Privacy Policy
Last updated: March 2026
This Privacy Policy explains how [VANIMT LEGAL NAME] ("Vanimt", "we", "us") collects, uses, and protects your personal data when you use our AI assistant platform. We act as a data processor on behalf of your employer or organisation (the data controller) and as a data controller for account-level data we hold directly.
This policy complies with the EU General Data Protection Regulation (GDPR) and the EU AI Act.
1. Data Controller
[VANIMT LEGAL NAME] [Registered address] [Registration number]
Contact: privacy@vanimt.com
A Data Protection Officer (DPO) has not been appointed as our core activities do not constitute large-scale systematic monitoring of individuals. Questions about data protection can be directed to the contact above.
2. What Data We Collect and Why
| Data | Purpose | Legal basis |
|---|---|---|
| Email address and display name (from Google or Microsoft sign-in) | Create and identify your account | Contract performance — Art. 6(1)(b) |
| Chat messages and questions | Deliver AI-generated responses from your organisation's knowledge base | Contract performance — Art. 6(1)(b) |
| Session metadata (timestamps, session IDs, titles) | Display your conversation history | Contract performance — Art. 6(1)(b) |
| Usage metrics (query counts per user per month) | Enforce subscription rate limits | Contract performance — Art. 6(1)(b) |
| Security and audit logs (IP address, access events, error events) | Detect and prevent abuse; maintain system security | Legitimate interests — Art. 6(1)(f) |
We do not collect sensitive categories of personal data (Art. 9 GDPR). We do not use your data for advertising or sell it to third parties.
3. AI-Generated Responses — EU AI Act Transparency
Vanimt uses AI systems to generate responses to your queries. Specifically:
- Responses are generated by Google Gemini (a general-purpose AI model) via Google Cloud Vertex AI.
- Retrieval results are provided by Google Vertex AI Search, which indexes your organisation's uploaded knowledge base documents.
- AI responses are informational only. No automated decisions with legal effects or similarly significant impacts are made about you based on AI outputs (GDPR Art. 22; EU AI Act Art. 50).
- Vanimt is classified as a Limited Risk AI system deployer under the EU AI Act. We comply with transparency obligations by disclosing the AI nature of responses in the product interface.
Your organisation's data is not used to train AI models. Google's Vertex AI terms confirm that customer data submitted via the API is not used to train or improve Google's foundation models. See Google Cloud Vertex AI data governance.
4. Sub-Processors
We share data with the following sub-processors to operate the service:
| Sub-processor | Data shared | Location | Basis for transfer |
|---|---|---|---|
| Google Firebase Authentication | Email, UID, sign-in timestamps | United States | Standard Contractual Clauses (Google Cloud DPA) |
| Google Firestore | All stored application data (sessions, messages, profiles) | EU (europe-north1, Finland) | Within EEA — no transfer |
| Google Cloud Vertex AI (Gemini) | Chat messages, session history, system prompts | EU (europe-west1, Belgium) | Within EEA — no transfer |
| Google Cloud Vertex AI Search | Document content, search queries | EU (eu multi-region) | Within EEA — no transfer |
| Google Cloud Storage | Uploaded knowledge base documents | EU (europe-north1, Finland) | Within EEA — no transfer |
| Stripe | Billing events, subscription metadata | United States | Standard Contractual Clauses (Stripe DPA) |
Google Firebase Authentication is the only service that processes personal data outside the EEA. This transfer is governed by the Standard Contractual Clauses (Module 2: Controller to Processor) incorporated into the Google Cloud Data Processing Addendum. You can review Google's sub-processor list at cloud.google.com/terms/subprocessors.
5. Data Retention
| Data type | Retention period |
|---|---|
| Chat sessions and messages | 24 months from the date of creation, then automatically deleted |
| Account profile (email, display name) | Until account deletion |
| Usage metrics | 24 months rolling |
| Security and audit logs | 12 months |
| Billing records | 7 years (legal obligation) |
When your organisation's subscription ends or you request deletion, all personal data is deleted within 30 days, except where we are required to retain records by law.
6. Cookies
We use the following cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| __session | Authentication — stores your signed session token | 15 minutes (refreshed automatically) | Strictly necessary |
| NEXT_LOCALE | Stores your language preference | 1 year | Functional |
No advertising, tracking, or analytics cookies are used.
7. Your Rights Under GDPR
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate personal data.
- Right to erasure (Art. 17) — request deletion of your personal data. We will action this within 30 days.
- Right to restriction of processing (Art. 18) — request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20) — receive your personal data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Rights related to automated decision-making (Art. 22) — as stated above, we do not make automated decisions with legal effects about you.
To exercise any of these rights, contact us at privacy@vanimt.com. We will respond within 30 days. There is no charge for exercising your rights.
8. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. Depending on your country of residence:
- Sweden — Integritetsskyddsmyndigheten (IMY) — imy@imy.se
- Denmark — Datatilsynet — dt@datatilsynet.dk
- Norway — Datatilsynet — postkasse@datatilsynet.no
- Other EU/EEA countries — find your national authority at edpb.europa.eu
We would, however, appreciate the opportunity to address your concern before you contact a supervisory authority.
9. Changes to This Policy
We will notify registered users of material changes to this policy by email or in-product notification at least 30 days before the changes take effect.
10. Contact
Data protection enquiries: privacy@vanimt.com
[VANIMT LEGAL NAME] [Registered address]