Privacy Notice

Version 1.0 — Effective from 3 May 2026. Last updated: 2026-05-03.

1. Who We Are

VentReport is a platform for EN 15780:2025 Annex J grease-duct cleaning compliance. This Privacy Notice applies to VentReport (ventreport.com) and describes how we process your personal data.

Data Controller

Gilanpour Development AB · Org. nr 559265-4676

Address: Elektravägen 53, 126 30 Hägersten, Sweden Contact: via the contact form (no email or telephone contact channel — all enquiries are routed through the form so they reach the right responder and are logged for audit).

We are based in the European Union and operate under GDPR and Swedish data-protection regulations.

2. What Personal Data We Process

We process different categories of personal data depending on how you use VentReport. Below is a summary; the detailed lawful basis for each category is in Section 3.

Identity and account data. When you sign up, we collect your email address, full name, country, phone number (optional), and job title. We also store your language preference and any signature image you upload for compliance documents.

Compliance and inspection records. When your organisation performs a grease-duct inspection or cleaning, VentReport stores inspection results, WFFT measurements (in micrometres), photos of ductwork, schematic annotations, and cleaning reports. If you sign a cleaning report, your name, signature image, and timestamp are recorded and become part of the permanent compliance record.

Access and activity logs. Every time you or anyone else opens a cleaning report, inspection record, or photo in VentReport, we log who accessed it, when, from which device, and their IP address. This is part of the compliance audit trail. Even access by our support team is logged.

Photos and images. Compliance photos may incidentally capture people (kitchen staff, technicians) in the background. We strip EXIF metadata (GPS, device serial number, photographer name) from every photo before storing it. We retain un-stripped original photos in secure cold storage for audit and legal purposes.

Technical and usage data. We use analytics and performance monitoring to understand how you use VentReport. This includes page views, feature usage, browser type, device type, and anonymised IP addresses. You can opt in or out of analytics via Cookie Preferences.

Geolocation (map display). If you choose to display a Site location on a map, we request your device's location permission and show the location on screen. We do not retain geolocation data after you close the map view.

VAT verification data. When you register a Company on VentReport and click "Verify VAT", we transmit your Company's VAT identification number to the EU VIES (VAT Information Exchange System) service as both the subject and the requester. VIES is a third-party service operated by the European Commission. Your VAT number and the verification result are logged for audit purposes.

Consent and preference records. We record your choices about analytics and marketing cookies, including when you grant or withdraw consent, which categories you enable, and which browser/session context the choice was made in.

3. Why We Process Your Data — Lawful Basis

Under GDPR, we must have a lawful basis for every processing activity. Here is the basis for each category:

Special note on EN 15780 and legal obligation

Cleaning reports and all supporting documentation are retained under the legal obligation in EN 15780:2025 Annex J. Most EU member states also have national fire-safety regulations (Sweden: SBF / LSO, Norway: brannvernloven, etc.) that mandate retention of ventilation cleaning records for 10+ years. You cannot request deletion of cleaning reports because they are evidence of compliance with legal fire-safety duties. Once a Site's compliance period expires, records are automatically archived per local law.

4. Where Your Data Is Stored and Sub-Processors

Data hosting. VentReport is hosted on Supabase, a PostgreSQL cloud platform in Stockholm, Sweden (EU region). Your personal data and compliance records are stored in the European Union and do not leave the EU during normal operation.

Sub-processors (third-party services). We work with the following third-party services that may process your personal data:

• Supabase — primary database, authentication, and session storage (EU hosted)
• Google Analytics 4 — website analytics (US hosted, transfers under SCCs + Schrems II TIA)
• Microsoft Clarity — session replay and heatmaps (US hosted, transfers under SCCs + Schrems II TIA)
• Google Ads — conversion tracking on the marketing site (US hosted, transfers under SCCs + Schrems II TIA)
• VIES (EU Commission) — VAT validation (EU hosted)
• Resend (EU region) — transactional email (magic-link, reminders, notifications), EU-hosted
• Cloudflare R2 (EU jurisdiction) — object storage for logos, signatures, photos, PDFs
• Anthropic (US) — AI provider for the in-app support assistant and translation tooling. Prompts are retained by Anthropic for up to 30 days for abuse-prevention and are not used to train models. US-hosted with SCCs + Schrems II TIA for transfers.

For a detailed sub-processor list with data-sharing details and transfer mechanisms, see /legal/subprocessors.

5. International Data Transfers

Some of our sub-processors are based in the United States. Under GDPR, transferring personal data to countries outside the EU requires legal safeguards. We rely on:

• Standard Contractual Clauses (SCCs) — contractual terms approved by the EU that obligate US processors to protect your data as if it were in the EU
• Schrems II Transfer Impact Assessment (TIA) — a documented review of each US processor's exposure to US surveillance law (FARA, CFAA, US Cloud Act, etc.) to ensure adequate safeguards exist

Important. You understand that US sub-processors may be compelled by US law to disclose your data to US government agencies. While we have negotiated SCCs to limit this risk, transfers to the US carry inherent risk that cannot be entirely eliminated. If you object to this risk, you may disable analytics and marketing cookies via Cookie Preferences, which will prevent data from being sent to US destinations.

6. Your Data Protection Rights

Under GDPR, you have the following rights. To exercise any of these, contact us via the contact form.

Right to access (DSAR). You can request a copy of all personal data we hold about you in machine-readable format (JSON export). To request: visit your user profile and click "Export My Data" or use the contact form.

Right to rectification. You can correct inaccurate personal data (your name, email, phone number, company details). To do so: edit your profile directly in VentReport or use the contact form.

Right to erasure (deletion). You can request deletion of your account and personal data. Exception: cleaning reports, inspection records, and compliance signatures cannot be deleted because they are evidence of legal compliance with fire-safety regulations. These records are instead anonymised (your name replaced with a hash). Non-compliance data (your email, phone, preferences) is deleted 24 months after account termination. To request deletion: use the contact form.

Support tickets. If you have used our support system, the tickets you were part of are a shared record between you and our support team. When you delete your account we remove your identity from those tickets (your name and contact details are erased and you appear as "Former user"), but the ticket history is retained in this pseudonymised form so that the other people on the ticket keep their record of the conversation and so we can establish, exercise, or defend legal claims (GDPR Art. 17(3)(e)). Pseudonymised support tickets are deleted 24 months after the ticket is resolved.

Right to restrict processing. You can ask us to pause processing of your data in certain circumstances (e.g. while you dispute accuracy). Use the contact form with details.

Right to data portability. You can request your personal data in a portable format (JSON) that you can transfer to another service. Use the "Export My Data" feature or the contact form.

Right to object. You can object to processing of your data for marketing or profiling purposes. You can always opt out of analytics and marketing cookies via Cookie Preferences.

Right to withdraw consent. If we are processing your data based on your consent (analytics, marketing, geolocation), you can withdraw consent at any time via Cookie Preferences or by contacting us. Withdrawal does not affect the lawfulness of processing before you withdrew consent.

7. Photos and Incidental Biometric Data

Compliance photos taken in commercial kitchens may incidentally capture people (kitchen staff, technicians, cleaners) in the background. Under GDPR Article 9, this is potentially "biometric data" if faces are visible and identifiable.

Our approach:

• We do not perform facial recognition or biometric analysis on photos.
• Photos are treated as evidence of compliance and retained under Art. 6(1)(c) legal obligation.
• Access to photos is restricted to: SiteAdmins, the cleaning contractor Company, and the platform support team (with access logged).
• EXIF metadata is stripped to prevent location and device-identity leakage.
• If you are incidentally captured in a compliance photo, you have the right to request blurring or anonymisation before the photo is stored. Use the contact form.

Lawful basis: Art. 6(1)(c) legal obligation to retain compliance evidence + legitimate interest in operational safety. Art. 9 does not prohibit this processing because it is necessary to comply with fire-safety regulations and does not involve automated decision-making about you.

8. Automated Decisions and Profiling

VentReport includes a "next due" calculation that suggests when the next grease-duct cleaning should be performed, based on EN 15780:2025 Annex J accumulation-rate analysis (J.19). This is a recommendation only, not a binding automated decision.

Key points:

• The next-due calculation is a mathematical model, not profiling about you personally.
• You are always free to override the recommendation and schedule cleaning on your own timetable.
• We do not use the next-due calculation to deny you access to any service or to make other automated decisions about you.
• A human (SiteAdmin, facility manager) always reviews and acts on the recommendation before any cleaning is booked.

If you have concerns about this recommendation or want to discuss the calculation method, contact us via the contact form.

9. Cookies, Analytics, and Tracking

VentReport uses cookies and tracking technologies in two forms: strictly necessary (always on) and optional (requires your consent).

Strictly necessary cookies (always enabled):

• Session cookies (to keep you logged in)
• CSRF tokens (to prevent cross-site attacks)
• Rate-limit fingerprints (to prevent abuse)
• PWA offline cache (so the app works without internet)

Optional tracking (requires consent):

• Analytics — Google Analytics 4 and Microsoft Clarity track page views, feature usage, and user behaviour to help us improve the product. Default: off. You can enable/disable via Cookie Preferences.
• Marketing — Google Ads, Meta Pixel, and LinkedIn Insight Tag track conversions on the marketing site (ventreport.com landing page). Default: off. Only affects marketing-site visitors, not app users.
• Personalisation — reserved for future use. Currently: off.

Change your preferences: Click the "Cookie Preferences" link in the footer or open the cookie banner at the bottom of the page. Your choices are saved in our database (ConsentRecord) so they persist even if you clear your browser cookies.

10. Platform Team Access and SuperAdmin Disclosure

VentReport has a platform team (developers, support staff, and administrators) with elevated access to all data for support and security purposes.

What the platform team can do:

• Read your personal data, compliance records, and cleaning reports to help troubleshoot issues or investigate abuse.
• Read platform strings and copy from any rendered page and edit them in place via a right-click overlay (SuperAdmin translation authoring). Any such edits are logged.
• Cannot modify, delete, or forge compliance records.
• Cannot access your password or session tokens directly (authentication is cryptographically secured).

Logging and audit:

• Every time a SuperAdmin reads a cleaning report, the access is logged in the report's audit trail with access_kind = 'super_admin'.
• You can see all accesses to your reports (including SuperAdmin reads) on the report's Access Log.
• All SuperAdmin write actions (including string edits via the overlay) are audit-logged and reviewed externally on a quarterly cadence.
• Geographic location of SuperAdmin sign-ins (EU vs. outside EU/EEA) is flagged in the access log.

Transparency. By accepting the Terms of Use, you acknowledge that the platform team may access your data for support purposes and that all such accesses are logged and visible to you.

11. Data Protection Contact

Under GDPR Article 37, a formal Data Protection Officer is only mandatory for controllers whose core activities involve large-scale, regular and systematic monitoring of data subjects or large-scale processing of special-category data. Gilanpour Development AB does not currently meet that threshold, so no formal DPO has been appointed. Data-protection responsibility sits with the controller.

Data-protection contact:

Behrang Gilanpour (controller / publisher / GDPR contact) Gilanpour Development AB · Org. nr 559265-4676 Elektravägen 53, 126 30 Hägersten, Sweden Via the contact form only.

You can use the contact form to discuss any data-protection concerns, request a review of our processing activities, or report a suspected data breach. We will re-evaluate the DPO threshold as processing scales — if it changes, this section will be updated and a re-acceptance prompt will be issued.

12. Your Right to Lodge a Complaint

If you believe we have violated your data-protection rights, you can lodge a complaint with the supervisory authority in your country. For residents of Sweden:

Integritetsskyddsmyndigheten (IMY) — Swedish Authority for Privacy Protection

Website: www.imy.se Email: imy@imy.se Phone: +46 8 657 61 00

Complaints can also be lodged with the data-protection authority in any other EU member state where you reside or where the processing occurs.

13. Data Breach Notification

If a data breach occurs (unauthorised access, loss, or damage to personal data), we will:

1. Notify the relevant supervisory authority within 72 hours (as required by GDPR Article 33).
2. Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms (as required by GDPR Article 34).
3. Document the breach and our response for regulatory review.

If you believe a breach has occurred, please report it immediately via the contact form and mark the subject as "Security / data breach" so it reaches the controller without delay.

14. Changes to This Privacy Notice

We may update this Privacy Notice if our processing practices change. Substantial changes (new processing category, new sub-processor, new retention period) will trigger a re-acceptance prompt when you next log in. You can choose to accept the new terms or decline — declining does not lock you out of existing records, but you cannot perform new data-writing actions until you accept.

Editorial changes (typo fixes, formatting improvements) do not require re-acceptance.

The "effective date" at the top of this page indicates when the current version came into force. For a history of changes, use the contact form.

15. Contact Us

If you have questions about this Privacy Notice or how we process your data:

Controller: Gilanpour Development AB · Org. nr 559265-4676 Mailing address: Elektravägen 53, 126 30 Hägersten, Sweden Contact channel: the contact form (we do not maintain a separate email or telephone contact line — the form routes requests to the controller and logs them for audit).

We aim to respond to all GDPR requests within 30 days.

← Back to home · Terms of Use →