GDPR Privacy Notice (EU/EEA )

Inventrik Pte Ltd (Vouchermatic)
Last Updated: 30 July 2025
Last Reviewed : 30 Jan 2026

1. Introduction

Inventrik Pte Ltd (“Inventrik“, “Vouchermatic“, “we“, “our“, or “us“) is committed to protecting the privacy and personal data processed through our own business operations and, where applicable, personal data processed on behalf of our customers through the Vouchermatic Software-as-a-Service (“SaaS”) platform.

This Privacy Notice explains how we collect, use, disclose, store and protect personal data in accordance with the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR”), together with other applicable data protection laws.

At Inventrik, privacy and information security are fundamental to how we design, build and operate our services. We implement technical and organisational measures designed to safeguard personal data and maintain internationally recognised security standards. Our information security programme includes ISO/IEC 27001 certification, the Singapore Data Protection Trustmark (DPTM), Cyber Essentials Mark certification, together with appropriate technical and organisational security measures designed to protect Personal Data.

Inventrik provides the Vouchermatic platform to organisations worldwide. Vouchermatic is a cloud-based Software-as-a-Service platform that enables organisations to create, manage and administer digital engagement campaigns, including digital vouchers, promotional campaigns, gamification experiences and other customer engagement initiatives.

In most cases, Inventrik generally does not determine the purposes or means of processing campaign participant Personal Data. Instead, we provide the technology platform that enables our customers to operate their campaigns.

Accordingly, Inventrik primarily acts as a Data Processor (also referred to in certain jurisdictions as a Data Intermediary) on behalf of our customers. Our customers determine the purposes and means of processing personal data collected through their campaigns and therefore act as the Data Controllers under the GDPR.

Inventrik acts as a Data Controller only for specific categories of personal data relating to our own business operations, including but not limited to:

  • Employees
  • Job Applicants
  • Website Visitors
  • Existing Customers (authorised users)

Where we process personal data solely on behalf of our customers, we do so only in accordance with instructions provided by those customers and applicable contractual obligations.

This Privacy Notice explains:

  • what personal data we collect;
  • the purposes for which personal data is processed;
  • the lawful bases relied upon under the GDPR;
  • when Inventrik acts as a Data Controller and when we act as a Data Processor;
  • how personal data is protected;
  • how long personal data is retained;
  • the rights available to individuals under the GDPR; and
  • how individuals may contact us regarding privacy-related matters.

We are committed to processing personal data lawfully, fairly and transparently while respecting the rights and freedoms of individuals. 


2. Scope of this Privacy Notice

This Privacy Notice applies to personal data processed by Inventrik in connection with:

  • the Vouchermatic SaaS platform;
  • Employees;
  • Job applicants;
  • Website visitors;
  • Existing customers (for account administration/ troubleshooting);

This Privacy Notice applies to individuals located within the European Economic Area (“EEA”), the United Kingdom and Switzerland, as well as to any other individual whose personal data is processed where the GDPR or equivalent data protection legislation applies.

Where Inventrik may process personal data on behalf of one of our customers through the Vouchermatic platform, that customer is responsible for determining the purposes and legal basis for the processing of such personal data. In these circumstances, the customer’s own privacy notice will govern how personal data is collected and used. Inventrik may process such data solely on behalf of and under the instructions of the relevant customer.

Individuals participating in campaigns operated through Vouchermatic who wish to exercise their privacy rights relating to campaign data—including requests for access, correction, deletion, restriction of processing or data portability—should contact the relevant campaign organiser or customer directly. Inventrik will assist our customers in responding to such requests where required under our contractual obligations and applicable law.

This Privacy Notice does not apply to third-party websites, applications or services that may be linked from our website or integrated with the Vouchermatic platform. Such third-party services operate under their own privacy notices and terms, and we encourage individuals to review those notices before providing personal data.

3. Definitions

For the purposes of this Privacy Notice, the following terms have the meanings set out below. Unless otherwise stated, capitalised terms have the meanings assigned to them under the GDPR.

Personal Data

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable individual is one who can be identified, directly or indirectly, by reference to identifiers such as a name, identification number, online identifier, location data, email address, telephone number, IP address or one or more factors specific to that person’s identity.

Depending on how our customers configure the Vouchermatic platform, Personal Data processed through the platform may include names, email addresses, telephone numbers and gender.

Data Subject

A “Data Subject” is an identified or identifiable individual whose Personal Data is processed.

Examples include:

  • Employees
  • Job applicants

Processing

“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, transmission and deletion.


Data Controller

A Data Controller is the organisation that determines the purposes and means of Processing Personal Data.

The Data Controller decides:

  • why Personal Data is collected;
  • what Personal Data is collected;
  • how long it is retained;
  • who it is shared with; and
  • the legal basis for Processing.

For campaigns operated through the Vouchermatic platform, the campaign organiser or customer is typically the Data Controller.

Inventrik acts as a Data Controller only for Personal Data relating to its own business operations, such as employee records, recruitment activities and website enquiries.


Data Processor

A Data Processor is an organisation that Processes Personal Data on behalf of a Data Controller.

Inventrik primarily acts as a Data Processor by providing the Vouchermatic SaaS platform and associated services.

When acting as a Data Processor, Inventrik:

  • May process Personal Data only under instructions from the relevant Data Controller;
  • Does not determine the purposes for which campaign participant data is collected;
  • Does not sell customer Personal Data;
  • Implements appropriate technical and organisational security measures; and
  • Assists customers in fulfilling their obligations under the GDPR where contractually required.

Data Intermediary

Under certain privacy laws, including Singapore’s Personal Data Protection Act (PDPA), a Data Processor may also be referred to as a Data Intermediary.

For the purposes of this Privacy Notice, the terms Data Processor and Data Intermediary are used interchangeably where appropriate.


Customer

A Customer is any organisation that subscribes to or uses the Vouchermatic platform to operate campaigns.

Customers typically act as Data Controllers for campaign participant Personal Data.


Campaign Participant

A Campaign Participant is an individual who participates in or interacts with a campaign operated through the Vouchermatic platform.


Vouchermatic Platform

The Vouchermatic Platform refers to Inventrik’s cloud-based Software-as-a-Service solution used to create, manage and administer digital engagement campaigns.


Subprocessor

A Subprocessor is a third-party service provider engaged by Inventrik to support the delivery of the Vouchermatic platform while Processing Personal Data on behalf of our Customers.

Inventrik ensures that any appointed Subprocessors are subject to appropriate contractual obligations and security requirements consistent with applicable data protection laws.



4. Our Role Under the GDPR

One of the core principles of the GDPR is that organisations must clearly explain their role when Processing Personal Data. Inventrik recognises that our responsibilities differ depending on the type of Personal Data being processed and the services being provided.

Accordingly, Inventrik may act as either a Data Controller or a Data Processor, depending on the circumstances described below.

4.1 Inventrik as a Data Processor

For the vast majority of Personal Data processed through the Vouchermatic platform, Inventrik acts solely as a Data Processor.

Our Customers use Vouchermatic to operate digital engagement campaigns for their own consumers, members, employees, dealers, distributors or event participants.

Examples include campaigns involving:

  • Digital vouchers;
  • Gift cards;
  • Promotional campaigns;
  • Surveys;
  • Gamification;
  • Digital stamp cards;
  • Customer engagement initiatives.

In these circumstances:

  • the Customer determines why Personal Data is collected;
  • the Customer determines what categories of Personal Data are collected;
  • the Customer determines how long the data should be retained;
  • the Customer determines who may access the data;
  • the Customer determines the legal basis for Processing;
  • Inventrik merely provides the technology platform and associated support services.

Inventrik does not determine the commercial purpose of these campaigns and does not use campaign participant Personal Data for our own marketing, advertising or commercial purposes.


4.2 Our Responsibilities as a Data Processor

When acting as Processor we:

  • process Personal Data only under Customer instructions;
  • maintain appropriate security measures;
  • assist Customers with GDPR obligations where required; and
  • ensure authorised personnel are bound by confidentiality obligations.

Inventrik does not independently decide how campaign participant Personal Data should be used.


4.3 Inventrik as a Data Controller

Inventrik acts as a Data Controller only where we determine the purposes and means of Processing Personal Data relating to our own business operations.

Examples include Personal Data relating to:

  • Employees;
  • Job applicants;
  • Website visitors;
  • Existing customers (for account administration/ troubleshooting);

For these activities, Inventrik determines the purposes, legal basis and retention periods for Processing Personal Data and is responsible for complying with the obligations imposed on Data Controllers under the GDPR.


4.4 Requests Relating to Campaign Data

Because Inventrik generally acts as a Data Processor, Campaign Participants wishing to exercise their GDPR rights in relation to campaign data should contact the relevant campaign organiser or Customer directly.

Such requests may include:

  • Access to Personal Data;
  • Correction of inaccurate information;
  • Deletion of Personal Data;
  • Restriction of Processing;
  • Objection to Processing;
  • Withdrawal of consent (where applicable);
  • Data portability requests.

Where requested by the Customer, Inventrik will provide reasonable assistance to enable the Customer to fulfil its obligations under the GDPR.

Inventrik will not normally respond directly to requests concerning campaign participant data unless authorised or legally required to do so.

5. Personal Data We Collect and Process

The categories of Personal Data processed by Inventrik depend on the nature of the services being provided and whether Inventrik is acting as a Data Controller or Data Processor.

As explained in Section 4, Inventrik primarily acts as a Data Processor for campaign participant data processed through the Vouchermatic platform. Inventrik does not collect campaign participant Personal Data for its own purposes. Such data is processed solely on behalf of our Customers acting as Data Controllers.We also collect and process certain Personal Data as a Data Controller for our own business operations.

The following sections describe the categories of Personal Data that may be processed.


5.1 Personal Data We Collect as a Data Controller

Inventrik acts as a Data Controller only where we determine the purposes and means of processing Personal Data for our own business operations.

The categories of Personal Data we collect are limited to the following:

Process Data Subject Personal Data Types
Recruitment Job Applicants and Internship Applicants Name, email address, contact number, employment history, educational qualifications, professional certifications, achievements and awards, and any other information voluntarily provided as part of a job application. We do not require applicants to provide unnecessary sensitive personal data.
Employee Management Employees Name, date of birth, marital status, gender, residential and postal address, personal email address, mobile number, employment information, emergency contact details, bank account details and other information necessary for employment administration and compliance with legal obligations.
Intern Management Interns Name, date of birth, gender, residential address, postal code, personal email address, mobile number, nationality, school information, emergency contact details, bank account details and other information required for internship administration.
Website Enquiries Website Visitors and Business Contacts Name, company name, business email address, telephone number, and any information voluntarily submitted through our website contact forms, demo request forms or other enquiries.
Customer Account Administration and Technical Support Authorised Customer Users Business contact information, account details, support requests, communication history and limited information required to administer customer accounts and provide technical support or troubleshooting services.

Inventrik collects only the Personal Data that is reasonably necessary for the relevant business purpose and processes such information in accordance with applicable data protection laws.


5.2 Personal Data Processed on Behalf of Our Customers

Inventrik primarily provides the Vouchermatic platform as a Software-as-a-Service (SaaS) solution to organisations operating digital engagement campaigns. In these circumstances, Inventrik acts as a Data Processor and processes Personal Data only on behalf of and in accordance with the instructions of the relevant Customer.

we may process Personal Data including, but not limited to:

  • Name
  • Email address
  • Mobile or telephone number
  • Date of birth
  • Gender

The categories of Personal Data processed vary depending on the Customer’s campaign requirements and the services used. Inventrik processes such Personal Data solely for the purpose of providing, maintaining and supporting the Vouchermatic platform and does not use Customer Personal Data for its own marketing or other independent commercial purposes.


5.3 Special Categories of Personal Data

Inventrik does not intentionally require or collect Special Categories of Personal Data (also referred to as sensitive personal data) for the operation of the Vouchermatic platform.

Customers should only collect such data where it is necessary for their campaign and where they have identified an appropriate lawful basis under applicable data protection laws.

If a Customer chooses to collect Special Categories of Personal Data through the Vouchermatic platform, Inventrik will process such information solely on the Customer’s behalf and in accordance with their instructions.


6. Purposes of Processing and Legal Basis

Where Inventrik acts as a Data Controller, Personal Data is processed based on one or more of the following legal bases:

  • Your consent;
  • Performance of a contract 
  • Legitimate interests pursued by our clients or us
  • Compliance with legal obligations.

Where Inventrik acts as a Data Processor, we process Personal Data solely on behalf of our Customers and in accordance with their instructions. The applicable legal basis for such processing is determined by the relevant Customer acting as the Data Controller.

7. Sharing and Disclosure of Personal Data

Inventrik does not sell Personal Data.

Data may be shared with:

  • Our authorised employees and service providers under strict confidentiality
  • Third-party vendors (e.g. cloud service providers, email gateways)
  • Regulatory authorities, if required by law
7.1 International Data Transfers

We do not intentionally transfer Data outside Singapore unless required to provide our services, instructed by our Customers, or required by law.

Where Personal Data is transferred internationally, Inventrik will implement appropriate safeguards as required under applicable data protection laws.

8. Data Retention

Inventrik retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal or regulatory obligations, or as otherwise required by applicable law.

Where Inventrik acts as a Data Processor, Personal Data is retained in accordance with the instructions of the relevant Customer and the applicable contractual arrangements.

Where Inventrik acts as a Data Controller, Personal Data is retained in accordance with Inventrik’s internal data retention policies and applicable legal requirements.


9. Security of Personal Data

Inventrik implements appropriate technical and organisational measures to protect Personal Data against unauthorised access, disclosure, alteration, loss or destruction.

These measures include administrative, physical and technical safeguards appropriate to the nature of the Personal Data being processed.

Inventrik maintains an Information Security Management System certified to ISO/IEC 27001 and holds the Singapore Data Protection Trustmark (DPTM) and Cyber Essentials Mark certifications.

10. Your Rights Under the GDPR

Where the GDPR applies, you may have the following rights in relation to your Personal Data, subject to applicable legal limitations:

  • The right to access your Personal Data;
  • The right to request correction of inaccurate or incomplete Personal Data;
  • The right to request erasure of your Personal Data;
  • The right to request restriction of processing;
  • The right to object to processing;
  • The right to request data portability, where applicable; and
  • Where processing is based on your consent, the right to withdraw your consent at any time.

Where Inventrik acts as a Data Processor, requests relating to Personal Data processed on behalf of our Customers should be directed to the relevant Customer acting as the Data Controller. Inventrik will assist our Customers in responding to such requests where required under applicable law or contractual obligations.


11. Cookies and Similar Technologies

Our website uses cookies to improve your browsing experience. The cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use our website generally, recognize your repeat visits and preferences, as well as to measure and analyse traffic.

These cookies will be stored in your browser only with your consent. By clicking “Accept” on our cookie banner, or if you continue to explore our site without changing your cookie settings (link provided in the cookie banner), you consent to the use of cookies on our website. You also have the option to opt-out of these cookies by changing your cookie settings anytime. But opting out of some of these cookies may have an effect on your browsing experience.

12. Contact Us

DATA PROTECTION OFFICER

You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:

DPO:
Name: Neha Lad
Email: [email protected]
DID: +65 66567724

13. Complaints

If you have any complaint relating to how we manage your personal data, you may send it to us via the email address above using the Personal Data Complaint & Action Form >> Personal Data Complaint & Action Form


14. Changes to this Privacy Notice

We may update this Privacy notice from time to time. Changes will be posted on this page with the updated date. Continued use of our services after changes take effect constitutes your agreement to the revised policy