{"id":335220,"date":"2026-07-13T11:55:16","date_gmt":"2026-07-13T11:55:16","guid":{"rendered":"https:\/\/br.wordpress.org\/plugins\/consentguard\/"},"modified":"2026-07-17T13:13:35","modified_gmt":"2026-07-17T13:13:35","slug":"privatto","status":"publish","type":"plugin","link":"https:\/\/so.wordpress.org\/plugins\/privatto\/","author":21064875,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"2.0.0","stable_tag":"2.0.0","tested":"7.0.1","requires":"6.2","requires_php":"7.4","requires_plugins":null,"header_name":"Privatto","header_author":"Interativus","header_description":"CMP pr\u00f3pria para LGPD\/GDPR: banner de consentimento granular, bloqueio autom\u00e1tico de tags de terceiros, Google Consent Mode v2 e prova de consentimento em banco de dados pr\u00f3prio.","assets_banners_color":"fafbfa","last_updated":"2026-07-17 13:13:35","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/interativus.com.br\/privatto","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":80,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.4.0":{"tag":"1.4.0","author":"sergioinglez","date":"2026-07-13 12:42:26"},"2.0.0":{"tag":"2.0.0","author":"sergioinglez","date":"2026-07-17 13:13:35"}},"upgrade_notice":{"2.0.0":"<p>Adds plugin\/script discovery, reformulated reports, WP Consent API, multilingual banner and lightweight geolocation. Removes the optional Groq integration: everything is now fully local.<\/p>","1.4.0":"<p>Security and standards-compliance release. WordPress 6.2 or later is now required.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3605989,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3605989,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3605989,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3605989,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.4.0","2.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[223629,16626,131785,160853,396],"plugin_category":[54],"plugin_contributors":[271352],"plugin_business_model":[],"class_list":["post-335220","plugin","type-plugin","status-publish","hentry","plugin_tags-consent-mode","plugin_tags-cookie-consent","plugin_tags-gdpr","plugin_tags-lgpd","plugin_tags-privacy","plugin_category-security-and-spam-protection","plugin_contributors-sergioinglez","plugin_committers-sergioinglez"],"banners":{"banner":"https:\/\/ps.w.org\/privatto\/assets\/banner-772x250.png?rev=3605989","banner_2x":"https:\/\/ps.w.org\/privatto\/assets\/banner-1544x500.png?rev=3605989","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/privatto\/assets\/icon-128x128.png?rev=3605989","icon_2x":"https:\/\/ps.w.org\/privatto\/assets\/icon-256x256.png?rev=3605989","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>Privatto is a self-hosted consent management platform (CMP) for WordPress, built with Brazil's LGPD and the European GDPR in mind. It does not rely on any external service.<\/p>\n\n<p>Official website, live demo and documentation: <a href=\"https:\/\/interativus.com.br\/privatto\">interativus.com.br\/privatto<\/a><\/p>\n\n<p><strong>Main features:<\/strong><\/p>\n\n<ul>\n<li>Granular consent banner with per-category preferences (necessary, statistics, marketing, embeds).<\/li>\n<li>Automatic blocking of third-party scripts and iframes via output buffering: matching <code>&lt;script&gt;<\/code> tags are switched to <code>type=\"text\/plain\"<\/code> before the page reaches the browser, so nothing runs before consent.<\/li>\n<li>Google Consent Mode v2 injected with everything denied by default, updated according to the visitor's choice.<\/li>\n<li>Proof of consent stored in your own database table: unique ID, action, categories (JSON), policy version, IP hash (optional), country, user agent, page URL and UTC timestamp. Exportable to CSV for audits.<\/li>\n<li>LGPD document generator: privacy policy, terms of use, cookie policy, returns policy and a plain-language summary, built from a guided form \u2014 100% local, with no external calls.<\/li>\n<li>Data subject rights form (LGPD art. 18) with tracked protocols, 15-day response deadline monitoring and an admin queue.<\/li>\n<li>Simplified record of processing activities (ROPA) export, as required by ANPD Resolution CD\/ANPD No. 2\/2022, including for small-scale processing agents.<\/li>\n<li>\"Cookie preferences\" link to reopen the banner, letting visitors change or withdraw consent at any time.<\/li>\n<\/ul>\n\n<p><strong>Important notice:<\/strong> the generated documents are a structured, LGPD-aligned starting point; they are not legal advice. Review by a lawyer is recommended, especially for complex operations.<\/p>\n\n<h3>External services<\/h3>\n\n<p>Privatto does not connect to any external service. The banner, blocking, consent records, plugin\/script detection and document generation all run entirely on your own server, with no data sent anywhere.<\/p>\n\n<p><strong>About the third-party domain names found in the source code:<\/strong> the plugin ships a static, local catalog of well-known tracking\/embed services (Google Tag Manager, Meta Pixel, Stripe, RD Station\/CloudFront, etc.). These domain strings are reference data only, used to (a) describe \u2014 in the generated cookie policy \u2014 services the site owner already uses, and (b) match script\/iframe patterns for consent-based blocking. Privatto never makes any request to those domains and never loads any remote file from them.<\/p>\n\n<p>Note: the plugin also ships a static reference catalog (service name, vendor and known script\/domain signatures) used only to help the document generator recognize and describe third-party services <em>that your own site may already be using<\/em> (e.g. Google Analytics, Meta Pixel, Stripe) when writing your cookie policy. This catalog makes no outbound request to those services \u2014 it is a local, offline pattern check against your own site's HTML.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin under Plugins \u2192 Add New \u2192 Upload Plugin, or copy the <code>privatto<\/code> folder to <code>\/wp-content\/plugins\/<\/code>.<\/li>\n<li>Activate the plugin. The consent table and default options are created on activation.<\/li>\n<li>Follow the setup wizard, then fine-tune under <strong>Privatto \u2192 Settings<\/strong>.<\/li>\n<li>Generate your legal documents under <strong>Privatto \u2192 LGPD Documents<\/strong>.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20the%20plugin%20rely%20on%20any%20external%20service%3F\"><h3>Does the plugin rely on any external service?<\/h3><\/dt>\n<dd><p>No. The banner, blocking, consent records and document generation all run entirely on your own site. Privatto does not make any calls to external services.<\/p><\/dd>\n<dt id=\"how%20does%20tag%20blocking%20work%3F\"><h3>How does tag blocking work?<\/h3><\/dt>\n<dd><p>The plugin captures the full page output on <code>template_redirect<\/code>, injects Google Consent Mode v2 (everything denied) right after <code>&lt;head&gt;<\/code>, and rewrites any <code>&lt;script&gt;<\/code> whose <code>src<\/code> or content matches the configured patterns. When the visitor consents, the allowed scripts are restored and executed.<\/p><\/dd>\n<dt id=\"where%20is%20the%20proof%20of%20consent%20stored%3F\"><h3>Where is the proof of consent stored?<\/h3><\/dt>\n<dd><p>In a dedicated table (<code>wp_pvto_consents<\/code>). Each decision records a UUID, action, categories, policy version, irreversible IP hash (optional), country, user agent, URL and UTC timestamp. You can view it under <strong>Privatto \u2192 Logs<\/strong> and export it to CSV.<\/p><\/dd>\n<dt id=\"is%20data%20removal%20on%20uninstall%20optional%3F\"><h3>Is data removal on uninstall optional?<\/h3><\/dt>\n<dd><p>Yes. By default, uninstalling preserves the consent tables (they are your audit evidence) and removes only the settings. To delete everything, define <code>PVTO_DELETE_DATA<\/code> as <code>true<\/code> in <code>wp-config.php<\/code> before removing the plugin.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>2.0.0<\/h4>\n\n<ul>\n<li>New: functionality\/plugin discovery. Privatto now scans installed plugins (reading only each plugin's own local readme.txt\/header \u2014 no external calls) and surfaces the ones that may require consent, in a new \"Discoveries\" screen for human review. Nothing is applied automatically.<\/li>\n<li>New: curated signature base mapping popular plugins (analytics, marketing, functional) to likely cookie categories, with a heuristic fallback for unknown plugins.<\/li>\n<li>New: passive script scanner. Third-party script\/iframe domains that actually load on the site are recorded (deduplicated) so you can categorize them.<\/li>\n<li>New: approving a discovery adds its signature to automatic blocking and generates a ready-to-use text suggestion for your documents (draft only \u2014 never published automatically).<\/li>\n<li>New: dashboard reformulated with a 7\/30\/90-day period selector, KPI variation vs. previous period, and an accept-rate-by-category breakdown.<\/li>\n<li>New: Records screen with summary cards, structured action\/country filters, and category badges instead of raw JSON.<\/li>\n<li>New: settings for the passive scanner, region behavior and an opt-in \"Powered by Privatto\" seal.<\/li>\n<li>New: \"Pending suggestions\" tab in Documents \u2014 approved discoveries generate ready-to-use, editable text you add to a Cookie Declaration draft (never auto-published).<\/li>\n<li>New: [privatto_declaracao_cookies] shortcode renders a public list of the services\/cookies used, built from the approved draft items.<\/li>\n<li>New: WP Consent API interoperability. When the WP Consent API is active, Privatto additively announces the visitor's choice (mapping its categories to functional\/statistics\/marketing\/preferences) so compatible plugins can read the consent state. Privatto's own blocking is unchanged.<\/li>\n<li>New: multilingual banner. Add per-locale translations of the banner texts and button labels under Settings \u2192 Languages; the correct language is picked automatically from the visitor's locale, falling back to the base language and then to the default texts. English and Spanish ship with ready-to-use suggested translations.<\/li>\n<li>New: optional \"Powered by Privatto\" seal on the banner (off by default; enable under Settings \u2192 Compliance).<\/li>\n<li>New: lightweight geolocation (region behavior). Reads the visitor country only from headers your infrastructure already provides (Cloudflare, CloudFront, GeoIP) \u2014 no bundled IP database, no external call. Modes: always strict (opt-in for everyone), adaptive (opt-in for BR\/EU, configurable elsewhere) or manual. Falls back to strict when geo is unavailable.<\/li>\n<li>New: confidence levels for discoveries with a certainty-based palette (high=green, medium=blue, low=gray) plus a legend, and a configurable threshold that decides which levels generate automatic document suggestions (default: high only).<\/li>\n<li>Removed: optional Groq AI text refinement. Document generation is now 100% local, with no external calls at all.<\/li>\n<li>Note: Privatto remains free and fully self-contained \u2014 no telemetry and no remote signature service are used.<\/li>\n<\/ul>\n\n<h4>1.4.0<\/h4>\n\n<ul>\n<li>Security hardening: prepared statements with the <code>%i<\/code> identifier placeholder, input unslashing\/sanitization, output escaping.<\/li>\n<li>Internationalization: translator comments and ordered placeholders.<\/li>\n<li>Readme rewritten to follow WordPress.org standards.<\/li>\n<\/ul>","raw_excerpt":"Self-hosted LGPD\/GDPR consent: cookie banner, real third-party script blocking, Consent Mode v2 and consent receipts in your own database.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/335220","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=335220"}],"author":[{"embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/sergioinglez"}],"wp:attachment":[{"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=335220"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=335220"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=335220"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=335220"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=335220"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/so.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=335220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}