World Foundation Biometric Data Consent Form

You cannot provide your biometric information at the Orb without reading the full disclosure and signing the consent form. You cannot provide your biometric information at the Orb if you are a resident of the state of Illinois, Texas, or Washington or the cities of Portland, Oregon or Baltimore, Maryland.

We are excited that you have decided to expand your participation in the World community! World is an open-source protocol, supported by a global community of developers, individuals, and other contributors. Privacy is in our company’s DNA. We provide a proof of uniqueness and humanness (Proof of Personhood) that requires as little data as possible. No passport, no official documents are required. We do not even want to know your name.

The World Foundation (“Foundation”, “we”, “our”, or “us”) is the steward of the World protocol. Our processing (collection, use, storage, disclosure, and deletion) of your personal data is governed by two documents: the Privacy Notice and this Biometric Data Consent Form. The Privacy Notice covers data collected via our website, application, and other services, while this Biometric Data Consent Form describes how we process your biometric data collected through our Orb device. These documents work together, and both are important for understanding how your privacy is affected by participating in the World project. The Privacy Notice and this Biometric Data Consent Form are incorporated into and governed by the User Terms and Conditions.

Further, we have a privacy by default and by design approach to all jurisdictions where we launch World. We perform prior extensive assessment to local privacy laws before launch and we make our best efforts to be locally compliant even though World is a worldwide project. We will also only use your data for the purposes stated below in Section 2.2 (and Section 3.4 if Data Custody is available in your jurisdiction and you enable it), even if the data privacy laws in your country would not otherwise limit how we use your data.

This Biometric Data Consent Form is comprised of four parts:

1. Background on the World project;

2. Consent to processing of biometric data;

3. Enabling Data Custody; and

4. Data subject rights.

1. Background.

1.1 The World Project.

World is an open source protocol, or system, created to help give everyone access to the global economy. It’s designed to be decentralized, meaning that ultimately its supervision and decision making will rest with its global community of users. Importantly, World, through World ID, can play an important role in demonstrating humanness in an online world populated with increasingly advanced artificial intelligence. World ID verification is free, private and open to every human over the age of 18.

1.2 The Orb.

To implement secure verification, we have developed a proprietary device called the Orb. It confirms you are a “unique human” without requiring you to provide any identity documentation or other information about who you are. The Orb captures a series of high-resolution images of your eyes (specifically, your irises) and face (both your head and shoulders).

1.3. The Controller.

We are the Data Controller of your images and biometric data collected through our Orb: Suite 3119, 9 Forum Lane, Camana Bay, PO Box 144, George Town, Grand Cayman KY1-9006, Cayman Islands. The World Foundation maintains a sole establishment in the European Union in order to enable this data processing without data transfers to the Cayman Islands.

1.4 Risks of Processing Biometric Data.

The data we collect (described above) may or may not be considered personal data or biometric data depending on the applicable laws where you live. However, when it comes to security, we treat them as biometric data and handle them with extra security and care. In this context it is important to be informed about the risks of processing biometric data. Please note that the following is only a high level description of risks associated with the processing of biometric data and not a complete list.

Biometric data is unique to you and immutable. That means that if biometric data is linked to other data the other data can be clearly linked back to you. To prevent this and minimize this risk, we use Zero Knowledge Proofs to ensure that your biometric data is delinked from your World App account, your use of World ID and your transactional wallet.

The particular risks of biometric can realize in the following instances that we try to prevent in the following ways:

• Biometric data can leak due to a cyber attack. We prevent this by above industry standard cybersecurity measures.

• Biometric data can be requested by a government. We prevent this by committing ourselves to challenge any unproportionate and undue requests of governments.

• Biometric data can be abused by the data controller. We prevent this by having the Foundation committed to its non-profit purpose of the World project in its memorandum of association.

2. Consent to the Processing of Biometric Data.

2.1 Data We Collect.

With your consent, we collect the following biometric and personal data using the Orb:

• Images of your irises and your eyes. These images are collected in the visible and near-infrared spectrum. As described in Section 2.3, below, the algorithm is not perfect and may make mistakes, such as erroneously determining that you have already signed up at an Orb.

• Images of your face. These images are also collected in the visible, near-infrared, and far-infrared spectrum. We also collect (3D) depth images. The images are used to confirm you are a living human being, and therefore help detect and prevent fraud, and train the fraud prevention algorithm (together these facial images and the iris images are referred to as “Image Data”).

• Derivatives of the above data. We use complex state of the art algorithms and our own neural networks to create numerical representations (“Derivatives”) of the above images to enable machine comparisons and interactions between them. These derivatives are strings of numbers (e.g., “10111011100…”) that entail features of the images. It is not possible to fully reverse the Derivatives to the original image. Most importantly, we use our custom version of the Daugman Algorithm to calculate such a string of numbers from the iris image (“Iris Code”). We further anonymize this Iris Code to SMPC fragments to ensure that users can only sign-up once.

Important! We are collecting the Image Data to determine whether you are a unique human. In other words, the system is designed to confirm that you are a real human (liveness) and that this is the first time you have visited an Orb (uniqueness). We do not use the Image Data to know who you are (identification).

We anonymize your iris code by breaking it up in fragments stored by trusted parties to a multi party computation. Further information on this can be found here: https://world.org/blog/announcements/worldcoin-foundation-unveils-new-smpc-system-deletes-old-iris-codes

The data we collect (described above) may or may not be considered personal data or biometric data depending on the applicable laws where you live. However, when it comes to security, we treat them as biometric data and handle them with extra security and care. The legal basis to collect the Image Data is your explicit consent. The legal basis to calculate derivatives of the Image Data (like the Iris Code) and anonymize them to actively compare them against our database is your explicit consent.

2.2 What We Do with This Data.

With your consent, we use the above data for the following purposes only (unless you enable Data Custody, described below):

• Calculating Iris Codes;

• Comparing your Iris Code against other Iris Codes; and

• Security and fraud prevention. This includes:

  • Detecting whether a user is a living human being which includes checking whether the detected faces temperature matches the range of normal human body temperatures;

  • Detecting whether a signup shows an unaltered, unobstructed, natural human iris which includes checking whether the face changes during the sign-up; and

  • Detecting whether the person has already appeared in front of the Orb which includes processing locally stored Derivatives of face images.

All calculations of the derivatives take place locally on the Orb.

We do not share the images or derivatives of the images with anyone not working on the World project and not for other purposes than those described above.

2.3 Accuracy.

Our software uses probabilities to determine whether you have signed up at an Orb before. It is not perfect. As a result, it may mistakenly conclude that you have already signed up at an Orb before. At this time, we do not have a way for users to report suspected errors or to contest the algorithm’s determinations. By agreeing to this Biometric Data Consent Form, you provide your consent to this automated decision making.

2.4 Consent to this Biometric Data Consent Form is Not Required to Participate in World.

You do not have to agree to this Biometric Data Consent Form in order to take part in World. You can still create an account and establish a World wallet without providing this consent, though you will still need to agree to the World User Terms and Conditions and read and acknowledge our Privacy Notice. Further, if you choose not to agree to this Biometric Data Consent Form, then you will not be able to participate in certain aspects of World, such as establishing a unique Proof of Personhood.

2.5 Withdrawing your Consent

You can exercise your data subject rights which might include withdrawing your consent by contacting us at:

The World Request Portal, or by writing to World Foundation, Suite 3119, 9 Forum Lane, Camana Bay, PO Box 144, George Town, Grand Cayman KY1-9006, Cayman Islands.

If you withdraw your consent, then we will no longer use your data for the purposes stated above, but all prior actions performed with your consent while it was still active will remain valid. Processing that is not based on consent like storing iris codes is not affected by the withdrawal of consent.

3. Enabling Data Custody.

Please note that Data Custody may be disabled in some jurisdictions due to regulatory requirements. Please check the Addenda section below to confirm if this option is available for you.

3.1 Current Status of the World Project

To improve the accuracy of the system’s eligibility determinations, we need to continue training our algorithm software. “Training” means using images from real people like you to help the software “learn” to distinguish humans from non-humans and differentiate one person from everyone else. As the software is trained and gets better, we will update it from time to time. When that happens, we may need to re-verify your unique digital identity, which would require using your Image Data again.

3.2 Data Custody.

If you consent to this Biometric Data Consent Form, in the App you will be asked to “Enable Data Custody.” If you choose to opt into (optional) Data Custody, you will allow us to:

1. Hold onto Image Data and Derivatives collected and calculated by the Orb;

2. Send the Image Data to our teams in the European Union and the United States; and

3. Use the Image Data to continue developing and improving the software, as described below.

4. Label your Image Data with the perceived and approximated gender, age range, and skin color to train on algorithmic fairness in light of the diversity in the world.

This will likely help you avoid some inconvenience because, if we have your Image Data, then you will not need to return to an Orb to re-verify your digital identity when we update the software. It will also help us because we can then use your Image Data to make the system better and bring World to the world faster. Again, you are not required to Enable Data Custody, but doing so may help you and us, and so is greatly appreciated.

3.3 Data We Collect When You Enable Data Custody.

With your consent to the Biometric Data Consent Form, we collect Image Data images of your irises and images of your face, as described in Section II.1 above. The Image Data we collect does not change if you agree to Data Custody.

3.4 What We Do With the Data When You Enable Data Custody.

When you agree to the Biometric Data Consent Form, we use the above data for the purposes described in Section 2.2. When you also enable Data Custody, we use the data for the following additional purposes:

• Automatically upgrade your Iris Code in the event we update our the algorithm that calculates Iris Codes;

• Optimizing and improving the Iris Code and Derivatives calculation;

• Labeling the collected data;

• Using data to train and select labeling staff;

• Developing and training algorithms to recognize, segment and differentiate among images of human irises and faces;

• Test the algorithms against the human labeled results;

• Detecting and removing bias from our algorithms (such as training on algorithmic fairness by labeling the approximated gender, age range, and skin color);

• Developing, training, and testing a system to detect whether a user is a human presenting a real human eye and whether a signup is valid;

• Developing, training, and testing models that use artificial iris images for further training of algorithms;

• Developing, training, and testing models that improve the Orb performance and user experience; and

• Training and evaluating personnel who work on these systems.

We will never sell your data. We will also not use any data listed in this form to track you or to advertise third parties’ products to you.

4. Whom We Share the Data With

When we share your data outside of our organization, we will always:

• Share it in a secure way;

• Take steps to ensure that it is handled in a manner that is consistent with our commitment to your privacy; and

• Prohibit other companies from using it for their own purposes.

We do share your data in these limited ways:

• With Tools for Humanity: We only disclose data to one of our service providers, Tools for Humanity, and their team members who require access in order to perform their tasks and duties. We only disclose as much data as is needed to perform specific tasks and duties and have a system of strict access control.

5. Transfer of Data, including Possible Risks.

When you enable Data Custody, and therefore consent and agree to us to use your data for the purposes described above in Section 3.4, we generally send the data to our Research and Development (“R&D”) teams, and this may result in your data being transferred outside of the country where it was collected. These teams are currently located in the European Union and the United States. Our Privacy Notice explains how we protect and comply with cross-border data transfer laws. Section 6 of the Privacy Notice laid out the risks related to such cross-border data transfer.

With your consent we store the Image Data in regional buckets in the EU, the US, Brazil, India, Singapore, and South Africa. If you sign up in these jurisdictions your data will be stored there. If you sign-up in other countries your Image Data is stored in one of the buckets based on latency and availability of the network. For example:

• If you sign up in the EEA, Switzerland or the UK, then your Image Data is stored in the EU.

• If you sign up in Kenya, Uganda, Ghana, or Nigeria, then your Image Data may be stored in South Africa or in the EU, depending on the latency at the time of your sign-up.

• If you sign up in Indonesia, then your Image Data may be stored in Singapore or in India, depending on the latency at the time of your sign-up.

• If you sign up in Mexico, then your Image Data may be stored in the US or in Brazil, depending on the latency at the time of your sign-up.

• If you sign up in Chile, Argentina, or Columbia, then your Image Data is likely stored in Brazil.

For Machine Learning purposes all Image Data will then be further transferred and stored in the European Union and the United States.

Below is a list of possible risks that may arise if we transfer your data to the United States, the European Union, or another country. Below we also summarize how we mitigate the respective risks.

• While we do what we can to ensure that our processors or (i.e. “subcontractors”) are contractually obligated to adequately protect your data, these subcontractors may not be subject to the data privacy law of your country. If the subcontractors were to illegally process your data without authorization, then it may be difficult to assert your privacy rights against that subcontractor. We mitigate this risk by having strict data processing agreements with our subcontractors that oblige them to protect the data at a level similar to GDPR level and to fulfill subjects’ requests.

• It’s possible that the data privacy law in your country is inconsistent with the data privacy laws in the U.S. or in the E.U. We always try to adhere to the highest standard of data protection we are subject to. So far, we found this to be GDPR and are treating all data as if it were governed by GDPR.

• It may be possible that your data will be subject to governmental access of officials and authorities. In those cases we have committed ourselves to challenge any invalid, overbroad, or unlawful governmental request to access in court. We further use advanced encryption to hinder unauthorized access.

Please note that this list contains examples, but may not include all possible risk factors.

We will not sell, lease, trade, or otherwise profit from your biometric data.

6. Retention of Data.

If you do not opt in for Data Custody, we will delete your image data shortly after the sign-up. The same is the case for the Data-Bundle you can download for Self-Custody. Iris codes are only stored in an anonymized way. Users can exercise their data subject rights in this portal: https://world.org/requestportal.The following only applies to Data Custody users: We will retain the Data Custody Image Data until the development and improvement of the algorithm has concluded or as required by law or regulation. In any case, we will delete the Image Data upon your request. Additionally, we commit ourselves to delete all Image Data after a maximum of ten years after collection albeit the development of the algorithm and the concomitant deletion of all Image Data will very likely be concluded earlier.

7. Self Custody and Reauthentication (subject to availability in selected jurisdictions)

Where self custody is available, we are sending the images of your face and your eyes and any derivatives of those calculated on the Orb (Data-Bundle) to your phone in an end-to-end encrypted manner (this means we cannot read the data).

We are permanently deleting the Data-Bundle (apart from the iris code) from our systems after sending the Data-Bundle to your phone (at latest we delete this data after one month in cases where e.g. the download failed). For Self Custody, we are processing the following data for the following purposes:

• A picture of your face is taken with your phone (selfie) and converted into a Derivative (Face Template). This Face Template designed for 1:1 comparison allows you to prove that you are the rightful holder of a World ID which might be required by some use cases of World ID in the future. This can help prevent someone else from using your World ID. You will be asked for your consent each time before such a face authentication takes place.

• Allow you a delayed opt-in to Data-Custody and potentially other features, where your data will be sent to a server or database if you choose to do so. You will be asked for your consent before such a delayed Data-Custody opt-in takes place.

8. Data Security and Data Protection Impact Assessments

We have conducted a data protection impact assessment that concludes that the data processing is proportionate and compliant. The key findings and a summary of this document can be found published here. The personal data is protected under the following measures:

• Several factor authentication for all services in internal IT infrastructure

• TLS transfers, encryption at rest, second layers of encryption, decryption keys stored on separate hardware.

• We separate biometric data from other user data, different servers (even different AWS accounts), links between databases are actively removed.

• Strict logging of all internal activity on servers that store biometric data any suspicious activity is immediately flagged.

• Access right control and access right removal (access on need to know basis)

• Internal biometric data processing policy modeled after the Red Cross’s biometric policy.

9. Your Rights

Depending on your jurisdiction, you are usually entitled to certain rights regarding your data. Please read the information below jointly with the Addenda section to know the rights you are entitled to according to your jurisdiction.

These rights apply insofar as we can identify the requestor in our database and insofar as we do not violate other data subject's rights by exercising the requestor’s rights:

• You have the right to obtain from us at any time upon request information about the personal data we process concerning you. You have the right to receive from us the personal data concerning you.

• You have the right to demand that we immediately correct the personal data concerning you if it is incorrect.

• You have the right to demand that we delete the personal data concerning you. These prerequisites provide in particular for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, provided the requirements for deletion under the applicable laws are given (e.g. several jurisdiction’s laws oblige us to retain transaction information for a certain time period)

• You have the right to freely withdraw your consent to any data processing based on consent or to object to the data processing if it is not based on consent.

10. Addenda

In the following, several addenda provide legally required information for the respective markets we operate in. This information forms part of the consent depending on the region the data subject resides in. This information might differ from your location’s information because we block certain services in certain jurisdictions. In case of any inconsistency with the above the more special statement about the particular jurisdiction below prevails:

Please note that the reference to a specific jurisdiction does not mean the World protocol is already available in that jurisdiction, no such reference provides any warranties it will be available soon. The inclusion of specific jurisdictions forms part of World comprehensive ongoing legal assessment of different jurisdictions worldwide and shall be qualified as a work in progress.

ADDENDUM A: EUROPEAN ECONOMIC AREA AND UK

If you are in the European Economic Area or the United Kingdom (“UK”) the following applies to you:

Data Custody Option: available

Self-Custody Feature: available once announced and live.

You have at least the following rights. To exercise your rights available under GDPR, please contact us at our Request Portal. Apart from exceptional cases, we will resolve your request within the statutory deadline of one month. The use of the word GDPR in the following section also entails the UK-GDPR. The use of the word GDPR in the following section also entails the UK-GDPR transposed into UK national law as the UK Data Protection Act of 2018 and retained as part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).

• You have the right to obtain from us at any time upon request information about the personal data we process concerning you within the scope of Art. 15 GDPR.

• You have the right to demand that we immediately correct the personal data concerning you if it is incorrect.

• You have the right, under the conditions described in Art. 17 GDPR, to demand that we delete the personal data concerning you. These prerequisites provide in particular for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject.

• You have the right to demand that we restrict processing in accordance with Art. 18 GDPR.

• You have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Art. 20 GDPR.

• You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out, inter alia, on the basis of Article 6 (1) sentence 1 lit. f GDPR, in accordance with Article 21 GDPR.

• You have the right to contact the competent supervisory authority in the event of complaints about the data processing carried out by the controller. The responsible supervisory authority is: the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutz). In the UK the competent supervisory authority is the Information Commissioner’s Office (ICO).

If the processing of personal data is based on your consent, you are entitled under Art. 7 GDPR to revoke your consent to the use of your personal data at any time with effect for the future, whereby the revocation is just as easy to declare as the consent itself. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

ADDENDUM B: JAPAN

If you reside in Japan, additionally, the following applies to you:

After processing your biometric data to create the Iris Code we are not processing any further personal data from the Orb processing.

Data Custody Option: available

Self-Custody Feature: available.

B1: Information Regarding the Japanese Regulations

We comply with Japanese laws and regulations, including the Act on the Protection of Personal Information of Japan (“APPI”). This section applies to our handling of “personal information” as defined in the APPI in precedence to the other portions of this Biometric Data Consent Form

B2: Data Sharing

Notwithstanding Section 4 of this Biometric Data Consent Form, unless otherwise permitted by applicable laws, we do not disclose, sell, provide, share, or transfer your personal information to any third party.

B3: Security Control Measures

In regard to Sections 6 through Section 8 of this Biometric Data Consent Form, we take necessary and appropriate measures to prevent any leakage or loss of, or damage to, your personal information being handled, and to otherwise maintain the security of personal information, such as by establishing rules for the handling of personal information, regular monitoring of the handling of personal information, regular training of employees in the handling of personal information, prevention of theft or loss of equipment used to handle personal information, and implementation of access controls. We also appropriately supervise our contractors and employees who handle personal information. You can obtain further details about the security control measures in place in relation to the handling of your personal information by contacting us at our Request Portal.

B4: The Statutory Rights under APPI

To exercise your rights provided under the APPI please contact us at our Request Portal

ADDENDUM C: ARGENTINA

If you are domiciled in the Argentine Republic, the following applies to you:

Data Custody Option: available

Self-Custody Feature: available once announced and live.

We inform you that the AGENCY OF ACCESS TO PUBLIC INFORMATION, in its capacity as Control Agency of Law No. 25,326, has the power to hear complaints and claims filed by those whose rights are affected by non-compliance with the rules in force regarding personal data protection.

The Agency can be contacted as follows:

Address: Av. Pte. Gral. Julio A. Roca 710, 5th floor - Autonomous City of Buenos Aires

Postal Code: C1067ABP

Phone number: (54-11) 3988-3968

E-mail: [email protected]

ADDENDUM D: SINGAPORE

If you are a resident of Singapore the following applies to you:

Data Custody Option: available

Self-Custody Feature: available once announced and live.

D1. Collection, use and disclosure of your personal data

If you are a resident of Singapore and with your consent, we will collect, use or otherwise disclose your personal data for each of the purposes as set out in our privacy notice. You may exercise your right to withdraw your consent at any time, but please note that we may not be able to continue providing our services to you depending on the nature and scope of your request. Please also note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

D2. Exercise of your data subject rights

You may control the personal data that we have collected and exercise any of the rights by contacting us at our Request Portal. We aim to respond to your request as soon as we can, typically within 30 days. We will inform you in advance if we are not able to respond to your request within 30 days, or if we are not able to fulfill your request and the reasons.

Where permitted by law, we may charge you an administrative fee to fulfill your request.

D3. Transfer of your personal data to other countries

If you are a resident of Singapore and we have collected your data, we may also transfer your data outside of Singapore from time to time. However, we will always ensure your personal data continues to receive a standard of protection that is at least comparable to that provided under the Singapore Personal Data Protection Act 2012[, such as through the use of ASEAN Model Contractual Clauses].

ADDENDUM E – SOUTH KOREA

If you are a resident of South Korea, the following applies to you.

The Iris Code is considered to be anonymized data under South Korean law. After processing your biometric data -(which does not leave the Orb) to create the Iris Code we are not accessing or otherwise processing any further personal data from the Orb.

Data Custody Option: not available

Self-Custody Feature: not available.

ADDENDUM F - BRAZIL

If you reside in Brazil, if your personal data was collected in Brazil, or if you use our services in Brazil, the following applies to you.

The Iris Code is considered to be anonymized data under the Law No. 13,709/2018 (General Data Protection Law, or “LGPD”). After processing your biometric data to create the Iris Code, we no longer process any further personal data from the Orb registration.

Data Custody Option: available

Self-Custody Feature: available once announced and live.

F1. Biometric Data

Under the LGPD, biometric data is considered sensitive personal information. We will only process this data if you provide us with explicit, specific consent for clearly defined purposes. In certain circumstances, we may process your biometric data without your consent when it's absolutely necessary, such as to comply with legal or regulatory obligations, exercise our rights (including in contracts or legal proceedings), or to prevent fraud and protect the integrity of the data subject.

We employ advanced security measures and techniques to safeguard your personal information, including encryption and anonymization to ensure that your sensitive data is protected and cannot be associated with an individual, as the case may be.

We also aggregate data, combining large datasets to remove individual identifiers or references to a single individual. We use anonymized data or aggregated data for our commercial purpose, such as help us understand user behavior and necessity, improve our services, conduct activities of business intelligence and marketing, detect security threats, and train our algorithms. We also process your biometric data for custody of your personal information, authentication, and creating the Iris Code.

We will only use your biometric data for the purposes mentioned above if you provide us with explicit, specific consent through this Biometric Data Consent Form.

By opting for Self-Custody or Data Custody, as outlined in this Biometric Data Consent Form, your biometric data will be stored on your device. In this case, you must adopt additional safeguards to ensure the security of your biometric data stored on your device, as we do not have access or control over your device's storage system outside of our World App

F.2 International Transfer of Your Personal Data

If the LGPD applies to you, and we have collected your personal data, we may also transfer it outside of the country. However, we will always ensure that your personal data is only transferred to foreign countries or international organizations that provide a level of protection adequate to that provided for in the LGPD, as recognized in adequacy decisions issued by the ANPD. In the absence of an adequacy decision, we will continue to follow a standard of protection that is at least equivalent to that provided for in the LGPD using Standard Contractual Clauses established in the ANPD's regulations or when we obtain your specific and highlighted consent for the international transfer.

WFDCF20241112