Brazil · LGPDWordPress hosting with LGPD plugin built into the platform.
Consent capture, titular rights portal, ANPD breach workflow, and signed DPA — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. It's how every Yovale site ships to Brazilian visitors, on every plan.
We use cookies to measure traffic and improve the site. You can accept all, customize, or only allow what's strictly necessary. Your consent is free, informed, and revocable.
Six obligations you have to meet.
The Lei Geral de Proteção de Dados Pessoais, in force since September 2020 and enforced by the ANPD since August 2021, gives every Brazilian titular enforceable rights over their personal data. Hosting a WordPress site for Brazilian visitors means meeting these obligations — whether you read the law or not. Fines reach 2% of Brazilian revenue capped at R$50M per violation.
- 01
Free, informed, unambiguous consent
Brazilian titulares must opt in BEFORE you fire analytics, ad pixels, or any non-essential script. Consent must be free, informed, unambiguous, and revocable at any time. Pre-checked boxes and bundled consent don't qualify.
- 02
Titular rights — nine of them
Confirmation of processing, access, correction, anonymization or deletion, portability, information on sharing, information on the consequences of refusing consent, and revocation. You have 15 days to respond to most requests.
- 03
ANPD breach reporting
Notify the Autoridade Nacional de Proteção de Dados of any security incident that may cause relevant risk or damage to titulares. The ANPD expects notice within a reasonable period — typically interpreted as within 2 business days.
- 04
Encarregado (DPO) appointment
Most controllers must appoint an encarregado as the public point of contact between the company, titulares, and the ANPD. Their name and contact information must be published on the site.
- 05
Cross-border transfer restrictions
Sending personal data outside Brazil requires a legal basis — adequacy decision, standard contractual clauses, binding corporate rules, or explicit titular consent. Cloud providers count; you must know where the data lives.
- 06
Lawful basis + DPA
Every processing activity needs one of ten lawful bases (consent, contract, legal obligation, legitimate interest, etc). Signed data processing agreement with every operador, including your host. Maintain a record of processing activities.
Built into the platform. Not a plugin you install.
Yovale ships LGPD compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.
LGPD consent banner
Geo-aware. Brazilian visitors see free, informed, unambiguous opt-in consent before any non-essential script fires. EU visitors see GDPR. US visitors see CCPA. Renders in Portuguese plus 7 more locales. Configurable in the dashboard.
Titular rights portal
/.well-known/privacy on every Yovale site. Brazilian titulares confirm processing, request access, correction, deletion, anonymization, or portability without filing a support ticket. You see every request in the Compliance dashboard tab with a 15-day SLA timer.
Consent audit log
Every consent given, revoked, or modified is logged at the Cloudflare edge worker layer. Tamper-proof, queryable, retained for 5 years (matching LGPD's statute of limitations). Proves to the ANPD that consent was free and informed.
Signed DPA + ANPD-ready records
Pre-signed data processing agreement available in your dashboard. Lists every operador (Cloudflare, Anexia, R2), data flows, security measures, cross-border transfer basis, and ANPD breach notification SLAs. PDF download for your records.
Why infrastructure beats a plugin.
Typical WordPress LGPD plugin
- Adds 200-500ms to every page load (banner JS, cookie scan, DB writes)
- Stores consent records in wp_options — slow, untyped, breaks with object caching
- Updates through wp-admin — you maintain it, you break it, you debug conflicts
- Costs $49-119/year per site (Complianz, CookieBot, plugins claiming LGPD support)
- Breaks when you migrate hosts; consent history lost, ANPD audit trail gone
Yovale's built-in approach
- 0ms latency — consent state computed at the edge worker, cached in the CDN
- Audit log in a dedicated database, queryable, never blocks page render
- Updates ship through the platform — you don't see them, you don't break them
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — consent history is yours to export
14 regulations. One toggle each. All automatic.
- Lawful basis for processing
- Titular rights (nine of them)
- ANPD breach notification
- Encarregado (DPO) appointment
- Cross-border transfer basis
LGPD + Yovale, answered.
Do I need to install an LGPD plugin on top of Yovale?
No. The compliance MU-plugin is part of the hosting, not something you add. Installing a separate LGPD plugin on top of Yovale would create duplicate consent banners, fight over the same wp_options keys, and confuse Brazilian visitors. The platform handles it.
Does this work for sites outside Brazil?
Yes. The compliance system is geo-aware. Brazilian visitors see LGPD opt-in flows with the nine titular rights. EU visitors see GDPR opt-in flows. US visitors see CCPA opt-out flows. India sees DPDPA. The same hosting handles every regulation automatically — no extra config per region.
What if I get a titular request?
Brazilian titulares handle most requests themselves through the privacy portal at /.well-known/privacy on your domain — confirmation of processing, access, correction, deletion, portability, and consent revocation. For requests that require human review, you see them in your dashboard Compliance tab with a 15-day SLA timer aligned to LGPD expectations.
Do I need to appoint an encarregado?
Most controllers do — the ANPD considers it a strong indicator of good faith even when not strictly mandatory. Yovale doesn't act as your encarregado (we're an operador, not a controller), but the dashboard publishes a configurable encarregado contact block on /.well-known/privacy automatically. You provide the name and email; the platform handles the rest.
Is the DPA legally binding under Brazilian law?
Yes. It's a pre-signed agreement that meets LGPD operador requirements. Available as a PDF download in the dashboard. We're listed as the operador (data processor), you're the controlador (controller). It covers cross-border transfers from Brazil to our infrastructure regions (EU and US) with the required legal basis, plus every sub-operador (Cloudflare, Anexia, R2) and the security measures applied.
What about ANPD breach notification?
If a security incident on Yovale infrastructure affects your site, we notify you immediately with the incident details, scope, and remediation timeline — enough to file your own ANPD notification within the expected window. The Compliance dashboard tab shows incident history with timestamps suitable for the ANPD record.
Ship an LGPD-compliant WordPress site in 60 seconds.
Every Yovale site is LGPD-ready from the moment you deploy. No plugin to install. No DPA to chase. No banner to configure. Start the free Growth trial and see your first compliance dashboard.