This Privacy Policy describes how Storekeeper B.V. ("Company", "we", "us", "our") collects, uses, and protects personal data when you use the Proventum platform ("Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

Storekeeper B.V. is the data controller for personal data collected through the Service for our own purposes (e.g., account management, billing, platform operation). When our customers use the Service to store and process their own customers' data, the customer acts as the data controller and we act as the data processor. In such cases, our processing is governed by the applicable Data Processing Agreement.

• Company: Storekeeper B.V.
• Registered in: The Netherlands
• Contact: privacy@getproventum.com

2. What Data We Collect

2.1 Account Data

When you register for and use the Service, we collect:

• Name, email address, and contact information;
• Company name and address;
• Billing and payment information;
• Account preferences and settings;
• Authentication credentials (passwords are stored in hashed form only).

2.2 Usage Data

We automatically collect certain information when you use the Service:

• IP address and geolocation (country/region level);
• Browser type, operating system, and device information;
• Pages visited, features used, and actions taken within the Service;
• Timestamps and session duration;
• Error logs and performance data.

2.3 Customer Data

You may upload and store data in the Service as part of your use (e.g., contacts, companies, tickets, deals). We process this data solely on your behalf as a data processor. Each customer's data is stored in a separate, isolated database.

2.4 Communication Data

When you communicate with us via email or support channels, we collect the content of your communications and associated metadata.

3. How We Use Your Data

We use personal data for the following purposes:

• Service Delivery: To provide, maintain, and operate the Service, including user authentication, database provisioning, and feature access;
• Service Improvement: To analyze usage patterns, identify issues, and improve the Service;
• Communication: To send you service-related notifications, updates, security alerts, and support messages;
• Billing: To process payments, manage subscriptions, and send invoices;
• Security: To detect, prevent, and respond to security incidents, fraud, and abuse;
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

Legal Bases for Processing (GDPR Article 6)

• Performance of contract: Processing necessary to fulfill our contractual obligations to you (service delivery, billing);
• Legitimate interests: Processing necessary for our legitimate interests (service improvement, security), where these interests are not overridden by your rights;
• Legal obligation: Processing necessary to comply with legal obligations;
• Consent: Where applicable, processing based on your explicit consent (e.g., marketing communications).

4. Data Processors and Third Parties

We use the following categories of third-party service providers to operate the Service:

Provider	Purpose	Location
Hetzner Online GmbH	Server hosting and infrastructure	Germany (EU)
Resend, Inc.	Transactional email delivery	United States

We ensure all data processors have appropriate data processing agreements in place and provide adequate safeguards for international data transfers (e.g., Standard Contractual Clauses for transfers outside the EU/EEA).

We do not sell, rent, or share your personal data with third parties for their marketing purposes.

5. International Data Transfers

Our primary infrastructure is hosted in the European Union (Germany). Where data is transferred outside the EU/EEA (e.g., to Resend for email delivery), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:

• EU Standard Contractual Clauses (SCCs);
• Adequacy decisions by the European Commission, where applicable;
• Additional technical and organizational measures as needed.

6. Data Retention

We retain personal data for the following periods:

• Account data: For the duration of your active subscription plus 30 days after termination (for data export). Permanently deleted within 90 days after termination;
• Customer data: For the duration of your active subscription. Deleted per our Terms of Service upon termination;
• Usage and log data: Retained for up to 12 months for security and improvement purposes;
• Billing data: Retained for 7 years to comply with Dutch fiscal record-keeping requirements;
• Communication data: Retained for up to 24 months after the last interaction.

7. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): You can request a copy of the personal data we hold about you;
• Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete data;
• Right to Erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations;
• Right to Restriction (Art. 18): You can request that we restrict the processing of your data in certain circumstances;
• Right to Data Portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format;
• Right to Object (Art. 21): You can object to processing based on legitimate interests;
• Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@getproventum.com. We will respond to your request within 30 days in accordance with the GDPR. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your EU member state.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS/HTTPS) and at rest;
• Database-per-tenant architecture ensuring complete data isolation;
• Database credential encryption;
• Regular security updates and patches;
• Access controls and role-based permissions;
• Two-factor authentication (2FA) support;
• Regular automated backups;
• Monitoring and logging of security events.

9. Cookies and Tracking

We use the following types of cookies:

• Essential cookies: Required for the Service to function (session management, authentication, CSRF protection). These cannot be disabled;
• Functional cookies: Store your preferences such as language and locale settings.

We do not use third-party tracking cookies, advertising cookies, or analytics services that track individual users across websites. We do not participate in cross-site tracking or retargeting.

10. Data Protection Officer

For any questions or concerns regarding our data processing practices, you may contact our data protection team:

• Email: privacy@getproventum.com
• Postal: Storekeeper B.V., Attn: Data Protection, The Netherlands

11. Children's Privacy

The Service is a B2B platform not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service at least 30 days before they take effect. We encourage you to review this page periodically. The "Last updated" date at the top indicates when this policy was last revised.

13. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Company: Storekeeper B.V.
• Email: privacy@getproventum.com
• Website: https://getproventum.com