LGPD in Brazil: a practical guide for apps and SaaS
A clear guide to the LGPD and data protection in Brazil for apps and SaaS: who it applies to, legal bases, rights, the ANPD, and an actionable checklist.
If your app or SaaS has even a single user in Brazil, the LGPD already applies to you. It doesn't matter whether your company is based in São Paulo, Santiago, or Bogotá: what determines compliance is whose data you hold, not where your server sits. And the good news is that most of what the law asks of you can be reviewed and fixed without lawyers or six-month projects.
In this guide I'll explain, in plain language, what the LGPD is, who it applies to, which legal bases you can use, what rights people have, what the ANPD does, and above all what to check today on your site or app. No fearmongering and no jargon: the goal is for you to walk away with a concrete list of tasks.
What the LGPD is
The LGPD is the Lei Geral de Proteção de Dados Pessoais, Brazil's Law No. 13.709. It's the framework that governs how organizations collect, use, store, share, and delete the personal data of people in Brazil. Its spirit is very close to that of Europe's GDPR: people own their data, and whoever processes it must do so on a clear legal basis, transparently, and with reasonable security.
"Personal data" is any information that identifies or could identify a person: name, email, phone number, IP address, cookie identifiers, location, usage history. The law also recognizes sensitive personal data (racial or ethnic origin, health, sex life, religion, political opinions, genetic or biometric data), which is subject to stricter rules because its misuse can cause greater harm.
Note: the LGPD frames data protection in Brazil as a right of individuals, not as a bureaucratic formality. You'll see that nearly every obligation boils down to one idea: treat other people's data the way you'd want yours treated.
Who it applies to (even if you're not in Brazil)
Here's the point many founders overlook. The LGPD applies to any processing of data when at least one of these conditions is met:
- The processing operation takes place on Brazilian territory.
- The purpose of the processing is to offer goods or services to people in Brazil, or it involves the data of people who are in Brazil.
- The personal data was collected in Brazil.
In practical terms: if you have a Spanish- or Portuguese-language landing page that brings in Brazilian users, if you charge customers in Brazil, or if your app simply stores the emails of people who signed up from there, you fall within the scope of the law even if your team is outside the country. This is what's known as extraterritorial scope, and it follows the same logic as the GDPR.
The law draws a distinction between two roles worth keeping clear:
- Controller (controlador): whoever decides why and how data is processed. Usually you and your company.
- Processor (operador): whoever processes the data on behalf of the controller. This is where your vendors come in: hosting, database, transactional email, analytics, payment gateway.
When you hire a vendor that touches your users' data, you remain responsible for ensuring that vendor complies. That's why data processing agreements and your list of sub-processors matter so much, as you'll see in the checklist.
The legal bases for processing data
You can't process personal data "just because." You need a legal basis that justifies each instance of processing. The LGPD recognizes several; these are the ones apps and SaaS use most:
| Legal basis | When you use it |
|---|---|
| Consent | Marketing, non-essential cookies, newsletters |
| Performance of a contract | Delivering the service the user signed up for |
| Legal obligation | Keeping invoices, responding to the authority |
| Legitimate interest | Security, fraud prevention, product improvements (with care) |
| Credit protection | Credit risk analysis |
Two key points. First: consent must be free, informed, specific, and unambiguous. A pre-checked box or a "by using this site you accept everything" notice doesn't cut it. Second: legitimate interest is useful, but it isn't a free pass; you must be able to justify why your interest doesn't override the rights of the individual, and it's sometimes wise to document that analysis.
The rights of the data subject
The data subject is the person who owns the data. The LGPD grants them rights your app must be able to honor, usually through a request to the controller:
- Confirmation and access: knowing whether you process their data and obtaining a copy.
- Correction of incomplete or outdated data.
- Anonymization, blocking, or deletion of unnecessary data or data processed outside the law.
- Portability to another provider.
- Deletion of data processed on the basis of consent, when that consent is withdrawn.
- Information about who you've shared their data with.
- Withdrawal of consent, as easily as it was given.
In practice this means having a clear channel (a dedicated privacy email address or a form) and an internal process to respond within reasonable timeframes. You don't need a sophisticated portal to get started: you need someone to receive the request and know what to do with it.
The role of the ANPD
The ANPD (Autoridade Nacional de Proteção de Dados) is the Brazilian authority that oversees the LGPD. It issues regulations, provides guidance on how to comply, handles complaints, and can investigate and impose penalties.
The law provides for sanctions ranging from warnings to fines. The exact figures and applicable percentages depend on the law as it currently stands and on the authority's own criteria, so if you need the precise amount for your case, check the ANPD's up-to-date regulations rather than relying on a number you found online. Beyond the fine, the real risk for a young app is usually something else: the loss of trust and reputational damage when it comes out that you weren't taking care of people's data.
The LGPD also recommends appointing a data protection officer (encarregado or DPO), who serves as the point of contact with the ANPD and with data subjects. For a small team, this can be someone already on the team with that responsibility formally assigned.
Security principles
The LGPD doesn't hand you a fixed list of technical controls, but it does require technical and administrative measures appropriate to protect data against unauthorized access, loss, alteration, or destruction. The principles that guide it are a useful compass:
- Purpose and necessity: collect only what you genuinely need, for a clear purpose.
- Security and prevention: protect data throughout its entire life cycle.
- Transparency: explain in simple terms what you do with the data.
- Accountability: complying isn't enough; you must be able to prove it.
In concrete terms, "appropriate technical measures" for a web app today include things as basic as encryption in transit (TLS/HTTPS), access control for your databases, correct security headers, and prudent cookie handling. The good part is that much of this is observable from the outside, which is why a scan of your public surface tells you a lot.
What to check on your site or app today
This is the actionable part. Treat it as a checklist you can work through this very week.
- HTTPS across the entire site. Loading over HTTPS isn't enough: redirect all HTTP traffic to HTTPS and verify that your TLS certificate is valid and properly configured. Encryption in transit is the most visible technical measure of all.
- Security headers. Check Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy. They're clear signals that you take seriously the protection of data traveling to and from your app.
- Cookies and consent. List the cookies you set before any interaction. Non-essential cookies (analytics, marketing) require prior consent, with a real option to refuse. Mark your cookies with secure attributes (Secure, HttpOnly, SameSite) where appropriate.
- A real privacy policy. It should state, in plain language, what data you collect, on what legal basis, for how long, with whom you share it, and how to exercise rights. A generic copy-pasted template doesn't reflect your app, and it shows.
- Processors and sub-processors. Make an inventory of every vendor that touches your users' data (hosting, email, analytics, payments, support). Confirm that you have contracts or data processing clauses with each one.
- International transfers. If your database or your vendors are outside Brazil, that's an international transfer. Verify that a valid basis for it exists and document it in your policy.
- Minimization. Review your forms: are you asking for data you don't use? Every extra field is one more risk. Delete what you don't need and set retention periods.
- Rights channel. Publish an email address or form for data subject requests and make sure someone is monitoring it.
The first three points (TLS, headers, and cookies) are precisely the part a public-surface scanner can surface in minutes. They don't prove you comply with the entire LGPD, but they do show objectively whether your basic technical measures are in place or whether you have gaps visible from the very start.
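To make the three scannable points concrete, here is an added example that is not part of the original article and not Pursecure's scanner: a small Python checker that parses two constructed HTTP responses (one to a plain-HTTP request, one over HTTPS) and reports whether HTTP is redirected to HTTPS, which of the four headers above are missing, and which cookies lack Secure, HttpOnly or SameSite. The header list, the 180-day HSTS threshold, the severity labels and the sample responses are assumptions I chose for illustration, not values from the page.

```python
import re

# Headers the article names, with a one-line reason for each (assumed wording).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS keeps browsers on HTTPS after the first visit",
    "content-security-policy": "CSP limits where scripts and other resources may load from",
    "x-content-type-options": "nosniff stops browsers from sniffing MIME types",
    "referrer-policy": "limits what URL data leaks to third parties via the Referer header",
}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed threshold: 180 days
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...]).
    Header names are lowercased; repeated headers (Set-Cookie) are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_http_redirect(status, headers):
    """The response to a plain-HTTP request must redirect to an https:// URL."""
    location = next((v for n, v in headers if n == "location"), "")
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        return [("high", "HTTP request is not redirected to HTTPS")]
    return []


def check_security_headers(headers):
    """Report missing headers, a short HSTS max-age, and a wrong nosniff value."""
    present = {n: v for n, v in headers if n != "set-cookie"}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(("medium", f"missing {name}: {why}"))
    hsts = present.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < MIN_HSTS_MAX_AGE):
        findings.append(("low", "strict-transport-security max-age is short; 180 days or more is typical"))
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(("low", "x-content-type-options should be 'nosniff'"))
    return findings


def check_cookies(headers):
    """Flag Set-Cookie headers without Secure / HttpOnly / SameSite.
    HttpOnly is not right for every cookie (the article says 'where appropriate'),
    so treat that finding as a prompt to justify the exception, not an error."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(("medium", f"cookie {cookie_name} lacks Secure"))
        if "httponly" not in attrs:
            findings.append(("medium", f"cookie {cookie_name} lacks HttpOnly"))
        if "samesite" not in attrs:
            findings.append(("low", f"cookie {cookie_name} lacks SameSite"))
    return findings


def scan(http_raw, https_raw):
    """Run all three checks and return findings sorted by severity."""
    http_status, http_headers = parse_response(http_raw)
    _, https_headers = parse_response(https_raw)
    findings = (check_http_redirect(http_status, http_headers)
                + check_security_headers(https_headers)
                + check_cookies(https_headers))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


# Constructed sample responses (not captured from any real site).
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: _ga=GA1.2.123; Path=/; Domain=example.com\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for severity, message in scan(HTTP_RESPONSE, HTTPS_RESPONSE):
        print(f"[{severity}] {message}")
```

On the constructed sample the redirect is fine, but the checker reports the missing CSP and Referrer-Policy headers, the one-day HSTS max-age, and the analytics cookie that carries none of the three attributes. A real scan would fetch the responses with an HTTP client; everything else stays the same, and the findings map directly onto the "appropriate technical measures" the LGPD expects you to be able to demonstrate.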
An honest tip: no automated tool replaces a legal review when you process sensitive data or operate at large scale. What a scan does do is give you a quick snapshot of what's measurable, so you can prioritize instead of wasting time guessing.
How a scan helps
With Pursecure, you paste in your site's URL and, within minutes, you get a score from 0 to 100 and a list of findings sorted by severity. We check what's visible from the outside: whether your TLS is properly configured, which security headers you're missing, how your cookies are marked, and other technical signals that connect directly to the LGPD's security principles.
What sets it apart is that each finding comes with a ready-to-use prompt to fix it with AI (Claude or Cursor): we don't just tell you "you're missing HSTS," we give you the text so your coding assistant can implement it. That's the difference between a report that gets filed away and a task list you actually close out.
Conclusion
The LGPD isn't an insurmountable wall: it's an invitation to handle your users' data with care and to be able to prove it. For an app or SaaS just getting started, the practical path is clear: have a legal basis for each instance of processing, be transparent, respect people's rights, and maintain reasonable technical measures, starting with TLS, headers, and cookies.
If you want to see where you stand today without the theory, scan your site at pursecure.app or go straight to /scan. In minutes you'll have a snapshot of your visible technical measures and the prompts to close the gaps. Data protection in Brazil starts with what's already in plain sight.