GDPR Compliance

Last updated: February 4, 2026

1. Our Commitment to GDPR

Inventeta is committed to complying with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This page provides information about how we handle personal data of individuals in the European Economic Area (EEA) and the United Kingdom.

2. Data Controller Information

For our managed services, Inventeta acts as a Data Controller for:

  • Account information and user credentials
  • Marketing communications and inquiries
  • Usage analytics on our marketing website

For self-hosted deployments, you (the customer) are the Data Controller for all data entered into the system. Inventeta has no access to your data unless you explicitly share it with us for support purposes.

Contact Details

  • Company Name: Inventeta
  • Email: gdpr@inventeta.com
  • Address: Available upon request

3. Lawful Basis for Processing

We process personal data based on the following lawful bases under GDPR Article 6:

| Processing Activity | Lawful Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Service provision and support | Contract performance (Art. 6(1)(b)) |
| Security and audit logging | Legitimate interests (Art. 6(1)(f)) |
| Regulatory compliance (retention obligations) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)) |

4. Your Rights as a Data Subject

Under GDPR, you have the following rights regarding your personal data:

4.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with information about how we process it.

4.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

4.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where processing was based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Erasure is required by law

Note: For traceability data subject to legal or contractual retention requirements, we may be required to retain certain records for a minimum period even after an erasure request.

4.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your personal data in certain circumstances, such as when you contest its accuracy or object to processing.

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller. Inventeta supports data export in JSON and CSV formats.

4.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

4.7 Rights Related to Automated Decision-Making (Article 22)

Inventeta does not make automated decisions that produce legal or similarly significant effects on individuals. All decisions within the system are made by human users.

5. Exercising Your Rights

To exercise any of these rights, please contact us at:

  • Email: gdpr@inventeta.com
  • Subject Line: "GDPR Data Subject Request"

We will respond to your request within 30 days. We may request additional information to verify your identity before processing your request.

For self-hosted deployments, you should address data subject requests through your own organization's processes, as you are the Data Controller for that data.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Until account deletion + 30 days | Contract |
| Audit logs | Per configured retention policy | Legal obligation |
| Traceability records | Per configured retention policy | Legal obligation or contract |
| Marketing contacts | Until consent withdrawn + 30 days | Consent |
| Support inquiries | 2 years after resolution | Legitimate interest |

7. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with adequate data protection
  • Binding Corporate Rules where applicable

For self-hosted deployments, you control where data is stored and are responsible for any international transfer compliance.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption: TLS for data in transit; database encryption at rest
  • Access Control: Role-based access, strong authentication
  • Password Security: Argon2id hashing with secure parameters
  • Audit Logging: Immutable logs of all data access and modifications
  • Security Testing: Regular security assessments

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and remedial actions taken

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes GDPR.

The relevant supervisory authority depends on your country of residence. A list of EU Data Protection Authorities can be found at: EDPB Members

11. Data Protection Officer

For inquiries regarding our data protection practices or to exercise your rights, please contact:

  • Email: dpo@inventeta.com
  • Address: Available upon request

12. Self-Hosted Deployment Considerations

If you operate a self-hosted deployment of Inventeta:

  • You are the Data Controller for all data in your instance
  • You are responsible for GDPR compliance within your organization
  • You control data location, retention, and access
  • Inventeta provides tools to help you comply (data export, audit logs, retention policies)
  • Consider implementing your own privacy policy for your users

13. Updates to This Information

We may update this GDPR information from time to time. We will notify you of significant changes by posting an update on this page and updating the "Last updated" date.

14. Contact Us

For any GDPR-related questions or requests:

  • Email: gdpr@inventeta.com
  • Subject: GDPR Inquiry
  • Response Time: Within 30 days