Inventroy

Privacy Policy

Last updated: 13 April 2026

Draft notice. This is a free-template draft covering UAE PDPL, EU GDPR and California CCPA at a reasonable level. It is not yet lawyer-reviewed. Contact privacy@inventroy.com with any questions about how we handle your personal data.

1. Who we are

Inventroy("we", "us", "our") operates the Inventroy service. We are based in the United Arab Emirates. For personal data we collect directly from you (e.g. your account email), we act as the data controller. For personal data you upload into your workspace as part of running your business (customer names, supplier contacts, etc.), we act as the data processor on your behalf — that relationship is governed by our Data Processing Addendum.

2. What personal data we collect

  • Account data: name, email address, password hash, IP address at signup, timezone, locale.
  • Workspace data: the subdomain you pick, company name, any data you or your users upload while using the product (products, contacts, invoices, files).
  • Payment data: we do NOT store credit-card numbers. Stripe processes payments and returns a tokenised reference. We store the reference and basic billing info (plan, billing country).
  • Usage data: pages visited, features used, error events (captured via Sentry), basic device/browser information. Used to improve the Service and debug issues.
  • Support communications: the content of emails or chat messages you send us.

3. Why we process your data (legal basis)

PurposeLegal basis (GDPR / PDPL)
Provide and operate the ServiceContract (Art. 6(1)(b) GDPR / Art. 5 PDPL)
Billing, tax, fraud preventionContract + legal obligation
Product improvement, analyticsLegitimate interest
Marketing emails (optional)Consent — you can withdraw any time
Security, incident responseLegitimate interest

4. Cookies and similar technologies

  • Essential cookies — session, CSRF, tenant routing. Required for the Service to function. Cannot be disabled.
  • Analytics cookies — anonymous product usage metrics. Opt-in.
  • Functional cookies — embedded videos, chat widgets, other third-party extras. Opt-in.

You can accept, reject, or customise optional cookies at any time via the banner that appears on your first visit.

5. Who we share data with (sub-processors)

To deliver the Service we use a small number of trusted sub-processors. The current list is maintained in our Data Processing Addendum and includes:

  • Hosting + database: Neon Inc. (EU region), Vercel Inc. (EU / US regions)
  • Transactional email: Resend Inc. (US)
  • Payments: Stripe Payments Europe Limited / Stripe Inc.
  • Error monitoring: Functional Software Inc. d/b/a Sentry (US)
  • DNS + CDN: Cloudflare Inc. (global)

We do not sell personal data. We do not share it with advertisers. We share it with sub-processors only to the extent necessary to provide the Service, under contracts that require equivalent data-protection safeguards.

6. International data transfers

Your data may be processed in the United Arab Emirates, the European Union, the United Kingdom, and the United States depending on the sub-processor. Where data leaves the UAE or the EEA, transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards under PDPL Article 22.

7. How long we keep data

  • Active accounts — indefinitely while you use the Service.
  • Cancelled accounts — Customer Data is retained for thirty (30) days after cancellation to allow reinstatement, then permanently deleted except where law requires longer retention (e.g. tax records, typically five years).
  • Support emails — up to 24 months, then purged.
  • Error logs (Sentry) — 90 days by default.

8. How we protect data

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Passwords hashed with scrypt and unique per-user salts.
  • Per-tenant database isolation — one Postgres database per customer.
  • Sub-processor selection restricted to SOC 2 / ISO 27001 certified vendors where available.
  • Least-privilege access for Inventroy employees.
  • Audit logging of administrative actions.

9. Your rights

Subject to local law, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and data ("right to be forgotten").
  • Export your data in a machine-readable format.
  • Restrict or object to certain processing activities.
  • Withdraw consent where we rely on consent.
  • Lodge a complaint with the UAE Data Office or your local data-protection authority.

To exercise any of these rights, email privacy@inventroy.com. We will respond within thirty (30) days. Verification of your identity may be required.

10. Children's privacy

The Service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact privacy@inventroy.com and we will delete it.

11. California privacy rights (CCPA / CPRA)

Californian residents have the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information in the sense defined by the CCPA. To exercise your rights, email privacy@inventroy.com.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to the registered account owner or via in-app notice at least fourteen (14) days before they take effect.

13. Contact

For privacy questions or to exercise your rights, email privacy@inventroy.com. For DPO inquiries, contact privacy@inventroy.com.

cart

your cart is empty