Privacy policy

Last updated: 3 July 2026

1. Who we are

Vanadio is a product of Vanilla Steel GmbH ("we", "us"). We are the controller for the processing described in sections 3 and 4, and a processor for the processing described in section 5.

Vanilla Steel GmbH
Schönhauser Allee 36
10435 Berlin, Germany
Commercial register: Amtsgericht Charlottenburg, HRB 218619 B
Email: privacy@vanadio.ai

2. What Vanadio does

Vanadio is software for industrial-materials businesses. It classifies incoming business email (for example requests for quotation, orders, claims, and call-offs), extracts structured line items from inquiries, and supports the quoting workflow. It is offered to business customers, not to consumers.

3. Data processed when you visit this website

This website sets no cookies and uses no tracking or analytics services. We do not profile visitors.

When you access the site, our hosting provider processes the technical data your browser transmits (IP address, date and time of the request, requested page, browser type) in server logs. This processing is necessary to deliver the site securely and is based on our legitimate interest (Art. 6(1)(f) GDPR). Log data is retained only as long as needed for security and operations.

Fonts are served from our own server. No requests are made to third-party font services when you visit this site.

4. Data processed when you contact us

If you email us, we process your name, email address, and the content of your message to handle your request (Art. 6(1)(b) and (f) GDPR). We keep correspondence as long as needed to handle the matter and to meet statutory retention duties.

5. Data processed in the Vanadio platform and Outlook add-in

When a customer connects Vanadio to their Microsoft 365 environment, Vanadio accesses mailbox data through Microsoft APIs with the consent of the customer's administrator and within the permissions granted in Microsoft Entra ID (Azure AD). Access to mailbox content is read-only. Emails stay in the customer's mailbox; we do not store the original messages.

For this processing we act as a processor on behalf of our customer (the controller) under a data processing agreement pursuant to Art. 28 GDPR. Details, including the categories of data, are defined in the DPA. In summary:

  • Purpose: classification of incoming email, extraction of structured data from business inquiries, and support of the customer's quoting workflow.
  • Categories of data: email metadata (sender, recipient, timestamps, subject) and the content of business correspondence, which may contain contact details of the customer's business partners.
  • Hosting: all processing takes place on servers in the European Union.
  • No third-party LLMs: customer content is not sent to third-party large-language-model providers.
  • No training for others: customer data is never used to train or improve models made available to other customers.
  • Tenant separation: each customer's data is strictly separated.

If you are an employee or business partner of one of our customers and have questions about this processing, please contact the customer (the controller) first; we support them in answering data-subject requests.

6. Sub-processors and recipients

We use a small number of service providers under Art. 28 GDPR contracts. All sub-processors used for customer content are located in the EU or process data exclusively in the EU. The current list of sub-processors is available on request via privacy@vanadio.ai and is annexed to the DPA.

We do not sell personal data and do not share it for advertising purposes.

7. Retention and deletion

We keep personal data only as long as needed for the purposes above or as required by law. For platform data, retention is governed by the DPA: on termination of the agreement, customer data is returned or deleted in line with our deletion concept per GDPR.

8. Security

We apply technical and organizational measures appropriate to the risk, including encryption in transit and at rest, strict tenant separation, role-based access controls, and logging. More detail is on our security page. ISO 27001 certification is in progress.

9. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing based on legitimate interests. You can reach us at privacy@vanadio.ai. You also have the right to lodge a complaint with a supervisory authority; the authority competent for us is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Berlin, Germany.

10. Changes to this policy

We update this policy when our processing or the legal framework changes. The date at the top shows the latest revision.