Privacy policy
Last updated: May 20, 2026
1. Data controller
Alastia SLU (hereinafter, "we" or "Tributs") is the data controller for personal data processed when you use the service via tributs.ad and its subdomains.
Identification: Andorran limited liability company, NRT L-720150-X, registered office at C/ Prat de la Creu 96, 4-1, AD500 Andorra la Vella (Principality of Andorra). Privacy contact: hola@tributs.ad.
2. What data we process
Account data: full name, email, password (bcrypt-hashed), registration date.
Company data: legal name, NRT, parish, incorporation date, tax data.
Accounting and tax data: issued and received invoices, bank movements, tax filings, annual accounts.
Attached images and documents: photos and PDFs of invoices you scan with the AI capture feature.
Technical data: access logs (IP, browser, timestamps), session cookies.
3. Purposes of processing
Provide the contracted service (fiscal and accounting management of an Andorran company).
Generate tax filings from your accounting data.
Extract structured data from invoices you scan using a generative AI provider (section 5).
Send transactional notifications (verification, unpaid invoices, fiscal calendar reminders).
Manage billing of your Tributs subscription.
Comply with legal obligations.
4. Legal basis
Contract performance: for all processing necessary to provide the service.
Legal obligation: for retention of fiscal records during the periods required by Andorran law (Decret 595/2023 art. 35 — 5-year minimum).
Consent: for commercial communications unrelated to the service.
Legitimate interest: for service improvement and fraud prevention.
5. Sub-processors
To provide the service, we contract external providers acting as sub-processors. All have a Data Processing Agreement (DPA) with us, and where applicable, EU Commission-approved Standard Contractual Clauses (SCCs) for international transfers outside the EEA.
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Anthropic, PBC | Structured invoice data extraction via AI (Claude Vision). | United States · USA | Standard Contractual Clauses (SCCs) |
| Hetzner Online GmbH | Hosting of servers and databases. | Germany · EU | GDPR adequacy (EU) |
| Resend, Inc. | Transactional email sending (verification, notifications, invoices). | United States · USA | Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. | DNS, CDN and DDoS mitigation for our domains. | United States · USA | Standard Contractual Clauses (SCCs) |
| Vercel, Inc. | Hosting of the tributs.ad landing and anonymous analytics. | United States · USA | Standard Contractual Clauses (SCCs) |
| Functional Software, Inc. (Sentry) | JavaScript error diagnostics for the SPA (stack traces, URL, browser). No content from your documents. Configurable from /perfil → Error diagnostics. | EU region (ingest in Frankfurt). Parent company in the USA. | Standard Contractual Clauses (SCCs) + EU ingest region |
6. International transfers
Some sub-processors (section 5) are located outside the European Economic Area (United States). For these transfers we rely on Standard Contractual Clauses (SCCs) approved by the EU Commission.
Anthropic (our invoice scanner AI provider) is also certified under the EU-US Data Privacy Framework.
You may request a copy of applicable SCCs by writing to hola@tributs.ad.
7. Retention period
Account data: while you have an active account + 30 days post-closure.
Fiscal and accounting documents: 5 years after the closing of the fiscal period (LQPD art. 12.4 + Decret 595/2023).
Technical logs: 6 months.
Backups: 30 days (automatic rotation).
Before closing your account, you may export all your data in standard format.
8. Security measures
Encryption in transit: TLS 1.3 for all communication.
Encryption at rest: passwords stored with bcrypt. Migration to Hetzner Object Storage with SSE AES-256 planned before commercial launch.
Physical isolation: each client company has its own physical database (multi-site model).
Access control: 2FA mandatory for internal staff.
Backups: daily automatic copies with rotating retention.
9. Data subject rights
Under LQPD arts. 19-25 and GDPR arts. 15-22, you have the rights of access, rectification, erasure, restriction, portability and objection, as well as rights regarding automated decisions.
To exercise any right, email hola@tributs.ad. We will respond within one month.
If you believe we violate the regulation, you may lodge a complaint with the Andorran Data Protection Agency (APDA): www.apda.ad.
10. Breach notification
In the event of a security breach with significant risk, we will notify you within 72 hours (LQPD art. 38) along with the mandatory notification to APDA.
11. Changes to this policy
If we change this policy substantially, we will email you at least 30 days in advance.
12. Contact
Data protection questions: hola@tributs.ad.
When we appoint a Data Protection Officer (DPO), their contact will be published here.