Searches for “DeepSeek Privacy LGPD” usually come from one practical concern: can Brazilian users and companies use DeepSeek without creating privacy or compliance problems under Brazil’s Lei Geral de Proteção de Dados, known as the LGPD?
The careful answer is not a simple “yes” or “no.” DeepSeek’s public privacy documentation raises Brazil-specific questions around transparency, lawful basis, data subject rights, international data transfers, security disclosures, and AI model training. DeepSeek’s official privacy policy says the service is controlled by Hangzhou DeepSeek Artificial Intelligence Co., Ltd., collects several categories of personal data, and directly collects, processes, and stores personal data in the People’s Republic of China.
For individuals, the main rule is simple: do not enter sensitive personal data, confidential business information, client files, health data, financial records, legal documents, or personal data about third parties unless you have a clear legal basis and understand the risks. For Brazilian companies, DeepSeek should be treated as a high-review AI vendor, not as a casual productivity tool.
Key Takeaways
- DeepSeek’s official privacy policy says it may collect account data, prompts, uploaded files, photos, voice inputs, chat history, device data, IP address, approximate location, usage logs, payment data for paid platform services, third-party login data, security data, and public personal data.
- DeepSeek states that personal data is directly collected, processed, and stored in China, which makes international data transfer analysis central under the LGPD.
- The LGPD can apply to foreign companies when processing is carried out in Brazil, aimed at offering goods or services to people in Brazil, or involves personal data collected in Brazil.
- Article 33 of the LGPD allows international data transfers only in defined cases, such as adequacy, contractual safeguards, binding corporate rules, or specific consent.
- Based on public documentation, the safer conclusion is that DeepSeek raises material LGPD compliance questions, especially for business use involving personal, sensitive, confidential, or client data.
Why DeepSeek Privacy Matters Under Brazil’s LGPD
Generative AI tools are different from ordinary apps because users often paste large amounts of text into them: contracts, spreadsheets, medical questions, HR records, customer complaints, source code, meeting notes, invoices, and internal strategy documents. A prompt can easily contain personal data under the LGPD, even when the user does not think of it as “data processing.”
The LGPD defines personal data broadly as information related to an identified or identifiable natural person, and it defines sensitive personal data to include categories such as racial or ethnic origin, religious belief, political opinion, health, sex life, genetic data, and biometric data when linked to a natural person.
This matters because the DeepSeek privacy question is not only “Is the app safe?” The better question is: do DeepSeek’s public disclosures and actual data flows allow Brazilian users and organizations to meet the LGPD’s requirements for transparency, purpose limitation, necessity, security, accountability, data subject rights, and international transfer safeguards?
FGV’s 2025 study on generative AI platforms and LGPD compliance found widespread transparency issues across major platforms. The study evaluated official company documentation against criteria such as availability of privacy policies in Portuguese, clarity and accessibility, transparency about personal data collection and use, and specifications on international data transfers.
What Data Does DeepSeek Say It Collects?
DeepSeek’s privacy policy says it collects personal data in three ways: data users provide, data automatically collected, and data from other sources. The following table translates those categories into practical LGPD risk terms.
| Data category | What DeepSeek says it may collect | Practical example | LGPD relevance |
|---|---|---|---|
| Account data | Date of birth where applicable, username, email address or phone number, password | Creating an account with a Brazilian phone number | Identifies or can identify a user |
| User inputs and prompts | Text input, voice input, prompts, uploaded files, photos, feedback, chat history, and other content | Pasting an employment dispute summary or uploading a contract | May contain personal, sensitive, or third-party data |
| Uploaded files, photos, voice inputs | Files, images, voice input, and related content | Uploading a customer list or audio note | Can include biometric, health, children’s, or confidential data |
| Chat history and feedback | Conversation history and feedback about outputs | Asking DeepSeek to summarize client complaints | May create retained records of personal data processing |
| Device and network data | Device model, operating system, IP address, device identifiers, system language, crash reports, performance logs | Using the app on a work laptop in São Paulo | Enables tracking, security analysis, and approximate location |
| Usage logs | Features used and actions taken | Monitoring how often a user uses file upload or chat | Relevant to transparency and data minimization |
| Approximate location | Approximate location based on IP address | Inferring that a user is in Brazil | Can trigger jurisdictional and privacy analysis |
| Payment data | Payment order and transaction data for paid open platform services | Paying for API or platform usage | Financial/transactional personal data |
| Third-party login/security data | Access tokens from Apple or Google login; security data from trusted partners | Logging in with Google | Shared processing and third-party data flows |
| Public personal data | Publicly available personal data from online sources to train models and provide services | Public webpages containing names or profiles | Raises legal basis, transparency, and scraping questions |
DeepSeek also states that its services are not designed or intended to process sensitive personal data and tells users not to provide such data, including health data, genetic or biometric data, children’s data, precise geolocation, and other sensitive categories.
From an LGPD perspective, that warning helps but does not eliminate risk. In business use, employees may still paste sensitive or confidential data into prompts. A company cannot rely only on a vendor’s warning; it must implement internal controls, training, and permitted-use rules.
Where DeepSeek Stores and Processes Personal Data
DeepSeek’s privacy policy states that personal data may be stored on servers outside the user’s country and that, to provide services, DeepSeek directly collects, processes, and stores personal data in the People’s Republic of China.
That statement is central to any LGPD assessment because it raises both international-transfer and international-collection questions. The LGPD does not automatically prohibit China-based processing. However, under ANPD Resolution CD/ANPD No. 19/2024, direct collection of personal data by a foreign processing agent may be treated differently from an international transfer of personal data, even though LGPD obligations may still apply when the conditions of Article 3 are met.
Where an international transfer exists, Article 33 of the LGPD allows transfers only through specific legal mechanisms, including adequacy decisions, contractual safeguards, binding corporate rules, or other legally recognized transfer mechanisms.
ANPD Resolution CD/ANPD No. 19/2024 regulates international data-transfer mechanisms, including adequacy decisions, standard contractual clauses, equivalent standard clauses, specific contractual clauses, and binding corporate rules. As of ANPD’s international transfer page reviewed in June 2026, the European Union is listed as adequate through Resolution CD/ANPD No. 32/2026. The same page states that no equivalent standard contractual clauses, specific contractual clauses, or binding corporate rules had been approved by ANPD’s Board of Directors.
For DeepSeek, the key legal question is therefore not “China versus Brazil” in a political sense. The key question is whether the collection, transfer, processing, and storage of Brazilian personal data are supported by an appropriate LGPD legal framework, accompanied by clear information to data subjects and effective safeguards.
How the LGPD Applies to Foreign AI Platforms
A foreign company does not need to be headquartered in Brazil for the LGPD to matter. Article 3 of the LGPD says the law applies regardless of where the company is headquartered or where the data is located when the processing is carried out in Brazil, the processing activity is aimed at offering or supplying goods or services to individuals located in Brazil, or the personal data was collected in Brazil.
This does not mean every foreign AI service is automatically in breach. It means a foreign AI platform serving Brazilian users may need to consider LGPD obligations. For a Brazilian company using DeepSeek internally, the company may also be a controller for the data it decides to submit to the tool. That company must understand the purposes, data categories, recipients, transfer mechanisms, retention, security, and rights-handling process.
DeepSeek Privacy LGPD Compliance Checklist
| LGPD area | What LGPD expects | What to check in DeepSeek’s policy/practice | Risk level |
|---|---|---|---|
| Transparency and Portuguese accessibility | Clear, adequate, accessible information for Brazilian data subjects | Is there an official Portuguese privacy notice for Brazilian users? | High |
| Controller identity | Identification of the controller | DeepSeek identifies Hangzhou DeepSeek Artificial Intelligence Co., Ltd. as controller | Medium |
| DPO/contact channel | Clear contact for rights and privacy questions | DeepSeek lists privacy@deepseek.com, but the public policy reviewed does not show a Brazil-specific DPO section | Medium to high |
| Legal basis | Specific lawful basis for each processing purpose | EEA/UK section lists legal bases, but the policy page reviewed does not present a Brazil/LGPD legal basis table | High |
| Data minimization | Only data necessary for specific purposes | Evaluate whether prompt, log, device, and public-data collection are necessary for each use case | Medium to high |
| Sensitive data | Extra safeguards and strict limits | DeepSeek tells users not to provide sensitive data | High for uncontrolled business use |
| Data subject rights | Access, correction, deletion, portability, and other rights | DeepSeek lists several rights and an email channel | Medium |
| International transfer mechanism | Adequacy or safeguards under Article 33 | Check whether DeepSeek provides LGPD-specific transfer safeguards for China processing | High |
| Retention/deletion | Clear retention periods and deletion rules | DeepSeek gives purpose-based retention language, not a simple fixed period for all data | Medium |
| Security measures | Technical and administrative safeguards | DeepSeek refers to commercially reasonable safeguards but limited technical detail | Medium |
| Model training/public data use | Clear explanation of training uses and opt-out | DeepSeek states users can opt out of use of personal data for model training or technology optimization | Medium to high |
| Business/confidential data | Vendor governance, DPA, employee controls | Check enterprise terms, API terms, contractual safeguards, and internal AI policy | High |
The Biggest LGPD Risk Areas for DeepSeek
1. International data transfers to China
DeepSeek’s China storage and processing statement makes international transfer analysis unavoidable. Under the LGPD, international transfer is not automatically prohibited, but it must fit a legal mechanism. Public policy language saying “appropriate safeguards” may not be enough for a Brazilian company unless the company can identify the applicable mechanism, contractual terms, responsibilities, and data subject information.
Machado Meyer’s Brazilian legal analysis makes a useful distinction: the destination country is not the only issue; the absence of an appropriate transfer mechanism is what creates legal nonconformity.
2. Transparency and language accessibility
FGV’s LGPD study treated Portuguese-language availability and clear accessibility as important transparency criteria for Brazilian users. Machado Meyer also flagged language barriers, noting that DeepSeek’s privacy notice was available in English and Chinese at the time of its 2025 analysis, creating a barrier for many Brazilian users.
DeepSeek’s current official policy reviewed for this article contains a jurisdiction-specific supplement for the EEA, Switzerland, and the UK, but the reviewed page does not present a comparable Brazil/LGPD supplement.
3. Model training and opt-out clarity
DeepSeek states that it uses personal data to improve and train its technology, including machine learning models and algorithms. It also states that users may opt out of using personal data for training models or optimizing technologies.
The practical issue is whether Brazilian users can easily understand, exercise, and verify that opt-out right. For organizations, the safer approach is to prohibit employees from submitting personal or confidential data unless the organization has confirmed the relevant contractual and technical controls.
4. Security and retention disclosures
DeepSeek says it maintains commercially reasonable technical, administrative, and physical security measures, and that it retains personal data for as long as necessary for service, legal, contractual, legitimate business, and legal-claims purposes. That language is common in privacy policies, but companies processing Brazilian personal data often need more detail for vendor due diligence: encryption, access controls, subprocessors, incident notification, audit rights, deletion timelines, and retention controls.
5. Sensitive or confidential data in prompts
DeepSeek warns users not to provide sensitive personal data. That warning is important because AI prompts can easily include health records, union information, children’s data, financial identifiers, legal disputes, HR complaints, or client documents.
For individuals, the safe rule is: do not paste anything into DeepSeek that you would not want processed by a third-party AI provider. For companies, the rule should be formalized in an AI acceptable-use policy.
6. Shadow AI and enterprise governance
The most common business risk is not an official DeepSeek deployment. It is an employee using a personal DeepSeek account to summarize emails, translate contracts, debug proprietary code, or analyze customer data. That creates “shadow AI”: processing that security, legal, and privacy teams cannot see or control.
Under LGPD accountability principles, companies should be able to demonstrate governance, risk assessment, training, and safeguards. The LGPD also allows the national authority to request a data protection impact assessment report in certain situations, including a description of data collected, security methodology, and risk mitigation measures.
Is DeepSeek LGPD Compliant?
Based on public documentation, it is safer to say that DeepSeek raises material LGPD compliance questions rather than to give a definitive legal conclusion.
DeepSeek provides meaningful privacy disclosures: it identifies the controller, lists data categories, describes purposes, states where personal data is processed, warns against sensitive data, describes some rights, and provides a privacy contact.
However, a Brazil-focused compliance review should still examine unresolved issues: whether Brazilian users receive sufficiently clear information in Portuguese, whether LGPD-specific lawful bases are mapped, whether the international transfer to China is supported by an Article 33 mechanism, whether there is a Brazil-specific DPO/contact arrangement, whether retention and deletion are operationally clear, and whether security controls satisfy the company’s risk profile.
FGV’s 2025 report scored DeepSeek at 5 “yes” answers across 14 evaluated criteria, behind several other major generative AI platforms, but that finding should be read as a time-specific evaluation of documents available to researchers then, not as a current regulatory decision.
Practical Recommendations for Brazilian Users
Do not enter sensitive personal data into DeepSeek. Avoid prompts involving health, religion, race or ethnicity, biometrics, children, precise location, criminal matters, or sexuality.
Do not upload confidential company or client files. A contract, spreadsheet, invoice, customer support transcript, medical note, or HR complaint can contain personal data and business secrets.
Review your settings and delete chat history where appropriate. DeepSeek says users can manage, copy, or delete chat history through settings.
Use the rights channel if needed. DeepSeek says users may submit rights requests by emailing privacy@deepseek.com.
Treat outputs carefully. DeepSeek’s model disclosure explains that model outputs are probabilistic and may be inaccurate, and DeepSeek says AI-generated content should not be treated as professional advice.
Practical Recommendations for Companies in Brazil
Map data flows before allowing DeepSeek. Identify who uses it, what data is entered, where data goes, whether files are uploaded, whether API calls are logged, and whether data is used for model improvement.
Define allowed and prohibited use cases. For example, allow generic brainstorming, public information summaries, and non-confidential drafts. Prohibit customer data, employee records, health data, legal case files, trade secrets, source code, and credentials unless approved.
Review vendor terms and transfer mechanisms. Ask which LGPD Article 33 mechanism supports any international transfer, whether standard contractual clauses apply, and whether subprocessors or group companies are involved.
Use a data processing agreement where possible. A Brazilian company should not rely only on a public privacy policy for high-risk processing.
Create prompt hygiene rules. Train employees to remove names, emails, CPF numbers, addresses, account numbers, medical details, and confidential facts before using AI tools.
Deploy technical controls. Consider data loss prevention, browser controls, AI gateways, access logging, approved-tool lists, and enterprise identity management.
Involve privacy, legal, security, and the DPO. DeepSeek should be reviewed as part of a broader AI governance program, not only as a software procurement decision.
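The prompt hygiene and technical control recommendations above can be combined in a pre-submission filter. The following is an added example, not code from DeepSeek or any vendor: it redacts e-mail addresses and checksum-valid CPF numbers before a prompt leaves the company, and blocks prompts that carry too many identifiers. The function names, the `max_findings` threshold, and the sample prompt are assumptions made for illustration; names and addresses need entity recognition and are not handled here.

```python
import re

# Identifiers named in the prompt hygiene rule that have a machine-checkable shape.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# CPF: 11 digits, optionally written as 000.000.000-00, not embedded in a longer number.
CPF_RE = re.compile(r"(?<!\d)\d{3}\.?\d{3}\.?\d{3}-?\d{2}(?!\d)")


def cpf_is_valid(candidate: str) -> bool:
    """Verify both CPF check digits (mod-11 scheme) to cut false positives."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 11 or len(set(digits)) == 1:  # 111.111.111-11 etc. are rejected
        return False
    for n in (9, 10):
        # Weights run 10..2 for the first check digit and 11..2 for the second.
        total = sum(d * w for d, w in zip(digits[:n], range(n + 1, 1, -1)))
        if digits[n] != (total * 10) % 11 % 10:
            return False
    return True


def redact_prompt(text: str):
    """Return (redacted_text, findings) with e-mails and valid CPFs replaced."""
    findings = {"email": 0, "cpf": 0}

    def _email(match):
        findings["email"] += 1
        return "[EMAIL]"

    def _cpf(match):
        if not cpf_is_valid(match.group()):
            return match.group()  # 11-digit order or ticket number: leave as is
        findings["cpf"] += 1
        return "[CPF]"

    text = EMAIL_RE.sub(_email, text)
    text = CPF_RE.sub(_cpf, text)
    return text, findings


def gateway_decision(text: str, max_findings: int = 3):
    """Hypothetical AI-gateway policy: forward the redacted prompt, or block bulk data."""
    redacted, findings = redact_prompt(text)
    blocked = sum(findings.values()) > max_findings
    return {
        "action": "block" if blocked else "forward",
        "prompt": None if blocked else redacted,
        "findings": findings,  # counts only, so the audit log holds no personal data
    }


# Constructed sample prompt; the CPF values are checksum-valid test numbers.
SAMPLE_PROMPT = (
    "Summarize this complaint: Maria (maria.silva@example.com, CPF 529.982.247-25) "
    "says order 12345678900 arrived late. Second CPF on file: 11144477735."
)

if __name__ == "__main__":
    print(gateway_decision(SAMPLE_PROMPT))
```

The first name in the sample survives redaction, which is why a filter of this kind supplements employee training and an acceptable-use policy rather than replacing them.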
DeepSeek vs Local Deployment: Does Self-Hosting Solve LGPD Risk?
Self-hosting can reduce some risks, but it does not remove LGPD obligations.
DeepSeek’s official Model & Algorithm Mechanism Description says it releases model weights, parameters, and inference tool code on open-source platforms under the MIT License, allowing users to download and deploy them. A properly governed local deployment may reduce third-party disclosure and cross-border transfer risks because prompts can remain inside the company’s controlled environment.
However, local deployment still involves personal data processing if employees or systems use personal data in prompts, retrieval databases, logs, fine-tuning sets, or outputs. The company still needs a lawful basis, purpose limitation, minimization, access controls, retention rules, security measures, incident response, data subject rights procedures, and documentation.
For high-risk Brazilian business use, a private or local deployment can be safer than a public hosted chatbot, but only if it is implemented with LGPD governance.
FAQ
Is DeepSeek compliant with LGPD in Brazil?
There is no simple public yes/no answer. DeepSeek’s public documentation contains useful privacy disclosures, but it raises LGPD questions around Portuguese accessibility, lawful basis, data subject rights, international transfer safeguards, security detail, and Brazil-specific governance.
Does DeepSeek store Brazilian users’ data in China?
DeepSeek’s official privacy policy says personal data may be stored outside the user’s country and that DeepSeek directly collects, processes, and stores personal data in the People’s Republic of China.
What personal data does DeepSeek collect?
DeepSeek says it may collect account data, prompts, text input, voice input, uploaded files, photos, feedback, chat history, device and network data, IP address, device identifiers, usage logs, approximate location, cookies where applicable, payment data for paid platform services, third-party login data, security data, and public personal data.
Can Brazilian users opt out of DeepSeek model training?
DeepSeek’s privacy policy says users may have the right to opt out of using personal data for training models or optimizing technologies, subject to applicable law.
Can a Brazilian company use DeepSeek for customer data?
A company should not use DeepSeek for customer data until it has completed a vendor review, LGPD risk assessment, international transfer analysis, security review, and internal AI governance process. Customer data often contains personal data, and sometimes sensitive data.
What does Article 33 of the LGPD mean for DeepSeek?
Article 33 means that transferring personal data internationally must fit one of the allowed legal mechanisms, such as adequacy, contractual safeguards, binding corporate rules, or specific and distinguishable consent.
Is running DeepSeek locally safer under LGPD?
It can be safer because it may reduce third-party disclosure and cross-border transfer risks. But local deployment does not eliminate LGPD duties if personal data is processed.
What should I avoid entering into DeepSeek?
Avoid sensitive personal data, customer records, employee data, confidential contracts, legal files, medical information, financial identifiers, children’s data, passwords, API keys, trade secrets, and personal data about other people.
