Privacy Policy

1. Introduction and Scope

Pagos Cube LLC, a Wyoming limited liability company herein referred as “Bloque” (“Pagos Cube,” “Bloque,” “we,” “our,” or “us”), operates the website located at https://www.bloque.app and any related subdomains, sub-sites, and associated web properties operated by or on behalf of Pagos Cube LLC, including, without limitation, https://quote.bloque.app, https://docs.bloque.app, https://app.bloque.app, https://blog.bloque.app, and https://status.bloque.app (collectively, the “Site”), and provides programmable financial-infrastructure products and services (collectively, the “Services”), including, without limitation, the Bloque SDK, the Bloque Pay product, the Bloque MCP Server, the Bloque CLI, the Bloque macOS application, and related developer, sandbox, and integration offerings.

This Privacy Policy describes how we collect, use, disclose, transfer, retain, and otherwise process personal information in connection with:

1. your visit to and use of the Site;
2. your submission of forms on the Site, including, without limitation, the quotation-request form, contact forms, newsletter sign-up forms, careers forms, and beta-program forms;
3. your registration for, access to, and use of any developer, sandbox, or production account that we may make available to you;
4. your participation, or the participation of individuals affiliated with your organization, in the onboarding, identity-verification (KYC/KYB), sanctions-screening, and underwriting processes required to access the Services;
5. your initiation or receipt of payments, transfers, card transactions, and other financial operations through the Services;
6. your communications with us by e-mail, telephone, video call, chat, ticketing system, social-media direct message, or other channels;
7. your participation in marketing programs, beta or design-partner programs, customer-research interviews, case studies, testimonials, surveys, events, webinars, and similar activities; and
8. your application for employment with, or engagement as a contractor by, Pagos Cube LLC.

Important. This Privacy Policy supersedes and replaces in its entirety any prior Privacy Policy published by Pagos Cube LLC, including without limitation the version dated April 27, 2026. The earlier version was scoped to the Site’s quotation-request form only; this Policy expands that scope to cover all of the activities described above. This Policy does not apply to information collected by third parties operating their own products, services, or websites, even where we link to them or our Services are embedded within them; you should review their respective privacy notices.

2. Key Definitions

For purposes of this Privacy Policy:

1. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household, and includes “personal data” as defined under applicable European, U.K., and Latin American data-protection laws.
2. “Sensitive Personal Information” means the subset of Personal Information identified as “sensitive” or as a “special category” of personal data under Applicable Law, including, without limitation, government-issued identifiers (such as social-security numbers, driver’s-license numbers, passport numbers, and national-identity-document numbers), financial-account information, log-in credentials, precise geolocation, biometric information used for identification, and information revealing racial or ethnic origin, religious or philosophical beliefs, health, sex life, sexual orientation, or trade-union membership.
3. “Process” or “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, including, without limitation, collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
4. “Customer” means a person or entity that has entered into a Service Agreement with Pagos Cube LLC and to whom we provide one or more Services.
5. “End User” means an individual end user of a Customer who interacts with the Services because the Customer has embedded or used the Services within its own product or operations (for example, a person to whom one of our Customers issues a card or for whom one of our Customers opens a sub-account).
6. “Service Agreement” means a written agreement (including any data-processing addendum) between Pagos Cube LLC and a Customer that governs the provision of one or more Services. Where this Policy and a Service Agreement (including any data-processing addendum) conflict with respect to Personal Information of End Users, the Service Agreement controls.
7. “Applicable Law” has the meaning given to that term in our Terms of Use.

3. Our Role: Controller or Processor

Our role with respect to Personal Information varies depending on the context in which we collect or receive it. Identifying the correct role is important because it determines which obligations we owe to you and how to exercise your rights.

1. Pagos Cube as “controller” (or equivalent). We act as a controller (or its functional equivalent under Applicable Law, such as “responsable del tratamiento” in Spanish-speaking Latin American jurisdictions and “controlador” under Brazil’s LGPD) when we determine the purposes and means of Processing your Personal Information. This typically includes, without limitation, your interactions with the Site, your submission of forms on the Site, your direct relationship with us as a Customer (including the KYC/KYB and underwriting Processing necessary to onboard you), our marketing and communications activities, customer-success and support interactions, and our recruiting and hiring activities.
2. Pagos Cube as “processor” or “service provider.” We act as a processor or “service provider” (or its functional equivalent under Applicable Law, such as “encargado del tratamiento” or “operador”) when we Process Personal Information of End Users on behalf of, and on the documented instructions of, a Customer that embeds or uses the Services in its own product or operations. In that role, our Processing is governed by the applicable Service Agreement and any data-processing addendum thereto. Where we act as a processor or service provider, End Users should direct privacy-related requests to the relevant Customer in the first instance; we will assist Customers in responding to such requests as required by Applicable Law and the Service Agreement.
3. Independent legal obligations. Notwithstanding our role as a processor or service provider with respect to certain End-User Personal Information, we may also be subject to independent legal obligations under, for example, anti-money-laundering, counter-terrorism-financing, sanctions, tax-reporting, payment-card-industry, and consumer-protection laws. We may Process Personal Information as necessary to comply with those obligations.

4. Categories of Personal Information We Collect

We collect Personal Information from and about you in several ways, depending on how you interact with us. The categories below should be read together with Section 5 (Sources) and Section 6 (Sensitive Personal Information).

4.1 Information you provide directly

1. Identifiers and contact information. First name, last name, prefix or honorific, business or trade name, postal address, e-mail address, telephone number, professional title, employer, social-media handles, country and city of residence or operation, preferred language, and any other identifiers you provide on a form, in correspondence, or through an Account profile.
2. Account and authentication data. Account credentials (such as usernames and passwords), multi-factor-authentication data, application-programming-interface keys, publishable keys, secret keys, JSON Web Tokens, recovery codes, audit logs of authentication events, and similar credentials issued by us to you. We do not store cleartext passwords; passwords are stored in a salted, hashed form.
3. Quotation-request data. The categories of Personal Information described in our prior, narrower Privacy Policy (first name, last name, e-mail address, telephone number, organization name, organization website URL), submitted through the quotation-request form available at https://quote.bloque.app, together with information regarding the products you are interested in, your estimated transaction volume, your intended audience, the identity of your assigned advisor, and the e-mail addresses of any developers or billing/champion contacts that you provide.
4. Know-Your-Customer (KYC) and Know-Your-Business (KYB) data. In order to make certain Services available, Applicable Law and our contractual arrangements with banking and card-network partners require us to verify the identity of individuals and the lawful organization of business entities. For individual Customers, beneficial owners, controllers, and authorized signatories, we collect, depending on jurisdiction: full legal name, date of birth, place of birth, residential address, nationality, government-issued identifier (such as social-security number, individual taxpayer identification number, passport number, national-identity-document number (e.g., cédula de ciudadanía, RFC, CPF, CUIT/CUIL, RUT), or driver’s-license number), image of government-issued identification, biometric data (such as a selfie used for liveness and matching, where supported by Applicable Law), and source-of-funds information. For business Customers, we collect: legal name, trade name, jurisdiction and date of formation, registered and operating addresses, business registration or tax-identification numbers, ownership and control structure (including the identification of beneficial owners and controlling persons), governing documents, financial information, regulatory licenses, and information regarding the nature and expected volume of business.
5. Financial and transactional data. Bank account numbers and routing information, card numbers (handled in accordance with Payment Card Industry Data Security Standard (“PCI-DSS”) requirements through compliant providers), digital-asset wallet addresses, transaction amounts and currencies, counterparty information, payment-rail metadata, merchant-category codes, dates and times of transactions, and similar information relating to payments, transfers, deposits, withdrawals, card authorizations, settlements, refunds, chargebacks, and disputes.
6. Developer-integration data. Webhook endpoints, IP allow-list entries, environment metadata (e.g., sandbox vs. production), application programming interface logs and error traces submitted to us, code samples and configuration files submitted to us for support purposes, and other technical metadata regarding your integration with the Services.
7. Communications data. The contents of, and metadata associated with, your communications with us, including e-mail messages, chat messages, support tickets, video- and audio-call recordings (where lawfully recorded, with notice and any required consents), call transcripts, meeting notes, and your responses to surveys and feedback requests.
8. Marketing and testimonial data. Photographs, videos, audio recordings, written testimonials, quotations, biographical information, and other materials that you submit for, or authorize us to use in, our marketing and communications activities, in each case subject to Section 17 of this Policy and Section 10 of our Terms of Use.
9. Event and program participation data. Information you provide in connection with events, webinars, conferences, meet-ups, hackathons, beta programs, design-partner programs, customer-advisory boards, and similar programs, including registration information, dietary or accessibility preferences (which may constitute Sensitive Personal Information and which we will use only for the stated purpose).
10. Recruiting data. Information you submit in connection with an application for employment or contractor engagement with us, including résumé/CV contents, cover letters, work history, education, references, work-authorization information, demographic information (where voluntarily provided in jurisdictions where such information may lawfully be collected), and the results of any background checks conducted with your consent through authorized providers.

4.2 Information collected automatically

1. Device, browser, and log data. When you visit the Site or use the Services, our servers and those of our service providers automatically collect technical information about your device, browser, and connection, including Internet Protocol (“IP”) address, IP geolocation derived from your IP address (approximate, city- or country-level — not precise), browser type and version, operating system and version, language preference, device identifiers, referring and exit URLs, pages and resources requested, search terms, click data, timestamps, time zone, screen resolution, and crash, performance, and error logs.
2. Cookies and similar technologies. We and our service providers use cookies, web beacons, pixel tags, software development kits, local storage, session storage, and similar technologies to operate the Site and Services, remember your preferences, analyze usage, and improve performance, as described in Section 12 (Cookies and Tracking Technologies). We do not use cookies to engage in cross-context behavioral advertising.
3. Card-network and rail-level data. When a card we have issued is used at a point of sale, our card-network partners transmit to us information about the transaction (merchant name, merchant-category code, location at the merchant-address level, amount, currency, authorization result, and related data). When you initiate or receive a transfer over a local payment rail (such as Bre-B, PSE, Nequi, PIX, SPEI, ACH, or wire) or an on-chain rail (such as Polygon), the operator of the relevant rail transmits to us information about the transaction necessary to settle it.

4.3 Information we receive from third parties

1. Identity-verification and fraud-prevention providers. We rely on specialized providers to verify the identity of individuals and the lawful organization of businesses, and to detect and prevent fraud, money laundering, terrorism financing, and sanctions violations. These providers may return to us, in addition to information you provide, derived verification results, watchlist-screening results (including OFAC and other sanctions-list matches), adverse-media results, document-authentication results, biometric-match scores, and risk scores.
2. Banking partners, card networks, and other financial counterparties. We receive information from banking partners that hold customer funds or that originate or receive payments, from card networks (such as Visa) and card processors, from payment-rail operators, and from other financial counterparties that we use to deliver the Services.
3. Public sources and blockchain analytics. We may receive Personal Information from publicly available sources, including government databases, regulatory and law-enforcement publications, and company registers. Where the Services involve on-chain settlement (e.g., USDT or USDC on Polygon), we may use blockchain-analytics providers to evaluate the origin or destination of digital assets and the risk profile of associated wallet addresses.
4. Customers (where we act as processor). Where we provide Services to a Customer and that Customer’s End Users interact with the Services, the Customer provides to us Personal Information about its End Users. In that case we Process such Personal Information on the Customer’s documented instructions, as described in Section 3(b).
5. Service providers and partners. We may receive information from our service providers (such as analytics, customer-relationship-management, e-mail, support-ticketing, and infrastructure providers), from marketing and lead-generation partners, from event organizers, from referral sources, and from your colleagues who provide your contact information to us in connection with a prospective relationship.
6. Recruiting sources. If you apply for a role with us, we may receive information from recruiters, employment-history verification services, background-check providers (with your consent), and references you provide.

5. Sources of Personal Information

Consistent with Section 4, the principal sources of Personal Information we Process are: (a) you, when you visit the Site, submit a form, communicate with us, register for or use the Services, or apply for a role with us; (b) our Customers, when they enable us to Process Personal Information of their End Users; (c) third-party identity-verification, fraud-prevention, and sanctions-screening providers; (d) banking and card-network partners, payment-rail operators, and other financial counterparties; (e) blockchain networks and blockchain-analytics providers; (f) publicly available sources, including government and regulatory publications and corporate registers; and (g) our service providers and marketing, recruiting, and referral partners.

6. Sensitive Personal Information

Bloque is a regulated financial-infrastructure provider. Operating accounts, issuing payment cards, and moving funds across borders necessarily requires us to Process certain Sensitive Personal Information in order to comply with anti-money-laundering, counter-terrorism-financing, sanctions, tax-reporting, payment-card-industry, and consumer-protection laws, and the contractual requirements of our banking and card-network partners.

The categories of Sensitive Personal Information we may Process include, without limitation:

1. government-issued identifiers, such as social-security numbers, individual taxpayer identification numbers, passport numbers, national-identity-document numbers (e.g., cédula de ciudadanía in Colombia, RFC in Mexico, CPF in Brazil, CUIT/CUIL in Argentina, RUT in Chile), and driver’s-license numbers;
2. images of government-issued identification documents, together with information extracted from those documents;
3. biometric data used for identity verification (such as facial-image data captured for liveness and matching), in each case only with the consents required by Applicable Law and only for the limited purpose of verifying your identity and detecting fraud;
4. financial-account information, including bank-account and routing numbers, payment-card primary account numbers (handled solely through providers and processes designed to comply with PCI-DSS), and digital-asset wallet addresses;
5. log-in credentials, including in combination with passwords or authentication factors enabling access to an Account;
6. the contents of communications when they reveal information of a sensitive nature, to the extent volunteered by you in correspondence; and
7. any other category of Personal Information that Applicable Law in your jurisdiction characterizes as “sensitive,” “special,” “private,” or “datos sensibles.”

Limited purposes. We Process Sensitive Personal Information solely for the purposes set out in Section 7, including, in particular, to verify your identity and the identity of your beneficial owners, to onboard and maintain Customer accounts, to deliver the Services, to comply with our regulatory and contractual obligations, to detect and prevent fraud and other illegal activity, and to defend legal claims. We do not Process Sensitive Personal Information to infer characteristics about you for advertising purposes.

7. Purposes for Which We Process Personal Information

We Process Personal Information for the following business and commercial purposes:

1. Providing the Site and the Services. To operate, maintain, secure, and improve the Site and the Services; to enable account registration, authentication, and the issuance and management of credentials; to provision, operate, and reconcile accounts, cards, wallets, transfers, and other Services; to deliver developer documentation and support; to respond to your inquiries; and to deliver quotations and contractual proposals.
2. Onboarding and ongoing diligence. To verify the identity of individual Customers and the lawful organization of business Customers, to screen Customers and their beneficial owners against applicable sanctions, watch lists, and politically exposed person (“PEP”) databases, to assess risk, to make underwriting and acceptance decisions, and to conduct periodic re-verification.
3. Compliance and risk management. To detect, investigate, prevent, and respond to fraud, money laundering, terrorism financing, sanctions evasion, tax evasion, market manipulation, cybersecurity incidents, and other illegal, unauthorized, or unsafe activity; to comply with our obligations under anti-money-laundering, counter-terrorism-financing, sanctions, tax-reporting, consumer-protection, payment-card-industry, and other Applicable Law; and to comply with lawful requests from governmental and regulatory authorities.
4. Customer support and communications. To respond to your inquiries, support requests, and complaints; to send service-related communications, transactional notices, and security alerts; to provide product updates and disclosures; and to communicate with you regarding changes to our terms, this Policy, or the Services.
5. Marketing and communications. To send you marketing communications about Bloque’s products, features, programs, events, and content, subject to your right to opt out as described in Section 16; to invite you to participate in customer-research interviews, surveys, beta programs, and case studies; and to publish testimonials and other marketing content in accordance with Section 17.
6. Analytics, research, and product development. To analyze usage of the Site and Services; to measure the effectiveness of our marketing; to perform aggregated or de-identified analyses; to develop new products, features, and integrations; and to evaluate user experience and accessibility.
7. Security and integrity. To monitor and secure the Site and Services; to detect, prevent, and respond to security incidents, abuse, and bot activity; to maintain audit logs; and to protect our rights, property, and personnel and those of others.
8. Recruiting and employment. To evaluate applications for employment and engagement, to conduct interviews and assessments, and, with your consent, to conduct background and reference checks.
9. Corporate transactions and reorganizations. To evaluate, negotiate, and complete corporate transactions, including financings, mergers, acquisitions, reorganizations, divestitures, and sales of assets, and to operate the surviving or acquiring entity post-closing.
10. Legal proceedings and claims. To establish, exercise, or defend legal claims; to comply with court orders, subpoenas, and other legal process; and to enforce our contracts, including our Terms of Use and the Service Agreements.

8. Legal Bases for Processing

Where Applicable Law requires us to identify a legal basis for our Processing of Personal Information (including under the GDPR, the U.K. GDPR, Brazil’s LGPD, Colombia’s Law 1581 of 2012, and similar frameworks), we rely on one or more of the following legal bases, as applicable:

1. the performance of a contract with you, or to take steps at your request prior to entering into a contract;
2. your consent, which you may withdraw at any time as described in Section 16 and Sections 20–23 (provided that withdrawal of consent does not affect the lawfulness of Processing carried out prior to such withdrawal);
3. our compliance with a legal obligation to which we are subject, including, without limitation, anti-money-laundering, counter-terrorism-financing, sanctions, tax-reporting, and consumer-protection laws;
4. the protection of the vital interests of you or another natural person, where Applicable Law so permits;
5. the performance of a task carried out in the public interest, where Applicable Law so permits; and
6. the legitimate interests pursued by us or by a third party, including, without limitation, our interest in operating, securing, and improving the Site and the Services, preventing and detecting fraud and other illegal activity, communicating about our products and offerings, and conducting our business — except where such interests are overridden by your interests or fundamental rights and freedoms.

9. How We Disclose Personal Information

We do not sell your Personal Information for monetary or other valuable consideration, and we do not share your Personal Information for cross-context behavioral advertising. We may disclose Personal Information to the following categories of recipients, in each case as necessary for the purposes described in Section 7:

1. Affiliates. Pagos Cube LLC and any present or future entity that controls, is controlled by, or is under common control with Pagos Cube LLC, in each case bound by privacy commitments at least as protective as those set forth in this Policy.
2. Service providers and processors. Cloud-infrastructure providers; software-development and integration providers; customer-relationship-management, e-mail, ticketing, helpdesk, and analytics providers; communications and meeting providers (including providers used to record and transcribe calls); identity-verification, KYC/KYB, biometric, fraud-prevention, and sanctions-screening providers; payment-card processors and tokenization providers; document-storage and e-signature providers; and other vendors that Process Personal Information on our behalf, under written contracts that limit their use of the information to the services they provide to us.
3. Banking, card-network, and rail partners. Chartered depository institutions, electronic-money institutions, money-services businesses, card networks (including Visa), card issuers and program managers, payment-rail operators (including operators of Bre-B, PSE, Nequi, PIX, SPEI, ACH, wire, and similar rails), settlement banks, correspondent banks, and acquirers, in each case as necessary to deliver the Services you have requested.
4. Blockchain networks and blockchain-analytics providers. Where the Services involve on-chain settlement, transaction information may be transmitted to and recorded on a public or permissioned blockchain network, which is by design accessible to the public and not within our control. We may also share information with blockchain-analytics providers for compliance purposes.
5. Professional advisors. Auditors, accountants, lawyers, insurers, and other professional advisors, in each case subject to professional, statutory, or contractual confidentiality duties.
6. Customers (where we act as processor). We disclose End-User Personal Information to the relevant Customer in accordance with the applicable Service Agreement and data-processing addendum.
7. Governmental and regulatory authorities; law enforcement. We disclose Personal Information where required to do so by law, subpoena, court order, or other legal process; in response to lawful requests from public authorities, including to meet national security or law-enforcement requirements; to comply with anti-money-laundering, counter-terrorism-financing, sanctions, tax-reporting, consumer-protection, and similar regulatory regimes; and to defend our rights and the rights of others.
8. Corporate transactions. In connection with, or during the negotiation of, any merger, sale of assets, financing, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy, or similar transaction or proceeding, in each case under appropriate confidentiality protections, and with notice and choice to the extent required by Applicable Law.
9. With your consent. Any other recipient, with your consent or at your direction.

Aggregated and de-identified information. We may aggregate or de-identify Personal Information so that it can no longer reasonably be linked to you, and may use and disclose such information for any lawful business purpose, including for research, analytics, benchmarking, and the development and improvement of our products and Services. We commit to maintaining and using such information in de-identified form and to not attempting to re-identify it, except as permitted by Applicable Law for the purpose of testing whether de-identification has been effective.

10. International Data Transfers

We are headquartered in the United States and our principal hosting and data-processing infrastructure is located in the United States. The Services are designed for, and primarily delivered in, Latin America, and we rely on service providers, banking and card-network partners, and rail operators located across multiple jurisdictions. Accordingly, your Personal Information may be transferred to, stored in, and Processed in, jurisdictions other than your country of residence, including the United States, Mexico, Brazil, Colombia, the European Economic Area, and other Latin American jurisdictions. Privacy laws in these jurisdictions may differ from those in your jurisdiction. By using the Services, or by providing your Personal Information to us, you understand that your Personal Information may be transferred internationally and Processed as described in this Policy.

Where we transfer Personal Information from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not been determined by the relevant authority to provide an adequate level of protection, we rely on appropriate safeguards, including, without limitation, the European Commission’s Standard Contractual Clauses, the U.K. International Data Transfer Agreement or U.K. Addendum, the Swiss-approved Standard Contractual Clauses, your explicit consent, the performance of a contract with you, or another lawful transfer mechanism. Where we transfer Personal Information from Colombia, Mexico, Brazil, Argentina, or Chile to a jurisdiction whose protection level is not deemed adequate under the law of the country of origin, we rely on appropriate safeguards, including binding contractual commitments, your informed consent, and, where applicable, the prior authorization of the competent data-protection authority. Copies of the safeguards we use are available on request to the contact in Section 27.

11. Data Retention

We retain Personal Information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, regulatory, tax, or reporting requirements, to resolve disputes, and to enforce our agreements, and thereafter as permitted by Applicable Law. The criteria we use to determine retention periods include, without limitation, the nature and sensitivity of the Personal Information, the purposes for which we Process it, the potential risk of harm from unauthorized use or disclosure, the requirements of Applicable Law (including, without limitation, minimum and maximum retention periods imposed under anti-money-laundering, tax, and consumer-protection regimes), and whether the purposes can be achieved through other means.

Without limitation, our typical retention periods are as follows (each subject to extension where required by Applicable Law, legal hold, or pending regulatory inquiry):

1. Quotation-related Personal Information: thirty-six (36) months from the date of submission;
2. Server logs and automatically collected technical information: typically twelve (12) months;
3. KYC, KYB, sanctions-screening, and other compliance records: for the duration of the relationship with the relevant Customer and at least five (5) years thereafter, or such longer period as required by Applicable Law (which may, in certain jurisdictions, exceed ten (10) years);
4. Transaction records (including card-authorization, settlement, and transfer data): for the duration of the relationship with the relevant Customer and at least five (5) years thereafter, or such longer period as required by Applicable Law;
5. Marketing-list data: until you opt out or otherwise withdraw your consent, and thereafter in a suppression list to enable us to honor your preferences;
6. Recruiting data: for the duration of the recruitment process and for a reasonable period thereafter, as permitted by Applicable Law;
7. Communications and support records: typically for the duration of the relationship plus twenty-four (24) months.

Upon expiration of the applicable retention period, we will securely delete or de-identify the relevant Personal Information.

12. Cookies and Tracking Technologies

The Site uses cookies, web beacons, pixel tags, software development kits, local storage, session storage, and similar technologies (collectively, “Cookies”) to enable the Site to function, to remember your preferences, to analyze how the Site is used, and to measure the effectiveness of our marketing. We use the following categories of Cookies:

1. Strictly necessary Cookies. Required to operate the Site, to authenticate Users, to protect the Site against fraud and abuse, and to remember choices that you have made (such as language or cookie preferences). These Cookies cannot be disabled.
2. Analytics Cookies. Used to understand how visitors interact with the Site, including which pages are visited and how often, in order to improve performance and user experience. We use these Cookies on an aggregated basis and configure our analytics providers to limit the Personal Information that they receive.
3. Preference Cookies. Used to remember your settings and preferences so that you do not have to re-enter them on each visit.

We do not use Cookies to deliver cross-context behavioral advertising. You can manage Cookies through your browser settings; however, disabling certain Cookies may affect the functionality of the Site. Where required by Applicable Law (including the GDPR, the U.K. GDPR, the LGPD, and similar laws), we will obtain your consent through a cookie-consent banner before setting non-essential Cookies. We honor Global Privacy Control (“GPC”) signals to the extent practicable and as required by Applicable Law.

13. Data Security and Breach Notification

We implement and maintain commercially reasonable administrative, technical, organizational, and physical safeguards designed to protect Personal Information against unauthorized or unlawful access, use, disclosure, alteration, or destruction. These safeguards include, without limitation, encryption of Personal Information in transit (using Transport Layer Security) and at rest, role-based access controls, multi-factor authentication for administrative access, segregation of duties, secure software-development practices, periodic vulnerability assessments and penetration tests, security training of personnel, and incident-response procedures.

No method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. In the event of a data breach that triggers notification obligations under California Civil Code § 1798.82, the GDPR, the U.K. GDPR, the LGPD, Colombia’s Law 1581 of 2012, Mexico’s LFPDPPP, or any other Applicable Law, we will notify affected individuals and relevant authorities in accordance with such Applicable Law and within the timeframes required thereunder.

14. Automated Decision-Making and Profiling

In connection with onboarding, sanctions screening, fraud prevention, transaction monitoring, and risk management, we may use automated decision-making, including profiling, to make decisions about whether to accept or decline an applicant, to flag a transaction for review, to suspend access to the Services, or to apply other risk-mitigation measures. Where Applicable Law requires, we will provide meaningful information about the logic involved and the significance and envisaged consequences of such Processing, and you may have the right to request human review of a decision that significantly affects you. Requests for human review may be submitted using the contact details in Section 27.

15. Artificial Intelligence and Machine Learning

We use, and may in the future use, artificial-intelligence and machine-learning technologies, including third-party large-language-model providers, to support and improve the Services. Specifically, we may use such technologies to (a) support customer-support and developer-experience workflows; (b) detect, investigate, and prevent fraud and other illegal activity; (c) classify, summarize, or extract information from documents you submit (including, where applicable, KYC/KYB documents); (d) operate the Bloque MCP Server, which enables authorized third-party agents to invoke Services on your behalf; and (e) improve the quality, security, and reliability of the Site and Services.

We do not authorize our third-party large-language-model providers to use your Personal Information to train their general-purpose models, and we have entered (or will enter) into written agreements with such providers reflecting that restriction. Where we use Personal Information to train, fine-tune, or evaluate our own models, we use, wherever feasible, aggregated or de-identified information, and we provide additional disclosures and choices to you where required by Applicable Law.

16. Marketing Communications

You may opt out of marketing communications at any time by following the unsubscribe instructions included in any marketing e-mail, by adjusting your communication preferences in any Account you may have, or by contacting us using the details in Section 27. We will continue to send you transactional, service-related, and security communications even if you opt out of marketing communications, as those communications are not promotional in nature.

17. Testimonials and Public Endorsements

If you submit a testimonial, quote, photograph, video, audio recording, or similar User Content for use in our marketing or communications, our use of such User Content is also governed by Section 10 (User Content; Testimonial, Name, Image, and Likeness License) of our Terms of Use, which you accepted by accessing the Site. Without limiting the foregoing: (a) we will use such User Content in accordance with the U.S. Federal Trade Commission’s Guides Concerning the Use of Endorsements and Testimonials in Advertising, 16 C.F.R. Part 255; (b) we will disclose material connections between us and the endorser where required; and (c) you may, at any time, request that we discontinue further use of your testimonial in new materials by contacting us as set forth in Section 27, in which case we will use commercially reasonable efforts to do so, although we do not guarantee removal of materials already distributed.

18. Recording of Communications

Some of our calls and video meetings may be recorded and transcribed for quality-assurance, training, compliance, and product-improvement purposes. Before any recording begins, we will provide notice and, where required by Applicable Law (including the law of any jurisdiction that requires the consent of all parties to a recording), we will obtain your consent. You may decline to be recorded; in that case we will conduct the call without recording.

19. Job Applicants

If you apply for a role with us, we will Process the Personal Information you submit in connection with your application (including résumé contents, work history, education, references, and assessment results) for the purpose of evaluating your candidacy, communicating with you, and, with your consent, conducting background and reference checks. We will retain your application materials for a reasonable period, as permitted by Applicable Law, to consider you for future opportunities. We treat all applicant Personal Information confidentially.

20. Your Privacy Rights — California Residents

If you are a California resident, you have specific rights under the CCPA and CalOPPA. The CCPA imposes certain disclosure obligations on us, which we satisfy through this Section 20 and the rest of this Policy. The CCPA also affords you certain rights, which are summarized below.

20.1 Right to know

You have the right to request that we disclose: (a) the categories of Personal Information we have collected about you; (b) the categories of sources from which we collected the Personal Information; (c) our business or commercial purposes for collecting, selling, or sharing the Personal Information; (d) the categories of third parties to whom we disclose the Personal Information; and (e) the specific pieces of Personal Information we have collected about you. We have disclosed in Sections 4, 5, 6, 7, and 9 of this Policy the categories of Personal Information we have collected, used, and disclosed about California residents in the preceding twelve (12) months.

20.2 Right to delete

You have the right to request that we delete the Personal Information we have collected from you, subject to the exceptions provided by the CCPA — including, without limitation, that we may decline to delete Personal Information that is necessary to complete a transaction you requested, to detect or respond to security incidents, to comply with legal obligations, to enable internal uses reasonably aligned with your expectations, or to defend legal claims.

20.3 Right to correct

You have the right to request that we correct inaccurate Personal Information we maintain about you. We will use commercially reasonable efforts to correct inaccurate Personal Information upon a verified request, taking into account the nature of the Personal Information and the purposes of the Processing.

20.4 Right to opt out of sale or sharing

As stated in Section 9, we do not sell your Personal Information, and we do not share your Personal Information for cross-context behavioral advertising. Accordingly, no opt-out mechanism is required. Should our practices change, we will update this Policy and provide a “Do Not Sell or Share My Personal Information” link on the Site’s homepage and honor opt-out preference signals where required.

20.5 Right to limit the use of sensitive Personal Information

California residents have the right to limit our use and disclosure of Sensitive Personal Information to those uses authorized by the CCPA. As described in Section 6, we Process Sensitive Personal Information only for the purposes permitted by the CCPA — including, without limitation, to provide the Services that you have requested, to verify and maintain the quality of the Services, to detect and prevent fraud and other security incidents, to ensure the safety of natural persons, and to comply with legal obligations. We do not Process Sensitive Personal Information for purposes that would trigger the right to limit under the CCPA; accordingly, no “Limit the Use of My Sensitive Personal Information” link is provided.

20.6 Right to non-discrimination

We will not discriminate against you for exercising any of your rights under the CCPA. We will not deny you goods or services, charge you different prices or rates, provide you a different level or quality of goods or services, or suggest that you will receive a different price or quality of goods or services, on the basis of your exercise of your privacy rights.

20.7 How to exercise your California rights

To exercise any of the rights described above, please submit a verifiable consumer request by one of the following methods:

• By e-mail to: hi@bloque.team
• By written request to: Pagos Cube LLC, Attention: Privacy Officer, 30N Gould St, Ste R, Sheridan, WY 82801, U.S.A.

Your request must include sufficient information to allow us to verify your identity, which may include your full name, e-mail address, organization name (where applicable), and a description of your relationship with Bloque. We will acknowledge your request within ten (10) business days and respond to it within forty-five (45) calendar days of receipt, with the possibility of a single forty-five (45) day extension where reasonably necessary and upon notice to you.

You may designate an authorized agent to submit a request on your behalf, provided you submit a written authorization signed by you (or a notarized power of attorney) and we may require you to verify your identity directly with us. We will not respond to a request that we are unable to verify.

20.8 CalOPPA

In accordance with the California Online Privacy Protection Act, Cal. Bus. & Prof. Code § 22575 et seq., we disclose that: (a) you may review and request changes to Personal Information we maintain about you by contacting us as described above; (b) we honor Global Privacy Control (“GPC”) signals to the extent practicable and as required by Applicable Law; and (c) third parties may collect personally identifiable information about online activities over time and across different websites when you use the Site only to the extent permitted by this Policy.

21. Your Privacy Rights — Other U.S. States

If you are a resident of another U.S. state with a comprehensive consumer-privacy law (which, as of the Effective Date, may include Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, among others), you may have the right, subject to verification and to the exceptions provided by Applicable Law, to: (a) confirm whether we Process Personal Information about you and access that Personal Information; (b) correct inaccuracies in that Personal Information; (c) request deletion of that Personal Information; (d) obtain a portable copy of that Personal Information; (e) opt out of the sale of Personal Information, the Processing of Personal Information for purposes of targeted advertising, and certain profiling decisions; and (f) appeal a refusal by us to act on a request. We do not sell Personal Information, and we do not engage in targeted advertising as those terms are defined under those laws. To exercise your rights, please contact us as described in Section 27. We will respond within the timeframes required by Applicable Law. If we deny your request, you may appeal our decision by contacting us at the same address and indicating that you wish to appeal; if your appeal is denied, you may have the right to contact your state attorney general.

22. Your Privacy Rights — European Economic Area, United Kingdom, and Switzerland

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to the exceptions provided by Applicable Law: (a) the right of access to your Personal Information; (b) the right to rectification of inaccurate Personal Information; (c) the right to erasure of your Personal Information (“right to be forgotten”); (d) the right to restriction of Processing; (e) the right to data portability; (f) the right to object to Processing based on our legitimate interests or carried out for direct-marketing purposes; (g) the right not to be subject to a decision based solely on automated Processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, except as permitted by Applicable Law; and (h) the right to withdraw consent (where Processing is based on consent), without affecting the lawfulness of Processing based on consent before its withdrawal.

To exercise these rights, please contact us as described in Section 27. You also have the right to lodge a complaint with your local supervisory authority. The lead supervisory authorities in the EEA and the U.K. are listed at https://edpb.europa.eu and https://ico.org.uk, respectively. We will identify and, where required, appoint a representative under Article 27 of the GDPR if our Processing of Personal Information of EEA data subjects triggers the obligation to do so.

23. Your Privacy Rights — Latin America

Below we summarize the privacy rights afforded to residents of certain Latin American jurisdictions in which the Services are offered. The summary is provided for convenience and does not modify or limit your rights under Applicable Law. To exercise your rights, please contact us as described in Section 27. Where required by Applicable Law, we will also publish or make available a separate notice of privacy practices in the local language and format prescribed by such law.

23.1 Colombia

If you reside in Colombia, you have the rights afforded by Law 1581 of 2012 (Habeas Data) and its implementing regulations, including, without limitation, the right to: (a) know, update, and rectify your Personal Information; (b) request proof of the consent given for the Processing of your Personal Information, except where such consent is not required by law; (c) be informed of the use given to your Personal Information; (d) submit complaints to the Superintendencia de Industria y Comercio for breaches of Colombian data-protection law; (e) revoke your consent or request the deletion of your Personal Information when the Processing does not comply with constitutional or legal principles, rights, and guarantees; and (f) access free of charge your Personal Information that has been the subject of Processing. Our policy for the treatment of personal data (“Política de Tratamiento de Datos Personales”) under Colombian law is or will be available on the Site in Spanish.

23.2 Mexico

If you reside in Mexico, you have the rights afforded by the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”) and its implementing regulations, including, without limitation, the rights of access, rectification, cancellation, and opposition (the “ARCO” rights), and the right to limit or revoke your consent. Our notice of privacy practices (“Aviso de Privacidad”) prepared in accordance with the LFPDPPP is or will be available on the Site in Spanish. You may exercise your ARCO rights or submit complaints to the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).

23.3 Brazil

If you reside in Brazil, you have the rights afforded by the Lei Geral de Proteção de Dados Pessoais, Law No. 13,709/2018 (“LGPD”), including, without limitation, the rights to: (a) confirmation of the existence of Processing; (b) access to your Personal Information; (c) correction of incomplete, inaccurate, or outdated information; (d) anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully Processed information; (e) data portability; (f) deletion of Personal Information Processed on the basis of consent; (g) information about public and private entities with which we have shared your Personal Information; (h) information about the possibility of refusing consent and the consequences thereof; and (i) revocation of consent. Where required by the LGPD, we will identify a person in charge of Personal Information (“Encarregado”), whose contact details will be made available. You may submit complaints to the Autoridade Nacional de Proteção de Dados (ANPD).

23.4 Argentina

If you reside in Argentina, you have the rights afforded by Law No. 25,326 (Ley de Protección de los Datos Personales) and its implementing regulations, including the rights of information, access, rectification, updating, deletion (suppression), and confidentiality. You may submit complaints to the Agencia de Acceso a la Información Pública (AAIP).

23.5 Chile

If you reside in Chile, you have the rights afforded by Law No. 19,628 (and, when it enters into force, by Law No. 21,719 and its implementing regulations), including the rights of information, access, rectification, deletion, blocking, and opposition. You may submit complaints to the Agencia de Protección de Datos Personales once it is established under Law No. 21,719.

24. Third-Party Links and Services

The Site may contain links to third-party websites, products, services, repositories, or applications that are not owned or controlled by Pagos Cube LLC. This Policy applies solely to information Processed by Pagos Cube LLC. We do not endorse and assume no responsibility for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party site or service you visit.

25. Children’s Privacy

The Site and the Services are not directed to, and we do not knowingly collect Personal Information from, children. Specifically: (a) consistent with the U.S. Children’s Online Privacy Protection Act (“COPPA”), we do not knowingly collect Personal Information from individuals under the age of thirteen (13); and (b) consistent with the CCPA, we do not knowingly sell or share Personal Information of minors under the age of sixteen (16) without obtaining the opt-in consent required by the CCPA. If you believe that we have inadvertently collected Personal Information from a child, please contact us at hi@bloque.team, and we will take prompt steps to delete such information. The Services are intended for use by adults (eighteen (18) years of age or older) or by entities, and you must not access or use the Services if you are below the age of majority in your jurisdiction.

26. Changes to This Privacy Policy

We may update or modify this Privacy Policy from time to time. When we make changes, we will update the “Last Updated” date at the top of this Policy. Where the changes are material, we will provide additional notice as required by Applicable Law (such as by e-mail to the address you have provided, by a banner on the Site, or by an in-product notification). Your continued access to or use of the Site or the Services following the effective date of the updated Policy constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.

27. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Pagos Cube LLC
Attention: Privacy Officer / Data Protection Officer
30N Gould St, Ste R, Sheridan, WY 82801, U.S.A.

• E-mail (privacy): hi@bloque.team
• E-mail (legal): hi@bloque.team
• E-mail (general): hi@bloque.team
• Website: https://www.bloque.app

Where Applicable Law requires us to appoint a representative in the European Economic Area, the United Kingdom, Brazil, Mexico, or another jurisdiction, the identity and contact details of such representative will be provided here or in a separately accessible notice.