top of page

 Lastro raises $15M Series A to expand its AI, Lais. Learn more.

Privacy Notice

Last updated: February 12, 2026

This Privacy Policy (“Policy”) of Lastro Tecnologia Financeira e Imobiliária Ltda. (“Lastro”) applies to all individuals whose personal data are processed by Lastro (“Data Subjects”) in connection with the use of our website, our Lais platform (“Platform”), or other interactions with us.


As the processing of such data is fundamental to providing our products and services, we recommend that you read this Policy carefully before using them, and we note that our communication channel privacidade@lastro.co is available for questions or for the exercise of your rights.

1. Privacy and Data Protection

Lastro is committed to being transparent regarding the privacy measures adopted to protect your personal data. This Policy contains information about the collection, use, retention, sharing, and disclosure of personal data, as well as other relevant aspects of the processing of your personal data, and describes how and for what purposes we process the data and information you provide to us. Your personal data will be processed in accordance with applicable legislation, in particular Law No. 13,709/2018 — the Brazilian General Personal Data Protection Law (“LGPD”).

2. Personal Data

Personal data is any information related to an identified or identifiable natural person. This means that, for example, full name, CPF (Brazilian taxpayer ID), phone number, cookies, and other types of electronic identifiers are personal data to the extent that they can be linked to a natural person.

3. Processing of Personal Data

Under the LGPD, the processing of personal data is any operation carried out with personal data, such as those related to collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

 

Lastro may perform different roles in the processing of personal data, depending on the context and the purpose of the processing.

 

When we process personal data on behalf of our customers, we act as processors, carrying out the processing exclusively in accordance with the instructions, purposes, and limits defined by the customer, who is the controller. In such cases, we recommend consulting the data controller’s privacy policy or notice for more information about the data processed, the respective purposes, and other relevant information.

4. Categories and Source of Personal Data

To provide our products and services, we may collect and process the following personal data about you:

 

  • Full name;

  • CPF (Brazilian taxpayer ID);

  • RG (Brazilian identity card);

  • Job title/position;

  • Mobile and/or landline phone number;

  • Email address;

  • Cookies;

  • IP address;

  • Image;

  • Voice; and

  • Information about the company you represent (if applicable).

 

As a rule, we collect and process your personal data as controllers in the following situations:

 

  • When directly provided by you for the provision of our services or the creation of our advertising materials;

  • When you browse our website (for more information, see our Cookie Policy) or use our social media;

  • In connection with your application for a job opening; and

  • Independently, from public data sources.

 

In situations where our customers contract our solution, Lastro will process the personal data of those partners’ customers (such as leads, tenants, or buyers) that are provided by them during the service performed by Lais. In these interactions, Lastro acts exclusively as a processor, processing the data to fulfill the purposes and instructions established by our customer (the controller).

5. Legal Bases and Purposes of Processing

As controllers, we will process your personal data only when we have a legal basis to do so. In the context of Lastro, different legal bases are used to process the data of our customers and partners, depending on the context of the interaction:

 

  • Performance of a contract or preliminary procedures related to a contract, at the request of the data subject: This legal basis is used when you express interest in our solutions or in our open positions. It also applies to actions involving data processing during the implementation phase of our product, as well as the scheduling of business meetings and technical support activities.

  • Lastro’s Legitimate Interest: We process data to manage your interaction with our platform, map the market, conduct active outreach to prospective clients, and send advertising materials and satisfaction surveys.

  • Regular Exercise of Rights: We collect and process data from legal representatives and witnesses at the time of closing the sale for the formalization and digital signing of contracts.

  • Compliance with a Legal or Regulatory Obligation: Applicable when we need to process data from partners or suppliers for tax, accounting, and registration purposes, or when we process your data to respond to a data subject rights request.

  • Consent: We use this legal basis when you provide express authorization for specific purposes that are not covered by the other legal bases. This occurs, for example, when you make your data, voice, and image available to participate in Lastro advertising materials, such as:

    • Participation in podcasts and interviews;

    • Appearances in institutional or promotional videos; and

    • Testimonials for posts on social media and other communication channels.

 

In cases where the processing of your personal data is carried out based on your consent, you have the right to revoke your consent at any time, which will not affect (i) the lawfulness of processing based on your consent before revocation; or (ii) the lawfulness of processing based on other legal bases.

6. Children and Adolescents

As a rule, we do not process the personal data of children (under 12 years of age) or adolescents (individuals between 12 and 18 years old). However, we may occasionally process information, including personal data, of children or adolescents—for example, when you provide such data on the Platform and in the recruitment of new talent for our team (in the case of apprentices or interns).

 

Whenever we become aware that a child’s personal data needs to be processed, we will make reasonable efforts to ensure that consent has been obtained from at least one parent or legal guardian. Please contact us at privacidade@lastro.co if you believe we have collected information from a child or adolescent by mistake or unintentionally.

7. Third-Party Websites

Our website may occasionally contain links to third-party websites that are not controlled by us. If you visit those websites or use the services made available on them, please remember that this Policy does not apply to data processing by third parties, and we recommend that you carefully review how those third parties process personal data before using their websites, applications, or services.

8. Data Transfers

Your personal data and other information may be shared with third parties for the purposes described in this Policy. Depending on your relationship with Lastro, such third parties may include Lastro customers, public agencies, service providers, and Lastro partners (such as technology service platforms, law firms, audit firms—for example, in the case of mergers, acquisitions, or strategic partnerships carried out by Lastro), as well as other third parties.

 

Occasionally, your data may be transferred outside the country in the course of the processing activities described in this Policy. Such transfers will take place with the adoption of appropriate safeguards and security measures in order to ensure an appropriate level of protection, in accordance with applicable legislation. Among other situations, the servers, software, and applications used by us — all with a high standard of security — may store personal data outside Brazilian territory.

 

Whenever possible, we will enter into a contract to regulate the processing of your personal data (a data processing agreement) with third parties who have access to your personal data, so that they ensure the security and privacy of your data at levels compatible with what is provided in this Policy and with applicable legislation.

9. Data Protection, Security, and Integrity

We adopt rigorous technical and administrative security measures to protect your personal data against loss, misuse, unauthorized access, disclosure, and alteration. Security measures include encryption of data and access credentials, access controls, use of strong passwords and two-factor authentication, adoption of security incident response and prevention plans, penetration testing, and continuous monitoring to detect and mitigate threats.


In any case, while we are committed to protecting our systems and services, you are responsible for adopting good security practices, including protecting your access credentials, ensuring that your personal data are accurate and up to date, making sure you are accessing our Platform through the official Lais domain, being cautious with suspicious emails or messages, and reporting any suspicious activity to privacidade@lastro.co, among other relevant measures.

10. Data Retention and Deletion

Your personal data will be processed and stored: (i) for as long as necessary to fulfill the purposes for which they were collected; (ii) in accordance with the retention periods required by applicable law; or (iii) until you revoke your consent for the processing/storage of your personal data, as applicable.

 

We will retain your personal data to comply with legal or regulatory obligations when we act as controllers, or on behalf of the controller when we act as processors. In addition, we may keep personal data for periods longer than those required by law whenever there is a legitimate interest (or a need to protect our rights), provided there is no legal prohibition.

 

We may take measures to anonymize personal data and other information, but we reserve the right to retain and access data stored in our backup and support systems, provided they are duly protected, for as long as necessary to comply with applicable legal and regulatory requirements. When no longer necessary, the data will be securely deleted, in accordance with the LGPD guidelines.

11. Data Subjects Rights

When we act as data controllers, you will have the right to exercise the rights listed in Article 18 of the LGPD, namely:

 

  • Request confirmation of the existence of processing;

  • Access your personal data;

  • Request the correction of incomplete, inaccurate, or outdated data;

  • Request the anonymization, blocking, or deletion of unnecessary, excessive data, or data processed in non-compliance with the LGPD;

  • Request the portability of data to another service or product provider, by express request, in accordance with the regulations of the national authority, and subject to commercial and industrial secrecy;

  • Request the deletion of personal data processed based on consent, except in the cases provided for in Article 16 of the LGPD;

  • Request information about the public and private entities with which Lastro has shared data;

  • Obtain information about the possibility of not providing consent and the consequences of refusal; and

  • Revoke your consent, under §5 of Article 8 of the LGPD.


The exercise of any of these rights will not affect the lawfulness of any data processing carried out before the exercise of such right. To exercise your rights, simply fill out our Data Subject Rights Request Form or contact Lastro’s Data Protection Officer, Vitor Murcia Tinoco Cesar Leal, at: privacidade@lastro.co.

In situations where we act as processors of personal data on behalf of our customers, please consult the data controller’s privacy policy or notice to learn how to exercise your rights regarding your personal data processed by or on behalf of the controller.

12. Data Protection Officer (DPO)

The Data Protection Officer (DPO) is the professional appointed by Lastro to serve as the point of contact between Lastro, data subjects (you), and the Brazilian National Data Protection Agency (ANPD).

 

Lastro’s DPO is Vitor Murcia Tinoco Cesar Leal, who can be contacted at: privacidade@lastro.co.

 

The DPO’s responsibilities include:

 

  • Handling data subject rights requests;

  • Receiving communications from the ANPD and taking appropriate measures; and

  • Performing the duties established in Lastro’s Privacy Program and in regulations such as the LGPD and ANPD Board Resolution (CD/ANPD) No. 18/2024.

13. Changes to this Privacy Policy

We are constantly working to improve and develop our procedures and systems, so we may update this Policy periodically. We will not reduce your rights under this Policy or under applicable laws. If the changes are significant, we will notify you; in any case, please review this Policy periodically to stay informed about any updates.

If you have any questions or concerns about the processing of your personal data, please contact us at: privacidade@lastro.co.

bottom of page