Data protection & LGPD
Privacy and information security are part of the product, not an afterthought. This page summarizes, in plain language, how ImobGo handles personal data in compliance with Brazilian Law 13.709/2018 (LGPD). Preliminary version.
1. Our commitment
Agents trust ImobGo with sensitive data — their own and that of every client, lead, and owner. We treat it with the same rigor we apply to money in the wallet: least-privilege access, a record of who accessed what, and nothing shared without a legal basis. Privacy by default and by design.
2. Roles: controller and processor
For each agent's or brokerage's data, CodeBloodedCorp typically acts as the processor — handling data for the purpose you, the controller of your clients' data, define. For your own account data (sign-up, billing, platform usage), we act as the controller. Exact roles are detailed in the data processing agreement (DPA) provided at signup.
3. Multi-tenant isolation
Each agent and organization operates in a logically isolated workspace. No data leaks between agents: queries are always filtered by tenant at the application and database level. This isolation is the first line of defense for your clients' privacy.
4. Information security
We apply encryption in transit (TLS) and at rest, role-based access control (RBAC), the principle of least privilege, strong authentication for admin access, and audit logging of sensitive operations. Infrastructure runs on a market-standard cloud provider (AWS) with daily backups and point-in-time recovery (PITR).
5. Purpose and minimization
We collect only the data needed to operate the platform and deliver the contracted service: managing properties, leads, proposals, inspections, co-broking, and the wallet. We do not use your clients' data for advertising, nor do we sell it to third parties.
6. Data-subject rights
Every data subject has the right to: confirmation of and access to their data; correction of incomplete or outdated data; anonymization, blocking, or deletion of unnecessary or non-compliant data; portability; information about sharing; and consent revocation. Requests about an agent's client data are routed to the agent (controller); requests about your account we handle directly.
7. Subprocessors
To operate, we use a lean set of subprocessors (hosting, transactional email, payment processing). All are contractually bound to security and privacy standards compatible with LGPD. An up-to-date list is available upon request.
8. Security incidents
In the event of an incident that may pose relevant risk or harm to data subjects, we notify affected controllers and, where applicable, the Brazilian Data Protection Authority (ANPD), within the timeframes and manner required by LGPD.
9. Retention and deletion
We retain data for the duration of the contractual relationship and for the period needed to meet legal obligations. Once an account is closed, data is deleted or anonymized within a defined timeframe, except where retention is legally required.
10. Data Protection Officer (DPO) and contact
Data Protection Officer: CodeBloodedCorp. To exercise rights, ask questions, or report a privacy concern, write to [email protected]. We respond within 15 business days.
Last updated: 05/06/2026