Last updated: 2026-05-16
Brazil — LGPD Privacy Notice
This page is the Brazilian-specific privacy notice Gila publishes for Brazilian data subjects (titulares) under the Lei Geral de Proteção de Dados Pessoais (LGPD), Federal Law No. 13.709 of 14 August 2018. It supplements — and does not replace — our main Privacy Policy and Health Data Notice. Where this notice and the main Privacy Policy diverge for a Brazilian data subject, this notice controls.
If anything is unclear, email dpo@gila.coach and we will explain it. A Portuguese-language translation will be published at /pt-BR/privacidade before our Brazilian app-store launch; until then, this English master controls.
1. What LGPD adds
The LGPD is Brazil's comprehensive data protection law, modeled in significant part on the GDPR but with distinct features — including ten lawful bases of processing (rather than six), a separate sensitive-data regime (Art. 11), explicit consent rules with the burden of proof on the controller (Art. 8), and a supervisory authority (the Autoridade Nacional de Proteção de Dados — ANPD) with rulemaking, advisory, and enforcement powers.
The LGPD applies to Gila because we offer the Gila service to individuals located in Brazil through the Brazilian App Store and Google Play, and because we collect personal data from Brazilian users (LGPD Art. 3, items I–III). All references below to statutory articles are to Lei nº 13.709/2018 unless stated otherwise.
2. Controller and Data Protection Officer (Encarregado)
Controller (Controlador)
| Field | Value |
|---|---|
| Legal entity | Sezen Soykut, sole-trader (şahıs şirketi) registered in the Republic of Türkiye |
| Trade name | Gila |
| Registered address | Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye |
| General mailbox | hello@gila.coach |
The controller is established outside Brazil. LGPD Art. 3 nonetheless applies because Gila is offered to individuals located in Brazil. We do not currently have a Brazilian establishment.
Data Protection Officer — Encarregado pelo Tratamento de Dados Pessoais (Art. 41)
| Field | Value |
|---|---|
| Encarregado | Sezen Soykut |
| Contact | dpo@gila.coach |
| Disclosure | Published in this notice and in the main Privacy Policy |
The Encarregado is the point of contact for Brazilian data subjects and for the ANPD per Art. 41(2). The Encarregado will (a) receive complaints and communications from data subjects, (b) receive communications from the ANPD, (c) guide Gila's contractors and employees regarding LGPD compliance, and (d) carry out other duties determined by the controller.
3. What we collect and what we use it for
The full categorisation lives in the main Privacy Policy §3 and in the Data Inventory. For Brazilian data subjects, the categories are:
- Personal data (dados pessoais) — Art. 5(I): account email, display name, OAuth subject ID, profile photo URL, push device token, locale and time zone, app version, pseudonymised analytics events
- Sensitive personal data (dados pessoais sensíveis) — Art. 5(II): body weight, GLP-1 medication and dose, injection zone, side effects, mood, food intake (calories, macronutrients), Apple Health / Health Connect synced signals, journal entries, AI-derived health insights, optional habit-evidence photos
All sensitive-data processing is gated by separate explicit consent per Art. 11(I).
4. Lawful bases (Art. 7) and sensitive-data conditions (Art. 11)
| Processing activity | Art. 7 base | Art. 11 condition (if sensitive) |
|---|---|---|
| Account creation and authentication | Art. 7(V) — execution of contract | n/a |
| Health, weight, medication, mood, food, journal tracking | Art. 7(V) — execution of contract for the non-sensitive elements; Art. 7(I) — consent for the sensitive components | Art. 11(I) — specific and highlighted consent |
| AI features (food vision, AI coaching, weekly briefing, activity-goal AI, report narrative) | Art. 7(I) — consent | Art. 11(I) — specific and highlighted consent |
| Apple Health / Health Connect sync | Art. 7(I) — consent (in addition to OS-level permission) | Art. 11(I) — specific and highlighted consent |
| Push notifications | Art. 7(I) — consent | n/a |
| Transactional emails (verification, deletion confirmation, account-state) | Art. 7(V) — execution of contract; Art. 7(II) — legal obligation for deletion confirmation | n/a |
| Marketing emails and newsletter | Art. 7(I) — consent (opt-in only; default flipped to opt-out per our decision log #12) | n/a |
| Product analytics (pseudonymised) | Art. 7(I) — consent for Brazilian users (analytics category in cookie banner default OFF) | n/a |
| Error tracking | Art. 7(IX) — legitimate interest (pseudonymised, scrubbed; documented legitimate-interest assessment) | n/a |
| Bot protection (Cloudflare Turnstile on web forms) | Art. 7(IX) — legitimate interest | n/a |
| Account deletion / data subject right fulfilment | Art. 7(II) — compliance with legal or regulatory obligation (LGPD Art. 18) | n/a |
| Subscription management (when paywall enabled) | Art. 7(V) — execution of contract | n/a |
Consent for sensitive data is collected in a specific and highlighted manner in the in-app LegalConsentGate before any sensitive field is written. The consent receipt is persisted in public.consent_log (decision-log #13) with the policy version, accepted categories, and timestamp — satisfying the burden-of-proof rule in Art. 8(2).
5. International data transfer (Art. 33)
5.1 Where your data goes
Gila's primary database (Supabase, PostgreSQL) is hosted in the United States (us-east-2, Ohio, AWS). Our AI features call Google Gemini in the United States. Push notifications transit Firebase Cloud Messaging in the United States. Email transits Resend in the United States. The full processor list is at /subprocessors.
Every flow of personal data from a Brazilian data subject to a Gila system is, therefore, an international data transfer under LGPD Art. 33.
5.2 Why the transfer is lawful
Art. 33 permits international transfer only on one of the eight bases listed there. The ANPD has not yet issued an adequacy decision (Art. 33(I)) for the United States. Effective from August 2025, the ANPD has approved standard contractual clauses (cláusulas-padrão contratuais) under ANPD Resolution CD/ANPD No. 19/2024.
Pending our adoption of the ANPD-approved standard contractual clauses across all processor agreements (a workstream tracked in the decision log under Phase 5 follow-ups), the lawful basis for international transfer of personal data of Brazilian data subjects is:
- Art. 33(VIII) — specific and highlighted consent of the data subject, provided with prior information about the international character of the transfer.
The consent gate in the app and on the website tells you, before you submit any sensitive data, that:
- Your data will be stored on infrastructure located in the United States
- The United States is not currently subject to a Brazilian adequacy decision
- Our processors are bound by contracts that require them to protect your data and not to re-sell or re-use it
- You can withdraw consent at any time, in which case future processing stops and you may request deletion (see §6)
For our transfer-impact analysis covering the US legal regime, supplementary technical measures (encryption in transit and at rest, RLS, no-training contractual flags on AI providers), and per-importer risk verdict, see our Transfer Impact Assessment. The TIA was authored under the EDPB Recommendations 01/2020 methodology and applies the same logic to the LGPD transfer question.
When we migrate processor agreements to the ANPD-approved standard contractual clauses, this notice will be updated and Art. 33(II)(b) will become the primary transfer basis.
6. Your rights (Art. 18)
Brazilian data subjects have the following rights, exercisable at any time, free of charge:
| Right | LGPD Art. | What it means at Gila |
|---|---|---|
| Confirmation of processing | Art. 18(I) | Confirm whether we process your personal data |
| Access to data | Art. 18(II) | Receive a copy of the personal data we hold about you |
| Correction | Art. 18(III) | Correct incomplete, inaccurate, or out-of-date data |
| Anonymisation, blocking, or deletion of unnecessary, excessive, or non-conformant data | Art. 18(IV) | Have data that is unnecessary, excessive, or processed in non-conformity with the LGPD anonymised, blocked, or deleted |
| Portability | Art. 18(V) | Receive your data in a structured, machine-readable format and transmit it to another controller (subject to ANPD regulation) |
| Deletion of personal data processed with consent | Art. 18(VI) | Have your personal data deleted, subject to retention required by law (Art. 16) |
| Information about shared data | Art. 18(VII) | Receive information about the public and private entities with which we have shared your data |
| Information about consent denial consequences | Art. 18(VIII) | Be informed about the consequences of refusing or withdrawing consent (we provide this at the moment of consent collection) |
| Revocation of consent | Art. 18(IX) and Art. 8(5) | Revoke consent at any time through a free and facilitated procedure |
| Right to review of automated decisions | Art. 20 | Request human review of decisions made solely on the basis of automated processing of personal data that affect your interests |
6.1 Automated decisions (Art. 20)
Gila's AI features are decision-support features under your direct control. The food-vision feature suggests calorie estimates that you can accept, edit, or reject. AI coaching, weekly briefing, activity-goal AI, and habit suggestions produce text and recommendations that you can act on or ignore. These are not automated decisions that produce legal effects or that significantly affect you within the meaning of Art. 20(1). If you nonetheless want a human review of any AI-generated output that affected you, file a request at /dsar and we will respond as set out in §6.3.
6.2 How to exercise these rights
Two channels, both free, both designed to be easy:
- Self-service web form — visit /dsar and select Brazil (LGPD) as your jurisdiction. We will email you a verification link to confirm the request.
- Email — write to dpo@gila.coach stating the right you are exercising and a contact email associated with your Gila account.
Revoking consent is also possible directly in the app: Settings → Privacy → Consents — withdrawal is intended to be as easy to perform as giving was, per Art. 8(5).
6.3 Response window
The LGPD does not set a single fixed response deadline. The ANPD's guidance and the prevailing practice for Brazilian controllers are:
- Confirmation of processing and access (Art. 18(I), (II)): response in simplified format immediately, or in complete format within 15 days from the date of receipt (Art. 19(I), (II))
- All other rights (correction, deletion, portability, revocation, automated-decision review): reasonable period, with 15 days as the prevailing operational target
We will acknowledge within 5 business days and complete within 15 days for most requests. For complex requests, we will tell you in writing within the initial 15-day window why more time is needed and when to expect a response.
7. Children and adolescents (Art. 14)
Article 14 imposes specific safeguards for the processing of children's and adolescents' personal data, with the best interest of the child as the guiding principle. Processing of children's data (under 12 in Brazil per the Estatuto da Criança e do Adolescente / ECA) requires specific and highlighted consent given by at least one of the parents or the legal guardian.
Gila has a 16-and-over self-attested age gate that exceeds the LGPD Art. 14 threshold and the COPPA / GDPR-K equivalent thresholds — see Privacy Policy §11. We do not knowingly serve users under 16. If we learn that we have collected personal data from a person under 16, we will delete it promptly through our standard right-to-delete workflow.
8. ANPD complaint
You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at any time, in addition to (or instead of) filing a request with Gila:
- ANPD website: https://www.gov.br/anpd
- ANPD petition channel: https://www.gov.br/anpd/pt-br/canais_atendimento/peticao-do-titular
- ANPD address: Esplanada dos Ministérios, Bloco "C", 1º andar — Brasília/DF — CEP 70046-900
Filing an ANPD complaint does not require you first to have contacted Gila, although we ask that you give us a chance to resolve the matter directly via the channels in §6.
9. Sanctions and accountability
The ANPD may impose administrative sanctions on a controller for LGPD violations under Art. 52, including:
- Warning, with deadline for corrective measures
- Simple fine of up to 2 % of revenue in Brazil in the preceding year, limited to R$50 million per violation
- Daily fine, subject to the above cap
- Public disclosure of the violation after confirmation
- Blocking or deletion of the personal data related to the violation
- Partial suspension or full prohibition of processing
Gila maintains a documented compliance programme — Records of Processing Activities, Data Inventory, DPIA on health-data and AI processing, TIA on US transfers, and append-only consent receipts in public.consent_log — that demonstrates good faith and proportionality and that can serve as a Relatório de Impacto à Proteção de Dados Pessoais (RIPD) on ANPD request under Art. 38.
10. Security (Art. 46)
We maintain administrative, technical, and physical safeguards proportionate to the nature and volume of personal and sensitive data we process:
- TLS 1.3 for all data in transit
- AES-256 at-rest encryption for the Supabase Postgres database and storage objects
- Row-level security on every Supabase table that holds personal or sensitive data, scoped to the authenticated user
- OAuth state + PKCE for Google / Apple sign-in
- "Do not train" flag set on every Google Gemini API request
- Scrubbing of sensitive fields at the analytics / error-tracking boundary
- Minimisation of push payload content (deliberately non-revealing of health context)
- Sub-processor written contracts with security and confidentiality obligations
- Append-only consent receipts for accountability
If a security incident affecting Brazilian data subjects occurred, we would notify the ANPD and the affected data subjects in a reasonable period (Art. 48), consistent with our Breach Response Playbook.
11. Contact
For any LGPD question or request:
- Email: dpo@gila.coach
- Self-service: /dsar (select Brazil (LGPD))
- ANPD: https://www.gov.br/anpd
- Mailing address: Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye
12. Updates to this notice
We update this notice whenever:
- The LGPD or ANPD resolutions change in a way that affects our practices
- Our processing of Brazilian personal or sensitive data materially changes
- A material processor change occurs, including our migration to ANPD-approved standard contractual clauses for international transfers
We will give you at least 30 days' notice before any change that reduces your LGPD protections takes effect, by email (if you have an account) and by an in-app banner. The effective_date in the frontmatter above is the current version date.