Privacy Policy
This Privacy Policy explains what information Inviaro collects, why we collect it, how we use it, who we share it with, and the choices you have. It applies to the inviaro.com website, the Inviaro web application at app.inviaro.com, the embeddable widget, and related services (together, the Service).
Inviaro is a business communication platform. We process two kinds of personal data: (a) information about you, our customer (the operator using the platform) and (b) information about your end-users (the people who message you through channels we connect, such as WhatsApp, Instagram, Messenger, Viber, or the embedded widget). Where the law distinguishes between these roles, we are the controller for your data and a processor for your end-users' data.
1. Who we are
Inviaro operates the Service. For any privacy question, data access request, or complaint, contact privacy@inviaro.com. General enquiries: info@inviaro.com. Our legal entity, registered address, and applicable supervisory authority are listed in the Data Processing Agreement provided to customers at subscription.
2. Data we collect
2.1 Account data (you as our customer)
- Name, work email, password (stored as a one-way salted hash, never in plain text)
- Workspace name and any operator profile fields you fill in
- Billing details (company name, address, VAT identifier where applicable)
- Records of payments and invoices we issue
2.2 End-user conversation data (your customers)
- Messages and attachments sent through the channels you connect
- Identifiers the channel provides (for example, a WhatsApp phone number, an Instagram username, or a session token for widget visitors)
- Contact metadata you or your flows attach to a conversation
- Booking and calendar event details when your flow schedules them
We process this data only to provide the Service to you. We do not use your end-users' messages to train models, profile individuals, or for any advertising purpose.
Special-category data (GDPR Article 9). If you operate in a regulated vertical (medical, dental, aesthetics, veterinary, wellness, or similar), end-user messages may contain health information. You are the Controller for that data and must have an appropriate Article 9 lawful basis (typically explicit consent or provision of health care). Inviaro processes such data strictly as your Processor and does not independently assume Article 9 Controller responsibility. The operator-facing acknowledgement is recorded in our consent ledger at workspace setup. See our Data Processing Agreement for the full allocation of duties.
2.3 Technical and usage data
- IP address, browser type, device type, and language
- Access logs, error reports, and security event logs
- Anonymized product analytics about how the operator interface is used
3. Why we process this data
- To provide the Service. We need conversation and account data to deliver messages, route them to operators, run flows, and store your history.
- To bill correctly. Invoices, taxes, and payment records require accurate billing details.
- To secure the Service. Logs and security signals let us detect abuse, debug incidents, and respond to threats.
- To support you. When you email support, we read what you sent us.
- To meet legal obligations. Tax law, anti-fraud rules, and lawful requests from authorities sometimes require us to retain or disclose specific records.
Our legal basis under GDPR is performance of a contract (you signed up to use the Service) and legitimate interest (running and securing a B2B platform). We rely on legal obligation for tax, accounting, and regulator-driven records.
4. Sub-processors
We use a small number of vendors to run the Service. Each one is contractually bound to data-protection terms at least equivalent to ours. The complete list — including the legal entity, the data each receives, the region they store it in, and the safeguard authorising any transfer — is published at /subprocessors and kept current.
We notify active customers at least 30 days in advance of any change to that list that materially affects how Personal Data is processed, by email to the workspace owner and via an in-app banner. Subscribe to changes by emailing privacy@inviaro.com.
5. Google APIs (Calendar integration)
When you connect Google Calendar, Inviaro's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You can disconnect at any time inside the app; cached metadata related to existing bookings is removed shortly after, or sooner on request.
6. International transfers
Most processing happens inside the European Economic Area. When data is transferred outside the EEA (for example, to a US-based AI provider you choose to enable), we rely on Standard Contractual Clauses with that vendor and apply additional safeguards such as encryption in transit.
7. How we store and protect data
- All traffic is encrypted in transit using TLS 1.2 or higher.
- Data at rest is encrypted on our managed database and managed object storage.
- Passwords are stored as salted one-way hashes; we never store your plain-text password.
- Operator sessions use signed session cookies; two-factor authentication is supported.
- Access to production data is limited to a small number of engineers and audited.
- We run automated backups daily and test restore procedures regularly.
8. How long we keep data
- Account data: for as long as your workspace is active, plus 90 days after deletion to allow recovery from accidental closure.
- Conversation and contact data: for as long as your workspace is active, unless you delete a contact or conversation manually or via flow retention settings.
- Invoices and payment records: for the period required by applicable accounting and tax law.
- Logs and security events: typically 90 days, longer for incidents under investigation.
- Backups: retained on a rolling 30-day cycle and then deleted.
9. Your rights
Under the EU General Data Protection Regulation (and equivalent local laws where applicable), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to legal retention obligations)
- Restrict or object to certain processing
- Receive a copy of your data in a portable format
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data-protection authority
To exercise any of these rights, write to privacy@inviaro.com. Account holders can also use the self-service Export and Delete-account flows inside the operator application. We respond within 30 days, or sooner where local law requires it.
You may also lodge a complaint with your local data-protection authority.
10. End-user data (when you are our customer)
If a message you receive on Inviaro is from someone exercising their own privacy rights (for example, a customer of yours asking what data you hold about them), the request typically goes to you, not us. We process that person's data on your behalf. The operator application provides per-contact erasure and per-workspace data-export endpoints so you can fulfil these requests directly. We will support you with anything beyond what the endpoints cover. The full allocation of duties is set out in our Data Processing Agreement, electronically accepted at subscription.
11. Cookies
We use only strictly necessary cookies (authentication and CSRF protection). We do not use tracking or advertising cookies.
12. Children
Inviaro is a B2B service and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we hold data about a child, contact us and we will delete it.
13. Changes to this policy
When we make material changes, we update the "Last updated" date at the top of this page and, for substantive changes, notify active customers by email at least 30 days before the change takes effect.
14. Contact
Privacy questions, requests, or complaints: privacy@inviaro.com. General enquiries: info@inviaro.com.
Our legal entity name, registered address, and the responsible supervisory authority are listed in the Data Processing Agreement we provide to customers at subscription, or available on request to privacy@inviaro.com.