TAIVA Team

You can ask any company to delete your data. Almost nobody uses this right.

The LGPD has guaranteed the right to deletion of personal data since 2020. How to exercise it in practice, how long companies have to respond, what to do if they ignore you, and the limits of the law.

Companies have data on you right now. Far more than you imagine. The e-commerce site where you bought a charger in 2019 still holds your name, CPF, address, phone number, and browsing history. The delivery app you used three times in 2021 and then uninstalled has your location data, usage time patterns, and card number. The social network you abandoned in 2018 still has all your old photos, messages, and contacts.

The LGPD (General Data Protection Law, Law 13.709/2018) has been in force in Brazil since 2020. Among the rights it guarantees you is the right to deletion of your personal data. In theory, any company that has your registration is required to delete it upon your request, within a reasonable timeframe, at no cost, without demanding an elaborate justification.

In practice, almost nobody makes this request. Those who do usually have to fight for it a bit.

Let us break down how it works, what you can do, and where the law has gaps.

What the LGPD says, in plain language

Article 18 of the LGPD lists the rights of the data subject (you). Among them, item VI:

"Deletion of personal data processed based on the data subject's consent, except in the cases provided for in article 16 of this Law."

In plain terms: you can request deletion. The company must delete. There are exceptions (which we will cover). But the general rule is to delete.

Additionally, article 18 guarantees:

  • Right of access (knowing what they hold about you)
  • Right of correction (fixing incorrect data)
  • Right of portability (receiving data in a structured format to take to another service)
  • Revocation of consent

All of this at no cost and within a reasonable timeframe (the law says "immediately" but the ANPD interprets this as "as soon as technically possible given the circumstances").

How to request deletion in practice

There is no standardized federal form. Each company sets up its own process. Some have dedicated pages ("Privacy," "LGPD," "Data Protection Officer"). Others bury the option in an obscure FAQ. Some simply pretend it does not exist and respond generically.

The standard path:

1. Find the right channel

Look for the following at the company:

  • The "Privacy Policy" page usually mentions the Data Protection Officer (DPO) and provides a contact email
  • An "LGPD" or "Privacy" page in the site footer
  • Account settings in the company's app or website
  • Chat or customer service center (in some cases you need to ask to speak with the "data protection department")

If nothing comes up, the DPO's email is mandatory under the LGPD (art. 41). A company that does not have this information visibly available is already violating the law.

2. Write the request

You do not need complicated legal language. A simple template:

"Dear [Company],

Under article 18, item VI, of Law 13.709/2018 (LGPD), I request the deletion of all my personal data stored by [company name].

Identifying information:
Full name: [your name]
CPF: [your CPF]
Registered email: [email used with the company]

I request written confirmation of the deletion performed, including:
1. Categories of data that were deleted
2. Any data that must be retained due to a legal obligation (with the legal basis cited)
3. Confirmation that data has also been deleted from any third parties with whom it was shared

I await your response within the legal timeframe.

Sincerely,
[Your name]"

Send this by email to the DPO. Attach a copy of your ID or driver's license (some companies ask for identity verification to prevent impersonation requests).

3. Wait for a response

The LGPD does not set a specific number of days. The ANPD recommends "as soon as technically possible," and sector-specific regulations (finance, health) use 15 to 30 business days as a reference.

If the company does not respond within 30 days, you are entitled to:

4. Contact the ANPD

The Autoridade Nacional de Proteção de Dados (National Data Protection Authority, ANPD) is the supervisory body. You can file a complaint on the official website at gov.br/anpd. The ANPD does not compensate you, but it can audit the company, open administrative proceedings, and issue fines (which go to the Treasury, not to you).

The real weight of the ANPD: it publishes decisions and fines. A company that gets flagged tends to respond quickly after a second warning. Filing a complaint is free and takes about 10 minutes.

5. Judicial action (last resort)

For cases where there was proven harm (a data breach, improper use, repeated refusal), you can file a case in small claims court for compensation. There are already rulings recognizing moral damages for LGPD non-compliance, with amounts between R$ 2,000 and R$ 15,000. But it is a slow path and not always worth it just to "get data deleted."

The legal exceptions (where the company can say "no")

The LGPD does not require deletion of everything, always. Article 16 lists situations in which data may be retained:

  1. Compliance with a legal obligation. Banks must keep transaction records for years (Central Bank rules). Telecom companies must keep logs (Marco Civil). Hospitals must keep medical records (CFM). You request deletion and they may retain the legally required portions while deleting the rest.
  2. Research by a public body, anonymized. A university using your data in anonymous research does not need to delete the anonymized version.
  3. Transfer to a third party when you consented or when there is independent legal basis. If you consented to data sharing with partners, deletion at the source may not automatically reach those third parties.
  4. Exclusive use by the controller, anonymized. Anonymous statistical data may be retained.

In practice, many companies abuse these exceptions. A common response: "we retained your data due to a legal obligation" without specifying which law, which article, or which obligation. In that case, push back and request the legal basis in writing.

What nobody tells you

The company can drag it out on purpose

Without a specific number of days fixed in law (the ANPD recommends but does not mandate), some companies stall. To speed things up:

  • Mention article 18, article 41, and article 52 (sanctions) in the request
  • Mention that you will contact the ANPD if no response comes within 30 days
  • Keep the tone respectful but firm

Deletion is rarely total

When a company says "we deleted your data," it typically means:

  • Deleted from the active database
  • May still exist in backups (which rotate over weeks or months)
  • May still exist in logs (which also rotate)
  • May still exist as anonymous or statistical data

It is not "as if you never existed." It is more like "as if you permanently cancelled your account." Acceptable for most cases.

Data at third parties is not automatically affected

If company A shared your data with company B (a partner, a marketing platform, a payment processor), your request to company A does not obligate company B to delete. You would need to request separately from each one.

That is why, before accepting "data sharing with partners" terms at any new signup, it is worth thinking about how much cleanup work that creates down the line.

Data brokers are a nightmare

Companies that sell lists of people (Serasa Experian, Big Data Brasil, smaller brokers) have your registration even though you never contracted with them. Requesting deletion works in theory, but:

  • Some have opaque processes
  • Many will re-collect your data from other sources after "deleting" it
  • It is an endless cat-and-mouse game

Why so few people exercise this right

Recent surveys (2024 to 2025) of Brazilians indicate that fewer than 5% of data subjects have ever made a formal deletion request under the LGPD. The most common reasons:

  • "I did not know I could." Most people have never read the LGPD.
  • "I thought it would be complicated." The initial bureaucracy looks worse than it is.
  • "I was afraid of retaliation" (actually illegal, but the feeling exists).
  • "I did not think it was worth it." It is not worth it for every irrelevant registration, but it is for the ones that matter.

By comparison, in the European Union (where the GDPR, the equivalent of the LGPD, has been in force since 2018), 18% of citizens had made a formal deletion request by 2024. Brazil is still learning to use the right.

Practical priority: where to start

You do not need to request deletion from 200 companies. Focus on where it matters most:

  1. Services you used and abandoned. Old dating apps, delivery apps you no longer use, social networks you left. Sensitive data that keeps accumulating.
  2. E-commerce with saved cards. Magazine Luiza, Americanas, Submarino, Casas Bahia, smaller sites where you bought something once. Saved card plus address plus purchase history.
  3. Financial apps you no longer use. Abandoned digital wallets, digital banks you opened and closed.
  4. Data brokers (harder but worth trying).
  5. Marketing lists (newsletters, loyalty programs you abandoned).

Make 3 to 5 requests per month. In six months, your digital footprint shrinks considerably.

And TAIVA Vault in all this?

TAIVA Vault takes LGPD seriously because a personal digital vault touches extremely sensitive data (passwords, documents, identity). By design:

  • Self-service deletion: you can delete your TAIVA Vault account in 1 click directly from the interface. Email confirmation within 24 hours and a 30-day grace period (in case you change your mind). After that, all data is permanently and irrecoverably deleted.
  • Native portability: you export everything in open JSON format, at any time, without asking anyone. Take it to another vault if you want.
  • Auditable consent history: you can see exactly what you agreed to and when, and revoke consents granularly (analytics, marketing, etc.).
  • Public and directly contactable Data Protection Officer (DPO) at vault.taiva.com.br/dpo.

This is not just a legal commitment. It is also a design issue: a client-side encrypted personal digital vault means that we, as the service operator, cannot read your data even if we wanted to. Technical deletion is trivial because we hold no plaintext copy anywhere.

The simple rule

The LGPD gave you a tool. Almost nobody uses it. Companies benefit from that inertia. You do not need to be a privacy activist. Just exercise the right occasionally, especially for services you no longer use.

30 minutes a month, 3 to 5 requests. In 12 months, your digital exposure shrinks significantly. And the signal to the market: companies that receive many requests invest more in LGPD compliance and in actually deleting data.


TAIVA Vault: personal digital vault with native LGPD self-service, deletion and portability in 1 click, public DPO.


This article is informational and does not constitute legal advice. For a specific situation involving LGPD non-compliance or action against a company, consult an attorney specializing in data protection.
