Effective date: 14 May 2026 · Last updated: 14 May 2026
1 · Who we are
The data controller.
Art de Vivre ("ADV", "we", "us", "our")
is a Rio de Janeiro real estate brokerage and luxury rental house, licensed under
CRECI RJ 009278/O. ADV is the controlador (LGPD) and
controller (GDPR) of personal data processed through artdevivre.com.br and
the channels described below.
Registered address: Rio de Janeiro — RJ, Brazil.
General contact: info@artdevivre.com.br
Phone / WhatsApp: +1 347 937 6474 · +55 21 975 100 656
Data Protection Officer / Encarregado pelo Tratamento de Dados Pessoais (DPO):
reachable at info@artdevivre.com.br
with the subject line "DPO — Privacy request". Where this Policy uses
"DPO", the term covers both the GDPR Data Protection Officer and the LGPD Encarregado.
2 · Personal data we collect
What we hold on you.
We only collect personal data we actually need to broker, rent, sell, advise on or
service a property — or to answer a message you sent us. The categories are:
- Identification data — full name, nationality, date of birth (only when required for a deed, lease or KYC), and a copy of identity documents (passport, RG, CPF, EU national ID) where mandated by Brazilian real-estate law or anti-money-laundering rules.
- Contact data — email address, mobile/WhatsApp number, postal address, preferred language.
- Transaction data — properties viewed, offers made, lease and sale terms, payment references, bank details strictly for closing or rental payouts.
- Booking data — check-in/check-out dates, guest count, special requests, and any data you submit through our booking partner (currently Guesty).
- Communications data — the content of emails, WhatsApp messages, contact-form submissions and call notes our team logs.
- Technical data — IP address, browser type, device type, referrer URL, timestamps, pages viewed. Collected via our hosting provider (Cloudflare) and analytics (Google Analytics 4, property "Cavmir Network", measurement ID G-4DN36CS35D).
- Marketing preferences — whether you have asked to receive listings, journal posts or campaign updates from us.
We do not intentionally collect special-category data (GDPR Art. 9) or
sensitive data (LGPD Art. 5, II) — ethnicity, religion, health, sexual orientation,
trade-union membership, biometric or genetic data. If you choose to send us such
information (for example a medical-mobility requirement for a rental), we will treat it
with heightened protection and only retain it for as long as needed to serve your request.
3 · How we collect it
Where the data comes from.
We collect personal data directly from you when you fill in a contact
form, send us a WhatsApp or email, request a viewing, sign a mandate or lease, complete
a booking through Guesty, or browse the site. We may also receive data from third
parties in limited circumstances: from buyer/seller agents and lawyers acting on
your behalf, from co-listing brokers, from Hostex or other booking-management platforms
our partners use, and from public registries (e.g. the Rio property registry) when
verifying ownership.
4 · Why we process your data
Purposes & legal bases.
Under GDPR Art. 6 and LGPD Art. 7, every processing activity has a stated purpose and
a lawful basis. Ours are:
| Purpose | GDPR basis (Art. 6) | LGPD basis (Art. 7) |
| --- | --- | --- |
| Reply to an enquiry, run a viewing, send a quote. | (b) Steps prior to a contract. | (V) Execução de contrato. |
| Perform a brokerage, lease, sale or rental contract. | (b) Performance of a contract. | (V) Execução de contrato. |
| Comply with Brazilian real-estate, tax, AML and CRECI obligations. | (c) Legal obligation. | (II) Cumprimento de obrigação legal ou regulatória. |
| Improve the site, troubleshoot, protect against fraud, measure marketing performance. | (f) Legitimate interest. | (IX) Interesse legítimo do controlador. |
| Send you marketing emails, journal posts or property alerts. | (a) Consent — freely given, revocable any time. | (I) Consentimento do titular. |
| Defend a legal claim or respond to an authority. | (f) Legitimate interest / (c) Legal obligation. | (VI) Exercício regular de direitos / (II) Obrigação legal. |
Where we rely on legitimate interest, we have run the three-step test
(purpose / necessity / balancing) required by GDPR Recital 47 and the equivalent
analysis under LGPD. You can ask us for a copy of that assessment.
5 · Who we share data with
Recipients & processors.
We do not sell personal data. We share it only with parties that need it to do
something on our behalf, or where the law requires us to:
- Service providers acting as processors — our hosting and CDN provider (Cloudflare, Inc., USA); our analytics provider (Google LLC / Google Ireland Limited); our booking partner (Guesty Inc., USA, and where used, Hostex Ltd.); our email and messaging vendors (including Meta Platforms Ireland Ltd. for WhatsApp); our CRM and cloud storage providers.
- Professional advisers — Brazilian and EU lawyers, notaries, accountants and immigration counsel, only when you have engaged them in a transaction or asked us to introduce them.
- Co-listing brokers and counterparties — the other side of a transaction, where required to negotiate or close.
- Public authorities — CRECI, Receita Federal, the Banco Central do Brasil (BACEN), municipal property registries, courts, ANPD, and EU supervisory authorities, where mandated by law or a binding order.
Each processor is bound by a written agreement that limits use to ADV's documented
instructions and obliges them to apply appropriate security measures (GDPR Art. 28,
LGPD Art. 39).
6 · International data transfers
When data leaves Brazil or the EEA.
ADV is based in Brazil. Some of our processors (Cloudflare, Google, Meta, Guesty) host
data in the United States and other third countries. We rely on the following safeguards:
- For transfers out of the EEA / UK — European Commission Standard Contractual Clauses (SCCs, 2021/914) supplemented, where appropriate, by additional technical and contractual measures; the EU–U.S. Data Privacy Framework where the processor is certified; UK Addendum where data originates in the United Kingdom.
- For transfers out of Brazil — the conditions of LGPD Art. 33, including transfers to countries that provide an adequate level of protection, specific contractual clauses, and, for transfers based on contract performance or consent, the corresponding LGPD legal basis.
You can request a list of the specific safeguards used for each transfer by emailing
the DPO.
7 · Retention
How long we keep it.
We keep personal data only for as long as we need it for the purpose we collected it,
then we delete or anonymise it. Our default schedules:
- Enquiry that did not lead to a contract — 24 months from last contact, then deleted or anonymised.
- Brokerage, lease and sale records — 10 years from contract termination, to comply with Brazilian civil-law and tax retention rules (Código Civil Art. 205; tax statute-of-limitations).
- AML / KYC records — 5 years from the end of the business relationship, per Brazilian and EU anti-money-laundering rules.
- Booking records (Guesty / Hostex) — 5 years from check-out, for tax and dispute-resolution purposes.
- Marketing data — until you unsubscribe, then for a further 12 months in a suppression list so we don't accidentally re-add you.
- Web analytics — standard GA4 retention of 14 months, then aggregated.
8 · Your rights
What you can ask of us.
Whichever law applies to you, you have a strong set of rights over your data. We treat
LGPD and GDPR rights as a single floor — we apply whichever gives you more
protection.
- Confirm and access — ask whether we hold data about you, and receive a copy (GDPR Art. 15, LGPD Art. 18, I–II).
- Rectify — correct inaccurate or incomplete data (GDPR Art. 16, LGPD Art. 18, III).
- Erase — ask for deletion ("right to be forgotten") where there is no overriding legal reason to keep it (GDPR Art. 17, LGPD Art. 18, VI / Art. 16).
- Restrict or object — pause processing, or object to processing based on legitimate interest or for direct marketing (GDPR Arts. 18 & 21, LGPD Art. 18, § 2).
- Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller (GDPR Art. 20, LGPD Art. 18, V).
- Withdraw consent — at any time, without affecting processing already carried out (GDPR Art. 7(3), LGPD Art. 8, § 5).
- Anonymisation, blocking, or deletion of unnecessary or excessive data (LGPD Art. 18, IV).
- Information about sharing — the public and private entities your data has been shared with (LGPD Art. 18, VII).
- Information about the consequences of refusing consent (LGPD Art. 18, VIII).
- Human review of automated decisions — we don't run solely automated decisions with legal or similarly significant effects on you (GDPR Art. 22, LGPD Art. 20), but if that ever changes you can ask for human review.
- Lodge a complaint — with Brazil's Autoridade Nacional de Proteção de Dados (ANPD, gov.br/anpd) or, in the EU, with the supervisory authority of your country of residence, work or alleged infringement (GDPR Art. 77).
To exercise any right, write to the DPO at
info@artdevivre.com.br
with the subject line "DPO — Privacy request". We will reply
within 15 days (LGPD) and in any case within one month (GDPR Art. 12(3)). We may ask
for proof of identity before fulfilling a request.
9 · Cookies & analytics
What runs in your browser.
We use a small number of cookies and similar technologies:
- Strictly necessary — for the site to load, render and remember basic preferences. These do not require consent under GDPR Art. 5(3) of the ePrivacy Directive or LGPD.
- Analytics — Google Analytics 4 (G-4DN36CS35D), with IP anonymisation enabled and ad personalisation disabled, used to understand which content is useful.
- Embedded third parties — when you load a booking widget (Guesty / Hostex), a map (Google Maps) or a video, those providers may set their own cookies. Their privacy notices apply.
You can block or delete cookies in your browser settings at any time. Disabling analytics
will not break the site. We do not run advertising re-targeting pixels on artdevivre.com.br.
10 · Security
How we protect data.
We apply technical and organisational measures appropriate to the risk (GDPR Art. 32,
LGPD Art. 46): TLS in transit, encryption at rest with our cloud providers, role-based
access, multi-factor authentication on admin tools, principle-of-least-privilege, and
vetted sub-processors. Despite this, no system is perfectly secure. If a personal-data
breach occurs that is likely to result in a risk to your rights, we will notify the
ANPD and (where applicable) the relevant EU supervisory authority within the deadlines
set by LGPD Art. 48 and GDPR Art. 33, and you directly if the risk is high
(GDPR Art. 34).
11 · Children
A site for adults.
Our services are aimed at adults — buyers, sellers, tenants and guests. We do
not knowingly collect personal data from anyone under 16 (GDPR) or under 12 without
parental consent (LGPD Art. 14). If you believe a child has provided us with personal
data, contact the DPO and we will delete it.
12 · Changes to this policy
When it changes.
We update this Policy when our practices, vendors or the law change. Material changes
are dated and announced on this page; if you are on our marketing list, we will also
notify you by email. The "Last updated" date at the top of this page tells you when the
current version took effect.
13 · Contact
Talk to our DPO.
For any privacy question, request or complaint:
Art de Vivre — DPO / Encarregado
info@artdevivre.com.br
Subject line: "DPO — Privacy request"
Postal: Art de Vivre, Rio de Janeiro — RJ, Brazil
You can also reach the relevant authorities directly:
- Brazil — ANPD, gov.br/anpd
- European Union — the supervisory authority of your country of residence; a directory is maintained at edpb.europa.eu
- United Kingdom — Information Commissioner's Office, ico.org.uk