Pix Privado: A Practical Tool for Inspecting Privacy Risks in Pix Payment Information
Pix Privado was created to help people inspect the hidden data inside Pix QR codes and Copia e Cola strings, understand the risks of exposing that information, and generate reduced-exposure payment information that is better suited for public sharing.
In my article “Privacy as Infrastructure: What Brazil’s Pix Teaches the World”, I argued that the growth of Pix-related crime in Brazil is not merely a local security problem, but a warning about the systemic risks created when privacy is not built into a payment system from the start.
The article focused on the security consequences of a system that prioritized adoption while allowing personal identifiers such as phone numbers, email addresses, CPF (individual identification number), and CNPJ (company identification number) to become payment aliases.
Payment data intended for public sharing can create an attack vector when personal data embedded in QR codes or payment strings is extracted, enriched and cross-referenced with other datasets.
Pix Privado continues that argument in practical form.
Instead of only explaining why using personal data as payment identifiers creates risks, the tool lets people inspect those risks directly. It asks a narrower and more operational question:
What does Pix payment information reveal before a payment is even initiated?
This question matters because payment information is often shared publicly. People publish QR codes on websites, social media profiles, donation pages, posters, livestreams, event pages, PDFs, and printed material.
For many users, especially activists, NGOs, independent journalists, human rights defenders, and community projects, this is a normal way to receive support.
But a QR code is not only an image. It is a representation of structured payment data.
Pix Privado was created to help people inspect that data, understand the risks of exposing it, and generate privacy-preserving payment information that is more appropriate for public sharing.
There is one important prerequisite: Pix Privado works with Pix payment information that is already connected to a Pix key registered in the user’s own banking app or payment institution.
The tool does not create Pix keys, register keys, open bank accounts, or connect to the Pix system. It works with payment information that the user already provides, such as a QR code or Pix Copia e Cola string generated by their banking app.
Why I built this tool
The broader argument behind “Privacy as Infrastructure” is that privacy failures in payment systems should not be treated as minor UX issues or individual user mistakes. They can become infrastructure-level vulnerabilities for millions of people.
Pix is a useful case study because it shows the trade-off clearly. It made instant payments extremely convenient and accessible. But it also allowed payment identifiers to overlap with personal identifiers.
A Pix key can be a phone number.
It can be an email address.
It can be a CPF or CNPJ.
It can also be a random key.
From an adoption perspective, this design has clear advantages. People already know their phone number and email address. They do not need to understand a new address format.
From a privacy perspective, the trade-off is more serious.

A phone number shared to receive a payment can also become a WhatsApp contact point.

An email address shared as a Pix key can also become a breach lookup key.

A CPF can connect payment information to official datasets, like Portal da Transparência.
A CNPJ can be the bridge to detailed official company information, including detailed personal information of the founders of the company.
This is the problem Pix Privado tries to make visible.
It turns the argument from the article into an interface: upload a QR code, paste a Copia e Cola string, and inspect what is actually being shared.
This is especially useful for QR codes, because the information is hidden from the human eye. A person looking at a QR code does not immediately know whether it contains a random Pix key, an email address, a phone number, a city, a name, a fixed amount, a transaction label, or other metadata.
Machines can read this information easily. People usually cannot.
Pix Privado closes that visibility gap.
What Pix Privado does
Pix Privado has three main functions.

First, it reveals the data embedded inside Pix QR codes and Pix Copia e Cola strings.

Second, it helps users understand how individual fields can contribute to data linkage.

Third, when the payment information allows it, it helps generate a reduced version that is more suitable for public sharing.
Features
The user can upload a Pix QR code image or paste a Pix Copia e Cola string. The app then decodes the payment payload and displays the information in a structured format.
It supports a nested TLV table, CRC16 validation, dynamic QR location fetching, and email breach lookups through Have I Been Pwned.
The interface is available in English and Portuguese. This is intentional. Pix is a Brazilian payment system, but the privacy lessons are relevant beyond Brazil. A bilingual interface makes the tool more useful both for Brazilian users who interact with Pix directly and for international researchers, technologists, and Freedom Tech communities studying Pix as a case.

The tool also includes contextual enrichment for selected fields. Phone-like values surface a WhatsApp link and DDD area-code context. CEP (postal code) values reveal location context. Merchant city values are compared with IBGE municipality data. These enrichments are not meant to expose people. They are meant to demonstrate how small pieces of payment metadata can become more sensitive when connected to other datasets.
Caveat
However, the tool should not be understood as a Pix account generator or payment onboarding tool. It assumes that the Pix key already exists and has already been registered by the owner in their banking app. The app helps inspect and transform the payment information generated by banking apps around that key. It does not create the underlying payment relationship with the Brazilian Pix infrastructure.
How the tool works

Pix QR codes are based on BR Code, which uses an EMV-style payload structure. In simplified terms, the payment data is encoded as a sequence of fields. Each field has an identifier, a length, and a value.
This structure is often called TLV: tag, length, value.
Pix Privado parses this structure and turns the raw payload into a readable table. Instead of showing only a long Pix Copia e Cola string, the app separates the content into fields such as Merchant Name, Merchant City, Pix key, Transaction Amount, Country Code, Currency Code, Transaction Identifier, and other nested values.
The basic inspection flow follows a local-first approach. QR decoding and payload inspection happen in the browser. This keeps the core inspection experience lightweight and reduces unnecessary dependency on external services. External requests are used only for specific enrichment features, such as fetching dynamic QR location payloads or checking whether an email address appears in known breaches (HIBP).
The tool also validates the CRC16 checksum. This is important because the checksum helps verify whether the payload is structurally valid. If the payload is changed, the checksum must be recalculated. Otherwise, the generated payment code may no longer work.
This becomes particularly relevant for the safer-sharing function. The app does not only replace sensitive fields visually. It rebuilds the payload and recalculates the checksum so that the resulting Pix Copia e Cola string and QR code remain structurally valid. Otherwise they would not work for initiating payments.
This distinction matters. A payment payload can be structurally valid, but it still depends on an active Pix key registered in the banking system. Pix Privado can help generate a cleaner payment payload, but the underlying Pix key must already exist and be connected to a bank account controlled by the receiver.
For dynamic Pix QR codes, the tool can also inspect the location field and fetch the related payload through a server-side proxy. This helps reveal additional information that may not be directly visible in the first QR payload. Note that dynamic codes are not the focus of this project; the focus is static payment codes, which are the ones regular individuals use.

In cases where an email address is present, the app can also support breach lookups through Have I Been Pwned. This is not meant to expose private data, but to illustrate a common linkage risk: if an email address used as a payment key appears in known breaches, it may already be connected to other exposed information.

The app can also generate shareable decoder links. This can be useful for education, workshops, research notes, or technical discussions where people need to look at the same example payload.
The safer-sharing function

Inspection is useful, but it is not always enough. In some cases, people also need to publish payment information publicly.
For this reason, Pix Privado includes a function to make a Pix payload safer to share.
This feature currently works under specific conditions. It is limited to static Pix QR codes that use a random Pix key, also known as an EVP key.
This limitation is intentional.
If the Pix key itself is a phone number, email address, CPF, or CNPJ, the tool cannot make that key private. The identifier is already part of the payment address. In those cases, the best recommendation is to create and use a random Pix key instead.
The random key must be created first in the user’s own banking app or payment institution. Pix Privado does not create or register this key. It only works with payment information based on a key that already exists.
When the payload is based on a registered random key, the tool can reduce unnecessary exposure. It can remove or replace fields that are not essential for public sharing, such as merchant name, merchant city, merchant category code, postal code, amount, and transaction labels. It then rebuilds the payment payload and recalculates the checksum.
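The TLV parsing and CRC16 validation described under "How the tool works", together with the rebuild step just above, as an added JavaScript example that is not Pix Privado's own code: it parses a BR Code payload into fields, checks the CRC-16/CCITT-FALSE checksum, and rebuilds a reduced payload only when the key is a random (EVP) key. The sample payload is constructed, and the neutral values it writes into the mandatory merchant name and city fields are this example's assumption, not the tool's.

```javascript
// Added example, not Pix Privado's own code: parse a BR Code (EMV-style TLV) payload,
// validate its CRC16, and rebuild a reduced-exposure version. Assumes ASCII values; SAMPLE is constructed.
function crc16(str) { // CRC-16/CCITT-FALSE as used by BR Code: poly 0x1021, init 0xFFFF, no XOR out
  let crc = 0xffff;
  for (const byte of new TextEncoder().encode(str)) {
    crc ^= byte << 8;
    for (let b = 0; b < 8; b++) crc = (crc & 0x8000 ? (crc << 1) ^ 0x1021 : crc << 1) & 0xffff;
  }
  return crc.toString(16).toUpperCase().padStart(4, "0");
}
function parseTlv(payload, top = true) { // "ID(2) LEN(2) VALUE" records; 26-51, 62, 64 nest once
  const fields = [];
  for (let pos = 0; pos < payload.length; ) {
    const id = payload.slice(pos, pos + 2), len = Number(payload.slice(pos + 2, pos + 4));
    if (!(len >= 0) || pos + 4 + len > payload.length) throw new Error("malformed TLV at " + pos);
    const value = payload.slice(pos + 4, pos + 4 + len), n = Number(id);
    const template = top && ((n >= 26 && n <= 51) || n === 62 || n === 64);
    fields.push(template ? { id, children: parseTlv(value, false) } : { id, value });
    pos += 4 + len;
  }
  return fields;
}
const encodeTlv = (fields) => fields.map((f) => {
  const v = f.children ? encodeTlv(f.children) : f.value;
  return f.id + String(v.length).padStart(2, "0") + v;
}).join("");
// Tag 63 (CRC) is computed over everything up to and including its own "6304" header.
function withCrc(body) { return body + "6304" + crc16(body + "6304"); }
function validateCrc(p) { return p.slice(-8, -4) === "6304" && crc16(p.slice(0, -4)) === p.slice(-4); }
const EVP = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Drop optional exposure (description, amount, CEP, label, MCC) and neutralise the mandatory
// name/city fields; the placeholder values here are this example's assumption, not the tool's.
function reducePayload(payload) {
  if (!validateCrc(payload)) throw new Error("CRC16 mismatch: payload is not structurally valid");
  const fields = parseTlv(payload.slice(0, -8)); // strip "6304" + checksum before rebuilding
  const mai = fields.find((f) => f.id === "26"), key = mai && mai.children.find((c) => c.id === "01");
  if (!key || !EVP.test(key.value)) throw new Error("only static codes with a random (EVP) key");
  const out = fields.filter((f) => ["00", "01", "53", "58"].includes(f.id));
  out.push({ id: "26", children: mai.children.filter((c) => c.id !== "02") });
  out.push({ id: "52", value: "0000" }, { id: "59", value: "N" }, { id: "60", value: "C" });
  out.push({ id: "62", children: [{ id: "05", value: "***" }] }); // "***" = no transaction id
  return withCrc(encodeTlv(out.sort((a, b) => Number(a.id) - Number(b.id))));
}
const SAMPLE = withCrc(encodeTlv([ // constructed static code: name, city, CEP, amount, MCC, label
  { id: "00", value: "01" }, { id: "01", value: "11" }, { id: "26", children: [
    { id: "00", value: "BR.GOV.BCB.PIX" }, { id: "01", value: "123e4567-e12b-12d1-a456-426655440000" },
    { id: "02", value: "Doacao" }] }, { id: "52", value: "5812" }, { id: "53", value: "986" },
  { id: "54", value: "10.00" }, { id: "58", value: "BR" }, { id: "59", value: "Fulano de Tal" },
  { id: "60", value: "BRASILIA" }, { id: "61", value: "70000000" }, { id: "62", children: [{ id: "05", value: "EVENTO2024" }] }]));
console.log(SAMPLE, "\n->", reducePayload(SAMPLE));
```

Running the block prints the constructed payload and its reduced form; a payload whose key is an email, phone, CPF or CNPJ is rejected rather than rewritten, matching the limitation described above.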
The result is a new Pix Copia e Cola string and a new QR code that are better suited for public sharing. The safer QR code can also be downloaded as a PNG, making it practical to use on websites, donation pages, social media posts, printed material, or presentation slides.
The result is not anonymous payment infrastructure. It is a reduced-exposure version of the payment information. That distinction is important.
Pix Privado does not promise anonymity. It helps reduce the amount of personal data embedded in the payment information before it is shared publicly. The payment still depends on the existing Pix system, which means that the receiver’s bank account information (beneficiary's name, obfuscated CPF/CNPJ and bank name) is revealed after the initiation of the payment.
Users should always test the generated payment information in their banking app before publishing it. All my tests worked flawlessly.
What the tool does not solve
Pix Privado only addresses the issue of personal data being embedded in QR codes and Pix Copia e Cola strings.
It does not create a Pix key.
It does not register a key with a bank.
It does not verify ownership of a Pix key.
It does not change what banking apps reveal after a payment is initiated.
In Pix, banking apps normally display information about the recipient during the payment flow. This includes the receiver’s full name, CPF or CNPJ information, and bank name. Pix Privado cannot prevent this, because that behavior belongs to the Pix payment flow and the banking app, not to the QR code itself.
This is an important caveat.
The tool is useful for reducing upfront exposure. It helps prevent unnecessary personal data from being passively scraped from public QR codes and payment strings.
It does not eliminate all privacy risks in the Pix payment flow, after the initiation of the payment.
The difference is still meaningful. A public QR code can be collected without initiating a payment. Bots, crawlers, scammers, and data collectors can scrape payment information from websites and social media at scale. They do not need to open a banking app or simulate a payment to extract the information embedded in the code.
Pix Privado focuses on protecting users at this first layer of exposure.
Why this matters for Freedom Tech
Freedom Tech often focuses on censorship resistance, self-custody, open protocols, secure communication, financial privacy, and tools for people operating under pressure.
Payment privacy belongs in that discussion.
A payment system can be fast, convenient, and widely adopted while still creating privacy risks through its identifiers, metadata, defaults, and user interface choices.
Pix is a valuable case study because it shows both sides clearly. It demonstrates how good usability can drive adoption at a national scale. It also shows how design decisions around identity and payment addressing can create new forms of exposure.
For people building Bitcoin, Lightning, ecash/cashu, Nostr, donation tools, wallet interfaces, or activist fundraising infrastructure, Pix raises practical design questions:
What information is visible before a payment is made?
Can the payment address be linked to communication channels, government identifiers, or login credentials?
Can public payment information be scraped at scale?
Does the system encourage users to reuse identifiers across contexts?
Can users receive payments without exposing more information than necessary?
Is a payment request merely a payment request, or does it also become an identity leak?
Pix Privado does not answer all of these questions. But it provides a concrete interface for exploring them.
That is one of the broader lessons Freedom Tech builders can take from Pix: privacy risk is not always contained inside one system. It often appears at the boundaries between systems.
A practical continuation of the research
I see Pix Privado as a practical continuation of “Privacy as Infrastructure.”
The article argued that payment privacy should not be treated as an optional feature. It should be enforced as the default and be understood as part of the infrastructure itself.
Pix Privado takes one specific issue from that broader argument and turns it into something people can test directly.
Instead of only describing the privacy problem, Pix Privado lets users inspect it.
Instead of only recommending random keys and data minimization, it helps apply those ideas to real payment payloads and QR codes that can be more safely shared.
Instead of treating QR codes as neutral objects, it shows them as structured data containers that deserve careful inspection before public use.
This is especially relevant for people who depend on public donations or public payment requests. Activists, NGOs, community organizers, independent media projects, and human rights defenders often need to make payment information easy to access. At the same time, they may face higher risks from harassment, surveillance, scams, or targeted data collection.
For these users, reducing unnecessary exposure is not a theoretical concern. It is part of operational security.
What I hope people learn from it
Pix Privado is not intended as a criticism of Pix adoption or convenience. Pix solved real payment problems for millions of people, and its success deserves serious study.
The goal of this tool is more specific.
It helps show that payment UX and privacy cannot be separated. The way a payment address is created, displayed, shared, and reused has consequences.
A QR code may look simple in the interface, but it can carry information that users do not realize they are publishing. A familiar identifier may improve adoption, but it can also create long-term linkage risks. A small metadata field may seem harmless, but at scale it can become useful for profiling or fraud.
For the Freedom Tech community, this is one of the main lessons.
Privacy should not depend only on warnings, documentation, or expert knowledge. It should be supported by defaults, compartmentalization, appropriate address formats, interface decisions, and practical tools that help users see what they are exposing.
Pix Privado is one attempt to make that problem visible.
Next steps
The current version focuses on inspection, risk awareness, and safer public sharing for static Pix QR codes using registered random Pix keys.
Future improvements could expand the educational layer, improve the explanation of each field, support clearer risk scoring, and help users better understand the difference between data embedded in the QR code and data revealed later by banking apps.
I also intend to provide sample QR codes for each key type on the initial screen, so that users can get a taste of how the app works before submitting their own information.
Pix Privado began with a question from my work on Pix and privacy:
What can payment information reveal about people before money even moves?
This tool is my first practical answer to that question.