PRIVACY POLICY

1. Who We Are

Venvera is operated by Atlant Security EOOD, registered in Sofia, Bulgaria. In this policy, “Venvera,” “we,” “us,” and “our” refer to Atlant Security EOOD

We act as the data controller for personal data collected through our website (venvera.com) and marketing activities, and as a data processor for personal data our customers store in the Venvera platform (app.venvera.com).

2. Data We Collect

2.1 Website visitors

• Usage analytics (page views, referrer, browser type) via PostHog, self-hosted in the EU
• IP address (truncated, not stored beyond the session)
• Cookies strictly necessary for site functionality and analytics preferences

2.2 Free Compliance Check

• Email address (if you choose to receive your report)
• Job title and organisation type (optional)
• Assessment answers and resulting score

2.3 Demo requests and contact forms

• Name, email address, company name
• Message content

2.4 Platform users (app.venvera.com)

• Name and business email (from SSO provider: Microsoft Entra ID or Google Workspace)
• Organisation membership and role within the platform
• Audit log of actions taken (for security and compliance)

3. How We Use Your Data

• Service delivery: To provide, maintain, and improve the Venvera platform
• Communication: To respond to enquiries, send assessment reports, and (with consent) share product updates
• Security: To detect, prevent, and respond to security incidents
• Legal compliance: To meet our obligations under GDPR and other applicable laws
• Analytics: To understand how our website and platform are used, in aggregate

4. Legal Basis for Processing

• Contract performance: Processing necessary to deliver our services (Art. 6(1)(b) GDPR)
• Legitimate interest: Analytics, security monitoring, and fraud prevention (Art. 6(1)(f) GDPR)
• Consent: Marketing emails and non-essential cookies (Art. 6(1)(a) GDPR)
• Legal obligation: Record-keeping required by law (Art. 6(1)(c) GDPR)

5. Data Storage and Security

All data is hosted on EU-based infrastructure in Sofia, Bulgaria (DigitalOcean AMS3 region). We implement the following safeguards:

• Encryption at rest using AES-256-GCM with per-tenant encryption keys
• Encryption in transit using TLS 1.3
• PostgreSQL Row-Level Security for tenant data isolation
• Automated encrypted backups every 6 hours (AES-256, 30-day retention)
• Multi-factor authentication for infrastructure access
• Annual penetration testing and continuous vulnerability scanning

6. Data Sharing

We do not sell your personal data. We share data only with:

• Infrastructure providers: DigitalOcean (hosting), all EU-based
• Authentication providers: Microsoft Entra ID and Google Workspace (SSO only, no data stored by them)
• Error monitoring: Sentry (EU region), for application error tracking
• Law enforcement: Only when required by law, with appropriate legal process

No data is transferred outside the European Economic Area (EEA).

7. Data Retention

• Platform data: Retained for the duration of the customer’s subscription, plus 30 days for data export after termination
• Assessment results: Retained for 12 months, then automatically deleted
• Audit logs: Retained for 3 years as required for regulatory compliance
• Website analytics: Aggregated after 90 days; raw data deleted after 180 days
• Marketing contacts: Until consent is withdrawn or the contact is inactive for 24 months

8. Your Rights

Under the GDPR, you have the right to:

• Access your personal data (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure (“right to be forgotten”) (Art. 17)
• Restrict processing (Art. 18)
• Data portability in machine-readable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time (Art. 7(3))

To exercise these rights, email privacy@venvera.com. We will respond within 30 days.

9. Cookies

We use the following categories of cookies:

• Strictly necessary: Session cookies, CSRF protection, authentication tokens
• Analytics: PostHog (self-hosted, EU) — only with your consent

We do not use third-party advertising cookies or tracking pixels.

10. Children’s Privacy

Venvera is a business-to-business service. We do not knowingly collect data from individuals under 16 years of age.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users and posted on this page with the updated date.

12. Contact

For privacy-related enquiries: