Privacy Notice
Last updated: Jan 16, 2026
1. Introduction
Thank you for being interested in Nu. This Privacy Notice (“Notice”) was created to show our commitment to always handling your personal data with security, privacy, and transparency. It describes the personal data we collect when you access our website nu.co (“Website”) and share your personal data with us, as well as how your data is used, stored, and shared, and what rights you have over such data.
PERSONAL DATA is any information that directly or indirectly defines a specific natural person, as defined by the applicable law.
The Controller of your personal data, that is, the companies responsible for deciding how to handle your personal data, will be Nu Holdings Ltd. and its affiliates (“Nu” or “we”, “our”, “us”).
By accessing the Website and registering for our waitlist, you acknowledge the contents of this Notice. For this reason, we recommend that you read it until the end.
If you don't agree to this Notice, or to any changes we subsequently make to it
2. Application
This Notice is applicable to anyone who visits our Website and signs up for our waitlist, including, but not limited to, individuals we prospect as potentially interested in our services (“Services”), or who apply to join our waitlist.
It does not apply to users of our Services, to job candidates or to our employees, who are covered by separate privacy notices.
3. Collection of personal data
We only collect and use your personal data for legitimate purposes, in accordance with applicable legislation, as indicated below:
Type of personal data:
- Name
- Country of residence
- Phone number
- Address
- Browsing and device data, such as IP addresses, interactions with the Website, device ID, operating system, model
- Cookies, according to our Cookie Notice
Purpose of processing:
- Operate, maintain, and improve our Website
- Communicate with you
- Allow the creation of a waitlist for our Services
- Assess whether you are legally allowed to obtain access to our Services
- Monitor the use and performance of our Website
- Provide customer support and answer questions
- Detect and prevent security or technical issues
- Prospect customers, carry out market research and opinion surveys, and promote our Services
- Exercise our rights, including presenting documents in judicial and administrative proceedings
- Comply with court orders, requests from competent authorities or supervisory bodies, and legal or regulatory obligations
4. Personal data sharing
In certain circumstances, we may disclose the personal data listed above to third parties, for the purposes stated below:
Third party and purpose of sharing:
Other companies in our group
- Operate, maintain, and improve our Website
- Communicate with you
- Allow the creation of a waitlist for our Services
- Detect and prevent security or technical issues
- Investigate and implement measures to prevent and fight illegal activities, fraud, financial crimes and ensure the security of our customers and financial system
- Prospect customers, carry out market research and opinion surveys, and promote our Services
- Exercise our rights, including presenting documents in judicial and administrative proceedings
- Comply with court orders, requests from competent authorities or supervisory bodies, and legal or regulatory obligations
Business partners, service providers, and other third parties
- Help to operate, maintain, and improve our Website
- Communicate with you
- Prospect customers, carry out market research and opinion surveys, and promote our Services
- Detect and prevent security or technical issues
- Investigate and implement measures to prevent and fight illegal activities, fraud, financial crimes and ensure the security of our customers and financial system
- Exercise our rights, including presenting documents in judicial and administrative proceedings
- Comply with court orders, requests from competent authorities or supervisory bodies, and legal or regulatory obligations
- Merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices
Authorities and regulatory bodies
- Investigate and implement measures to prevent and fight illegal activities, fraud, financial crimes and ensure the security of our customers and financial system
- Exercise our rights, including presenting documents in judicial and administrative proceedings
- Comply with court orders, requests from competent authorities or supervisory bodies, and legal or regulatory obligations
All business partners, service providers, and other third parties are contractually bound to handle data securely and only for specified purposes. This means that, when sharing your personal data with these third parties, we will require them to use the personal data exclusively for the limited purpose for which we provide it, as well as to maintain reasonable security measures for the protection of such information, and comply with the provisions as outlined in this Privacy Notice and in the applicable data protection laws.
We do not sell, trade, or rent your personal data to third parties. We only share your personal data with third parties with your authorization, in connection with the Website, or other limited circumstances as specified herein.
When using our Website, you may be redirected to third-party websites or applications. Once redirected to a third-party website or application, privacy practices will be governed by their privacy notices and terms of use. We cannot control or be responsible for the privacy practices and content of third parties. Please read the applicable privacy notices carefully to understand how they collect and process your data.
5. Security measures
We use various types of security measures to ensure the integrity of your personal data, such as information security standards practiced by the industry when collecting and storing personal data.
We may also store personal data through cloud computing technology and other potential future technologies, always seeking to improve and enhance our Website and its security.
We have a robust, highly qualified team responsible for ensuring that we adopt the best security practices, including:
- Multi-factor authentication for information access
- Security as code, to enable automations and fast and efficient responses to security events in the technological environment
- Encryption for data at rest, in transit, and in use, to ensure information integrity
- Continuous environment monitoring
- Continuous information security analyses and tests in our systems, performed by internal and external teams
- Periodic audits
We use commercially reasonable safeguards to help protect and secure your personal data. Although we work to protect the security of your data, please be aware that no method of transmitting data over the internet or storing data is completely secure.
If you suspect unauthorized activity with respect to your use of our Website, or if you suspect a security incident has occurred, please contact us immediately through the service channels listed in the "Contact us" section below.
6. Cross-border transfer of data
As an international company, we may need to transfer your personal data to other countries. This includes countries where Nu already operates (such as Brazil, Mexico, and Colombia), as well as other countries in the EU (such as Germany, where part of our cloud environment is hosted) and in other regions, whenever necessary. When cross-border data transfer is necessary, we comply with all the requirements established by current legislation and use one of the lawful data transfer mechanisms.
Where personal data from certain jurisdictions are transferred to jurisdictions with different levels of data protection, we ensure that the same degree of protection is afforded to the data. We do so by implementing appropriate safeguards as defined by applicable legal and regulatory requirements. For example:
- For international data transfers carried out within companies of the Nu group, we implement intragroup data transfer agreements;
- For data transfers to service providers in other jurisdictions, we may implement standard contractual clauses (SCCs) for the international data transfers when such clauses exist.
7. Data subject rights
In certain jurisdictions, you may be entitled under applicable law to have rights and choices with respect to your personal data, including the right to obtain information about what personal data we have about you, to access this personal data, and to update, review, delete or restrict the processing of your personal data. Where we process your personal data based on consent, you have the right to withdraw your consent at any time with respect to future processing. You may be entitled to exercise additional rights depending on the jurisdiction where you are.
To exercise any of your rights, please submit a request through the channels indicated in the “Contact us” section below.
We will not discriminate against you for exercising these rights. However, we may require additional information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your request.
You may elect not to receive promotional emails from us either by unsubscribing to an email you receive from us or by contacting us through the service channels listed in the "Contact us" section below.
8. Retention and deletion of personal data
Data storage and retention periods for personal data held in IT systems and as physical records are defined by legal, regulatory, contractual and business requirements.
When applicable, and even if you stop using the Website, we may store your personal data for an additional period for auditing purposes, compliance with legal or regulatory obligations, for the regular exercise of our rights, or also for the necessary period in accordance with the legal basis that justifies the retention of the data, always in compliance with the applicable law. These legal/regulatory data retention periods generally vary between 5 and 20 years.
Your data will always be kept in a secure and controlled environment and will be deleted or anonymized as soon as its maintenance is no longer necessary or justifiable in accordance with the applicable data protection law.
9. Changes to the Privacy Notice
We may from time to time change this Privacy Notice, but we always value transparency: whenever a relevant change is made, we will send you a notice indicating the new version in effect, and we will promptly post any changes to this Privacy Notice on this page.
To stay informed of our privacy practices, we recommend you review the statement on a regular basis as you continue to use the Website.
10. Contact us
You can contact us for matters involving your personal data through the channel privacy@nu.co.
We are always available to answer your questions and put you in control of your personal data.