Privacy Policy

Last updated: 25 April 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

Franco Consulting GmbH
Maria-Theresia-Straße 17
89331 Burgau
Germany

Phone: +49 8222 4183998
Email: kontakt@franco-consulting.com
Website: https://vantero.chat

Managing Directors: Kilian Franco and Lukas Kraus
Commercial Register: Amtsgericht Memmingen, HRB 20230
VAT ID: DE358098950

2. Overview of Data Processing

Vantero is an AI-powered chat and productivity platform that provides access to various large language models through a unified interface. The platform is offered as a web application and as a mobile app (iOS/Android). Personal data is processed during use insofar as this is necessary to provide the service, ensure security, and fulfil legal obligations.

3. Categories of Personal Data

In the course of using Vantero, we process the following categories of personal data:

a) Account Data

  • Email address (for registration, login, and communication)
  • First and last name (optional, for personalisation)
  • Profile picture (optional, uploaded or imported from Google account)
  • Password hash (when registering with a password; the password itself is not stored)
  • Selected plan and team membership
  • Preferred language setting (German/English)

b) Usage Data

  • Chat histories and message content
  • Uploaded documents and files (in knowledge management)
  • Created assistants, presentations, and documents
  • Token consumption and model usage (for billing purposes)
  • Selected AI model and data zone per request
  • Workspace and project structure

c) Technical Data (Log Data)

  • IP address
  • Date and time of access
  • Browser type and version or app version
  • Operating system
  • User agent string
  • Referrer URL (for website access)

d) Payment Data

  • Transaction data (order ID, transaction ID, amount, payment method)
  • Billing address, name, payment status, tax information, and purchase metadata (processed directly by Creem as Merchant of Record; we only receive the status and reference data necessary for contract fulfilment and team assignment)

4. Legal Bases for Processing

The processing of your personal data is based on the following legal grounds:

a) Performance of Contract (Art. 6(1)(b) GDPR)

The processing of account data, chat content, uploaded documents, and usage data is necessary for the performance of the user agreement (provision of the AI platform). This includes in particular:

  • Creation and management of your user account
  • Processing your inputs through the selected AI models to generate responses
  • Storage of chat histories and documents
  • Management of teams and workspaces
  • Billing of token consumption
  • Sending transactional emails (login links, password resets, verification)

b) Legitimate Interests (Art. 6(1)(f) GDPR)

Based on our legitimate interests, we process data for the following purposes:

  • Ensuring IT security and platform stability
  • Detection and prevention of abuse (rate limiting, fraud detection)
  • Logging of access for troubleshooting (log data)
  • Improvement and further development of the service (based on aggregated, anonymised usage statistics)

c) Consent (Art. 6(1)(a) GDPR)

We obtain consent where legally required, in particular for:

  • Login via Google OAuth (processing of profile data by Google)
  • Optional transfer of data to data zones outside the EU ("USA" data zone)

Consent may be withdrawn at any time with effect for the future.

d) Legal Obligation (Art. 6(1)(c) GDPR)

Where we are subject to statutory retention obligations (e.g. tax law retention periods for billing data), we process your data on this basis.

5. Authentication and Login Methods

Vantero offers the following login methods:

a) Email and Password

When registering with email and password, your password is stored exclusively as a cryptographic hash. The plaintext password is never stored. You will receive a verification email to confirm your email address.

b) Magic Link (Email Login Link)

When using the magic link method, you receive a one-time login link by email that expires after 10 minutes. No password is required or stored.

c) One-Time Password (OTP) for the Mobile App

In the mobile app, a six-digit one-time code can alternatively be requested by email, which expires after 10 minutes.

d) Google OAuth

When logging in via Google, your name, email address, and, where applicable, your profile picture are transmitted to us by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The use of Google OAuth is based on your consent (Art. 6(1)(a) GDPR). Google's privacy notice: https://policies.google.com/privacy.

The authentication solution is based on Better Auth, an open-source library that runs entirely on our own infrastructure. No authentication data is transmitted to external third-party services (except to Google when using Google OAuth).

6. Data Storage and AI Data Zones

a) Storage Location of User Data

All persistent user data (account data, chat histories, documents, workspace data, assistants) is stored on servers operated by IONOS SE in Frankfurt am Main, Germany. No replication of this data occurs outside of Germany.

b) AI Data Zones

Vantero offers a data zone model in which you can choose the geographic region where your AI requests are processed. The data zone is determined by the selected AI model. Only the chat input (prompt) and any attached files are transmitted to the respective AI provider – no account data, email addresses, or other master data.

Data Zone | Provider | Server Location | Legal Basis for Transfer
Germany | IONOS SE, STACKIT (Schwarz IT KG) | Frankfurt a.M., Heilbronn (DE) | No third-country transfer
France | Mistral AI SAS | Paris (FR) | No third-country transfer (EU)
Europe | Microsoft (Azure), Amazon Web Services, Google Cloud | EU regions (DE, FR, BE, FI) | No third-country transfer (EU Data Boundary)
USA | Perplexity AI, Inc. | USA | EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR; EU-US Data Privacy Framework where applicable

Processing in the "USA" data zone only occurs if you actively select a model from that zone. Without an active model selection, only models from the "Germany" zone are used.

7. Data Transfers to Third Countries

A transfer of personal data to third countries (countries outside the EU/EEA) only takes place in the following cases:

a) "USA" Data Zone (Perplexity AI)

When selecting an AI model from the "USA" data zone, your chat inputs are transmitted to Perplexity AI, Inc. (registered office: San Francisco, USA). The transfer is safeguarded by the following guarantees:

  • EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR as set out in Commission Implementing Decision (EU) 2021/914
  • Additional technical and organisational measures (encryption during transmission and processing)
  • Where Perplexity AI is certified under the EU-U.S. Data Privacy Framework (DPF) pursuant to Adequacy Decision (EU) 2023/1795, the transfer may additionally be based on Art. 45 GDPR

Only the chat input data (prompt content) is transmitted. Account data, email addresses, or other master data is not shared with Perplexity AI.

b) Google OAuth

When using Google login, a connection is established with Google servers. While Google Ireland Limited is based in the EU, it may transfer data to Google LLC in the USA. The transfer is safeguarded by the adequacy decision for the EU-U.S. Data Privacy Framework and by SCCs.

8. Data Processors and Recipients

We engage the following data processors to provide our service, with whom data processing agreements (DPAs) pursuant to Art. 28 GDPR have been concluded:

Service Provider | Purpose | Registered Office / Processing Location
IONOS SE | Hosting, database, AI model inference (DE zone), file storage | Elgendorfer Str. 57, 56410 Montabaur, DE / DC Frankfurt a.M.
Schwarz IT KG (STACKIT) | AI model inference (DE zone) | Stiftsbergstraße 1, 74172 Neckarsulm, DE / DC Heilbronn
Mistral AI SAS | AI model inference (FR zone) | 15 rue de Vaugirard, 75006 Paris, FR
Microsoft Ireland Operations Ltd. (Azure) | AI model inference (EU zone) | One Microsoft Place, Dublin 18, IE / EU regions
Amazon Web Services EMEA SARL | AI model inference (EU zone, Amazon Nova & Bedrock) | 38 Avenue John F. Kennedy, L-1855 Luxembourg / EU regions
Google Ireland Ltd. (Google Cloud / Vertex AI) | AI model inference (EU zone), image generation | Gordon House, Barrow Street, Dublin 4, IE / EU regions
Perplexity AI, Inc. | AI model inference with web search (US zone) | San Francisco, CA, USA
Armitage Labs OU (Creem) | Payment processing as Merchant of Record, subscription management, invoicing, tax handling | Telliskivi Street 57b/1, Tallinn 10412, EE
Supabase, Inc. | File storage (chat attachments, profile pictures) | San Francisco, CA, USA (storage region: EU)

Only data necessary for the respective purpose is transmitted to the listed data processors. No disclosure to other third parties takes place unless we are legally obligated to do so.

9. No Training with User Data

Your inputs (prompts), chat histories, and uploaded documents are used exclusively to generate the AI response you have requested. No training, fine-tuning, or other machine learning takes place with your data – neither by us nor by the AI providers we use.

This applies to all available AI models across all data zones. We have concluded contractual agreements with all AI providers that prohibit the use of transmitted data for training purposes.

10. AI-Generated Content and Transparency (EU AI Act)

Pursuant to Art. 50(4) of Regulation (EU) 2024/1689 ("EU AI Act", in force since 1 August 2024, transparency obligations applicable since 2 August 2025), we inform you of the following:

  • All responses you receive through Vantero are generated by artificial intelligence (Large Language Models).
  • AI-generated content may contain errors, inaccuracies, or so-called "hallucinations". You should not accept AI responses as facts without independent verification.
  • When using the image generation feature, the generated images are created entirely by AI.
  • When the "web search" function is enabled (available with certain models), the AI models search the internet and summarise results. Sources are cited as references where provided by the model.

Vantero is a technical platform providing access to AI models. The AI systems accessible through Vantero are classified as general-purpose AI systems pursuant to Art. 51 et seq. EU AI Act. The providers of these models bear responsibility as AI model providers within the meaning of the regulation. As the deployer, we fulfil the transparency obligations incumbent upon us, inter alia through this privacy policy.

No automated individual decision-making within the meaning of Art. 22 GDPR takes place via Vantero. All AI responses are to be understood as assistance and do not constitute legally binding statements.

11. Cookies, Local Storage, and Similar Technologies

Vantero currently uses only technically necessary cookies and storage-like technologies required for the operation of the website, login, security, language selection, and interface functions explicitly triggered by you. Third-party analytics, advertising, and marketing technologies are not currently active.

You can access current information about these technologies at any time via the "Privacy Settings" link or button. We also provide our consent management for future optional categories there.

Technology | Purpose | Duration | Legal Basis / Necessity
__Secure-vantero.session_token / vantero.session_token / __Secure-vantero-staging.session_token / vantero-staging.session_token | Authentication, session management, protection of restricted areas | Up to 7 days after last activity | § 25(2)(2) TDDDG; Art. 6(1)(b) GDPR
NEXT_LOCALE | Stores your selected language version of the website | Until changed or deleted in the browser | § 25(2)(2) TDDDG; Art. 6(1)(b)/(f) GDPR
sidebar_state | Remembers your chosen sidebar state within the app | Until changed or deleted in the browser | § 25(2)(2) TDDDG; Art. 6(1)(b)/(f) GDPR
theme, vantero:uiTextScale and other function-related local/session storage entries | Stores display and comfort settings triggered by you, as well as temporary drafts within the application, e.g. text scaling, theme, or chat/workspace drafts | Until changed, deleted, or end of browser session | § 25(2)(2) TDDDG; Art. 6(1)(b) GDPR
conzentConsent / conzentConsentPrefs | Stores your privacy settings selection and documents the active consent configuration | According to the currently active consent management settings | § 25(2)(2) TDDDG; Art. 6(1)(c)/(f) GDPR

No optional analytics, marketing, or advertising trackers are set. No cross-site tracking takes place. Should we deploy optional technologies in the future, they will be described separately in the privacy settings before activation and will only be activated on the basis of required consent.

12. Email Communication

We send exclusively transactional emails that are necessary for the operation of the service:

  • Login links (magic links) and one-time codes (OTP)
  • Email verification upon registration
  • Password reset
  • Welcome emails
  • Confirmation of account deletion

Emails are sent via an SMTP service. No email marketing or newsletter distribution takes place.

13. Payment Processing

Payment processing for paid plans (Basic, Pro, Team), extra seats, and token packages is handled by Armitage Labs OU (Creem) (“Creem”) as Merchant of Record.

During a purchase, you are redirected to the Creem checkout page. Creem collects and processes the data required for payment processing, invoicing, tax calculation, and fraud prevention (e.g. name, email address, billing address, payment information, business and tax details) as an independent controller. We receive from Creem via webhook or API only the reference data necessary for assignment and contract fulfilment:

  • Confirmation of payment and subscription status
  • Checkout, order, customer, and subscription references
  • Product and price references for plan and package assignment
  • Buyer email address and metadata for team assignment

Credit card or bank data is never transmitted to us or stored on our servers. Creem’s privacy policy can be found at: https://www.creem.io/privacy.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

14. Retention Periods and Deletion

We store your personal data only for as long as necessary for the respective processing purposes or as required by statutory retention obligations:

Data Category | Retention Period
Account data | Until account deletion by the user
Chat histories | Until deletion by the user or until account deletion
Uploaded documents | Until deletion by the user or until account deletion
AI input data at providers | Only temporarily for response generation; no persistent storage
Server log data | Maximum 90 days, followed by automated deletion
Billing/transaction data | 10 years (pursuant to § 147 AO, § 257 HGB)
Session data | Maximum 7 days after last activity

Upon deletion of your account, all personal data will be deleted within 30 days, unless statutory retention obligations apply.

15. IT Security Measures

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect your data:

  • Encrypted data transmission (TLS/HTTPS) for all connections
  • Cryptographic password hashing (plaintext passwords are not stored)
  • Rate limiting to protect against brute-force attacks and abuse
  • Secure cookies (HttpOnly, Secure flag, SameSite)
  • Regular security reviews and monitoring
  • Access control and data processing minimisation (data minimisation principle)

16. Your Rights as a Data Subject

You have the following rights with regard to your personal data:

  • Right of Access (Art. 15 GDPR): You have the right to obtain information about the personal data we process. This includes information on processing purposes, data categories, recipients, and retention periods.
  • Right to Rectification (Art. 16 GDPR): You may request the rectification of inaccurate data and the completion of incomplete data.
  • Right to Erasure (Art. 17 GDPR): You may request the erasure of your personal data, provided no statutory retention obligations apply. You can delete your account at any time via the account settings.
  • Right to Restriction of Processing (Art. 18 GDPR): Under certain conditions, you may request the restriction of the processing of your data.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to Object (Art. 21 GDPR): You may object at any time to the processing of your personal data based on Art. 6(1)(f) GDPR. We will then no longer process the data unless we can demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.

To exercise your rights, please contact:
Email: kontakt@franco-consulting.com
Post: Franco Consulting GmbH, Maria-Theresia-Straße 17, 89331 Burgau

We will process your request without undue delay and in any event within one month of receipt (Art. 12(3) GDPR).

17. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).

The supervisory authority responsible for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de

18. Obligation to Provide Personal Data

Providing your email address is required to use Vantero (contract conclusion). Without providing an email address, no user account can be created and the service cannot be used.

Providing a name is voluntary and serves solely for personalisation. All other data (chat content, documents) is provided voluntarily by you during use of the platform.

19. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you.

The AI models generate text responses and other content based on your input. These serve as assistance and do not constitute automated decisions that have direct legal or factual consequences for you.

20. Special Information Regarding the Mobile App

The Vantero mobile app (for iOS and Android) uses the same backend infrastructure as the web application. The data processing described in this privacy policy applies equally to app usage.

In addition, the following particularities apply:

  • Login in the app is done via email OTP (one-time code) or Google OAuth.
  • The app does not collect location data, contacts, or other device-specific data beyond what is necessary for functionality.
  • Push notifications are only sent if you actively enable them.

21. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to adapt it to changed legal requirements or changes to the service or data processing. The current version is always available at https://vantero.chat/en/legal/datenschutz. In the event of material changes, we will inform registered users by email.

22. Overview of Legal Bases

Below is an overview of the GDPR legal bases on which we process personal data:

  • Performance of Contract (Art. 6(1)(b) GDPR) – Service provision, account management, chat processing, payment processing
  • Legitimate Interests (Art. 6(1)(f) GDPR) – IT security, abuse prevention, log data, service optimisation
  • Consent (Art. 6(1)(a) GDPR) – Google OAuth, use of the "USA" data zone
  • Legal Obligation (Art. 6(1)(c) GDPR) – Tax law retention obligations

Applicable laws: General Data Protection Regulation (GDPR), German Federal Data Protection Act (BDSG), German Telecommunications Digital Services Data Protection Act (TDDDG), Regulation (EU) 2024/1689 (EU AI Act).