Privacy Policy

1. Data We Collect

ZS Advogados Associados may collect the following personal data depending on how you interact with our website and services:

• Identification data: full name, tax ID (CPF), national ID (RG), nationality, marital status, and date of birth.
• Contact data: email address, phone number, residential or business address.
• Browsing data: IP address, browser type, pages visited, time on site, and cookies.
• Voluntarily provided data: information submitted through contact forms, legal consultations, or registration.

2. Purpose of Processing

Personal data collected is used exclusively for the following purposes:

• Provision of legal services and legal advisory;
• Responding to inquiries, questions, and consultations received through our contact channels;
• Compliance with legal and regulatory obligations;
• Sending relevant communications about our services, when authorized by the data subject;
• Improving website experience and analyzing usage metrics;
• Protecting the rights and legitimate interests of the firm and its clients.

3. Legal Basis Under the LGPD

The processing of personal data by ZS Advogados Associados is grounded in the following legal bases under Brazil's General Data Protection Law (Lei Geral de Protecao de Dados — Law No. 13,709/2018):

• Art. 7, I — Consent: when the user voluntarily provides data through forms or contact requests.
• Art. 7, II — Legal or regulatory obligation: to comply with legal requirements applicable to the practice of law.
• Art. 7, V — Performance of a contract: when necessary for the provision of contracted legal services.
• Art. 7, VI — Regular exercise of rights: for participation in judicial, administrative, or arbitration proceedings.
• Art. 7, IX — Legitimate interest: for security, fraud prevention, and service improvement purposes.

4. Data Sharing

ZS Advogados Associados does not sell personal data. Data may only be shared under the following circumstances:

• With courts, public prosecutors, or administrative authorities, when required by law or court order;
• With service providers essential to the operation of the website (hosting, data analytics), always under confidentiality obligations;
• With third parties involved in the provision of legal services, with the data subject's consent or legal basis.

5. Data Security

We adopt appropriate technical and administrative measures to protect personal data against unauthorized access, accidental or unlawful destruction, loss, alteration, or disclosure. These measures include:

• Data encryption in transit (HTTPS/TLS);
• Restricted access controls for personal data;
• Internal confidentiality and professional secrecy policies;
• Continuous monitoring of technology infrastructure.

6. Your Rights as a Data Subject

Under Article 18 of the LGPD, you have the right to:

• Confirm whether your data is being processed;
• Access your personal data;
• Correct incomplete, inaccurate, or outdated data;
• Request anonymization, blocking, or deletion of unnecessary or excessive data;
• Request data portability to another service provider;
• Request deletion of personal data processed with your consent;
• Obtain information about third parties with whom your data has been shared;
• Revoke your consent at any time.

To exercise any of these rights, please contact us using the information below.

7. International Data Transfers

Some processing operators we rely on (cloud hosting, analytics, communication tools) are located outside Brazil. When your personal data is transferred to a country outside Brazil, we rely on the bases set out in Articles 33 to 36 of the LGPD, including the standard contractual clauses approved by the Brazilian National Data Protection Authority (ANPD) under Resolução CD/ANPD nº 19/2024, and, where applicable, the EU-US Data Privacy Framework for transfers to certified US-based recipients.

We document each international transfer, identify the lawful basis, and require confidentiality and data-protection commitments from every operator that processes personal data on our behalf.

8. Cookies, Analytics & Google Consent Mode v2

We use Google Tag Manager and Google Analytics 4 to understand site usage. We implement Google Consent Mode v2: on first visit, all four signals — analytics_storage, ad_storage, ad_user_data, and ad_personalization — are set to "denied" by default. Tracking only loads after you accept the cookie banner, and you can reject all non-essential cookies on the same banner with equal visual weight.

• GA4 user-data retention: 14 months from the user's last visit, after which event-level and user-level data is automatically deleted by Google.
• User Deletion API: on a verified data-subject request, we initiate deletion via the Google Analytics User Deletion API; the request propagates to Google's systems within standard timelines.
• IP anonymization: GA4 does not log full IP addresses; geolocation derives from a truncated IP and an edge-set country bucket cookie (zs_geo) that does not identify you individually.
• No cross-site advertising tracking until consent is granted.

9. Data Security Incidents

In the event of a security incident that may pose risk or relevant harm to data subjects, we notify the Brazilian National Data Protection Authority (ANPD) and the affected data subjects in accordance with Article 48 of the LGPD, within the deadline established by the ANPD's regulatory acts on incident notification. Our incident-response runbook covers detection, internal escalation, ANPD notification drafting, and post-incident remediation.

10. Data Protection Officer & Contact

To exercise any of the data-subject rights listed in Section 6, request information about international transfers under Section 7, or report a security incident, please contact our Data Protection Officer (encarregado) appointed under Article 41 of the LGPD:

This policy may be updated periodically. The most current version is always available on this page. Last updated: 30 April 2026.