LGPD — Data Protection
Detailed technical page on TaxUp's compliance program for the LGPD (Lei Geral de Proteção de Dados), Brazil's GDPR equivalent (Law 13.709/2018).
1. TaxUp's commitment to the LGPD
Taxup Consultoria Ltda. maintains a structured compliance program for the LGPD (Law 13.709/2018) — Brazil's General Data Protection Law, the local equivalent of the European GDPR — with particular focus on the processing of tax data, one of the most sensitive categories from a regulatory standpoint.
The program covers internal policies, technical and administrative controls, ongoing staff training and a formal incident-response plan.
2. Data Protection Officer (DPO)
In accordance with Article 41 of the LGPD, TaxUp has appointed a Data Protection Officer (DPO).
Dedicated DPO channel:
- Email: contato@taxup.com.br (subject: "DPO — data protection")
- Postal address: Taxup Consultoria Ltda. — Rua Sader Macul, 96, Itaim Bibi, São Paulo/SP, 04542-090, Brazil
The DPO acts as the point of contact between TaxUp, data subjects and the Brazilian National Data Protection Authority (ANPD).
3. LGPD principles applied to processing
The processing of personal data by TaxUp observes the principles of Article 6 of the LGPD:
- Purpose — use restricted to the stated purpose;
- Suitability — compatibility between processing and purpose;
- Necessity — limitation to the minimum necessary;
- Free access — the data subject has the right to know what is processed;
- Data quality — accuracy, clarity, currency;
- Transparency — clear and accessible information;
- Security — technical and administrative measures;
- Prevention — adoption of measures to prevent harm;
- Non-discrimination — prohibition of processing for unlawful or abusive purposes;
- Accountability — demonstration of compliance with the rules.
4. Special attention to tax data
By its nature, tax data frequently includes personal data:
- Customer tax IDs (CPF) on electronic invoices (NF-e) and tax documents;
- Employee payroll data (address, salary, dependents);
- Bank details of customers and suppliers;
- Data of individual service providers subject to social-security and income-tax withholding.
TaxUp's processing of this data is grounded in compliance with a legal or regulatory obligation (Art. 7, II) and performance of a contract (Art. 7, V) — legal bases provided for by the LGPD.
Mandatory retention observes the 5-year tax statute of limitations (Art. 168 of the Brazilian Tax Code, CTN) and specific terms where applicable.
5. Security measures in place
Technical measures
- Encryption in transit (TLS/HTTPS) and at rest for sensitive data;
- Role-based access controls and segregation of duties;
- Two-factor authentication on critical systems;
- Periodic backups in a segregated environment;
- Log monitoring and anomaly detection;
- Regular software updates and security patches.
Administrative measures
- Internal data-protection policy;
- Periodic staff training and awareness;
- Confidentiality terms with employees and suppliers;
- Data processing agreements (DPAs) with processors;
- Periodic auditing of access and logs.
6. Incident-response plan
TaxUp maintains a formal plan to respond to security incidents involving personal data, with the following stages:
- Immediate detection and containment of the incident;
- Technical and legal assessment of its extent and the risk to data subjects;
- Notification to the ANPD within a reasonable period, as set by ANPD regulation, where applicable;
- Communication to affected data subjects where the risk is material;
- Full documentation of the incident, the measures taken and lessons learned;
- Review and strengthening of controls to prevent recurrence.
7. How to exercise your rights
The data-subject rights provided for in Article 18 of the LGPD are exercised through the dedicated DPO channel (contato@taxup.com.br, subject "DPO — data-subject request").
We respond to requests within 15 business days, except in cases that require a justified extension under ANPD regulation.
For details on the available rights and the response process, see the Privacy Policy.
8. Contacting the ANPD
If you believe your rights have not been adequately addressed by TaxUp, you may also turn to the Brazilian National Data Protection Authority (ANPD):
- Website: gov.br/anpd
- Reporting channel: Fala.BR