Privacy Policy
Last updated: 22 April 2026. This page explains what InventorIA collects, why, and what you can do about it.
1. Who we are
InventorIA is a SaaS platform for IT asset, contract, license, and people management, operated from Nürnberg / Falkenstein, Germany on Hetzner infrastructure. For any question about this policy, write to contact@inventoria-app.com.
2. Data we collect
- Account data: name, email, hashed password (bcrypt), company name, industry, country, and the workspaces you belong to.
- Workspace content: assets, contracts, licenses, people, assignments, and activity logs you enter into your workspace.
- Usage telemetry: login timestamps, feature actions (audit log), AI queries and per-day counts for quota enforcement.
- Billing: subscription plan, invoice history. Payment card data is never stored by us — it is collected directly by Stripe.
- Technical logs: IP address, user agent, request timestamps. Retained 30 days unless tied to a security incident.
3. How we use it
- To provide and operate the service you signed up for.
- To authenticate you (JWT, 24 h sessions; Firebase for social login).
- To send transactional email (welcome, invite, contract-expiry alerts, billing notifications) via Resend.
- To enforce per-plan entitlements (asset/user caps, AI daily quota).
- To answer natural-language questions via the AI assistant, which is scoped to your role's permissions.
4. Sub-processors
InventorIA shares strictly the minimum data required with the following processors:
- Hetzner Online GmbH (Germany, EU) — hosting, data at rest.
- Stripe, Inc. (USA, SCCs) — subscription billing, no card data stored by us.
- Resend (Resend, Inc., USA, SCCs) — transactional email delivery.
- Google LLC (USA, SCCs) — Firebase Authentication for social login; Gemini 2.5 Flash via Firebase AI for the Ask-AI assistant. Per Google's Vertex AI data governance terms, your content is not used to train foundation models.
- Zoho Corporation — inbox hosting for @inventoria-app.com addresses.
5. AI usage
When you send a message to the Ask-AI chat, the backend builds a context bundle of the workspace data you are entitled to see (assets / people / contracts / assignments, scoped by your role) and sends it, along with your question, to Google's Gemini 2.5 Flash model via Firebase AI. Google is contractually prohibited from using your content to train foundation models. Each call is counted against your per-user daily quota (1/day on Free, 50/day on Plus, 500/day on Pro, unlimited on Enterprise).
6. Security
- TLS 1.3 everywhere (Let's Encrypt).
- Passwords stored as bcrypt ($2a$).
- Multi-tenant row-level isolation: every business entity carries a company_id and requests are scoped by an X-Company-ID header + server-verified membership.
- Audit trail of login events, role / permission changes, AI queries, and CUD actions.
- Disk-at-rest encryption and warm-standby replica are on our infrastructure roadmap and will be enabled before onboarding large enterprise customers.
7. Retention
- Workspace data: kept as long as the workspace is active. On account deletion, data is removed within 30 days (backups rotate out after 30 days).
- Audit logs: 12 months.
- Billing records: 10 years (legal obligation).
8. Your rights (GDPR)
You can access, correct, export, or delete your personal data at any time. A full workspace export (JSON + ZIP) is available to workspace admins via the Settings page. To exercise any right, or to object to processing, email contact@inventoria-app.com. We respond within 30 days.
9. Cookies
We use only strictly necessary cookies for authentication (JWT in localStorage, not an HTTP cookie) and workspace selection. No advertising or cross-site tracking cookies.
10. Changes
We will notify you by email of any material change. Continuing to use the service after the effective date means acceptance.
Questions? contact@inventoria-app.com