LGPD Compliance for Integrators
Quick Reference
What is LGPD
The Lei Geral de Proteção de Dados (Law No. 13,709/2018) is Brazil's comprehensive data protection law, effective since September 2020. It governs how personal data is collected, processed, stored, and shared — including payment data.
LGPD is enforced by the ANPD (Autoridade Nacional de Proteção de Dados) and applies to any organization processing personal data of individuals in Brazil, regardless of where the organization is based.
Data A55 Processes
| Data Category | Examples | Storage |
|---|---|---|
| Cardholder name | As provided in payer.name | Field-level Fernet encryption in PostgreSQL |
| Card number (PAN) | 4111 1111 1111 1111 | Encrypted at field level (Fernet AES-128-CBC) — stored in PostgreSQL, never in plaintext |
| Card expiration | Month/year | Field-level Fernet encryption in PostgreSQL |
| CVV | 3-digit code | Never stored — used only during authorization |
| CPF/CNPJ | payer.document | Encrypted at rest |
| Email | payer.email | Encrypted at rest |
| IP address | Collected for anti-fraud | Retained per anti-fraud policy |
| Transaction data | Amount, status, timestamps | Retained per regulatory requirements |
CVV handling
A55 never stores CVV. It is passed in memory to the acquirer during authorization and immediately discarded. Never store CVV on your side either; doing so is a security risk.
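The storage rules from the table above, shown as code. This is an added example, not A55's implementation: it assumes the `cryptography` package (which provides Fernet), and the helper names and the card payload are invented for illustration. `build_storage_record` encrypts each sensitive field as its own Fernet token and keeps only a masked PAN for display; the CVV in the incoming payload is never copied into the stored record. `persistence_violations` is the check an integrator can run over any record or log line before it is written: it flags a CVV key or a Luhn-valid 13 to 19 digit run, so neither a CVV nor a plaintext PAN ends up in a database or log.

```python
import re
from typing import Any

from cryptography.fernet import Fernet, InvalidToken  # assumption: package installed

# Fields that are encrypted per field before they reach the database.
ENCRYPTED_FIELDS = ("number", "expiry", "holder_name")
# Fields that must never be written anywhere.
FORBIDDEN_FIELDS = ("cvv",)
# A run of 13-19 digits, optionally separated by spaces or hyphens.
_PAN_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for receipts and support screens."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def build_storage_record(card: dict, cipher: Fernet) -> dict:
    """Build the only dict that may be persisted. The CVV key is simply never read."""
    record = {"pan_masked": mask_pan(card["number"])}
    for name in ENCRYPTED_FIELDS:
        token = cipher.encrypt(card[name].encode("utf-8"))  # one Fernet token per field
        record[f"{name}_enc"] = token.decode("ascii")
    return record


def decrypt_field(record: dict, name: str, cipher: Fernet) -> str:
    """Decrypt one field; a tampered token or a wrong key fails the Fernet HMAC check."""
    try:
        return cipher.decrypt(record[f"{name}_enc"].encode("ascii")).decode("utf-8")
    except InvalidToken:
        raise ValueError(f"{name}_enc is corrupt or was encrypted with another key") from None


def persistence_violations(obj: Any, path: str = "$") -> list:
    """Walk a record or log payload and list what must not be there:
    a forbidden field (CVV) or a Luhn-valid digit run (a plaintext PAN)."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in FORBIDDEN_FIELDS:
                found.append(f"{path}.{key}: forbidden field")
            found.extend(persistence_violations(value, f"{path}.{key}"))
    elif isinstance(obj, (list, tuple)):
        for i, value in enumerate(obj):
            found.extend(persistence_violations(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for match in _PAN_RUN.finditer(obj):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                found.append(f"{path}: plaintext PAN ending {digits[-4:]}")
    return found


if __name__ == "__main__":
    cipher = Fernet(Fernet.generate_key())  # in production the key comes from a KMS/secret store
    # Constructed sample payload; 4111... is the standard test PAN from the table above.
    card = {"number": "4111 1111 1111 1111", "expiry": "12/30",
            "holder_name": "Ana Silva", "cvv": "123"}
    record = build_storage_record(card, cipher)
    print("stored keys:", sorted(record))
    print("violations in stored record:", persistence_violations(record))
    print("violations in raw payload:", persistence_violations(card))
```

Run `persistence_violations` on the raw payload and it reports both the `cvv` key and the plaintext PAN; on the built record it reports nothing. The same function is a cheap guard in a logging filter, since log lines are where PANs most often leak.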
Legal Basis for Processing
A55 processes personal data under these LGPD legal bases:
| Legal Basis | LGPD Article | Applies To |
|---|---|---|
| Contract execution | Art. 7, V | Processing payments as part of a purchase contract between merchant and buyer |
| Legal obligation | Art. 7, II | Retaining transaction records as required by BACEN and tax regulations |
| Legitimate interest | Art. 7, IX | Anti-fraud analysis and transaction monitoring |
| Consent | Art. 7, I | Marketing communications (if applicable) |
Merchant Responsibilities
As a merchant integrating with A55, you are a data controller for the personal data you collect. A55 acts as a data processor for payment operations.
You must:
- Collect valid consent — Inform users what data you collect and why before they pay
- Maintain a privacy policy — Your policy must disclose that payment data is processed by a third party (A55)
- Appoint a DPO — Designate an Encarregado and publish their contact information
- Maintain a data processing record — Document what personal data you process, why, and for how long
- Report incidents — Notify ANPD and affected individuals in case of a data breach
- Honor data subject rights — Respond to access, correction, and deletion requests within 15 days
Privacy policy checklist:
- Discloses which personal data is collected during checkout
- Names A55 as a payment processor (data processor)
- States the legal basis for processing (contract execution)
- Describes data retention periods
- Provides contact for data subject rights requests
- Lists data subject rights under LGPD
Data Subject Rights
LGPD grants individuals these rights regarding their personal data:
| Right | LGPD Article | Your Obligation |
|---|---|---|
| Access | Art. 18, II | Provide a copy of all personal data you hold |
| Correction | Art. 18, III | Fix inaccurate personal data |
| Anonymization/blocking/deletion | Art. 18, IV | Delete data that is no longer necessary |
| Portability | Art. 18, V | Transfer data to another service provider |
| Information on sharing | Art. 18, VII | Disclose which third parties received the data |
| Revocation of consent | Art. 18, IX | Stop processing data based on consent |
Deletion limitations
Some payment data cannot be deleted due to regulatory requirements. Transaction records must be retained for at least 5 years per BACEN regulations. Inform data subjects of this limitation when processing deletion requests.
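One way to process a deletion request while honoring the retention rule above, as an added example that is not A55's code. Transactions older than the 5-year BACEN minimum have their identifying fields anonymized while the financial facts (amount, status, date) are kept; newer transactions are blocked (excluded from ordinary processing) and scheduled for purge when the hold ends; the outcome lists both so the data subject can be told what was retained and until when, and the response deadline is the 15-day window stated on this page. The record shape, the field names, the "blocked" flag and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass, field, replace as dc_replace
from datetime import date, timedelta

TRANSACTION_RETENTION_YEARS = 5   # BACEN minimum, as stated on this page
RESPONSE_DEADLINE_DAYS = 15       # response window, as stated on this page
# Identifying fields that are erased once the regulatory hold has lapsed.
PII_FIELDS = ("name", "email", "document", "ip_address")
ANONYMIZED = "[removed]"


@dataclass
class Transaction:                 # assumed record shape
    tx_id: str
    settled_on: date
    amount_cents: int
    status: str
    name: str
    email: str
    document: str                  # CPF/CNPJ, used to match the request to records
    ip_address: str
    blocked: bool = False          # kept only for the regulatory hold, not for business use


def retention_ends(settled_on: date) -> date:
    """First day on which the 5-year hold no longer applies to a transaction."""
    year = settled_on.year + TRANSACTION_RETENTION_YEARS
    try:
        return settled_on.replace(year=year)
    except ValueError:             # settled on Feb 29 and the target year is not a leap year
        return date(year, 3, 1)


@dataclass
class DeletionOutcome:
    request_date: date
    respond_by: date
    anonymized: list = field(default_factory=list)   # tx ids whose PII was removed
    retained: dict = field(default_factory=dict)     # tx id -> date the hold ends

    def subject_notice(self) -> str:
        """Text for the reply to the data subject, including the retention limitation."""
        lines = [f"Request received {self.request_date.isoformat()}; "
                 f"response due by {self.respond_by.isoformat()}."]
        if self.anonymized:
            lines.append("Personal data removed from transactions: " + ", ".join(self.anonymized))
        for tx_id, ends in sorted(self.retained.items()):
            lines.append(f"Transaction {tx_id} is retained until {ends.isoformat()} "
                         "under BACEN record-keeping rules and is blocked from other use.")
        return "\n".join(lines)


def process_deletion_request(transactions, subject_document: str, today: date):
    """Apply the request to every transaction belonging to the subject.
    Returns the updated records and an outcome describing what was done."""
    outcome = DeletionOutcome(today, today + timedelta(days=RESPONSE_DEADLINE_DAYS))
    updated = []
    for tx in transactions:
        if tx.document != subject_document:
            updated.append(tx)
            continue
        ends = retention_ends(tx.settled_on)
        if today >= ends:
            tx = dc_replace(tx, **{f: ANONYMIZED for f in PII_FIELDS})
            outcome.anonymized.append(tx.tx_id)
        else:
            tx = dc_replace(tx, blocked=True)
            outcome.retained[tx.tx_id] = ends
        updated.append(tx)
    return updated, outcome


if __name__ == "__main__":
    # Constructed sample data: documentation IP ranges and a made-up CPF-format string.
    sample = [
        Transaction("t1", date(2019, 3, 10), 12000, "approved", "Ana Silva",
                    "ana@example.com", "123.456.789-09", "203.0.113.5"),
        Transaction("t2", date(2024, 2, 29), 8000, "approved", "Ana Silva",
                    "ana@example.com", "123.456.789-09", "203.0.113.5"),
        Transaction("t3", date(2020, 1, 1), 500, "refunded", "Bruno Costa",
                    "bruno@example.com", "987.654.321-00", "198.51.100.7"),
    ]
    _, result = process_deletion_request(sample, "123.456.789-09", date(2025, 6, 1))
    print(result.subject_notice())
```

The split into "anonymized" and "retained until" is what makes the reply to the data subject honest: it states the limitation instead of silently keeping the records, and the purge date gives the team a concrete follow-up to schedule.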
Data Retention Periods
| Data Type | Retention | Reason |
|---|---|---|
| PAN / expiry / cardholder name (encrypted) | Merchant active + 12 months | Regulatory minimum storage |
| Transaction logs | 365 days | Operational and regulatory compliance |
| CVV | 0 seconds — never stored | Security best practice — never stored post-authorization |
| Anti-fraud data (IP, device) | Per anti-fraud policy | Fraud investigation window |
| Audit logs | 12+ months | Security and compliance |
| Backups | 7 days | Azure-managed retention |
ANPD Notification
In case of a security incident affecting personal data:
- Notify ANPD within a reasonable timeframe (LGPD does not specify exact hours, but ANPD recommends 2 business days)
- Notify affected data subjects if the incident poses risk to their rights
- Document the incident — nature, affected data, measures taken, and remediation plan
A55 will notify you if an incident on our side affects your customers' data, as required by our Data Processing Agreement.
Best Practices
- Collect only what you need — Do not request additional personal data beyond what is required for the transaction
- Use A55's tokenization — Never store raw card numbers; use tokens returned by A55
- Encrypt data at rest — All personal data stored on your side must be encrypted
- Implement access controls — Limit who in your organization can access personal data
- Document everything — Maintain records of processing activities, consent, and data subject requests
- Regular audits — Review your data processing practices quarterly
- Train your team — Ensure staff handling personal data understand LGPD obligations