Albor
Last updated · 2026-04-30

Privacy Policy

1. Data controller

The data controller for personal data processed by the Service is Albor Compliance Suite SL (NIF B-12345678), Carrer Vicent Serra 14, 07800 Eivissa.

For Agency Tenants, your agency is the controller for guest and owner data; Albor acts as a data processor on your behalf and operates under the Data Processing Agreement (DPA).

2. What data we process

Account data: email, name, role, locale, hashed password, last sign-in.

Property data: cadastral references, addresses, license numbers, capacity, photos, documents.

Booking data: guest names, contact info, dates, amounts, channel of origin.

Guest registration data (Decreto 933/2021): full name, document type and number, nationality, birth date, document scan.

Operational data: system logs, audit trail, error reports, usage analytics (PostHog), error monitoring (Sentry).

3. Legal bases (Art. 6 GDPR)

Performance of contract: account, property, booking, billing data.

Legal obligation: SES.HOSPEDAJES submissions (Decreto 933/2021), VUDA reports (RDL 7/2024), tax records (LGT).

Legitimate interest: security logs, fraud prevention, product analytics. You may object to analytics from Settings → Privacy.

4. Retention

Account data: until account deletion + 6 years (Spanish commercial code).

Booking and SES.HOSPEDAJES data: 3 years post-checkout, then auto-purged.

Property compliance documents: until deletion request, subject to legal retention duties of the Agency Tenant.

Logs: 90 days for security logs; 12 months for audit trail.

5. Sub-processors

Vercel Inc. (US, EU regions) — application hosting · DPA signed, SCCs in place.

Supabase Pty (EU region) — database and storage · DPA signed.

Stripe Payments Europe (Ireland) — billing · DPA signed.

Resend (US) — transactional email · SCCs in place.

Twilio (Ireland) — guest comms · DPA signed.

Anthropic (US) — AI processing for guest comms · zero-retention API · SCCs in place.

Sentry (US) — error monitoring · DPA signed, IP truncation enabled.

PostHog (EU region) — product analytics · DPA signed.

6. Your rights

Access, rectification, erasure, restriction, portability and objection — exercisable by emailing dpo@albor.es. We respond within 30 days.

You also have the right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos, www.aepd.es).