Privacy Policy
Last updated: June 19, 2026
Inni ("we", "us", or "our") operates the website and application at inni.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under applicable law including the General Data Protection Regulation (GDPR).
By using Inni you agree to the collection and use of information in accordance with this policy. If you are using Inni on behalf of an organisation, you confirm that you have authority to agree to these terms on its behalf.
1. Who is the data controller?
Inni is a product operated by Andreality S.L. (Tax ID B-10663193), Pasaje Dr. Bartual Moret 8, 46010 Valencia, Spain, which is the data controller for personal data processed through Inni. You can reach us at hello@inni.com.
2. Data we collect
Account and profile data
When you register we collect your name, email address, and a hashed password. If you invite team members we also store their email addresses and role assignments.
Brand and shop data
You may provide us with information about your brand including its name, logo, colour palette, fonts, products, variants, and collections. This information is used solely to power your branded shop and the 3D design studio.
Customer design data
When a customer creates a design in the 3D studio we store the artwork, text, colours, placement, and product configuration that make up that design. Designs are held within the brand workspace they belong to and are used exclusively to render previews, produce print-ready output, and fulfil orders.
Order data
When an order is placed we store the items ordered, the associated designs, selected variants and sizes, order status, and any fulfilment details needed to process and deliver the order. Order data is held within the brand workspace and used solely to operate and track orders on your behalf.
Uploaded media and assets
Images, logos, artwork, and other media files you upload are stored in our cloud object storage (Cloudflare R2) under a per-brand prefix. Files are accessible only to authenticated members of your brand workspace and, where applicable, to customers designing within that brand's studio.
Usage and log data
We collect server access logs (IP address, browser user-agent, page visited, timestamp) for security, debugging, and abuse prevention. Log data is retained for 90 days.
Cookies and analytics
We use first-party session cookies essential for authentication. With your consent (via our cookie-consent banner) we may also load Google Analytics (GA4) to understand aggregate usage patterns. GA4 data is anonymised and no cross-site tracking occurs. You can withdraw consent at any time via the cookie settings link in the footer.
Contact form submissions
If you contact us through our website form we store your name, email, subject, message, IP address, and browser user-agent. This data is used only to respond to your enquiry and is deleted after 24 months.
3. Studio and rendering processing
Inni's 3D design studio runs in the browser to render products and designs in real time. To deliver and fulfil orders, we generate print-ready files from the designs customers create. Your brand assets (logos, artwork, fonts) and customer designs may be processed by our rendering and storage infrastructure solely to produce previews, print-ready output, and shop pages. We do not use your designs or brand assets for any purpose beyond operating the Service for you.
4. Third-party services and sub-processors
We engage the following sub-processors. Each is GDPR-compliant or operates under appropriate transfer safeguards (e.g. EU Standard Contractual Clauses):
- Hetzner Online GmbH — application hosting and database (Germany, EU)
- Cloudflare — object storage (R2), content delivery (CDN), DNS, and bot protection (Turnstile)
- Resend — transactional email delivery
- Google — optional analytics (GA4)
- Sentry — application error monitoring
We do not sell, rent, or share your personal data with any third party for advertising purposes.
5. Legal bases for processing
- Contract performance — processing necessary to deliver the service you subscribed to.
- Legitimate interests — security logging, abuse prevention, and product improvement analytics (aggregated).
- Consent — optional analytics cookies; you can withdraw at any time.
- Legal obligation — retaining records where required by applicable law.
6. Data retention
We retain account data for as long as your account is active plus 60 days after deletion to allow recovery. Customer designs and order data are retained for as long as the brand workspace is active, unless you remove them. Uploaded media is deleted when you explicitly remove it or when the brand workspace is deleted. Log data is purged after 90 days. Contact-form submissions are deleted after 24 months.
7. Data transfers
Inni's application servers and primary database are hosted in the European Union (Hetzner, Germany). Some sub-processors listed above (e.g. Google, Cloudflare) may process data outside the European Economic Area (EEA). Where required, such transfers are governed by Standard Contractual Clauses approved by the European Commission.
8. Your rights (GDPR)
Under GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time where consent is the legal basis.
To exercise any of these rights email hello@inni.com with the subject line "Data Rights Request". We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
9. Security
We implement appropriate technical and organisational measures to protect your data, including TLS in transit, encryption at rest for sensitive credentials, access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
10. Children
Inni is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you by email or by a prominent notice within the application when we make material changes. The "Last updated" date at the top of this page will always reflect the most recent revision.
12. Contact
Questions about this policy? Email us at hello@inni.com or write to us at Andreality S.L., Pasaje Dr. Bartual Moret 8, 46010 Valencia, Spain.