and other stakeholders who observe any deviations from the guidelines of this Policy may report them through the Ethics Channel (0800 775 0808), anonymously, if they wish.
Internally, noncompliance with the guidelines of this Policy will result in consequence management actions that may range from guidance on how to cancel, or at least minimize, any problems created, up to the dismissal of those responsible.

VIII. General Provisions
It shall be incumbent upon the Company’s Board of Directors to amend this Policy whenever it deems necessary.
This Policy shall take effect on the date of its approval by the Board of Directors and revokes any rules and procedures contrary thereto.