How Lexato protects your personal data in full compliance with the Brazilian General Data Protection Law.
Last updated: February 2026
Lexato was designed from its inception with privacy as a fundamental principle. All our data processing activities strictly follow Law No. 13,709/2018 (LGPD), ensuring transparency, security, and respect for data subjects' rights.
Unlike competitors that host data abroad, Lexato keeps all its infrastructure on servers in Brazil (AWS São Paulo), ensuring that your personal data remains under Brazilian jurisdiction.
100% of data stored in Brazil
The LGPD guarantees fundamental rights to every personal data subject. Below, each right is accompanied by the corresponding article and an explanation of how to exercise it at Lexato.
Request confirmation that Lexato processes your personal data, including which data is processed and for what purposes.
Obtain a complete copy of your personal data stored by Lexato, in a readable and structured format.
Request correction of incomplete, inaccurate, or outdated data — such as incorrectly registered name, email, or CPF.
Unnecessary, excessive, or non-compliant data under the LGPD may be anonymized, blocked, or deleted.
Transfer of your personal data to another service provider, upon express request, as regulated by the ANPD.
Request deletion of personal data processed based on your consent. Exceptions: legal obligations, exercise of rights in proceedings, and legitimate interest.
Know which public and private entities Lexato shares your data with — including infrastructure providers, payment processors, and blockchain networks.
You have the right to be informed about the possibility of not providing consent and the consequences of such refusal for the use of services.
Consent may be revoked at any time, free of charge and easily. Revocation does not affect processing carried out previously.
Request a review of decisions made solely based on automated processing of personal data that affect your interests.
All data processing at Lexato is based on one of the legal bases provided in Art. 7 of the LGPD. No data is processed without legal grounds.
Used for analytical cookies, marketing, and promotional communications. You may revoke at any time.
Examples at Lexato: Non-essential cookies, newsletter, marketing notifications.
Processing necessary to provide the contracted service — evidence capture, certificate generation, and storage.
Examples at Lexato: Registration data, captured evidence, payment data.
Data maintained to comply with legal and regulatory obligations, such as invoice issuance and accounting records.
Examples at Lexato: CPF for NF-e, audit logs, tax records.
Processing necessary for platform security, fraud prevention, and service improvement, always respecting your rights.
Examples at Lexato: Essential cookies, security logs, fraud prevention.
Simple and transparent process, with guaranteed response within 15 days.
Send an email to dpo@lexato.com.br identifying yourself and describing the right you wish to exercise. Include your full name and email registered on the platform.
For your security, we may request additional information to confirm your identity before processing the request. This prevents third parties from accessing your data.
Your request will be analyzed and responded to within 15 business days, as required by Art. 18, § 5 of the LGPD. In complex cases, the deadline may be extended with justification.
After analysis, the requested action will be executed and you will receive confirmation by email. If the request cannot be fully fulfilled, we will inform you of the legal reasons.
Main data processing operations carried out by Lexato in the context of digital evidence certification. Click to see details.
We detail where your data is processed and the applicable safeguards.
All of Lexato's main infrastructure is hosted on AWS São Paulo region (sa-east-1), ensuring that your personal data remains under Brazilian jurisdiction and in compliance with the LGPD.
Hashes registered on blockchain (Polygon, Arbitrum, and Optimism) are non-personal data — alphanumeric sequences that do not allow identification of the data subject. The decentralized nature implies global replication, but without exposure of personal data.
InfinitePay and Sentry may transfer data to servers in the USA. These transfers are supported by standard contractual clauses (SCCs) and certifications under the EU-US Data Privacy Framework, as per Art. 33 of the LGPD.
Technical and organizational measures implemented to protect your personal data, as required by Art. 46 of the LGPD.
Encryption in transit
TLS 1.3 on all connections
Encryption at rest
AES-256 for stored data
Multi-factor authentication
Mandatory MFA for accounts
Access control
RBAC — minimum necessary access
Audit logs
Recording of all operations
Redundant backups
Geographic redundancy in Brazil
SHA-256 hash
Verifiable evidence integrity
Immutable blockchain
Polygon, Arbitrum, and Optimism
ICP-Brasil timestamp
Temporal stamp with public faith
If you believe that Lexato's processing of your personal data violates the LGPD, you have the right to file a petition with the ANPD (Art. 18, § 1). We recommend contacting us first so we can resolve your issue directly — our DPO responds within 15 days.
Setor Comercial Norte, Quadra 6, Bloco A — Brasília/DF
This page may be updated to reflect changes in our data processing practices or applicable legislation. Significant changes will be communicated by email to registered users with a minimum of 30 days advance notice.
LGPD compliance is not a project with an end date — it is a permanent commitment. Lexato conducts periodic reviews of its data processing practices and maintains ongoing training for its team on data protection.
Questions about LGPD or data protection?
dpo@lexato.com.br