GDPR Compliance
Last Updated: February 6, 2026
Techspawn Inc. ("we," "us," or "our") is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. This page outlines how Nventory complies with GDPR requirements and explains your rights as a data subject.
1. Our Role Under GDPR
1.1 As a Data Controller
We act as a data controller when we collect and process personal data of our merchants (our direct customers) for account management, billing, communication, and service improvement purposes.
1.2 As a Data Processor
We act as a data processor when we process personal data on behalf of our merchants. This includes customer data, order information, and other personal data that flows through connected sales channels (Shopify, eBay, Amazon, WooCommerce, etc.) as part of our inventory and order synchronization services. In this capacity, we process data only in accordance with our merchants' instructions and applicable data protection laws.
2. Legal Basis for Processing
We process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service (inventory sync, order management) | Performance of a contract (Art. 6(1)(b)) |
| Account management and billing | Performance of a contract (Art. 6(1)(b)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Tax and financial record-keeping | Legal obligation (Art. 6(1)(c)) |
3. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed. We will provide this information within 30 days of your request.
Right to Rectification (Art. 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data. You can also update most account information directly through your Nventory dashboard.
Right to Erasure (Art. 17)
You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent. This is subject to legal retention obligations (e.g., tax records). Upon account deletion, we erase your data from our active systems within 30 days.
Right to Restrict Processing (Art. 18)
You can request that we restrict the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data or object to our processing.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV or JSON), and to transmit it to another controller. This applies to data processed based on consent or contract performance.
Right to Object (Art. 21)
You have the right to object to processing of your personal data based on our legitimate interests. You can also object to direct marketing at any time, and we will stop processing your data for that purpose immediately.
Right to Withdraw Consent (Art. 7(3))
Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint (Art. 77)
You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement, if you believe our processing of your personal data violates the GDPR.
4. Data Processing Activities
4.1 Categories of Personal Data Processed
- Identity Data: Name, company name, job title
- Contact Data: Email address, phone number, billing address
- Financial Data: Payment method details (processed by Stripe; we do not store full card numbers)
- Technical Data: IP address, browser type, device information, login timestamps
- Usage Data: Features accessed, pages viewed, actions performed within the Platform
- Channel Data: Product information, order details, customer data, and inventory levels from connected sales channels (processed as a data processor on your behalf)
4.2 Data Minimization
We adhere to the principle of data minimization. We only collect and process personal data that is necessary for the specific purposes outlined in our Privacy Policy. We do not collect excessive data or use data for purposes incompatible with its original collection purpose.
5. International Data Transfers
Nventory is operated by Techspawn Inc. from the United States. When personal data is transferred from the EEA/UK to the United States or other countries outside the EEA/UK, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for data transfers to countries without an adequacy decision from the European Commission.
- Data Processing Agreements: We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data.
- Transfer Impact Assessments: We conduct assessments to evaluate and mitigate risks associated with international data transfers.
6. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.3)
- Pseudonymization and anonymization of data where appropriate
- Regular testing and assessment of security measures
- Strict access controls with multi-factor authentication
- Tenant-isolated data architecture for multi-tenant environments
- Automated monitoring and incident detection systems
- Employee security training and awareness programs
- Secure development practices including regular code reviews and vulnerability scanning
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals (Art. 33).
- Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
- Notify affected merchants (when acting as a data processor) without undue delay upon becoming aware of a breach affecting their data, enabling them to fulfill their own notification obligations.
- Document all breaches in our internal breach register, including the facts, effects, and remedial actions taken.
8. Sub-Processors
We engage the following categories of sub-processors to help provide the Service:
| Category | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, and compute | United States |
| Vercel | Frontend hosting, deployment, and edge functions | United States / Global Edge |
| Cloudflare | CDN, DNS, DDoS protection, and security services | United States / Global Edge |
| Stripe | Subscription billing and payment processing | United States |
| Email Service Provider | Transactional and notification emails | United States |
| Analytics Provider | Platform usage analytics and performance monitoring | United States |
We will notify merchants of any intended changes to our sub-processor list, giving you the opportunity to object to such changes. All sub-processors are bound by Data Processing Agreements that require them to protect personal data to the same standards we maintain.
9. Shopify GDPR Compliance
As a Shopify app, Nventory handles the following mandatory GDPR webhooks in compliance with Shopify's requirements:
- Customer Data Request (customers/data_request): When a customer requests their data, we provide the merchant with all personal data we have stored for that customer within 30 days.
- Customer Data Erasure (customers/redact): When a merchant requests deletion of customer data, we erase all stored personal data for that customer within 30 days, unless legally required to retain it.
- Shop Data Erasure (shop/redact): When a merchant uninstalls the Nventory app, we erase all store data from our systems within 30 days of receiving the webhook (sent 48 hours after uninstall).
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Active account data: Duration of subscription + 30 days
- Channel synchronization data: Duration of active channel connection + 30 days
- Financial/billing records: Up to 7 years (legal obligation)
- Support correspondence: Up to 3 years after resolution
- Server logs: 90 days
- Marketing consent records: Duration of consent + 3 years
11. Exercising Your Rights
To exercise any of your GDPR rights, please contact us:
Data Protection Contact
Techspawn Inc.
831 Coronado Center Dr
Henderson, NV 89052, USA
Email: support@nventory.io
Please include "GDPR Request" in the subject line of your email.
We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period.
We may ask you to verify your identity before processing your request. Requests are free of charge unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
12. For End Customers
If you are an end customer of a merchant using Nventory and wish to exercise your GDPR rights regarding data processed through our Platform, please contact the merchant directly, as they are the data controller for your personal data. If you need assistance identifying the appropriate contact, you may reach out to us and we will direct your request to the relevant merchant.