Last updated: 9 May 2026
1. Roles
For Inventory Data and account data you upload, the Customer is the controller and Invento is the processor. Each party complies with the UK GDPR and Data Protection Act 2018.
2. Scope and duration
Processing is limited to what is necessary to provide the Service, for the duration of the subscription, plus statutory retention periods described in the privacy policy.
3. Sub-processors
We engage vetted sub-processors for cloud hosting, transactional email, and error monitoring. A current list, with locations and purposes, is available on request. We give 14 days’ notice of material changes.
4. Security
- AES-256 encryption at rest, TLS 1.2+ in transit.
- Role-based access control with audit logging.
- Annual penetration testing and quarterly access reviews.
- Background checks on all staff with production access.
5. International transfers
Personal data is hosted in the UK and EEA by default. Where transfers outside that region are required, we rely on UK IDTA / EU SCCs and carry out a transfer impact assessment.
6. Data subject requests
We provide tooling for the Customer to fulfil access, correction, erasure and portability requests. We assist Customers with such requests where they cannot be fulfilled in the product.
7. Breach notification
We will notify the Customer of any confirmed personal data breach without undue delay and within 72 hours of becoming aware, providing the information needed to meet their notification obligations.
8. Audit
On reasonable notice and no more than once per year, the Customer may audit our compliance, or rely on independent third-party reports we make available.
9. Return or deletion
On termination the Customer can export Inventory Data for 60 days; after that we delete it from active systems and from backups within the next backup rotation cycle.
Questions: ops@heybruno.ai.