GDPR · As of 7 May 2026

Privacy policy

We process personal data exclusively on the basis of legal permission under Art. 6 GDPR and only to the extent necessary. Below, we explain what we process and why.

1. Controller

Company
VAND
Address
Berliner Allee 12, 10115 Berlin
Email
datenschutz@vand.ai

2. What data do we process?

  • Account data: Name, email, language and workspace membership. Legal basis: Art. 6 para. 1 lit. b GDPR.
  • Usage data: Models accessed, token volume, response times and tools triggered.
  • Content: Prompts, responses and uploaded files, to the extent required for the agreed service.
  • Security logs: IP address, user agent and authentication events. Maximum retention: 30 days.

3. Hosting and data location

We operate our platform in data centres within the European Union under EU data-protection requirements. Data does not leave the European Economic Area by default. Processing by global model providers only occurs when explicitly enabled in the workspace through the Global data-boundary setting.

4. Data processing and subcontractors

We have concluded data processing agreements pursuant to Art. 28 GDPR with all subcontractors. A current list of subcontractors is available on request at datenschutz@vand.ai.

5. Retention periods

  • Account data: until account deletion.
  • Usage and billing data: 10 years (§ 257 HGB, § 147 AO).
  • Authentication logs: 30 days.
  • Model content: configurable per workspace; default 90 days.

6. Your rights

You may exercise your rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21) at any time. Send requests to datenschutz@vand.ai. You also have the right to lodge a complaint with the competent supervisory authority, such as the Berlin Commissioner for Data Protection.

7. Cookies

We use only technically necessary cookies for sessions and CSRF protection. No tracking takes place.


This privacy policy is a placeholder and must be reviewed by the external data protection officer before go-live.