How we handle your data.

Avrentis (“Avrentis”, “we”, “us”) operates the approval, procurement, and records platform available at avrentis.com and app.avrentis.com. This policy explains how we handle personal data in that service and on this marketing website.

For privacy questions, contact our privacy enquiry form.

Account information. Name, work email, organisation, role, optional profile details, and any identity attributes your employer passes through SSO or SCIM.

Content you create. Payment vouchers, purchase orders, attachments, approval comments, signatures, audit-trail events, and any other material you submit while using the platform.

Usage and device data. IP address, user-agent, timestamps, and pages or actions accessed — recorded primarily to power the immutable audit trail and to secure the service.

Support correspondence. Messages, phone numbers (if shared), and any information you voluntarily include when contacting us.

Marketing-site analytics. Minimal aggregate traffic data for this website. We do not place advertising cookies.

We process personal data only where we have a lawful basis to do so:

• Contract. To provide the Avrentis service to your organisation — authenticating users, routing approvals, generating documents, maintaining audit records.
• Legitimate interest. To secure the service, prevent abuse, monitor operational health, improve the product, and maintain business records.
• Legal obligation. To meet tax, accounting, anti-fraud, and other regulatory duties.
• Consent. For optional marketing communications, where we ask first and you can withdraw at any time.

We do not sell personal data. We share it only in the following, narrowly defined cases:

• Within your organisation. Approval workflows route documents and events to other users in your tenant according to roles you configure.
• With sub-processors.Infrastructure and operational providers we engage to run the service. See the list under “Sub-processors” below.
• To comply with law. Where a valid legal process compels disclosure. We challenge over-broad requests and notify affected customers where law permits.
• In a corporate transaction. If Avrentis is involved in a merger, acquisition, or asset sale, data may transfer under equivalent privacy commitments.

We engage trusted infrastructure providers to operate the platform. Each is bound by a data-processing agreement. The categories of provider we rely on today are:

• Managed PostgreSQL for application data (EU).
• Application hosting and edge compute (global edge).
• Content delivery and object storage for document attachments (global).
• Managed Redis for session state and rate-limiting (EU / US).
• Transactional email delivery (US).
• SMS notification delivery, where enabled (Africa / international).
• Error and performance monitoring (EU).

The specific named providers in each category — along with their DPA status — are shared with prospective customers through our privacy enquiry form, typically alongside a Data Processing Agreement. An overview of the categories is also maintained at /trust.

Primary application data is stored in the European Union on a managed PostgreSQL service. Document attachments are stored in an encrypted object-storage provider at the region our infrastructure tier is configured for. Backups are taken daily and retained for a rolling window consistent with our recovery objectives.

Dedicated in-country or in-region hosting is available as part of an enterprise engagement. Contact us if data residency is a hard requirement for your organisation.

Account data. Retained while your organisation is an Avrentis customer, plus a short grace period for reactivation, then deleted or anonymised.

Content & documents.Retained per your plan’s retention policy. Your administrator can export or delete documents at any time.

Audit logs. Retained permanently for the lifetime of the tenant. Because the log is the compliance record of who did what, it is never purged while the account is active.

Support emails and marketing enquiries. Retained for the period needed to respond and for reasonable record-keeping.

If you are in a jurisdiction with statutory data-protection rights (EU/EEA under GDPR, Nigeria under NDPR, California under CCPA, United Kingdom under UK GDPR, and others), you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion, subject to legal and contractual retention obligations.
• Receive a portable copy of your data.
• Object to or restrict certain processing.
• Withdraw consent where consent is the lawful basis.
• Lodge a complaint with your local supervisory authority.

Where Avrentis processes your data on behalf of your employer (most features of the platform), we will forward your request to the relevant administrator and assist with its fulfilment. For direct requests, email our privacy enquiry form.

Security is a structural feature of the platform, not a bolt-on. The full stack — tenant isolation, role-based authority, session integrity, audit trail, access lifecycle, encryption — is documented at /product/security.

No system is perfectly secure; we operate a responsible-disclosure programme and welcome good-faith reports through our responsible-disclosure form.

Avrentis is a business platform. It is not directed at children under 16 and we do not knowingly collect their personal data. If you believe a child has provided data to us, contact us and we will delete it.

We may update this policy as our service evolves or laws change. Material changes will be communicated to account administrators and noted on this page with a new effective date. Continuing to use Avrentis after a change constitutes acceptance of the updated policy.

For any question about this policy, or to exercise a right listed above, write to our privacy enquiry form. We respond within one business day for enterprise customers and otherwise within a reasonable time not exceeding the statutory deadline applicable to your jurisdiction.