Your privacy matters. Cynventory is committed to GDPR compliance and protecting your personal data. We collect only what is necessary to provide and improve our Services, and we never sell your data to third parties.
Who We Are (Data Controller)
Cynventory ("we," "us," "our") is the data controller responsible for your personal data. We operate the cloud-based inventory management platform accessible at our website.
- Company Name: Cynventory
- Email: info@cynventor.com.tr
- Phone: +90 555 555 55 55
- Address: deneme adres 2
For any privacy-related inquiries or to exercise your data rights, please contact us at info@cynventor.com.tr.
Data We Collect
We collect different categories of personal data depending on how you interact with our Services:
- Email address (login credential and primary communication channel)
- First and last name (if provided during profile setup)
- Password (stored as a one-way bcrypt hash — we cannot read it)
- Two-factor authentication settings and backup codes
- Language and timezone preferences
- Business name, trading name, and industry type
- Business address, country, and phone number
- Tax identification number or VAT number (where voluntarily provided for invoicing)
- Currency and timezone settings
This includes all data you input into the platform: products, categories, SKUs, prices, stock levels, suppliers, customers, sales records, purchase orders, and any associated documents. This is primarily your business data, not personal data, though it may contain personal data about your customers or employees.
- Billing name and address
- Last 4 digits of payment card (for display purposes only)
- Card type and expiry month/year
- Transaction IDs and payment history
- Subscription plan, duration, and renewal dates
Full card numbers and CVV codes are never stored on our servers. All card data is processed and stored by our PCI DSS Level 1-compliant payment service provider.
- IP address and approximate geographic location (country/city)
- Browser type, version, and operating system
- Pages visited, features used, and actions taken within the platform
- Session duration and login timestamps
- Error logs and crash reports
- API access logs (Business plan)
- Content of support tickets and chat conversations
- Email correspondence with our team
- Survey responses and feedback submissions
- Referral codes and associated referral relationships
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide and maintain the Services (account management, inventory tracking, reporting) | Account, Business, Inventory, Usage Data | Contract |
| Process subscription payments and manage billing | Payment & Billing Data | Contract |
| Send transactional emails (invoices, password resets, low stock alerts) | Email, Account Data | Contract |
| Send marketing and product update emails | Email, Account Data | |
| Detect and prevent fraud, abuse, and security incidents | Usage, Technical, Payment Data | Legitimate Interest |
| Improve the platform (product analytics, feature usage analysis) | Usage & Technical Data (anonymised) | Legitimate Interest |
| Comply with legal obligations (tax records, regulatory requests) | Account, Payment, Business Data | Legal Obligation |
| Provide customer support and resolve disputes | Communication, Account Data | Contract |
| Manage the referral programme | Email, Account, Payment Data | Contract |
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as defined in the GDPR:
- Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Services you have subscribed to, manage your account, and process payments.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests in operating, securing, and improving our platform, provided such interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): Where you have explicitly consented, such as for optional marketing communications or non-essential cookies. You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax regulations, financial reporting requirements, or lawful requests from competent authorities.
- Vital Interests (Art. 6(1)(d)): In exceptional circumstances, to protect your vital interests or those of another natural person.
Payment Data & PCI DSS Compliance
The security of payment transactions is a top priority. Cynventory uses industry-leading payment service providers that are certified to PCI DSS Level 1 — the highest level of payment security compliance.
- Your full credit/debit card number is never transmitted to or stored on our servers.
- Card data entry occurs in a secure, tokenised environment hosted by our PSP.
- We only receive and store a payment token and non-sensitive card metadata (last 4 digits, card type, expiry).
- All payment pages use TLS 1.2+ encryption with HSTS enabled.
- 3D Secure (3DS2) authentication is enforced where required by applicable regulations (including EU PSD2 Strong Customer Authentication).
Billing records (amounts, dates, plan names, transaction IDs) are retained for 7 years to comply with financial record-keeping laws.
Data Sharing & Third Parties
We never sell your personal data. We share your data only with the following categories of trusted third parties, strictly for the purposes outlined in this policy:
- Payment Service Providers: To process subscription payments securely. These providers are contractually bound to handle your data in compliance with PCI DSS and applicable privacy laws.
- Cloud Infrastructure Providers: We host our platform on enterprise-grade cloud infrastructure with SOC 2 Type II and ISO 27001 certifications. Your data is encrypted at rest and in transit.
- Email Service Providers: To send transactional and (where consented) marketing emails. Providers are bound by data processing agreements.
- Analytics Services: We may use privacy-respecting analytics tools to understand platform usage patterns. Usage data shared with analytics providers is anonymised or pseudonymised.
- Customer Support Tools: Support ticket and live chat systems used to assist you. Conversations are stored securely and accessible only to authorised support staff.
- Legal & Compliance: We may disclose data to law enforcement agencies, regulatory bodies, or courts when required by applicable law or a valid legal order, or to protect the rights, property, or safety of Cynventory, our users, or the public.
- Business Transfers: In the event of a merger, acquisition, or sale of all or part of our assets, your data may be transferred to the acquiring entity, subject to the same privacy protections. We will notify you before your data is transferred and becomes subject to a different privacy policy.
All third-party processors are subject to Data Processing Agreements (DPAs) ensuring they process your data only for specified purposes and maintain appropriate security standards.
International Data Transfers
Your data may be stored and processed in countries outside your own, including countries outside the European Economic Area. When we transfer personal data from the EEA to countries that the European Commission has not deemed to provide an adequate level of data protection, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements with all third-party processors.
- Transfer Impact Assessments where required.
For more information about the safeguards we have in place for international transfers, please contact us.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law:
- Active Accounts: Data is retained throughout the duration of your subscription and for 30 days following account closure (to allow export and reactivation).
- Deleted Accounts: After the 30-day post-closure retention period, personal data is permanently deleted from active systems. Backups are purged within 90 days.
- Billing & Financial Records: Payment records and invoices are retained for 7 years to comply with financial and tax regulations.
- Support Communications: Support tickets and chat logs are retained for 3 years to assist with recurring issues and quality improvement.
- Security Logs: Access and authentication logs are retained for 12 months for security and fraud detection purposes.
- Analytics Data: Anonymised/aggregated analytics data may be retained indefinitely as it cannot be linked back to individuals.
Your Privacy Rights
Depending on your location, you have the following rights regarding your personal data. We will respond to all verified requests within 30 days (or within 72 hours for urgent requests such as data breach notifications).
To exercise any of these rights, email us at info@cynventor.com.tr with the subject line "Data Rights Request." We will verify your identity before processing the request. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.
Security
We implement a comprehensive set of technical and organisational security measures to protect your personal data:
- Encryption at Rest: All data stored in our databases is encrypted using AES-256.
- Encryption in Transit: All communications between your browser and our servers use TLS 1.2+ with HSTS.
- Access Controls: Role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication (MFA) is enforced for all internal admin access.
- Automated Backups: Daily encrypted backups with geo-redundant storage. Backup restoration is tested regularly.
- Vulnerability Management: Regular security assessments, penetration testing, and dependency vulnerability scanning.
- Incident Response: A documented incident response plan. In the event of a data breach affecting your rights, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Art. 33/34.
- SOC 2 Infrastructure: Our cloud infrastructure is hosted on providers with SOC 2 Type II certification.
Despite our best efforts, no method of electronic transmission or storage is 100% secure. You are responsible for maintaining the security of your own account credentials and for notifying us promptly of any suspected unauthorised access.
Cookies
We use cookies and similar tracking technologies on our website and platform. Our full cookie practices are described in our Cookie Policy, which forms part of this Privacy Policy.
In summary, we use:
- Strictly Necessary Cookies: Essential for authentication, session management, and security (cannot be disabled).
- Functional Cookies: Remember your preferences such as language and theme settings.
- Analytics Cookies: Understand how users interact with the platform (with your consent, where required).
You can manage non-essential cookies through your browser settings or our cookie preference centre.
Children's Privacy
Our Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@cynventor.com.tr and we will take steps to delete such data promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by:
- Posting a notice on our website and within the platform at least 30 days before the changes take effect.
- Sending an email notification to the address associated with your account.
Your continued use of the Services after the effective date of the updated Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically. The "Last Updated" date at the top of this page indicates when the most recent changes were made.
Contact Us & Data Protection Officer
For any questions about this Privacy Policy, to exercise your rights, or to raise a data protection concern, please contact us:
Cynventory – Privacy Team
We aim to respond to all privacy requests within 30 days. For urgent matters (e.g., suspected data breaches), we respond within 72 hours.