Privacy Policy
Last updated: June 9, 2026
Descodify is a certified invoicing and tax reporting tool for solo entrepreneurs in Portugal. This policy explains what personal data we collect, why we collect it, how we protect it, and what rights you have.
We keep this policy in plain language. If anything is unclear, email us at [email protected].
Who we are
Descodify is operated from Portugal. We are the data controller for the personal data described in this policy. You can reach us at:
- Email: [email protected]
- Location: Algarve, Portugal
What we collect and why
Account data
When you create an account, we collect:
- Email address - to identify your account, send verification emails, and communicate with you
- Name - to display in the app and on invoices
- Passkey credentials (if you register a passkey) - the public key for your device, never a password. Descodify has no passwords: sign-in is by magic link, passkey, or Google.
- Google account data (if using Google sign-in) - OAuth tokens for authentication only
Legal basis: Contract performance (we need this to provide the service).
Business profile
To configure your invoicing and tax reporting, we collect:
- Business name and NIF (Portuguese tax number)
- VAT regime (normal, simplified, or exempt)
- Activity type (goods, services, or mixed)
- Territory (mainland, Madeira, or Azores)
Legal basis: Contract performance (required for certified invoicing and tax calculations).
Customer data
When you add customers to issue invoices, we store their details as provided by you:
- Name, address, city, postal code, country
- Email and phone number (optional)
- VAT number or personal tax ID (NIF)
Legal basis: Contract performance (required for invoice generation). You are responsible for ensuring you have a lawful basis to provide your customers' data.
Invoices and financial records
We store all invoice data you create through Descodify:
- Invoice numbers, dates, amounts, and payment methods
- Line items with descriptions, quantities, and VAT rates
- A snapshot of the customer details at the time the invoice was finalized
Legal basis: Contract performance and legal obligation (Portuguese law requires retention of invoicing records).
Uploaded documents
You can upload expense receipts and other documents. We store the file, its filename, and metadata about when it was uploaded and by whom.
To extract structured data (supplier, amounts, VAT, dates) from uploaded documents, we send the document image and text to Mistral AI for OCR and extraction. Mistral is a French AI provider; processing runs against EU-region endpoints. Mistral does not use this data to train models.
Legal basis: Contract performance (extraction is part of the expense-tracking service).
Tax authority credentials
If you choose to connect your Portal das Finanças account, Descodify creates a dedicated subuser on the AT portal - a separate login used only by Descodify. We store only the subuser credentials, encrypted at rest using AES-256-GCM - we cannot read the password in plain text.
If you use automatic setup, your main portal credentials are used once to create the subuser and then immediately and permanently deleted. We never store your main login. Alternatively, you can create the subuser yourself and provide only those credentials.
Every interaction with the tax authority portal is logged in an audit trail (action type, success/failure, timestamp) so you can see exactly what was accessed and when.
Legal basis: Explicit consent (you choose to connect your portal account and can disconnect at any time).
VAT number and company lookups
When you verify a customer's VAT number, we send the country code and VAT number to the EU's VIES (VAT Information Exchange System) service. VIES returns whether the number is valid, along with the registered name and address for some countries. We store the verification result and timestamp.
To pre-fill a company customer's details (name, address, activity code), we also look up the company registration number (NIPC) against two additional sources: nif.pt (a business-registry service operated by Cegid, a French company) and SICAE (Sistema de Informação da Classificação Portuguesa de Actividades Económicas), the official Portuguese government registry run by the Ministry of Justice (IRN). A NIPC identifies a legal entity (a company), not a person, so these lookups do not involve anyone's personal data.
We never send an individual's or sole trader's personal tax number (NIF) to nif.pt or SICAE when verifying a customer. The only time your own personal NIF may be sent to nif.pt is during your own onboarding, to pre-fill your business profile from data about you.
Legal basis: Legitimate interest (verifying and pre-filling counterparty details is required for correct invoicing under EU and Portuguese VAT rules).
AI assistant conversations (optional)
Descodify includes an optional AI assistant powered by Anthropic's Claude. The assistant is entirely optional - you can disable it in your organization settings, and Descodify works fully without it. No data is sent to Anthropic unless you actively use the assistant.
If you choose to use the assistant:
- Your messages and the assistant's responses are stored in our database so you can revisit past conversations
- Your messages are sent to Anthropic's API for processing against EU-region endpoints. Anthropic does not use your data to train their models (see Anthropic's privacy policy)
- We do not include your financial data or customer details in AI requests unless you explicitly type them into the chat
If you disable the assistant, no conversation data is collected and no requests are made to Anthropic.
Legal basis: Consent (you opt in by using the assistant and can disable it at any time).
Session and security data
When you log in, we collect:
- IP address - for session security and abuse prevention
- Browser and device information (user agent) - for session identification
- Session tokens - stored as encrypted cookies in your browser
Legal basis: Legitimate interest (security of your account).
Newsletter (optional)
If you sign up for our newsletter — the monthly email about working for yourself in Portugal (invoicing, VAT, Social Security, expenses, deadlines, tax) — we collect:
- Email address - to send you the newsletter
- Confirmation status and timestamp - the date you confirmed your subscription, recorded as proof of consent
The newsletter uses double opt-in: after you submit your email, we send a confirmation link, and you only start receiving the newsletter once you click it. We do not need an account, and the newsletter is entirely separate from the transactional emails that keep your account running (sign-in links, deadline reminders, billing) - those are sent whether or not you subscribe. Every newsletter email includes a one-click unsubscribe link.
Legal basis: Consent (you opt in, confirm by email, and can withdraw at any time by unsubscribing).
What we do not collect
- We do not use third-party analytics or tracking pixels. We self-host a privacy-friendly analytics service (Umami) that records anonymous page-view counts, with no cookies, no fingerprinting, and no cross-site tracking
- We do not set marketing cookies - only an authentication cookie
- We do not sell or share your data with advertisers
- We do not track your browsing behavior across pages
- We do not use device fingerprinting
Where your data is stored — and under whose jurisdiction
All application data is stored on servers in the European Union. We host with Hetzner Online GmbH in Germany (Nuremberg and Falkenstein data centres), send email via AhaSend B.V. in the Netherlands, run document OCR via Mistral AI in France, and process subscription payments for paid tiers via Mollie B.V. in the Netherlands. Each of these is an EU-incorporated company on EU infrastructure — so neither the data nor the company answers to non-EU law.
This distinction matters: many “EU-hosted” services are operated by US-parented companies that remain subject to US extraterritorial law (CLOUD Act, FISA Section 702) regardless of which data centre the bits live in. We picked subprocessors under EU jurisdiction wherever a credible EU option exists.
Where a US-parented processor is unavoidable — Anthropic (optional chat assistant, routed to EU-region endpoints), Cloudflare (edge TLS and DDoS protection), Google (optional OAuth sign-in) — traffic to those providers is always TLS-encrypted in transit, and we never store sensitive payloads with them in plain form. Transfers are governed by EU Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.
On the free tier, with the AI assistant disabled and magic-link or passkey sign-in instead of Google, zero of your application data ever touches a US-parented company.
Who has access to your data
Your data is accessible only to you and anyone you explicitly invite to your organization (e.g., your accountant). We access your data only when necessary to operate the service or when you contact us for support.
Service providers
We use the following third-party services to operate Descodify:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting | All application data at rest | EU (Germany) |
| AhaSend B.V. | Email delivery — transactional (verification, deadline reminders, billing) and the opt-in newsletter | Email address, email content | EU (Netherlands) |
| Anthropic | AI assistant (Claude) — optional, opt-in per session | Chat messages you send | EU region endpoints |
| Mistral AI | Invoice and expense OCR (extraction from uploaded documents) | Document images and extracted text | EU (France) |
| Mollie B.V. | Subscription billing for paid tiers | Email, billing address, card data (handled by Mollie), subscription state | EU (Netherlands) |
| Google | OAuth sign-in (optional) | Authentication tokens, email, name | EU/US (SCC + EU-US DPF) |
| Cloudflare | DNS, edge TLS termination, DDoS protection | IP address, request metadata | Global edge (SCC + EU-US DPF) |
| EU VIES | VAT number verification | Country code, VAT number | EU |
| nif.pt (Cegid) | Company detail lookup (name, address, activity code) | Company registration number (NIPC); your own NIF only during your onboarding | EU (France) |
| SICAE (Ministério da Justiça / IRN) | Official company activity-code (CAE) lookup | Company registration number (NIPC) | EU (Portugal) |
| Umami (self-hosted) | Privacy-friendly analytics (anonymous page views, no cookies) | Pseudonymised pageviews | Self-hosted alongside the app |
We do not share your data with any other third parties. We do not sell your data. We never will.
How we protect your data
- Encryption in transit: All connections use TLS (HTTPS)
- Encryption at rest: Sensitive credentials (AT Portal passwords) are encrypted with AES-256-GCM
- Passwordless sign-in: No passwords to store or leak - you sign in with a magic link, a passkey (WebAuthn), or Google
- Session security: Encrypted, httpOnly cookies with CSRF protection
- Access control: Organization-based permissions - users can only access data in organizations they belong to
- Audit logging: Tax authority interactions are logged for transparency
How long we keep your data
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Invoices and financial records | Minimum 10 years (Portuguese legal requirement for accounting records) |
| Customer data | Until you delete the customer or your account |
| Uploaded documents | Until you delete them or your account |
| AI conversations | Until you delete them or your account |
| AT Portal credentials | Until you disconnect your portal |
| Newsletter subscription | Until you unsubscribe (we keep the confirmation timestamp as proof of consent while you are subscribed) |
| Session data | Automatically expired and cleaned up |
| Audit logs | Retained for compliance and security purposes |
Your rights under GDPR
As a user in the EU, you have the following rights. To exercise any of them, email us at [email protected]. We will respond within 30 days.
- Access - request a copy of all personal data we hold about you
- Correction - ask us to fix inaccurate data
- Deletion - ask us to delete your data (subject to legal retention requirements for invoicing records)
- Portability - receive your data in a machine-readable format
- Restriction - ask us to limit how we process your data
- Objection - object to processing based on legitimate interest
- Withdraw consent - for processing based on consent (e.g., AT Portal connection or the newsletter), you can withdraw at any time (for the newsletter, use the unsubscribe link in any issue)
You also have the right to lodge a complaint with the Portuguese data protection authority: CNPD (Comissão Nacional de Proteção de Dados), at www.cnpd.pt.
Cookies
We use a single cookie:
- Authentication cookie - an encrypted session token that keeps you logged in. It is httpOnly (cannot be read by JavaScript), Secure (only sent over HTTPS), and SameSite=Lax (protects against cross-site attacks). No marketing, analytics, or tracking cookies.
Because we only use a strictly necessary cookie, we do not need a cookie consent banner.
Children
Descodify is a business tool for solo entrepreneurs and individuals exploring tax obligations in Portugal. Under Portuguese GDPR rules, users must be at least 16 to consent to data processing. If you believe someone under 16 has created an account, contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. When we make significant changes, we will notify you by email or through a notice in the app. The date at the top of this page always reflects the latest revision.
Contact
For any questions about this policy or your personal data, email us at [email protected].