§What LGPD requires
Source: Lei nº 13.709/2018 — Lei Geral de Proteção de Dados (Brazil) — accessed 2026-05-11.
Jurisdiction. Art. 3 applies the law to any processing operation by a natural or legal person of public or private law, regardless of the means used, the country where the controller is headquartered or the country where the data is located, provided that the processing is carried out in Brazilian territory, has the purpose of offering or supplying goods or services to individuals located in Brazil or of processing their data, or concerns personal data collected in Brazilian territory (Art. 3 §1 treats data as collected in Brazil when the data subject is located there at the time of collection). In force since September 2020; the administrative sanctions in Arts. 52 to 54 have been enforceable since 1 August 2021.
Personal data definition. Art. 5(I) defines dado pessoal as "informação relacionada a pessoa natural identificada ou identificável" — information related to an identified or identifiable natural person. The structure parallels the GDPR's Art. 4(1) definition closely; in practice, what is personal data under GDPR is generally personal data under LGPD.
Special / sensitive categories. Art. 5(II) defines dado pessoal sensível — sensitive personal data — as personal data concerning racial or ethnic origin, religious conviction, political opinion, trade-union or religious / philosophical / political organisation membership, data referring to health or sex life, and genetic or biometric data when linked to a natural person. Art. 11 sets stricter rules for processing sensitive personal data, requiring specific and highlighted consent by default or a narrow list of indispensable-purpose exceptions.
Key requirements relevant to mobile analytics. LGPD is structurally a GDPR-style law. Art. 7 establishes the lawful bases for processing (consent, legal or regulatory obligation, execution of public policies by the public administration, research, contract performance, exercise of rights in proceedings, protection of life or physical safety, health protection, legitimate interest, credit protection); Art. 18 grants data-subject rights (confirmation of processing, access, correction, anonymisation, blocking, deletion, portability, information about sharing, revocation of consent); and the law places obligations on controllers (controladores) and operators (operadores), the processors in GDPR terms. The Autoridade Nacional de Proteção de Dados (ANPD) is the Brazilian supervisory authority.
⚑Where mobile analytics typically creates exposure for fitness & wellness apps
Because LGPD's personal-data definition mirrors GDPR's, the same analytics-SDK concerns apply: persistent identifiers (advertising IDs, device IDs, install IDs), IP addresses, and any free-form event parameter capable of being linked to a Brazilian user fall within scope. An SDK runs on the device, but the events it emits are sent to the vendor's backend; when that backend is hosted outside Brazil, for example in the United States, the flow is an international data transfer under Arts. 33 to 36 of LGPD and must fit one of the permitted cases in Art. 33.
Fitness apps process step counts, heart-rate readings, sleep stages, weight, BMI, workout types, calorie intake, and frequently the user's age, sex, and menstrual phase. Many integrate with HealthKit (iOS) or Health Connect (Android), which gate on-device access behind per-data-type permission prompts; nothing in that permission model technically prevents a value, once read, from being attached to an analytics event and sent off the device.
Although consumer fitness apps are typically not HIPAA covered entities, the same data is special category personal data under GDPR Art. 9 (data concerning health), sensitive personal information under CPRA, and, where the app is used by under-18s, subject to the additional rules LGPD Art. 14 sets for the personal data of children and adolescents.
▸What Respectlytics's design does (technical facts)
Respectlytics is designed for the product-analytics layer, not the data store. Step counts, heart-rate values, and sleep stages stay in HealthKit / Health Connect, where they have their own privacy model. Respectlytics records whether a feature was used (run_logged, sleep_session_synced) — without the values the user just generated.
Reduces the surface. Removing the place where the categories covered by LGPD could be collected in the first place narrows what an LGPD review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
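The free-form event parameters called out above and the record-the-feature-not-the-value design described in this section come down to one mechanism: an allowlist at the point where the app hands an event to the analytics layer. The block below is an added illustration of that mechanism written for this page; it is not Respectlytics's code or API, and the event names, parameter sets and identifier-key pattern are assumptions chosen for the example. Each event may carry only parameters the schema names, each parameter only an enumerated string, so there is no field in which a step count, heart rate, weight or cycle day could travel, and any key that looks like an identifier or address rejects the whole event rather than being trimmed out.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Mapping, Set

# Hypothetical event schema for this example (not Respectlytics's): each
# event names the parameters it may carry and the closed set of values each
# parameter may take. There is deliberately no slot for a measured value.
EVENT_SCHEMA: Dict[str, Dict[str, Set[str]]] = {
    "run_logged": {"source": {"manual", "watch", "import"}},
    "sleep_session_synced": {"source": {"healthkit", "health_connect"}},
    "screen_viewed": {"screen": {"home", "history", "settings"}},
}

# Parameter names that usually carry an identifier or a network address.
# This list is an assumption for the example; a real deployment would tune it.
_IDENTIFYING_KEY = re.compile(
    r"(?:^|_)(?:id|uid|uuid|email|ip|idfa|gaid|imei|mac|phone|name|dob|birth)(?:_|$)",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    """Result of gating one event: accepted, or rejected with reasons."""
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def gate_event(name: str, params: Mapping[str, Any]) -> Verdict:
    """Fail closed: an unknown event, unknown key, identifying key, non-string
    value or non-enumerated value rejects the whole event instead of dropping
    the offending field, so a caller bug cannot leak a partial record."""
    schema = EVENT_SCHEMA.get(name)
    if schema is None:
        return Verdict(False, [f"unknown event {name!r}"])
    reasons: List[str] = []
    for key, value in params.items():
        if _IDENTIFYING_KEY.search(key):
            reasons.append(f"identifying key {key!r}")
        elif key not in schema:
            reasons.append(f"key {key!r} not in schema for {name!r}")
        elif not isinstance(value, str):
            reasons.append(f"{key!r} must be an enumerated string, got {type(value).__name__}")
        elif value not in schema[key]:
            reasons.append(f"value {value!r} not allowed for {key!r}")
    return Verdict(not reasons, reasons)


# Constructed sample events, as a fitness app might emit them.
SAMPLE_EVENTS = [
    ("run_logged", {"source": "watch"}),                                   # feature usage only
    ("run_logged", {"source": "watch", "distance_km": 5.2}),               # raw measurement
    ("sleep_session_synced", {"source": "healthkit", "user_id": "u-42"}),  # persistent identifier
    ("screen_viewed", {"screen": "settings", "ip": "203.0.113.9"}),        # IP address
    ("weight_entered", {"kg": 71}),                                        # event not in schema
    ("screen_viewed", {"screen": "My diary, cycle day 12"}),               # free-form string
]


def gate_all(events=SAMPLE_EVENTS) -> List[Verdict]:
    """Gate every sample event; only the first one should pass."""
    return [gate_event(name, params) for name, params in events]


if __name__ == "__main__":
    for (name, _), verdict in zip(SAMPLE_EVENTS, gate_all()):
        print(("ACCEPT " if verdict.accepted else "REJECT ") + name, verdict.reasons)
```

The rejection reasons are meant for developer builds: surfacing them in a debug log during QA is how a team finds the call site that tried to attach a heart-rate value before the build ships, without the reasons themselves ever leaving the device.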
❓Frequently asked questions
How does LGPD relate to GDPR?
LGPD was modelled on GDPR and shares much of its structure: a similar definition of personal data, similar lawful bases for processing, similar data-subject rights. The two are not identical (different supervisory authorities, different penalties, different territorial-scope language), but the data-minimisation patterns that work under GDPR are generally a useful starting point when assessing LGPD.
Does LGPD apply if our app is hosted outside Brazil?
Art. 3 makes LGPD applicable based on where the processing happens, where it targets goods or services, or where the data subject is located at collection — regardless of where the controller is established. Hosting outside Brazil does not by itself avoid LGPD; offering an app to Brazilian users typically brings the processing into scope.
Does using Respectlytics by itself resolve LGPD obligations for our fitness & wellness app?
No — and no analytics SDK can credibly answer that question. Whether your product meets LGPD's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies LGPD for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.