InVentry Privacy Notice

1.0      Scope

The personal data of all data subjects is collected in line with the requirements of the UK GDPR/Data Protection Act 2018.

2.0      Responsibilities

The Data and Safeguarding Manager is responsible for ensuring that this notice is made available to data subjects prior to the school/client organisation collecting/processing their personal data. All Employees/Staff of the school/client organisation who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and that they are aware of the lawful grounds for the processing of their data in relation to the system.

3.0      Who are we?

Established in 2010, InVentry have quickly created a successful brand, which has seen exponential growth over the last 5 years. From a product concept to having over 100 employees, InVentry are trusted by over 8,000 organisations and have quickly become the market leaders in sign in and visitor management.

We’re dedicated to the technology we create and how this impacts the schools and businesses we work with, which has culminated in being named in the Deloitte Global fastest 500 growing companies in technology from Europe, the Middle East and Africa and the Northern Tech Awards Top 100 Fastest Growing Companies.

InVentry speeds up the signing in process, keeps identity information secure and leaves organisations feeling confident that they’re offering a safer environment for their staff members, contractors, visitors and more!

Our Data Protection Officer and data protection representatives can be contacted directly here:

dpo@InVentry.co.uk

0113 322 9253

4.0      Data being processed

4.1       Depending on the services being requested/provided, the personal data we would like to process on your behalf is:

For the purposes of implementing an InVentry Visitor Management system   
Up to and including a complete and unedited copy of the on-premises database (including any MIS data which has been imported as agreed to provide additional services) will be hosted by InVentry Ltd and synchronised in real time to provide the visitor management services as agreed under contract between the Customer and InVentry Ltd. The minimum data required is as follows:

Staff – System user creation

  • First name
  • Surname
  • Work email address

Visitors – Visit record

  • First name
  • Surname

For migration of MIS systems

  • Staff work email
  • Student UPN (Stored in a Pseudonymised state)

 

Article 6(1b) Contractual agreement
 
Personal data type: Source (where InVentry Ltd obtained the personal data from) Lawful Grounds
Staff – For use in Evacuation/communication
First name* Provided by School and extracted from the InVentry System Article 6(1b) Contractual agreement
Surname *
Time signed IN*
Photograph (Only if controller includes this field)
Position (Only if controller includes this field)
Email address
Student – For use in Evacuation
First Name*+ Provided by School and extracted from the InVentry System Article 6(1b) Contractual agreement
Surname*+
Form group*+
Year group *+
Time signed IN*+
Time signed OUT*+
Reason for IN/OUT*+
MIS ID**+
AM/PM session mark**+
Visitor – For use in Evacuation/communication
Title* Provided by School and extracted from the InVentry System Article 6(1b) Contractual agreement
First name*
Surname*
Company
Photograph
Vehicle registration
Name of host/person visiting
Time signed IN*
Email address
Parent/Carer/Medical Information – For Advanced Trip Management Only
Person ID Provided by the school, extracted from the InVentry System and used to facilitate this service. Article 6(1b) Contractual agreement
Contact ID
Title
Contact Name
Parental Responsibility
Relationship
Priority
Telephone Number
Telephone Type
Email Address
Email Type
Court Order
MIS ID
Person ID
Condition Name
Description
Person ID
Dietary ID
Description
Notes
Classmark/Clubreg services – Student
First Name*
Surname*
Pupil MIS ID*
Year Group*
Form Group*
Sessions Marks (AM/PM) (Classmark only) *
Classmark/Clubreg services – Staff
First Name*
Surname*
MIS ID*
Email Address*
ID Badge service
This service uses a set of data identified by the Data Controller and not specified by InVentry Ltd. By using this service, the responsibility for consent lies with the Data Controller. Article 6(1b) Contractual agreement
Support and Fault resolution
This is dependent on the issue identified and the work required to resolve the issue. It may require support to copy the whole database. Before removing data in any form, we will seek your additional consent to do so, either verbally or written, and take all steps to minimise its collection. This data is subject to a stringent internal policy and procedure ensuring that ownership and security of the data is recorded and maintained throughout the process.

By design your InVentry system offers the ability to collect special category personal data in the form of biometric data (facial recognition/fingerprint recognition). If during the process of fault resolution, we are required to download the database from your system, we will treat it in accordance with the process described above and in line with our data sharing agreement.

Should you so decide, you have the ability to add customised data fields that may include the collection of special category personal data. As the data controller, this is your decision and you should be aware that this will be shared with us. We will treat it in accordance with the above process and in line with our data sharing agreement.

Article 6(1b) Contractual agreement
InVentry Central
For maintaining accurate site attendance of personnel within InVentry Central system First Name* Article 6(1b) Contractual agreement
Surname*
Primary Email address*
Scan codes*
Member of staff*
InVentry ID*
Date of Birth*
SMS Service
Mobile number Provided by School, extracted from the InVentry System and used by the SMS provider only to facilitate this service. Article 6(1b) Contractual agreement
Visitor Email notifications
Visitor email address Provided by School, extracted from the InVentry System and used by the email system to facilitate this service. Article 6(1b) Contractual agreement
Audit and Compliance
First Name* Provided by the school to facilitate the creation of users within the system. Article 6(1b) Contractual agreement
Surname*
Email address*
Marketing (B2B only)
First name For InVentry customers, this information will be requested from the customer on a consent or contract basis.

For B2B, this information will be obtained via consent or under Article 6 (f) of GDPR. For more details see below.

As we sell via approved resellers, this data may be shared with an authorised reseller solely for communications around InVentry Ltd products once consent has been obtained.

Article 6(1a) Consent

Article 6(1f)

Legitimate Interest

Surname*
Job Title
Email*
Mobile
Landline*
Postcode*
Employment
Personal data contained within CV submitted by candidate directly to InVentry via any appropriate mechanism. This data may be shared for application purposes with the approved recruiter. Article 6(1a) Consent
Financial Information
First name* This information will be retained for 7 years, in line with financial information for completeness and accuracy of the record. Article 6(1b) Contractual agreement
Surname*
Email*
Space Bookings/Audit and Compliance
First name* Provided by the Organisation to facilitate this service Article 6(1b) Contractual agreement
Surname*
Email*
For the purposes of implementing Classmark/Clubreg services
Student First name* Provided by the Organisation to facilitate this service Article 6(1b) Contractual agreement
Student Surname*
Student MIS ID*
Year group*
Form group*
Session mark (Classmark only)*
Staff First name*
Staff Surname*
Staff email*
Staff MIS ID*
Space Bookings/Audit and Compliance
First name* Provided by the Organisation to facilitate this service Article 6(1b) Contractual agreement
Surname*
Email*

Fields marked with * above are required for system functionality; fields marked with ** are required if using the full MIS register function of the InVentry Evacuation app. Fields marked with + are not required for InVentry One systems.

The personal data we collect, depending on the role, will be used for the following purposes:

  • Attendance
  • Registration
  • Emergency Evacuation
  • Advanced Trip Management
  • Badge Production
  • Support and fault resolution
  • Marketing
  • Financial management
  • Classmark
  • Clubreg
  • Space Bookings
  • Central

4.3       Our legal basis for processing the personal data:

  • Article 6(1b) – processing is necessary for the performance of a contract to which the organisation has agreed
  • Article 6 (1f) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

5.0      Lawful Processing

5.1        The data controller is consenting to this privacy notice through the lawful processing condition of performance of a contract, upon the purchase of any of the following licenses: InVentry Anywhere, maintenance or integration. You are giving InVentry Ltd permission to process the personal data supplied specifically for the purposes identified. In doing so, InVentry Ltd must assume that the data has been collected under the terms identified in Article 6 ‘Lawfulness of processing’ of the General Data Protection Regulation and reflected in the Data Protection Act 2018.

5.2       Where consent is required for InVentry Ltd to process both types of personal data, it must be explicitly given. Where we are asking you for special category personal data we will always tell you why and how the information will be used.

5.3       You may withdraw consent at any time by contacting the Data Protection Officer at InVentry using the contact details above or through the link provided directly in any communication.

6.0      Use of data for marketing purposes (B2B purposes only)

6.1       Data used by InVentry Ltd for marketing purposes is obtained in the following manner:

  • From the individual where consent has been obtained directly
  • From an approved data supplier under Article 6(f) of UK GDPR – Legitimate Interest where the data has been confirmed to be eligible for use for these purposes and the Privacy and Electronic Communications Regulations (PECR) guidelines.

6.2       Purposes and Intentions

6.2.1     InVentry’s purpose for processing and storing personal (B2B) data is as follows:

  • Increased awareness of the product in the market
  • The opportunity to present a demonstration of the system and potentially sell a system to the organisation (B2B environment only)

6.2.2    Engagement with organisations’ business-only environment contacts to raise awareness of InVentry

  • To arrange meetings to provide a demonstration for interested parties.
  • To establish a frequency of contact that suits each individual business.
  • Increased networking opportunities
  • Growth of the business

6.2.3    InVentry’s intentions in using business data are primarily:

  • To engage with organisations’ business-only environment contacts to raise awareness of InVentry
  • To arrange meetings to provide a demonstration for interested parties.
  • To enquire about and aim to establish a frequency of contact that suits each individual business.

6.2.4    Guidelines and Restrictions:

  • InVentry will remove CTPS exclusions either prior to use or at once upon discovery of CTPS.
  • Non-business email addresses, e.g. @hotmail, will not be used – they must be name@company.com.
  • All individuals at businesses will be given a clear route to opt out of future email communications and to apply their rights under current data protection legislation.
  • Mobile numbers will not be obtained, recorded or used unless obtained through direct communication with any given business and given out by that business voluntarily to allow InVentry to attempt to contact a given individual.
  • Data obtained for marketing purposes shall not be used for any other purpose

7.0      IP Addresses and Cookies

7.1        In the course of using our site, we track certain information about users, including what browser they are using and their IP address, through the use of cookies.

7.2       The cookies used on our website have been categorised based on information provided by the International Chamber of Commerce UK Cookie Guide.

7.3       For more information please read our cookies policy, which can be found at http://inventry.co.uk/cookie-policy/

8.0      CCTV

8.1       CCTV is used in line with the InVentry CCTV policy which is available on request

8.2       Any requests should be submitted to dpo@inventry.co.uk

9.0      Disclosure

InVentry Ltd will not release the information to any third party without obtaining the express written authority of the partner who provided the information, unless the request is subject to legal obligation.

10.0    Retention period

Your InVentry system will process personal data for the following periods:

  • Primary pupils – In line with the school/organisation’s data retention policy;
  • Secondary pupils – In line with the school/organisation’s data retention policy;
  • Staff – In line with the school/organisation’s data retention policy;
  • Visitors – In line with the school/organisation’s data retention policy

InVentry Cloud

The data processed in the cloud service will be deleted 30 days following the receipt of written confirmation by the customer of the termination of the contract.

Cloud system backup

The cloud hosted data is backed up by InVentry Ltd for the following timescales:

Hourly    7 days
Daily    14 days
Weekly    12 weeks

InVentry Anywhere Evacuation system

  • Staff/Primary pupil/Secondary pupil/visitors – Until 23:59:59 on day of attendance at site

Advanced Trip Management

Any data processed by InVentry will be deleted under one of the following conditions:

  • If the end date of the trip set by the customer passes.
  • If the trip has an action of “IN” (when all students have signed back in).
  • If no end date is specified for a trip, it defaults to the end of the start date.

Data processed on the Anywhere App will be deleted on the next connection to the service after one of the above conditions has been met.

Classmark/Clubreg (Cloud based service)

  • Individual records can be managed in line with the Data Controller’s own policy
  • Data processed in the Central service will be deleted 30 days following the receipt of written confirmation by the customer of the termination of the contract
  • For the period of the contract

ID Badge Creation service

Any personal information supplied will be processed and stored as follows:

  • Up to 24 hours – InVentry Ltd Tier 1 Cloud storage facility
  • 51 days from dispatch of order, stored on local area network at our head office to enable completion and confirmation of order.

SMS Service

  • InVentry system – 30 days/13 months anonymised for billing purposes only
  • SMS service provider – 6 months
  • Telecom service provider – 12 months

The message and the number are stored for the above time frames by the SMS service provider for legitimate business reasons and the Telecom service provider as this is regulated under the Investigatory Powers Act 2016.

Email address

  • Anywhere service – 30 days
  • Service Provider – 7 days

Support desk

  • Until no longer required under Article 6(f) – Legitimate Interest of the organisation for completeness of the record

Financial information

  • 7 years under Article 6(f) – Legitimate Interest of the organisation for completeness of the record.

Marketing

  • For 12 months or until consent is withdrawn

Recruitment (Applications, supporting CVs and other material)

  • Successful candidates – All details and documentation will form part of the employee records and be retained in line with the retention policy for these.
  • Unsuccessful candidates – All details and documentation will be retained for 6 months post completion of the recruitment process.

Cloud based services (InVentry World/Space Bookings)

  • The data processed in the cloud service will be deleted 30 days following the receipt of written confirmation by the customer of the termination of the contract.

11.0    As the Processor

All data hosted by InVentry Ltd is hosted in compliance with the requirements laid down in GDPR/Data Protection Act 2018.

For more information on storage and processing security, please contact InVentry Ltd using the details above.

InVentry Ltd will support the Data Controller in demonstrating compliance with the regulations covering the UK. Where required and reasonable, the processor will work with the data controller to:

  • Cooperate with the relevant data protection authorities in the event of an enquiry
  • Report data breaches to the controller without delay
  • Help the controller to comply with data subject rights
  • Assist the data controller in managing the consequences of data breaches
  • Inform the controller if the processing instructions infringe UK GDPR/Data Protection Act 2018.

InVentry will take all possible steps to ensure the security of the data where it processes this on behalf of the data controller. However, it cannot be held responsible or liable for any breach of data that is beyond its control. All requests for additional assistance will be subject to the agreement of the Directors.

Should InVentry choose to change a 3rd party service, we will complete appropriate impact assessments, alter our privacy statement where appropriate and notify you of this change. Where an additional service is being provided, consent will be sought.

12.0    Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
  • Right to judicial review: in the event that InVentry Ltd refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 13.0 below.

All of the above requests will be dealt with in line with InVentry Ltd’s Subject Access Procedure and will be shared with the customer should a request come directly from a subject.

13.0    Complaints

In the event that you wish to make a complaint about how your personal data is being processed by InVentry Ltd or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and schools/organisation’s data protection representatives.

The details for each of these contacts are:

Field | Supervisory authority contact details | Data and Safeguarding Manager contact details
Contact Name: | Information Commissioner’s Office | InVentry Limited
Address line 1: | Wycliffe House | Visitor House
Address line 2: | Water Lane | Gelderd Road
Address line 3: | Wilmslow | Gildersome
Address line 4: | Cheshire | Leeds
Address line 5: | SK9 5A | LS27 7JN
Email: | registration@ico.org.uk | dpo@InVentry.co.uk
Telephone: | 0303 123 1113 | 0113 322 9253

Document Owner and Approval

The Data Protection Officer is the owner of this document and is responsible for ensuring that this record is reviewed in line with the review requirements of the GDPR.

Signature:             D.Tidman                            Date: 05/12/2023

Appendix 1 – InVentry Processing

The following InVentry data hosting and processing locations are utilised for the purposes described below:

Service | System | Processing provider | Purpose/Justification | Location | Article 44 compliance (where required)
Cloud version of school system and integrated services | Azure | Microsoft | Providing storage for InVentry hosted copy of site system. | UK | Legally binding contract in place
Evacuation service | InVentry Anywhere | Rackspace | Providing processing for evacuation service | UK | Legally binding contract in place
Asset and compliance management | InVentry Asset and Compliance | Rackspace | Providing processing for asset and compliance service | UK | Legally binding contract in place
Badge making | InVentry ID badge making | Rackspace | Providing processing for badge making transfer | UK | Legally binding contract in place
Email relay service | InVentry Anywhere | Twilio | Provide communications to visitors | US | Article 46 – Transfers subject to appropriate safeguards (parts c and d) – Standard data protection clauses.
Evacuation service | InVentry Anywhere | IBM | Providing processing for evacuation service | UK | Legally binding contract in place
Support desk services | ZenDesk | ZenDesk | Recording details of support calls | US/EEA | Legally binding contract in place with standard data protection clauses adopted by the Commission in accordance with the Article 46 of UK GDPR
SMS messaging | InVentry Anywhere | SendGrid | Sending SMS messages for visitor notifications | US | Article 46 – Transfers subject to appropriate safeguards (parts c and d) – Standard data protection clauses through Binding Corporate Rules with Parent Organisation Twilio
CRM | Dynamics | Microsoft | Customer management | EEA | Legally binding contract in place with standard data protection clauses adopted by the UK Government in accordance with the Article 46 of UK GDPR
Advanced Trip Management | InVentry Anywhere | Rackspace | Providing processing for evacuation service | UK | Legally binding contract in place
InVentry Central | InVentry Central | ANS | Provide processing for the InVentry Central service | UK | Legally binding contract in place
Class and Club registration | Classmark/Clubreg | Microsoft Azure | Provide class and club registration services | UK | Legally binding contract in place
Room booking | Space Bookings | AWS | Provide room booking service | UK | Legally binding contract in place

For further details, please contact dpo@inventry.co.uk