Privacy Policy

Last updated: 1 January 2026

This policy is written in plain language. If anything is unclear, contact us at privacy@salvinta.com.

1. Who We Are

Salvinta GRC (“Salvinta”, “we”, “us”, “our”) is an enterprise Governance, Risk, and Compliance (GRC) software platform operated by Placeholder B.V. (the registered company name will be updated when registration is finalised).

For the purposes of the EU General Data Protection Regulation (GDPR), Placeholder B.V. is the data controller for data collected via our website (salvinta.com) and our SaaS platform.

Contact: privacy@salvinta.com

2. What Personal Data We Collect

We collect the minimum data necessary to provide the Salvinta platform.

2.1 Account and Profile Data

  • Full name
  • Business email address
  • Organisation name
  • Role within your organisation (as you define it in Salvinta)
  • Department (optional)

2.2 Subscription and Billing Data

  • Billing email address
  • Company name and billing address (if provided for invoicing)
  • Subscription plan and status

Payment card details are processed exclusively by Stripe, Inc. We do not receive, store, or process payment card numbers. Stripe's privacy policy applies to payment processing: stripe.com/privacy.

2.3 GRC Platform Content

When you use the Salvinta platform, you create and store business data including risk registers, control records, evidence file references, incident reports, and management review content. Where that content contains personal data, we process it on your behalf as a data processor. You are the data controller for any personal data within your GRC records.

2.4 Usage and Technical Data

  • API request logs (IP address, timestamp, endpoint, HTTP status code) — retained in AWS CloudWatch for up to 30 days
  • Application audit log entries (user ID, action, timestamp, record ID) — retained indefinitely for your own compliance trail
  • Error logs — retained for debugging purposes up to 90 days

2.5 Cookies

Salvinta's website uses only functional cookies that are strictly necessary for the operation of the service. We do not use advertising cookies, tracking cookies, or any third-party analytics. No cookie consent banner is required for strictly necessary cookies, but we inform you of them here in full transparency.

The cookies we use:

  • CognitoIdentityServiceProvider.* — authentication session cookies set by Amazon Cognito. Session-scoped.

3. How We Use Your Data

Purpose | Legal Basis
Providing the Salvinta platform to you | Performance of a contract (Art. 6(1)(b) GDPR)
Billing and subscription management | Performance of a contract (Art. 6(1)(b) GDPR)
Sending important service and billing notifications | Performance of a contract (Art. 6(1)(b) GDPR)
Security monitoring, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f) GDPR)
Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR)
Product improvement and internal analytics (aggregated, anonymised) | Legitimate interests (Art. 6(1)(f) GDPR)

4. Where Your Data is Stored

All Salvinta data is stored and processed in AWS EU West 1 (Ireland). We do not transfer personal data outside the European Union. All AWS services used are covered under the AWS Data Processing Agreement, which incorporates the EU Standard Contractual Clauses (SCCs) where applicable.

5. How Long We Retain Your Data

  • Account and profile data: Retained for the duration of your subscription and deleted within 90 days of account closure, unless retention is required by law.
  • GRC platform content: Retained until you delete it or close your account. Deletion is permanent.
  • Billing records: Retained for 7 years to comply with EU tax and accounting regulations.
  • Technical/API logs: Retained for up to 90 days.

6. Sharing Your Data

We do not sell, rent, or trade your personal data to third parties. We share personal data only with:

  • Stripe, Inc. (payment processing) — Stripe processes payments on our behalf
  • Amazon Web Services, Inc. (cloud infrastructure) — all data is hosted on AWS; AWS acts as a processor under a Data Processing Agreement
  • Amazon Bedrock (AI features, Advanced plan only) — query content is sent to Bedrock for AI processing; prompts are not retained or used for training

In the event of a legal obligation (e.g. court order, law enforcement request), we may be required to disclose data. We will notify you where legally permitted to do so.

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data. You can update most profile data directly in the application settings.
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”). Note: we may retain certain data as required by law (e.g. billing records).
  • Right to restriction: Request that we pause processing of your data in certain circumstances.
  • Right to data portability: Request your data in a machine-readable format (JSON or CSV). You can export most records directly from within the application.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at privacy@salvinta.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands (our primary jurisdiction), this is the Autoriteit Persoonsgegevens.

8. Data Security

We implement appropriate technical and organisational measures to protect your data. For full detail, see our Security page. Key measures include encryption at rest and in transit, tenant data isolation, least-privilege access controls, and audit logging.

9. Children's Privacy

Salvinta is a business-to-business service intended for professional use only. We do not knowingly collect data from individuals under 18 years of age. If you believe a minor has provided us with personal data, contact us at privacy@salvinta.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify active subscribers by email. The “Last updated” date at the top of this page reflects the date of the most recent revision.

11. Contact

For any privacy-related questions or to exercise your rights: