Open-source LGPD toolkit · Apache-2.0

Ship LGPD compliance in a sprint. Prove it on every deadline.

Zelo is the open-source, developer-first LGPD toolkit for Brazilian SaaS — a REST API and a Spring Boot starter that give you a consent ledger, deletion-request orchestration, and a tamper-evident, hash-chained audit trail. It's a control plane that holds zero end-user PII, so your data never leaves your database. Drop it in, keep your data, and walk into any ANPD inquiry with cryptographic proof the work was done on time. Apache-2.0, self-hostable with one docker compose up.


Want the managed tier?

Self-host free under Apache-2.0 today. Leave your email for early access to hosted Zelo.

zelo — quickstart
# Record a consent decision — one REST call
curl -X POST https://api.zelocompliance.com/v1/consents \
  -H "Authorization: $ZELO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"external_id":"u_123","purpose_key":"marketing-emails","action":"GRANT","source":"signup-form"}'
[Diagram: Your database (PII stays here: name, email, CPF, health data) | Zelo control plane (zero end-user PII: external_id, consent, DSR state, hash chain)]

The real risk

The fine isn't the scary part. Not being able to prove you complied is.

LGPD gives you hard deadlines on deletion requests and expects a defensible record of every consent and every erasure. Most teams bolt this on with a few database columns and good intentions — exactly what falls apart under an ANPD inquiry or acquisition diligence, because a column can be edited after the fact and nobody can tell. Zelo turns "we think we handled it" into a chain you can recompute and hand over: who consented, what was deleted, and that it happened before the clock ran out. When someone asks "prove it," you run one curl instead of digging through logs.


Drop-in

A starter, not a six-month project

Add one dependency, set your API key and webhook secret, and the whole LGPD surface collapses into method calls on an injected ZeloClient. Declare a purpose once at boot. Gate any feature on live consent — and isGranted returns false for a never-seen user, so it never throws. Record a decision with grantConsent; open an erasure with requestDeletion. No DTOs to hand-write, no schema to design. The same thing is a one-line REST call:

POST /v1/consents
curl -X POST https://api.zelocompliance.com/v1/consents \
  -H "Authorization: $ZELO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"external_id":"u_123","purpose_key":"marketing-emails","action":"GRANT","source":"signup-form"}'

Zero-PII by design

It never touches your users' PII — so it can't be your next breach

Zelo is a control plane, not a data store. It only ever sees an opaque external_id — your own user id — plus consent records, request state, and the audit trail. Names, emails, CPF, dates of birth, health data: all of it stays in your database, where it already lives. Most compliance tools become a second copy of everything sensitive you own — a honeypot waiting to leak. Zelo orchestrates operations on your data via signed webhooks instead, so there's nothing inside it worth stealing. Adopting compliance tooling shouldn't make you a bigger target; by design, it doesn't.


Deletion orchestration

Deletion that calls your code, keeps the receipt, and never misses a deadline

Open a request and Zelo computes the legal deadline and fires an HMAC-SHA256-signed webhook to your app. Annotate one method and your own erasure runs:

DeletionHandler.java
@ZeloWebhook("dsr.delete.requested")
public Map<String,Object> erase(ZeloDeletionRequest req) {
    users.deleteByExternalId(req.externalId());  // your DB, your erasure
    return Map.of("deletedRows", 1);             // proof goes back to Zelo
}

The starter verifies the signature and freshness, calls you, and auto-fulfills the request with your return value as the audited proof. Throw from the handler and Zelo treats the erasure as failed and retries with backoff; an OVERDUE sweep flags anything past its deadline as an audited SLA miss — so a missed request surfaces as an alert, not a finding. The whole loop runs end to end out of the box; the demo erases a user and self-fulfills in about a second.
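The receiver side of that loop, written out as an added example that is not the starter's own code: a Python handler (Python rather than Java because the REST and webhook surface is language-neutral) that checks freshness and the HMAC-SHA256 signature before running the erasure, then returns the row count as the proof. The header names, the signed string (timestamp, a dot, the raw body) and the payload shape are assumptions for illustration; the starter's actual wire format is in the repository.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed wire format (not taken from Zelo's source): the control plane signs
# "<unix_timestamp>.<raw_body>" with the shared webhook secret and sends the
# hex digest in X-Zelo-Signature and the timestamp in X-Zelo-Timestamp.
SIG_HEADER = "X-Zelo-Signature"
TS_HEADER = "X-Zelo-Timestamp"
MAX_SKEW_SECONDS = 300  # freshness window: anything older is treated as a replay


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over timestamp and raw body, hex encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Receiver side: check freshness first, then a constant-time signature compare."""
    now = int(time.time()) if now is None else now
    sig = headers.get(SIG_HEADER, "")
    ts = headers.get(TS_HEADER, "")
    if not sig or not ts.isdigit():
        return False
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, int(ts), body), sig)


class UserStore:
    """Stand-in for your own user table; the PII never reaches Zelo."""

    def __init__(self, rows: Dict[str, dict]):
        self.rows = dict(rows)

    def delete_by_external_id(self, external_id: str) -> int:
        return 1 if self.rows.pop(external_id, None) is not None else 0


def handle_delivery(secret: bytes, headers: Dict[str, str], body: bytes,
                    users: UserStore, now: Optional[int] = None) -> dict:
    """The same loop the starter runs for you: verify, erase, return proof."""
    if not verify(secret, headers, body, now):
        return {"status": 401, "body": {"error": "bad signature or stale delivery"}}
    event = json.loads(body)
    if event.get("event_type") != "dsr.delete.requested":
        return {"status": 400, "body": {"error": "unexpected event type"}}
    deleted = users.delete_by_external_id(event["external_id"])
    # The row count is the proof that goes back to Zelo; 0 on a re-delivery
    # is still a success because the erasure is idempotent.
    return {"status": 200, "body": {"deletedRows": deleted}}


# Constructed sample delivery (not a real Zelo payload or secret).
SECRET = b"whsec_example_only"
SAMPLE_TS = 1700000000
SAMPLE_BODY = json.dumps({
    "event_type": "dsr.delete.requested",
    "request_id": "dsr_1",
    "external_id": "u_123",
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {SIG_HEADER: sign(SECRET, SAMPLE_TS, SAMPLE_BODY),
                  TS_HEADER: str(SAMPLE_TS)}


if __name__ == "__main__":
    store = UserStore({"u_123": {"email": "ana@example.com"},
                       "u_456": {"email": "bob@example.com"}})
    print(handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, store, now=SAMPLE_TS + 5))
    print(handle_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, store, now=SAMPLE_TS + 3600))
```

Freshness is checked before the signature so a captured delivery cannot be replayed weeks later to re-trigger the handler, and the comparison uses hmac.compare_digest rather than == so the check does not leak timing.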


The moat

A hash-chained audit trail you can prove unbroken

Every compliance event is appended to a per-integrator, hash-chained log. The rule is published and reproducible:

HashChain — entry hash rule
entry_hash = SHA-256(
  prev_hash       // 64 zeros for the genesis entry
  + "\n" + event_type
  + "\n" + canonical_json(payload)
  + "\n" + occurred_at
)

GET /v1/audit/verify recomputes the entire chain and points straight at the first broken link, so tampering with, deleting, or reordering any historical entry is detected — and because the algorithm is pure and published, your proof trail can be independently re-implemented and re-verified. You never have to take our word for the math.

GET /v1/audit/verify → {"ok":false, "first_broken_entry_id":3, "detail":"hash mismatch at entry 3"}

{"ok":true,"entries_checked":N} is the closest thing to unforgeable evidence that your compliance work was real and on time. One caveat every auditor will raise: recomputation proves the entries are consistent with each other, not that the newest ones were never dropped, so record the head hash somewhere outside the database (a signed release note, a ticket, a third party) at each deadline and compare against it. The v1 code is easy to clone; a multi-year, untampered proof trail is not. In the starter it's one call: zelo.verifyAudit().ok() — a green check for your admin dashboard.
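The verifier, re-implemented from the published rule above as an added example (Python, not Zelo's code): it builds a small constructed chain, recomputes every link, reports the first broken entry in the shape of the /v1/audit/verify response, and also checks against a head hash recorded out of band, which is the one check recomputation alone cannot do. The canonical-JSON rule (sorted keys, no whitespace) and the sample events are assumptions; Zelo's exact canonicalisation is in its source.

```python
import hashlib
import json
from typing import Any, Dict, List

GENESIS_PREV = "0" * 64  # the published rule: 64 zeros before the first entry


def canonical_json(payload: Dict[str, Any]) -> str:
    # Assumed canonicalisation (not taken from Zelo's source): sorted keys, no whitespace.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def entry_hash(prev_hash: str, event_type: str, payload: Dict[str, Any], occurred_at: str) -> str:
    """entry_hash = SHA-256(prev_hash \\n event_type \\n canonical_json(payload) \\n occurred_at)."""
    material = "\n".join([prev_hash, event_type, canonical_json(payload), occurred_at])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def append(chain: List[Dict[str, Any]], event_type: str,
           payload: Dict[str, Any], occurred_at: str) -> Dict[str, Any]:
    """Append-only write: the new entry commits to the hash of the one before it."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS_PREV
    entry = {"id": len(chain) + 1, "prev_hash": prev, "event_type": event_type,
             "payload": payload, "occurred_at": occurred_at,
             "entry_hash": entry_hash(prev, event_type, payload, occurred_at)}
    chain.append(entry)
    return entry


def verify(chain: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Recompute every link and stop at the first entry that no longer fits."""
    prev = GENESIS_PREV
    for e in chain:
        if e["prev_hash"] != prev:
            return {"ok": False, "first_broken_entry_id": e["id"],
                    "detail": f"prev_hash mismatch at entry {e['id']}"}
        if e["entry_hash"] != entry_hash(prev, e["event_type"], e["payload"], e["occurred_at"]):
            return {"ok": False, "first_broken_entry_id": e["id"],
                    "detail": f"hash mismatch at entry {e['id']}"}
        prev = e["entry_hash"]
    return {"ok": True, "entries_checked": len(chain), "head": prev}


def verify_against_head(chain: List[Dict[str, Any]], recorded_head: str) -> Dict[str, Any]:
    """Recomputation cannot see a silently truncated tail; a head recorded out of band can."""
    result = verify(chain)
    if result["ok"] and result["head"] != recorded_head:
        return {"ok": False, "detail": "chain is internally consistent but its head "
                                       "differs from the recorded head"}
    return result


def sample_chain() -> List[Dict[str, Any]]:
    """Constructed events for one user (not real Zelo data); a fresh copy on every call."""
    chain: List[Dict[str, Any]] = []
    append(chain, "consent.granted",
           {"external_id": "u_123", "purpose_key": "marketing-emails", "source": "signup-form"},
           "2024-03-01T10:00:00Z")
    append(chain, "dsr.delete.requested",
           {"external_id": "u_123", "request_id": "dsr_1", "deadline": "2024-03-16T10:00:00Z"},
           "2024-03-02T09:30:00Z")
    append(chain, "dsr.delete.fulfilled",
           {"external_id": "u_123", "request_id": "dsr_1", "proof": {"deletedRows": 1}},
           "2024-03-02T09:30:01Z")
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print(verify(chain))
    chain[2]["occurred_at"] = "2024-03-02T09:30:00Z"  # rewrite a timestamp after the fact
    print(verify(chain))
```

Editing a timestamp, changing a payload, swapping two rows or deleting a middle row all surface as a mismatch at the first affected id, which is exactly what the "first_broken_entry_id":3 response above reports. Cutting the newest rows off the end leaves a chain that still verifies, so the recorded head is what catches it.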


Open core

Open source you can read, run, and trust

Apache-2.0 and self-hostable from day one: docker compose up brings up the control plane, a demo integrator, and Postgres, and runs the full deletion loop end to end. Built on Java 21, Spring Boot 3, and PostgreSQL.

  • Append-only, explicit JDBC — no ORM. The consent ledger and audit log enforce that discipline at the data layer.
  • Transactional outbox. An event is queued in the same commit as the request it belongs to, then signed and delivered with HMAC-SHA256.
  • Idempotent & rate-limited writes via Idempotency-Key.
  • Ten LGPD Art. 7 legal bases as a typed enum — CONSENT, CONTRACT, LEGAL_OBLIGATION, HEALTH_PROTECTION, LEGITIMATE_INTEREST, and the rest.
  • No vendor lock-in, no PII leaving your perimeter, no sales call to start.
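The outbox and Idempotency-Key items above, demonstrated as an added example that is not Zelo's schema or code: a sqlite-backed sketch (Python, for consistency with the other examples on this page) in which the deletion request and its outbox event are written in one transaction, a repeated key returns the existing request without enqueueing a second event, and a crash before COMMIT leaves neither row behind. Table and column names are assumptions; the real tables are in the repository.

```python
import json
import sqlite3
from typing import List, Optional, Tuple

# Constructed schema for the demonstration (assumed, not Zelo's real tables).
SCHEMA = """
CREATE TABLE deletion_request (
    id              INTEGER PRIMARY KEY,
    external_id     TEXT NOT NULL,
    idempotency_key TEXT NOT NULL UNIQUE,
    status          TEXT NOT NULL DEFAULT 'OPEN',
    created_at      TEXT NOT NULL
);
CREATE TABLE outbox (
    id           INTEGER PRIMARY KEY,
    request_id   INTEGER NOT NULL REFERENCES deletion_request(id),
    event_type   TEXT NOT NULL,
    payload      TEXT NOT NULL,
    delivered_at TEXT
);
"""


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def open_deletion_request(conn: sqlite3.Connection, external_id: str, idempotency_key: str,
                          created_at: str, crash_before_commit: bool = False
                          ) -> Tuple[Optional[int], bool]:
    """Returns (request_id, created). The request row and its outbox event share one commit."""
    try:
        with conn:  # one transaction: COMMIT on success, ROLLBACK on any exception
            cur = conn.execute(
                "INSERT INTO deletion_request (external_id, idempotency_key, created_at) "
                "VALUES (?, ?, ?)",
                (external_id, idempotency_key, created_at))
            request_id = cur.lastrowid
            payload = json.dumps({"request_id": request_id, "external_id": external_id},
                                 sort_keys=True)
            conn.execute(
                "INSERT INTO outbox (request_id, event_type, payload) VALUES (?, ?, ?)",
                (request_id, "dsr.delete.requested", payload))
            if crash_before_commit:
                raise RuntimeError("simulated crash between the inserts and COMMIT")
    except sqlite3.IntegrityError:
        # Same Idempotency-Key seen before: the UNIQUE constraint, not a racy
        # SELECT-then-INSERT, decides. Hand back the existing request, enqueue nothing.
        row = conn.execute("SELECT id FROM deletion_request WHERE idempotency_key = ?",
                           (idempotency_key,)).fetchone()
        return row[0], False
    except RuntimeError:
        return None, False
    return request_id, True


def pending_events(conn: sqlite3.Connection) -> List[tuple]:
    """What a delivery worker would pick up, sign with HMAC-SHA256 and POST to the integrator."""
    return conn.execute(
        "SELECT id, request_id, event_type, payload FROM outbox "
        "WHERE delivered_at IS NULL ORDER BY id").fetchall()


def request_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM deletion_request").fetchone()[0]


if __name__ == "__main__":
    db = new_db()
    print(open_deletion_request(db, "u_123", "idem-1", "2024-03-02T09:30:00Z"))
    print(open_deletion_request(db, "u_123", "idem-1", "2024-03-02T09:30:05Z"))  # retry
    print(open_deletion_request(db, "u_456", "idem-2", "2024-03-02T09:31:00Z",
                                crash_before_commit=True))
    print(request_count(db), pending_events(db))
```

The point of the pattern is that there is no window in which a request exists without its event, or an event without its request: a crash after the first INSERT rolls both back, and the client's retry with the same Idempotency-Key either creates the pair once or gets the id it already created.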

Read every line on GitHub before you trust it with a single request: github.com/thgrcarvalho/zelo.


Self-host free today. Want the managed tier?

Self-host now under Apache-2.0 — docker compose up and you're running. Leave your email for early access to hosted Zelo: a managed control plane with signed-webhook delivery, deadline monitoring, and the verifiable audit chain, run for you. No spam, just an invite when it's ready.
