Last updated: 10 May 2026

Privacy Policy

This Privacy Policy explains what information Inviaro collects, why we collect it, how we use it, who we share it with, and the choices you have. It applies to the inviaro.com website, the Inviaro web application at app.inviaro.com, the embeddable widget, and related services (together, the Service).

Inviaro is a business communication platform. We process two kinds of personal data: (a) information about you, our customer (the operator using the platform) and (b) information about your end-users (the people who message you through channels we connect, such as WhatsApp, Instagram, Messenger, Viber, or the embedded widget). Where the law distinguishes between these roles, we are the controller for your data and a processor for your end-users' data.

1. Who we are

Inviaro is operated by Inviaro d.o.o., a company registered in Bosnia and Herzegovina. You can reach us at info@inviaro.com for any privacy question, data access request, or complaint.

2. Data we collect

2.1 Account data (you as our customer)

  • Name, work email, password (stored as a one-way salted hash, never in plain text)
  • Workspace name and any operator profile fields you fill in
  • Billing details (company name, address, VAT identifier where applicable)
  • Records of payments and invoices we issue

2.2 End-user conversation data (your customers)

  • Messages and attachments sent through the channels you connect
  • Identifiers the channel provides (for example, a WhatsApp phone number, an Instagram username, or a session token for widget visitors)
  • Contact metadata you or your flows attach to a conversation
  • Booking and calendar event details when your flow schedules them

We process this data only to provide the Service to you. We do not use your end-users' messages to train models, profile individuals, or for any advertising purpose.

2.3 Technical and usage data

  • IP address, browser type, device type, and language
  • Access logs, error reports, and security event logs
  • Anonymized product analytics about how the operator interface is used

3. Why we process this data

  • To provide the Service. We need conversation and account data to deliver messages, route them to operators, run flows, and store your history.
  • To bill correctly. Invoices, taxes, and payment records require accurate billing details.
  • To secure the Service. Logs and security signals let us detect abuse, debug incidents, and respond to threats.
  • To support you. When you email support, we read what you sent us.
  • To meet legal obligations. Tax law, anti-fraud rules, and lawful requests from authorities sometimes require us to retain or disclose specific records.

Our legal basis under GDPR is performance of a contract (you signed up to use the Service) and legitimate interest (running and securing a B2B platform). We rely on legal obligation for tax, accounting, and regulator-driven records.

4. Sub-processors

We use a small number of vendors to run the Service. Each one is contractually bound to data-protection terms at least equivalent to ours.

CategoryPurposeRegion
Application hosting and databaseHosts the Inviaro application and stores your workspace dataEU
Edge networkDDoS protection, content delivery, static asset hostingGlobal
Messaging channel APIsWhatsApp Business, Instagram, Messenger, Viber, and other channels you connectGlobal, EU
Calendar providersCalendar integration when you connect Google Calendar or OutlookGlobal
AI providersOptional AI features in Studio flows (only when you enable them)US
Payment processingSubscription billing and invoice paymentEU, US
Operational monitoringError reporting and application performance monitoringEU

A current and complete sub-processor list, including the legal entity, country, and the specific service used in each category above, is available on request. We give existing customers reasonable notice before adding a new sub-processor that materially changes how data is processed.

5. Use of Google APIs (Google Calendar integration)

When you connect your Google Calendar to Inviaro, we use Google APIs only to read availability and create or update calendar events for appointments your customers request through a conversation handled by Inviaro. We do not use Google user data for advertising, do not transfer it to third parties except as needed to provide or improve the integration for you, and do not use it to develop, improve, or train generalized or non-personalized AI or machine-learning models.

Inviaro's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You can disconnect Google Calendar at any time from inside the app; we revoke our access token and stop reading or writing your calendar at that point. Cached event metadata related to existing bookings is removed within 30 days, or sooner on request.

6. International transfers

Most processing happens inside the European Economic Area. When data is transferred outside the EEA (for example, to a US-based AI provider you choose to enable), we rely on Standard Contractual Clauses with that vendor and apply additional safeguards such as encryption in transit.

7. How we store and protect data

  • All traffic is encrypted in transit using TLS 1.2 or higher.
  • Data at rest is encrypted on our managed database and managed object storage.
  • Passwords are stored as salted one-way hashes; we never store your plain-text password.
  • Operator sessions use signed session cookies; two-factor authentication is supported.
  • Access to production data is limited to a small number of engineers and audited.
  • We run automated backups daily and test restore procedures regularly.

8. How long we keep data

  • Account data: for as long as your workspace is active, plus 90 days after deletion to allow recovery from accidental closure.
  • Conversation and contact data: for as long as your workspace is active, unless you delete a contact or conversation manually or via flow retention settings.
  • Invoices and payment records: for the period required by tax law (typically 10 years in Bosnia and Herzegovina).
  • Logs and security events: typically 90 days, longer for incidents under investigation.
  • Backups: retained on a rolling 30-day cycle and then deleted.

9. Your rights

If you are in the EU, EEA, UK, or covered by the Personal Data Protection Law of Bosnia and Herzegovina, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (subject to legal retention obligations)
  • Restrict or object to certain processing
  • Receive a copy of your data in a portable format
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with your local data-protection authority

To exercise any of these rights, write to info@inviaro.com. We respond within 30 days, or sooner where local law requires it.

10. End-user data (when you are our customer)

If a message you receive on Inviaro is from someone exercising their own privacy rights (for example, a customer of yours asking what data you hold about them), the request typically goes to you, not us. We process that person's data on your behalf. We will support you in fulfilling the request, but the legal obligation usually sits with you as the controller of your customer relationship. Our standard Data Processing Addendum covers this allocation of duties and is available on request.

11. Cookies

On inviaro.com we use a small number of strictly necessary cookies (session, CSRF protection, language preference). We do not use tracking or advertising cookies.

Inside the operator application at app.inviaro.com, cookies are used to keep you signed in and protect against cross-site request forgery.

12. Children

Inviaro is a B2B service and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we hold data about a child, contact us and we will delete it.

13. Changes to this policy

When we make material changes, we update the "Last updated" date at the top of this page and, for substantive changes, notify active customers by email at least 30 days before the change takes effect.

14. Contact

Privacy questions, requests, or complaints: info@inviaro.com.

Postal address: Inviaro d.o.o., Bosnia and Herzegovina. Full registered address available on request.