Back to Inventro

Privacy Policy

Last Updated: January 24, 2026

This Privacy Policy explains how Inventro Inc. (“Inventro”, “we”, “us”) collects, uses, and protects personal information related to Tenants, Tenant staff, and website visitors in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy legislation.

1. Accountability

Inventro is responsible for the personal information under its control. Our Privacy Officer can be reached at legal@inventro.com. We are committed to the ten fair information principles set out in PIPEDA.

2. Information Collected

We collect the following categories of personal information:

  • Account information: Name, email address, business name, and phone number provided during registration
  • Authentication data: Hashed passwords and OAuth tokens (e.g., Google sign-in)
  • Usage data: Feature usage patterns, session duration, and actions taken within the platform
  • Technical data: IP address, browser type, device type, operating system, and referring URL
  • Billing information: Plan selection and billing cycle (payment processing is handled by third-party providers)

3. Purpose of Collection and Use

Personal information is collected and used for the following identified purposes:

  • Providing, operating, and maintaining the Services
  • Authenticating users and securing accounts
  • Processing transactions and sending transactional emails
  • Improving platform performance and user experience
  • Communicating service updates, security alerts, and support messages
  • Complying with legal obligations and enforcing our Terms

We will not use personal information for purposes beyond those identified without obtaining further consent.

4. Consent

By creating an account and using the Services, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. You may withdraw consent at any time by contacting us, subject to legal or contractual restrictions. We will inform you of the implications of withdrawal.

5. Cookies and Tracking Technologies

Inventro uses the following technologies on its website and platform:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Local storage: Used to store user preferences (e.g., dismissed banners, theme settings)

Inventro does not currently use third-party analytics cookies, advertising trackers, retargeting pixels, or social media tracking scripts. If this changes, this policy will be updated and consent will be obtained where required.

6. Third-Party Processors (Subprocessors)

Inventro uses the following vetted subprocessors to deliver the Services:

  • Amazon Web Services (AWS) — Cloud hosting, data storage (S3), and email delivery (SES). Data is processed in Canada and the United States.
  • Google LLC — When you connect your Google Calendar, Inventro communicates with the Google Calendar API to create and manage events on the calendar you select. See Section 7 below for details.

Personal information is never sold to third parties. Subprocessors are contractually bound to process data only as instructed by Inventro and to maintain appropriate security measures. This list will be updated as subprocessors change.

7. Google User Data and Third-Party Integrations

When you connect a Google account to Inventro (for example, to sync bookings to your Google Calendar), Inventro accesses and processes a limited set of Google user data on your behalf. Inventro’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7.1 Scopes Requested

When you connect Google Calendar, Inventro requests the following OAuth scopes:

  • openid and email — to identify the Google account being connected and confirm it belongs to you.
  • https://www.googleapis.com/auth/calendar— to create a dedicated “Inventro” calendar in your account (if you choose the dedicated-calendar option) and to read calendar metadata needed to write events.
  • https://www.googleapis.com/auth/calendar.events — to create, update, and delete the booking-related events (deliveries and pickups) that Inventro manages on the calendar you select.

7.2 How We Use Google User Data

Google user data obtained through these scopes is used solely to provide the Google Calendar integration feature you have requested. Specifically, Inventro:

  • Creates a dedicated calendar in your Google account (if you chose the dedicated option) named according to your input;
  • Writes events to the calendar you selected — each event describes a booking delivery or pickup (customer name, booking reference, address, time, items) generated from data already in your Inventro account;
  • Updates or deletes events Inventro previously created when the underlying booking changes or is cancelled;
  • Stores the encrypted OAuth refresh token, the connected Google account email, the selected target calendar ID, and a mapping between Inventro bookings and the corresponding Google event IDs so updates can be applied.

Inventro does not read, store, or process events on your calendar that it did not itself create, and does not access any other Google services or data.

7.3 Limited Use

In accordance with Google’s Limited Use policy, Inventro:

  • Uses Google user data only to provide and improve the Google Calendar integration feature you explicitly enabled;
  • Does not sell Google user data, and does not transfer it to third parties except as needed to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with appropriate notice;
  • Does not use Google user data to serve advertisements, including retargeting or personalized ads;
  • Does not use Google user data to train, develop, or improve generalized AI or machine-learning models;
  • Does not allow humans to read Google user data unless we have your explicit consent for specific messages, it is necessary for security purposes (such as investigating abuse), it is required to comply with applicable law, or the data has been aggregated and anonymized in a way that cannot reasonably be linked back to an individual user or Google account.

7.4 Storage, Retention, and Disconnection

OAuth refresh tokens are encrypted at rest. You may revoke Inventro’s access at any time by disconnecting Google Calendar from Organization → Integrations → Google Calendar inside Inventro, or by revoking access directly at myaccount.google.com/permissions. When you disconnect, Inventro stops accessing your Google account and deletes the stored OAuth tokens. Events that Inventro previously wrote to your Google Calendar remain in your calendar; you may delete them from Google directly. If you permanently close your Inventro account, all stored Google integration data (tokens, calendar IDs, event-mapping records) is deleted in accordance with Section 8 (Retention and Disposal).

8. Security Safeguards

We implement administrative, technical, and organizational safeguards proportionate to the sensitivity of the information, including:

  • Encryption in transit (TLS) and at rest (AES-256)
  • Hashed and salted password storage
  • Tenant-level data isolation
  • Role-based access controls
  • Regular security reviews and monitoring

9. Retention and Disposal

Personal data is retained for the duration of your active account. Upon account termination:

  • Account and booking data is retained for up to thirty (30) days to allow recovery, then permanently deleted
  • Financial records may be retained for up to seven (7) years as required by Canadian tax law
  • Security and audit logs may be retained for up to one (1) year

See Section 7.4 above for Google integration data handling on disconnection.

10. Your Rights Under PIPEDA

You have the right to:

  • Access your personal information held by Inventro
  • Correct inaccurate or incomplete information
  • Withdraw consent to the collection, use, or disclosure of your information
  • Request deletion of your personal information, subject to legal retention requirements
  • Export your data in a machine-readable format
  • File a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated

We will respond to access and correction requests within thirty (30) days.

11. International Transfers

Your personal information may be processed in Canada and the United States through our cloud infrastructure provider (AWS). Appropriate contractual safeguards are in place to ensure your information receives a comparable level of protection.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-platform notification at least thirty (30) days before taking effect.

13. Contact

For privacy inquiries, access requests, or complaints:

Inventro Inc.
Privacy Officer
Ontario, Canada
Email: legal@inventro.com

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.