Duetri
Legal

Privacy Policy

Última actualización: May 2026

Notice: This is the Privacy Policy of the Duetri / Atrium Platform (app.duetri.com). It is different from the policy of the corporate website duetri.com, which governs only the public website.

Version 1.0 · Last updated: 29 May 2026

1 · Who is responsible for your data

This policy applies to the Duetri / Atrium platform accessible at app.duetri.com (hereinafter, "the Platform").

The controller of the Platform is Duetri SL (a company in the process of incorporation at the date of this version), with Tax ID [pending], registered office at [pending] and email contacto@duetri.com.

2 · Your role and Duetri's role depending on how you access the Platform

The Platform is used by two types of people, and responsibility over the data changes depending on the case. It is important that you understand this distinction, because it determines whom to direct your enquiries to.

Case 1 — You are a user of the management office (owner, admin, member, viewer)

Your office (property manager) has contracted Atrium to manage communities. When you enter the Platform to do your work:

  • Regarding your user account data (your name, your access email, your password, your session logs, the support data you send us): Duetri is the Controller. This policy explains what we do with them.
  • Regarding the data of the communities, owners and residents that you manage (fees, incidents, minutes, etc.): your office is the Controller and Duetri acts as Data Processor on its behalf, in accordance with the signed DPA. For enquiries about that data, contact your office.

Case 2 — You are an owner or resident and you access the resident portal

The office that administers your community has given you access to Atrium so that you can consult information about your dwelling, communicate with the manager, view convocations and other similar aspects.

  • Regarding the data of your portal access account (your login email, your password, session logs, technical cookies): Duetri is the Controller and this policy applies to you.
  • Regarding data relating to your dwelling, your community, fees, special levies, etc.: the Controller is the management office that gave you access. To request access, rectification, deletion or objection regarding that data, contact your manager. If you cannot locate them, you can write to us at contacto@duetri.com and we will bridge the communication.

3 · What data we process as Controller and for what purposes

Below are the data that Duetri processes as Controller, that is, the data directly linked to your user account on the Platform.

3.1 · Account and authentication data

| Concept | Detail | |---|---| | What we process | Name, surnames, email address, password (stored hashed), language and interface preferences, role assigned within the Platform. | | For what | To allow you to access the Platform, verify your identity, recover your password and manage your session. | | Legal basis | Performance of the contract entered into with the client office or, in the case of residents, performance of the portal service. | | Retention | While your account is active. After cancellation, data is kept blocked during applicable legal periods and then deleted. |

3.2 · Technical and security data

| Concept | Detail | |---|---| | What we process | IP address, session identifier, dates and times of access, browser, operating system, actions carried out on the Platform (audit logs), technical errors generated during use. | | For what | To guarantee the security of the Platform, prevent unauthorised access, diagnose incidents, maintain an audit trail in accordance with security best practices. | | Legal basis | Legitimate interest in the security of the service and, where appropriate, compliance with legal obligations (for example, activity logging in the event of incidents). | | Retention | Up to 24 months for general activity records. Records relating to security incidents are kept for the period necessary for their analysis and management, and until the prescription of any possible liabilities. |

3.3 · Support and communication data with Duetri

| Concept | Detail | |---|---| | What we process | The content of the tickets, messages or emails that you send us requesting help, together with the information necessary to respond to you (your identity as sender, screenshots you attach, etc.). | | For what | To attend to your queries, resolve incidents, improve the quality of the service. | | Legal basis | Performance of the contract and, where appropriate, legitimate interest in improving the product. | | Retention | Up to 36 months after the resolution of the ticket. |

3.4 · Billing data (only for clients and office representatives)

| Concept | Detail | |---|---| | What we process | Company name, Tax ID, tax address, legal representative data, bank account data for the SEPA mandate, history of invoices and payments. | | For what | To issue invoices, manage SEPA direct debit collections, comply with accounting and tax obligations. | | Legal basis | Performance of the contract and compliance with legal obligations (tax, commercial and payment services regulations). | | Retention | During the time necessary for the provision of the service and, subsequently, during applicable legal periods (6 years for billing under the Commercial Code, corresponding tax periods). |

3.5 · Artificial intelligence functionalities (when you use them)

| Concept | Detail | |---|---| | What we process | The content of the queries you make to the Scriba assistant or to other AI functionalities, together with the tenant context necessary to respond (aggregated counts, documents selected for OCR, etc.). | | For what | To provide the requested AI functionality (query, assisted writing, OCR, classification). | | Legal basis | Performance of the service. | | Who can use it | These functionalities are only available to users with office management role (owner, admin, member). The viewer and vecino roles cannot invoke the AI. | | Retention | Processing by the AI model is one-off (the query is sent and the response is received). The query and its response may be kept associated with the history of the user who made it, within the Platform, for as long as it is useful for the service. | | Subprocessor | The model is provided by Anthropic PBC (United States). Queries are not used to train Anthropic models, in accordance with the contractual conditions in force with that provider. |

4 · Cookies and similar technologies

The Platform uses strictly necessary cookies for its operation:

  • Session and authentication cookies: essential to keep your session active, verify your identity and protect your account from unauthorised access.
  • Technical preference cookies: remember interface settings (light/dark theme, language).
  • Security cookies: protection against CSRF (Cross-Site Request Forgery) and other similar threats.

These cookies do not require your prior consent in accordance with the AEPD guidance. We do not use marketing cookies, third-party advertising or cross-site tracking.

If in the future we were to incorporate cookies requiring consent (for example, identifiable product analytics), we would enable a management banner before installing them and update this policy.

5 · With whom we share your data

5.1 · Subprocessors that provide technical support to the service

To provide the service we use the technology providers listed on the page duetri.com/legal/subprocesadores (updated list). All of them are bound by contracts guaranteeing GDPR compliance.

For information purposes, the main subprocessors are:

| Provider | Service | Location | |---|---|---| | Neon Inc. | Database | Frankfurt (EU) | | Railway Corp. | Application hosting | Netherlands (EU) | | Anthropic PBC | AI models | United States (with Standard Contractual Clauses) | | Resend Inc. | Transactional email | EU / USA | | Sentry | Technical monitoring | EU |

5.2 · Communications to third parties for legal obligation

We may communicate your data when there is a legal obligation (court requirements, requirements from the Tax Agency, duly substantiated requirements from law enforcement and security forces, etc.). In those cases, we will communicate exclusively what is legally required.

5.3 · Communications arising from corporate operations

In the event of merger, spin-off, sale of business unit or restructuring of Duetri, the data may be transferred to the acquirer, informing you in advance.

5.4 · What we do not do

We do not sell your data. We do not transfer it to third parties for marketing. We do not share it with social networks or advertising platforms.

6 · International data transfers

As a general rule, data is processed in the European Union (Frankfurt, Germany, and EU West).

AI functionalities involve processing by Anthropic PBC in the United States, under the Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914) and, where appropriate, the Data Privacy Framework while the adequacy decision is in force.

The transactional email managed by Resend may involve transfers to the United States with the same guarantees.

You may request a copy of the guarantees applied by writing to us at contacto@duetri.com.

7 · Security measures

We apply technical and organisational measures to protect your data, among which:

  • Encryption in transit (TLS 1.2 or higher) and encryption at rest (AES-256) of the database.
  • Individual authentication with robust password policy and two-factor authentication (2FA) available, activatable by the user.
  • Principle of least privilege in access.
  • Strict isolation between clients (multi-tenant with Row-Level Security in database).
  • Daily backups with retention in accordance with the current infrastructure plan.
  • Activity logs and continuous monitoring.
  • Documented incident management and breach notification procedure.

Despite these measures, no platform can guarantee absolute security. In the event of a breach affecting your personal data, we will comply with legal notification obligations.

8 · Your rights

As a data subject, you can exercise the following rights:

  • Access: know what data of yours we process and obtain a copy.
  • Rectification: correct inaccurate or incomplete data.
  • Deletion: request the deletion of your data when it is no longer necessary or when you withdraw your consent.
  • Objection: object to the processing of your data for reasons related to your particular situation.
  • Restriction: request that we restrict processing while a rectification or objection is verified.
  • Portability: receive your data in structured format to transmit to another controller.
  • Withdraw consent: when the processing is based on your consent, you can withdraw it at any time, without retroactive effects.

8.1 · How to exercise them

Write to contacto@duetri.com indicating the right you wish to exercise and, if necessary, attaching a document that proves your identity. We will respond within a maximum period of one month, extendable two more months if the complexity of the request justifies it.

8.2 · Important: rights over data of your community

If you are an owner, resident or member of a community and your request refers to data relating to your dwelling, receipts, debts, communications or any information managed by your manager, you must contact your property manager (who is the Controller of that data), not Duetri. If you cannot locate them or do not obtain a response, write to us and we will bridge the communication.

8.3 · Complaint to the supervisory authority

If you consider that we have not responded adequately, you can lodge a complaint with the Spanish Data Protection Agency: www.aepd.es.

9 · Minors

The Platform is aimed at professionals (property management offices) and at adult persons who own dwellings in managed communities. It is not designed to collect data from minors under 14 years of age. If we detect that data from minors has been collected without adequate authorisation, we will delete it without delay.

10 · Changes to this policy

We may update this policy to adapt it to regulatory changes, service evolution or new functionalities. When changes are substantial, we will inform you by email or through prominent notice on the Platform with reasonable notice before its entry into force.

The current version and its update date will always be available at app.duetri.com/legal/privacidad.

11 · Contact

For any query about this policy or about the processing of your personal data:

Duetri SL (in the process of incorporation) · Email: contacto@duetri.com · Web: https://duetri.com