
GDPR

Descodify is GDPR compliant. We built EU data residency into the product from day one because the people we serve — solo entrepreneurs in Portugal — deserve a tool that puts their financial data under European protection, not American.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law that came into force on 25 May 2018. It governs how organisations collect, use, store, and share personal data about people in the EU. The Portuguese implementation is overseen by the CNPD (Comissão Nacional de Proteção de Dados).

GDPR gives you eight rights over your personal data:

  • Right to be informed — know what data we collect and why
  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — correct inaccurate data
  • Right to erasure — ask us to delete your data (subject to legal retention requirements)
  • Right to restrict processing — limit how we process your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Rights related to automated decision-making — opt out of decisions made solely by automated processing

Where your data lives — and under whose jurisdiction

All Descodify application data sits on servers in the European Union. The companies running that infrastructure are EU-incorporated too: hosting via Hetzner Online GmbH (Germany), email delivery via AhaSend B.V. (Netherlands), and document OCR via Mistral AI (France). Each is subject to EU law — not just operating on EU soil under a US-parented owner.

This distinction matters. Under US extraterritorial law (CLOUD Act, FISA Section 702), US-parented companies can be compelled to produce customer data regardless of where the data physically resides. A dataset in an EU data centre owned by a US company is not the same legal posture as one held by an EU-incorporated company. We picked EU-jurisdictional subprocessors wherever a credible EU option exists.

Where a US-parented partner is unavoidable — Anthropic (optional chat assistant, routed to EU-region endpoints), Cloudflare (edge TLS, DDoS protection), Google (optional OAuth sign-in), Stripe (payment processing for paid tiers) — traffic is always TLS-encrypted in transit, and we never store sensitive payloads with them in plain form. Transfers are governed by EU Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

On the free tier, with the AI assistant disabled and magic-link or passkey sign-in instead of Google, zero of your application data ever touches a US-parented company. The full subprocessor table is in our Privacy Policy.

How we protect your personal data

  • Encryption in transit and at rest — all connections use TLS; tax-authority credentials are encrypted with AES-256-GCM
  • No third-party tracking — we self-host Umami analytics, which is cookieless and never sends data to any third party. No advertising pixels, no fingerprinting, no cross-site identifiers.
  • Strictly necessary cookies only — one authentication cookie. No marketing cookies, no analytics cookies, so no cookie consent banner is needed under ePrivacy + GDPR.
  • Organisation-scoped access control — data is partitioned by organisation; users only ever see their own organisation's data
  • Audit logging — tax-authority interactions and state changes (VAT report locks, IRS submissions) are appended to immutable audit tables

Subprocessors and contracts

We work with a small, EU-curated set of subprocessors — each serves a single defined purpose. The full list (with purpose, data shared, region, and transfer mechanism) is in our Privacy Policy.

Every subprocessor relationship is governed by a Data Processing Addendum (DPA) under Article 28 of GDPR. For US-parented processors (Anthropic, Cloudflare, Google, Stripe US-side), the DPA includes EU Standard Contractual Clauses and references the EU-US Data Privacy Framework where applicable.

We notify users by email when a significant subprocessor change happens. The most recent update was on 28 May 2026.

Exercising your rights

Once signed in, you can download your data and request account deletion from Settings → Privacy & data. The export is delivered as a ZIP archive of your invoices, customer records, expenses, uploaded documents, and tax reports. Account deletion has a 30-day cooling-off window; you can cancel it during that window if you change your mind.

For any other GDPR request — access, rectification, restriction, objection, portability beyond the ZIP export — email [email protected]. We will respond within 30 days.

Financial records (invoices, comprovativos, VAT/SS reports) are legally retained for 10 years under Portuguese tax law, even after you delete your account. We anonymise those records at the user-identity layer while retaining the financial integrity required for tax-authority audit.

If you have a complaint

We hope you'll write to us first at [email protected] — we read every message and respond within 30 days.

You also have the right to lodge a complaint directly with the Portuguese supervisory authority: CNPD, at www.cnpd.pt. If you're acting outside your trade or profession (“consumidor” under Lei 24/96), you can additionally refer disputes to CNIACC or use the Portuguese electronic complaint book at livroreclamacoes.pt.

Who we are

Descodify is provided by DESCODIFY, UNIPESSOAL LDA (NIPC 519352548), registered at the Conservatória do Registo Comercial de Aveiro under matrícula 519352548. We are established in the EU (Portugal), so we do not need to appoint an EU representative under GDPR Art. 27. We have not designated a Data Protection Officer — Art. 37 doesn't require one for an operation at our scale, and the founder is the controller contact.
