Privacy Policy
Invena Labs Limited (trading as invena)
Company number 17237229
Version: 0.2 (beta)
Last updated: 26 June 2026
Effective date: 26 June 2026
This Privacy Policy explains how Invena Labs Limited collects, uses, discloses, and protects personal data when you use our website, app, invitations, and related services.
Beta notice: Invena is in early access. Our marketing website at invena.app is not yet live. The beta app is available at our beta app URL. This policy describes how we handle personal data in the beta app and related services today. Retention periods and subprocessors may be refined as we move toward wider launch. We will update this page when we make material changes.
1. Who we are
Data controller: Invena Labs Limited (trading as invena)
| Registered address | 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom |
| Privacy contact | privacy@invena.app |
| Support | support@invena.app |
| Data protection | We are not required to appoint a Data Protection Officer. For privacy matters, contact privacy@invena.app. |
This policy applies to:
- our website at invena.app (when live);
- the Invena app, including the current beta version at invena-backend.streamlit.app;
- transactional emails we send (for example Space invitations);
- support and privacy requests you send to us.
It does not cover third-party websites or services you access through links from Invena.
2. What Invena does
Invena helps households organise important information, share selected content with trusted people, and maintain continuity around documents and records.
We aim to:
- collect only the data needed to run the service;
- let you control what you store and who you share it with;
- be clear about what we do and do not do with your data; and
- separate preview steps, such as document extraction, from persistent records until you review and confirm them.
We do not sell your personal data.
3. Personal data we collect
Personal data means information that identifies you or could reasonably be used to identify you.
3.1 Account and profile data
When you create an account or sign in, we process:
- your email address;
- an internal account identifier;
- authentication data, including your password in hashed form only (we do not store plain-text passwords);
- profile information you choose to provide, such as your name or display name; and
- sign-in and session metadata, such as when you last signed in.
We collect this data from you when you register or update your profile. Authentication is provided by Supabase (our identity and authentication provider). Supabase may process your email address, account identifiers, and technical data such as IP address and device or browser information when you sign in.
We use sign-in metadata to operate your account, maintain security, and detect abuse.
3.2 Spaces, sharing, and invitations
Invena is organised around Spaces: private areas controlled by a Space owner, where you store and share information with people you trust.
We process:
- Space names and descriptions;
- your role in each Space (for example owner, editor, or viewer);
- invitation details, including invitee email address, role, and invitation status; and
- membership and sharing settings.
Invitation flow
If someone invites you to a Space by email:
- we use your email address to send the invitation;
- the invitation does not create an account;
- you must create an account or sign in with that email address and accept the invitation before you can access the Space; and
- until you accept, you cannot view Space content.
Receiving an invitation email alone does not grant access.
3.3 Records and documents you add
You may store structured entries (for example insurance, utilities, or household records) and upload documents (such as PDFs or images).
Your responsibility for content
- You decide what to upload or enter.
- You should only upload material you are entitled to store and share.
- If your content includes information about other people (for example a partner, relative, or household member), you must have authority or another lawful basis to share that information with us and with other Space members you invite.
Sensitive and special category data
We do not require you to provide special category data (such as health information) to use Invena. However, you may choose to upload documents that contain sensitive or special category information — for example passports, wills, medical records, insurance documents, bank statements, or estate-related information.
If you upload such information, you are responsible for ensuring you have a lawful basis to share it with us and with other Space members who can access the relevant Space.
We process this content to provide the service you request, including storage, retrieval, sharing within your Space, reminders, and related product functions.
Documents are treated as evidence attached to your records. We do not use your uploaded documents to train public AI models.
3.4 Document extraction and previews
When you upload a document (currently PDF text extraction in beta), Invena may generate a preview, such as extracted text, to help you review the document before saving it as a record.
Important points:
- This is processing of personal data. Extracted text may itself be personal data and may be sensitive depending on the source document.
- Where it runs: preview extraction is performed on Invena's servers (our API). In the current beta, PDF text extraction uses native processing on our infrastructure — it is not sent to a third-party AI or OCR service for that step.
- Storage: previews are generated when you request them and are returned to the app for your review. They are not automatically saved as records unless you choose to save or proceed with intake steps that persist data.
- Purpose: previews support your review only. They do not automatically create or change your records.
Image OCR and additional extraction capabilities may be added later. If we introduce new extraction providers, we will update this policy and our subprocessor list.
3.5 Operational, security, and support data
We process data needed to run the service safely and reliably, including:
- Audit and activity events — who performed an action, what type of action, and when. We do not store the full text of your documents in audit logs;
- In-app notifications — for example invitations, membership changes, or reminders;
- Error and diagnostic data — limited technical information (such as error type, request metadata, and device or browser information) may be sent to our error-monitoring service if something goes wrong; and
- Support and privacy correspondence — if you email us, we keep what you send so we can respond.
3.6 Website and beta app technical data
When you visit invena.app (when live) or use the beta app, standard hosting logs may include your IP address, browser type, and pages or requests accessed.
We do not currently use third-party marketing analytics on the website or in the beta app. If we introduce privacy-friendly analytics in future, we will update this policy and our cookie notice and will ask for consent where required.
3.7 What we do not collect today
At present, we do not:
- run a public waitlist that stores your data separately from the app;
- use third-party product analytics (such as PostHog) in production; or
- offer connected-account OAuth sign-in in the current beta.
4. Why we use your data (purposes and lawful bases)
Under UK data protection law, we must have a lawful basis for each purpose for which we use personal data. The table below explains our main purposes, the data involved, and the lawful basis we rely on.
| Purpose | Data involved | Lawful basis |
|---|---|---|
| Create and manage your account | Account and profile data | Performance of a contract (to provide the service you sign up for) |
| Provide Spaces, sharing, invitations, and permissions | Space, membership, and invitation data | Performance of a contract; legitimate interests where needed for service administration and secure operation |
| Store and display records, documents, and reminders | Records, documents, metadata, and related content | Performance of a contract |
| Generate document previews and extracted text | Uploaded documents and extracted text | Performance of a contract |
| Maintain security, prevent abuse, and operate logs | Audit, activity, device, and technical data | Legitimate interests (to keep Invena and users safe) |
| Provide support and respond to requests | Correspondence and account details | Legitimate interests; performance of a contract where the request relates to service use |
| Comply with legal obligations | Account, audit, and disclosure records | Legal obligation |
| Send service and transactional emails | Email address and relevant service data | Performance of a contract; legitimate interests |
| Optional analytics or other optional features, if introduced | Limited technical data or identifiers | Consent, where required |
Legitimate interests: Where we rely on legitimate interests, we balance our interests against your rights and freedoms and only use data where necessary and proportionate.
Consent: We use consent only for optional processing (for example optional analytics if we introduce them). You may withdraw consent at any time. Withdrawal does not affect processing that happened before withdrawal, and it does not affect processing we carry out on another lawful basis (such as contract) for core service features.
We do not rely on consent for core product processing such as account creation, document storage, access control, invitations, or security logging.
5. Who can see your data
5.1 Within Invena
A Space is a private area controlled by the Space owner. Members can access only the content and actions permitted by their role.
- You can access the Spaces and records your permissions allow.
- Space owners can manage members, invitations, and governance-sensitive actions.
- Editors can create and update records and upload documents within a Space, subject to role limits.
- Viewers can see content they are invited to but cannot make destructive changes.
Permissions are enforced on our servers — not only in the app interface.
5.2 Our access to your content
We do not routinely access the contents of your Spaces or documents to browse user data.
We may access limited account or technical information when you contact support so we can help you. Any broader access to your content would only occur with your direction, to resolve a specific support request you raise, or where required by law. Access for operational support is limited and proportionate.
5.3 Service providers and subprocessors
We use trusted providers to run Invena. They process data only on our instructions and for the purposes of providing services to us.
| Provider | Role | Typical data | Location |
|---|---|---|---|
| Supabase | Authentication, database, and file storage | Account data, app content, metadata | West Europe (London) |
| Resend | Transactional email (invitations from invites@invena.app) | Email address, inviter name, Space name | United States |
| Sentry | Error monitoring | Technical diagnostics, limited identifiers | European Union |
| Railway | API hosting | Request metadata | United States |
| Streamlit (Streamlit Cloud) | Beta app hosting | Session and interaction data | United States |
| Vercel | Website hosting (when live) | IP address, request logs | United States / global edge |
We may also use categories of provider such as cloud hosting, identity infrastructure, email delivery, error monitoring, and customer communications tools as the service matures.
A more detailed subprocessor list may be published at invena.app/subprocessors.
Some providers are located outside the UK. Where we transfer personal data internationally, we use appropriate safeguards as required by UK data protection law.
5.4 Legal requirements
We may disclose information if required by law, regulation, court order, or to protect the rights, safety, and security of users and Invena.
6. How long we keep data
We keep personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law.
6.1 Active use
While your account is active, we keep your account data and the content you store until you delete it or close your account, subject to the recovery windows below.
6.2 Deletion and recovery windows
Invena uses soft delete before permanent removal. Deleted content may remain recoverable for a limited period before it is permanently purged from active systems.
| Item | Recovery period before permanent purge |
|---|---|
| Entry (record) | 30 days after deletion |
| Space | 90 days after deletion |
During the recovery period, authorised owners may be able to restore items. After that window, purge permanently removes stored content from active systems.
6.3 Audit evidence
When content is purged, we may retain limited audit records (for example that a Space existed and who performed a deletion) for security, accountability, and legal purposes. Audit records do not include the full text of your documents.
Intended retention (beta): audit and security logs are typically retained for up to 24 months, unless a longer period is needed for security investigations, legal claims, or regulatory requirements.
6.4 Account deletion
Full self-serve account deletion is not yet available in the beta app. To request deletion of your account and associated data, contact privacy@invena.app.
We will handle requests in line with applicable law and will explain what we can delete immediately and what requires a short operational process.
6.5 Backups
Database backups support recovery from incidents.
| Backup type | Intended retention (beta → production) |
|---|---|
| Automated daily backups (Supabase Pro, when enabled) | Up to 7 days |
| Operator-managed backups (during beta) | Up to 30 days |
Purged content should not remain in active use. Residual backup copies may persist for a limited period before rotation. We are improving backup and restore practices as we move toward production operations.
6.6 Invitation and support correspondence
Pending invitations and support emails are kept for as long as needed to provide the service or resolve your request, then deleted or archived in line with our retention practices.
7. Security
We take security seriously. Measures include:
- Encryption in transit using HTTPS/TLS;
- Encryption at rest through our cloud providers (provider-managed encryption — we do not currently offer end-to-end or client-side encryption);
- Role-based access within Spaces, enforced on our API;
- Re-authentication — requiring your current password before changing to a new one;
- Soft delete and staged purge rather than immediate silent removal; and
- Audit logging for important lifecycle actions.
No online service can guarantee absolute security. If you believe your account has been compromised, contact security@invena.app promptly.
We do not claim formal certifications (such as SOC 2 or ISO 27001) unless and until we publish them on our Trust Centre.
8. Your rights
If you are in the UK, EEA, or another region with similar rights, you may have the right to:
- Access your personal data;
- Rectify inaccurate or incomplete personal data;
- Erase your personal data, subject to legal and operational limits;
- Restrict or object to certain processing;
- Port your data in a structured, machine-readable format, where applicable;
- Withdraw consent where processing is based on consent; and
- Complain to a supervisory authority.
How to exercise your rights
- Email privacy@invena.app with your request. We may need to verify your identity.
- Update profile information in the app under Account → Profile.
- Delete or purge Space content using in-app controls, subject to the recovery windows above.
Automated data export and in-app account deletion are planned but not yet available in beta. We will not ignore valid requests while those features are being built.
Complaints
If you are unhappy with how we handle your personal data, you have the right to complain to a supervisory authority.
- United Kingdom: Information Commissioner's Office (ICO) — you can also contact us first at privacy@invena.app so we can try to resolve your concern.
- EEA: you may lodge a complaint with your local data protection authority in the country where you live or work.
9. Children
Invena is not directed at children under 18, and we do not knowingly collect personal data directly from children.
Adults may use Invena to organise household information. That information may incidentally include details about children or other family members (for example in documents you upload). If you include information about others, you must have authority or a lawful basis to share it, as described in section 3.3.
If you believe a child has provided us with personal data directly, contact privacy@invena.app and we will take appropriate steps.
10. Document extraction and preview tools
Invena may use automated tools to help you preview information from documents — for example text extraction from PDFs — before you decide what to save.
Important principles:
- previews are for your review, not automatic record-keeping;
- tools do not replace your ownership or authority over your data;
- tools do not access data outside your permissions; and
- we do not take hidden actions on your behalf.
This is not generative AI in the current beta. More detail will be published in our AI policy at invena.app/legal/ai-policy when available.
11. Cookies and similar technologies
Website (invena.app, when live): we do not currently use non-essential cookies or third-party marketing trackers. Essential cookies or similar technologies may be needed for security and basic site function.
Beta app: the beta app may use session technologies needed to keep you signed in and operate the service.
If we add analytics (for example privacy-friendly website analytics), we will publish a cookie policy and ask for consent where required.
12. Changes to this policy
We may update this policy from time to time. We will post the new version on invena.app/privacy with an updated "Last updated" date. For material changes, we may also notify you in the app or by email.
If you continue to use Invena after an update takes effect, that indicates you are aware of the updated policy. The lawful bases for processing remain as set out in the current version of this policy unless we explain otherwise.
13. Contact us
| Controller | Invena Labs Limited (trading as invena) |
| Address | 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom |
| Privacy | privacy@invena.app |
| Support | support@invena.app |
For terms of use, see invena.app/terms (when published).
invena™ — trademark application pending.