
Mobile analytics for AI chatbot & assistant apps and LGPD

What LGPD requires of consumer LLM assistants, character/companion chat, AI tutoring, where conventional mobile-analytics SDKs typically create exposure, and what Respectlytics's strict 5-field schema does differently.

What LGPD requires

Source: Lei nº 13.709/2018 — Lei Geral de Proteção de Dados (Brazil) — accessed 2026-05-11.

Jurisdiction. Applies (per Art. 3) to processing operations carried out by natural or legal persons, of public or private law, regardless of the country in which the controller is established or where the data is located, where the processing is carried out in Brazilian territory, has the purpose of offering goods or services in Brazil, or processes data of persons located in Brazil at the time of collection. Effective from August 2020; sanctions enforceable from August 2021.

Personal data definition. Art. 5(I) defines dado pessoal as "informação relacionada a pessoa natural identificada ou identificável" — information related to an identified or identifiable natural person. The structure parallels the GDPR's Art. 4(1) definition closely; in practice, what is personal data under GDPR is generally personal data under LGPD.

Special / sensitive categories. Art. 5(II) defines dado pessoal sensível (sensitive personal data) as personal data concerning racial or ethnic origin, religious conviction, political opinion, trade-union or religious / philosophical / political organisation membership, data referring to health or sex life, and genetic or biometric data when linked to a natural person. Art. 11 sets stricter rules for processing sensitive personal data, requiring specific and highlighted consent by default or a narrow list of indispensable-purpose exceptions.

Key requirements relevant to mobile analytics. LGPD is structurally a GDPR-style law. It establishes lawful bases for processing (consent, contract performance, legal obligation, vital interest, public interest, legitimate interest, etc.), data-subject rights (access, correction, anonymisation, blocking, deletion, portability), and obligations on controllers and operators. The Autoridade Nacional de Proteção de Dados (ANPD) is the Brazilian supervisory authority.

Where mobile analytics typically creates exposure for AI chatbot & assistant apps

Because LGPD's personal-data definition mirrors GDPR's, the same analytics-SDK concerns apply: persistent identifiers, IP addresses, and any free-form event parameter capable of linking to a Brazilian user fall within scope. Brazilian-user data flowing to a US-based analytics SDK is a cross-border transfer that triggers Arts. 33–36 of LGPD on international data transfers.

AI chatbot apps process user prompts (which may contain anything the user types), model outputs, conversation history, user-uploaded files, and feedback ratings. The prompt and response strings are the highest-risk surface — a single message can contain PII, PHI, financial data, or special-category information.

Because prompts are free-form natural language, they can contain any category of personal data under any regulation — names, health, finance, sexual orientation, religious belief. Logging full prompts to an analytics SDK is one of the highest-exposure patterns in modern apps.

What Respectlytics's design does (technical facts)

Respectlytics's API does not accept prompt or response strings as event parameters. A chatbot app can record that a user sent a message, opened the feedback dialog, or hit a token-quota wall — without the content of the message flowing into analytics. The conversation content remains where the user expects: inside the app's primary store, governed by the app's privacy notice.

Reduces the surface. Removing the surface where the categories covered by LGPD could be collected in the first place narrows what an LGPD review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
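As an added illustration of the pattern described above (this is not Respectlytics's SDK or API; the event names, parameter names and in-memory queue are assumptions), a minimal event validator that enforces a closed event vocabulary and a fixed parameter schema, so a chatbot app can record that a message was sent or a quota was hit while any attempt to attach prompt or response text is rejected before it reaches analytics:

```python
from dataclasses import dataclass, field
from typing import Any

# Closed vocabulary of chatbot events (hypothetical names). Anything outside it
# is rejected, so the app cannot "log the prompt" by inventing an event name.
ALLOWED_EVENTS = {"message_sent", "feedback_opened", "feedback_rated", "quota_reached"}

# Per-event parameter schema: key -> (type, allowed values). Strings are only
# accepted from a fixed enum set; there is no free-text parameter of any kind.
PARAM_SCHEMA = {
    "message_sent": {"modality": (str, {"text", "voice", "file"})},
    "feedback_opened": {},
    "feedback_rated": {"rating": (int, {1, 2, 3, 4, 5})},
    "quota_reached": {"quota": (str, {"daily_tokens", "monthly_tokens"})},
}

class SchemaViolation(ValueError):
    pass

@dataclass(frozen=True)
class AnalyticsEvent:
    name: str
    params: dict = field(default_factory=dict)

def validate_event(name: str, params: dict[str, Any]) -> AnalyticsEvent:
    if name not in ALLOWED_EVENTS:
        raise SchemaViolation(f"unknown event {name!r}")
    schema = PARAM_SCHEMA[name]
    unknown = set(params) - set(schema)
    if unknown:
        # Extra keys are the usual leak path ("prompt", "response", "user_email").
        raise SchemaViolation(f"parameters not in schema for {name}: {sorted(unknown)}")
    for key, (expected_type, allowed) in schema.items():
        if key not in params:
            raise SchemaViolation(f"missing parameter {key!r} for {name}")
        value = params[key]
        # `type(...) is` rather than isinstance: bool must not pass as int.
        if type(value) is not expected_type or value not in allowed:
            raise SchemaViolation(f"{key}={value!r} is not an allowed value")
    return AnalyticsEvent(name, dict(params))

# Hypothetical sink: a plain list standing in for a RAM-only event queue.
queue: list[AnalyticsEvent] = []

def track(name: str, **params: Any) -> bool:
    """Queue the event and return True, or return False if the schema rejected it."""
    try:
        queue.append(validate_event(name, params))
        return True
    except SchemaViolation:
        return False
```

A call such as `track("message_sent", modality="text", prompt="...")` returns False and queues nothing, which is the behaviour that keeps conversation content out of the analytics pipeline.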

Frequently asked questions

How does LGPD relate to GDPR?

LGPD was modelled on GDPR and shares much of its structure: a similar definition of personal data, similar lawful bases for processing, similar data-subject rights. The two are not identical (different supervisory authorities, different penalties, different territorial-scope language), but the data-minimisation patterns that work under GDPR are generally a useful starting point when assessing LGPD.

Does LGPD apply if our app is hosted outside Brazil?

Art. 3 makes LGPD applicable based on where the processing happens, where it targets goods or services, or where the data subject is located at collection — regardless of where the controller is established. Hosting outside Brazil does not by itself avoid LGPD; offering an app to Brazilian users typically brings the processing into scope.

Does using Respectlytics by itself resolve LGPD obligations for our AI chatbot & assistant app?

No — and no analytics SDK can credibly answer that question. Whether your product meets LGPD's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies LGPD for your specific app is a conversation for your counsel.

What if we already use a different analytics SDK today?

The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.


Track what matters. Collect nothing you don't.

Five-field event schema, RAM-only event queue, no IDFA, no AAID, no persistent user IDs. Helps developers avoid collecting personal data in the first place.