Privatto
Privatto is a self-hosted consent management platform (CMP) for WordPress, built with Brazil’s LGPD and the European GDPR in mind. It does not rely on any external service.
Official website, live demo and documentation: interativus.com.br/privatto
Main features:
- Granular consent banner with per-category preferences (necessary, statistics, marketing, embeds).
- Automatic blocking of third-party scripts and iframes via output buffering: matching
<script>tags are switched totype="text/plain"before the page reaches the browser, so nothing runs before consent. - Google Consent Mode v2 injected with everything denied by default, updated according to the visitor’s choice.
- Proof of consent stored in your own database table: unique ID, action, categories (JSON), policy version, IP hash (optional), country, user agent, page URL and UTC timestamp. Exportable to CSV for audits.
- LGPD document generator: privacy policy, terms of use, cookie policy, returns policy and a plain-language summary, built from a guided form — 100% local, with no external calls.
- Data subject rights form (LGPD art. 18) with tracked protocols, 15-day response deadline monitoring and an admin queue.
- Simplified record of processing activities (ROPA) export, as required by ANPD Resolution CD/ANPD No. 2/2022, including for small-scale processing agents.
- “Cookie preferences” link to reopen the banner, letting visitors change or withdraw consent at any time.
Important notice: the generated documents are a structured, LGPD-aligned starting point; they are not legal advice. Review by a lawyer is recommended, especially for complex operations.
External services
Privatto does not connect to any external service. The banner, blocking, consent records, plugin/script detection and document generation all run entirely on your own server, with no data sent anywhere.
About the third-party domain names found in the source code: the plugin ships a static, local catalog of well-known tracking/embed services (Google Tag Manager, Meta Pixel, Stripe, RD Station/CloudFront, etc.). These domain strings are reference data only, used to (a) describe — in the generated cookie policy — services the site owner already uses, and (b) match script/iframe patterns for consent-based blocking. Privatto never makes any request to those domains and never loads any remote file from them.
Note: the plugin also ships a static reference catalog (service name, vendor and known script/domain signatures) used only to help the document generator recognize and describe third-party services that your own site may already be using (e.g. Google Analytics, Meta Pixel, Stripe) when writing your cookie policy. This catalog makes no outbound request to those services — it is a local, offline pattern check against your own site’s HTML.
