LGPD-Compliant Scheduling in Brazil

Brazilian businesses and any business with Brazilian clients must comply with the Lei Geral de Proteção de Dados Pessoais (LGPD). Schedly provides the consent capture, transparency, and data rights tools required to maintain LGPD-compliant appointment scheduling.

Regulation: Lei Geral de Proteção de Dados Pessoais (LGPD), Lei nº 13.709/2018

What the Regulation Requires

Requirements of the Lei Geral de Proteção de Dados Pessoais (LGPD), Lei nº 13.709/2018, that apply to scheduling

01. Lawful basis for processing

LGPD requires a lawful basis for processing personal data. For appointment scheduling, the performance of a contract (scheduling the appointment as requested by the data subject) typically provides the lawful basis under LGPD Article 7.

02. Transparency and information rights

Data subjects must be informed about how their personal data is processed. Schedly allows you to link your privacy policy in booking pages and intake forms, fulfilling the transparency requirement.

03. Data subject rights

Brazilian data subjects have rights to confirm data processing, access their data, correct inaccuracies, and request deletion. Schedly's admin tools support fulfilling these requests.

04. Data Processing Agreement with operators

LGPD requires that controllers (businesses) establish agreements with operators (processors) that handle personal data on their behalf. Schedly provides a Data Processing Agreement for LGPD compliance.

How Schedly Keeps You Compliant

Compliance built into every plan

These features ship on every Schedly account — not locked behind expensive enterprise tiers.

LGPD-compliant Data Processing Agreement

Schedly provides a Data Processing Agreement covering the terms required by LGPD for the controller-operator relationship, available to all Brazilian business customers.

Consent capture at booking

Add LGPD-compliant consent checkboxes to booking intake forms with clear descriptions of data use. Consent records are stored with booking records for audit purposes.

Privacy policy link integration

Add your privacy notice link to booking pages, ensuring data subjects can access your LGPD privacy disclosure before providing personal information.

Data deletion tools for subject requests

Delete all personal data associated with any individual data subject from the Schedly admin panel — fulfilling LGPD deletion requests within the required timeframes.

Security Architecture

Built security-first, from the infrastructure up

Every layer of the Schedly stack is designed for regulated industries.

AES-256 Encryption

All booking data, intake forms, and client PHI are encrypted at rest and in transit using AES-256.

SOC 2 Type II Certified

Annual third-party audits verify our infrastructure controls. Certificate available on request.

Audit Logs & Access Controls

Every data access is logged. Role-based permissions ensure only authorized staff see protected records.

Isolated Data Infrastructure

Client data is siloed per account. Multi-tenant architecture is designed so data never commingles.

Automated Data Retention

Configure data retention windows that match your compliance policy. Deletions are permanent and auditable.

BAA Available on Pro+

Business Associate Agreements are available on Professional and Enterprise plans with one-click execution.

BAA Available

Business Associate Agreement ready to sign

For practices and businesses that require a signed BAA, Schedly offers a standard BAA on Professional and Enterprise plans — executable directly in your dashboard with no legal back-and-forth.

  • Executed in your Schedly dashboard in minutes
  • No attorney required — pre-approved standard language
  • Covers all PHI processed by Schedly on your behalf
  • Renewed automatically with your subscription
Deep Dive

LGPD and Business Scheduling: A Compliance Guide for Brazilian Service Businesses

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), which came into force in 2020, established a comprehensive personal data protection framework that broadly mirrors GDPR in structure while reflecting Brazilian legal traditions. For Brazilian service businesses that schedule client appointments electronically, LGPD creates specific compliance requirements: a lawful basis must exist for collecting client information, data subjects must be informed about how their data is used, and businesses must be able to respond to individual rights requests. The ANPD (Autoridade Nacional de Proteção de Dados), Brazil's data protection authority, has issued guidance and begun enforcement actions that signal the seriousness of LGPD compliance requirements.

Understanding the Controller-Operator Relationship Under LGPD

LGPD uses the terms 'controlador' (controller — the business that determines the purpose and means of data processing) and 'operador' (operator — the vendor that processes data on behalf of the controller). When a Brazilian business uses scheduling software, the business is the controller and the scheduling software provider is the operator. LGPD requires that this relationship be formalized through a data processing agreement that establishes the scope of processing, security requirements, and data subject rights procedures. Scheduling software providers that serve Brazilian businesses should provide LGPD-compliant data processing agreements — a basic compliance requirement that should be verified before deploying any scheduling tool for Brazilian client data.

Practical LGPD Implementation for Brazilian Scheduling Workflows

Brazilian service businesses implementing LGPD-compliant scheduling workflows should focus on three practical areas. First, documentation: execute a DPA with your scheduling software provider and document your lawful bases for processing appointment data. Second, transparency: ensure your booking pages include links to your privacy notice (Aviso de Privacidade) so data subjects can access your LGPD disclosure before providing information. Third, rights fulfillment: test your ability to locate and export all data associated with a specific individual, and your ability to permanently delete individual records on request. These three elements — documentation, transparency, and rights fulfillment capability — form the foundation of a defensible LGPD compliance program for appointment scheduling.
