Privacy Policy

Last Updated: May 12, 2026

1. Introduction

Welcome to InVitroManager. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our plant inventory management platform. Please read this policy carefully.

2. Information We Collect

2.1 Personal Information

When you register for an account, we collect:

• Name (first and last name)
• Email address
• Organization name
• Profile picture (optional)
• Password (stored securely using industry-standard hashing)

2.2 Business Data

Through your use of the platform, we store:

• Plant inventory records and lot information
• Production work logs and reports
• Employee records associated with your organization
• Uploaded documents and worksheets
• Labels and printing configurations

2.3 Automatically Collected Information

We automatically collect certain information when you access our platform:

• IP address
• Browser type and version
• Access times and dates
• Pages viewed and features used
• Session information

2.4 Third-Party Services

To run the platform we use a small number of third-party processors. Each has limited access to the categories of data noted below:

• Google Analytics (GA4) — visitor analytics on our public marketing pages only (home page and feature pages). Records page views, referrers, approximate location, and aggregated device characteristics. Does not run inside the authenticated application area.
• Google Fonts — when the marketing pages load, your browser requests web fonts (Inter Tight, JetBrains Mono, Fraunces) from Google. Google can see your IP address as part of this request. The fonts are not loaded inside the authenticated application area.
• Sentry — application error monitoring. When an exception occurs, a redacted error report is sent. We have personally identifiable information capture disabled (send_default_pii=False) so reports contain stack traces, URLs, and request metadata but not user-provided form values.
• DigitalOcean — server hosting in the United States. Your data is processed and stored on infrastructure operated by DigitalOcean under their applicable data processing terms.

2.5 Data We Cannot Read (Browser-Side Encryption)

Certain fields you designate as proprietary — most notably media recipe formulations — are encrypted in your browser before they reach our database. Your organization holds the decryption key; we do not. We can show these records back to authorized members of your organization, but we cannot read their contents on our servers, and they cannot appear in our logs, our error reports, or our backups in plaintext form.

3. How We Use Your Information

We use the information we collect to:

• Provide and maintain our plant inventory management services
• Process and manage your account
• Enable organization-based access and collaboration
• Generate reports and analytics for your business
• Communicate with you about service updates or issues
• Improve our platform and develop new features
• Ensure security and prevent unauthorized access

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

• Within Your Organization: Other members of your organization may see shared inventory data based on their assigned roles and permissions. The platform uses per-organization data isolation (schema-per-tenant) so data entered in one organization is not visible to members of another.
• Service Providers: We share specific categories of data with the third-party processors listed in Section 2.4 (Google Analytics, Google Fonts, Sentry, DigitalOcean). Each processor is subject to the applicable industry-standard data processing terms.
• Legal Requirements: We may disclose information if required by law, court order, or governmental regulation.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

5. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Secure HTTPS encryption for all data transmission
• Password hashing using industry-standard algorithms
• Session security controls and automatic timeouts
• Role-based access controls within organizations
• Regular security audits and monitoring

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your personal information and business data for as long as your account is active or as needed to provide our services. If you request account deletion, we will remove your personal data within 30 days, though we may retain certain information as required by law or for legitimate business purposes.

7. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data.
• Export: Request your data in a portable format.
• Objection: Object to certain types of data processing.

To exercise any of these rights, please contact us using the information provided below.

8. Children's Privacy

Our platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete that information.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of the platform after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

• Email: brett@invitromanager.com