§What LGPD requires
Source: Lei nº 13.709/2018 — Lei Geral de Proteção de Dados (Brazil) — accessed 2026-05-11.
Jurisdiction. Applies (per Art. 3) to processing operations carried out by natural or legal persons, of public or private law, regardless of the country in which the controller is established or where the data is located, where the processing is carried out in Brazilian territory, has the purpose of offering goods or services in Brazil, or processes data of persons located in Brazil at the time of collection. Effective from August 2020; sanctions enforceable from August 2021.
Personal data definition. Art. 5(I) defines dado pessoal as "informação relacionada a pessoa natural identificada ou identificável" — information related to an identified or identifiable natural person. The structure parallels the GDPR's Art. 4(1) definition closely; in practice, what is personal data under GDPR is generally personal data under LGPD.
Special / sensitive categories. Art. 5(II) defines dado pessoal sensível — sensitive personal data — as personal data concerning racial or ethnic origin, religious conviction, political opinion, trade-union or religious / philosophical / political organisation membership, data referring to health or sex life, and genetic or biometric data when linked to a natural person. Art. 11 sets stricter rules for processing sensitive personal data, requiring specific and highlighted consent by default or a narrow list of indispensable-purpose exceptions.
Key requirements relevant to mobile analytics. LGPD is structurally a GDPR-style law. It establishes lawful bases for processing (consent, contract performance, legal obligation, vital interest, public interest, legitimate interest, etc.), data-subject rights (access, correction, anonymisation, blocking, deletion, portability), and obligations on controllers and operators. The Autoridade Nacional de Proteção de Dados (ANPD) is the Brazilian supervisory authority.
⚑Where mobile analytics typically creates exposure for fintech & mobile banking apps
Because LGPD's personal-data definition mirrors GDPR's, the same analytics-SDK concerns apply: persistent identifiers, IP addresses, and any free-form event parameter capable of linking to a Brazilian user fall within scope. Brazilian-user data flowing to a US-based analytics SDK is a cross-border transfer that triggers Arts. 33–36 of LGPD on international data transfers.
Fintech apps process account numbers, transaction amounts, merchant categories, card last-four, IBANs, transfer recipients, and KYC documents. Many also log credit-score read events, loan-application data, and balance snapshots.
Account credentials paired with security codes are sensitive personal information under CPRA. Account numbers and full PANs are personal data under GDPR Art. 4(1) and trigger the PCI-DSS data flow obligations regardless of jurisdiction. Even transaction descriptions can reveal special-category information (e.g., merchant names tied to health, religion, or politics).
▸What Respectlytics's design does (technical facts)
Respectlytics is not your payments processor or your transaction store. It tracks product signals — transfer_initiated, card_added, investment_purchase_completed — without per-event amounts, account numbers, or merchant descriptions. The authoritative financial data lives in your payments backend; product analytics tells you the funnel rate, not the dollar values.
Reduces the surface. Removing the collection points where LGPD-covered categories could enter the analytics pipeline in the first place narrows what an LGPD review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
How does LGPD relate to GDPR?
LGPD was modelled on GDPR and shares much of its structure: a similar definition of personal data, similar lawful bases for processing, similar data-subject rights. The two are not identical (different supervisory authorities, different penalties, different territorial-scope language), but the data-minimisation patterns that work under GDPR are generally a useful starting point when assessing LGPD.
Does LGPD apply if our app is hosted outside Brazil?
Art. 3 makes LGPD applicable based on where the processing happens, where it targets goods or services, or where the data subject is located at collection — regardless of where the controller is established. Hosting outside Brazil does not by itself avoid LGPD; offering an app to Brazilian users typically brings the processing into scope.
Does using Respectlytics by itself resolve LGPD obligations for our fintech & mobile banking app?
No — and no analytics SDK can credibly answer that question. Whether your product meets LGPD's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies LGPD for your specific app is a conversation for your counsel.
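The "rejected at the API" posture described in this answer and in the design section above, shown as an added illustration in Python. This is not Respectlytics's code; the event schema, parameter names, sample events and deny patterns are assumptions constructed for the example, and the core rule is default deny: an event is accepted only when its name and every parameter value are on a closed allowlist.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical allowlist (constructed for this example): each event name maps to the
# parameters it may carry and the closed set of values each parameter may take.
EVENT_SCHEMA = {
    "transfer_initiated": {"rail": {"pix", "ted", "boleto"}, "channel": {"ios", "android"}},
    "card_added": {"card_type": {"credit", "debit", "prepaid"}},
    "investment_purchase_completed": {"asset_class": {"fund", "fixed_income", "equity"}},
}

# Shapes of values that should never appear in an analytics event. Used only to
# label why an off-schema parameter was rejected, never as the acceptance rule.
DENY_PATTERNS = {
    "card number": re.compile(r"^\d{13,19}$"),
    "IBAN": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
    "amount": re.compile(r"^-?\d+([.,]\d{1,2})?$"),
    "e-mail": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)

def classify(value) -> Optional[str]:
    """Name the identifying or financial shape a value matches, if any."""
    text = str(value)
    for label, pattern in DENY_PATTERNS.items():
        if pattern.match(text):
            return label
    return None

def validate_event(event: dict) -> Verdict:
    """Accept an event only if its name and every parameter are on the allowlist.
    Unknown parameters are rejected outright, so a PAN, amount or merchant string
    cannot ride along under a new key; the classifier only explains the rejection."""
    name = event.get("name")
    if name not in EVENT_SCHEMA:
        return Verdict(False, [f"unknown event name: {name!r}"])
    allowed = EVENT_SCHEMA[name]
    reasons = []
    for key, value in event.get("params", {}).items():
        if key in allowed:
            if not (isinstance(value, str) and value in allowed[key]):
                reasons.append(f"{key!r}: value is not an enumerated option")
            continue
        hit = classify(value)
        reasons.append(f"{key!r}: not in schema" + (f" (value looks like: {hit})" if hit else ""))
    return Verdict(not reasons, reasons)
```

Because acceptance is by enumeration rather than by pattern, a new field that carries a balance or a recipient never reaches storage even if no deny pattern recognises it.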
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.