Privacy Policy
Last updated: 2026-05-29 · pursuant to Art. 13 GDPR.
1. Controller
The controller responsible for data processing on this website is:
Milan Hahn
Vantom
Umgehungsstrasse 47
35043 Marburg
Germany
Email: legal@vantom.pro
No data protection officer has been appointed — the statutory thresholds under Art. 37 GDPR are not met.
2. Your rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
The competent supervisory authority is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Postfach 3163, 65021 Wiesbaden, Germany.
3. Hosting (website)
The website is hosted by Vercel Inc. (USA, with edge locations in the EU). When the website is accessed, Vercel processes technically necessary data (IP address, user-agent, timestamp) to deliver the page. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functional, secure web service). A data processing agreement (DPA) with Vercel is in place.
4. Cookies and local storage
We use only technically necessary browser storage to remember features such as the theme (light/dark) and accent colour. No tracking takes place.
| Name | Purpose | Duration |
|---|---|---|
| vantom-landing-mode | Stores the chosen colour scheme (light/dark) | persistent (LocalStorage) |
| vantom-landing-accent | Stores the chosen accent colour | persistent (LocalStorage) |
| v-intro-played | Prevents the logo sound from replaying | Session |
5. Newsletter / waitlist signup
If you sign up for the Vantom waitlist on this website, we process your email address to send a one-time confirmation email (double opt-in) and — after you confirm — occasional updates around the product launch.
What data
- Your email address (entered by you)
- Timestamp of signup and confirmation
- A technical hash of your IP address (SHA-256, truncated to 16 hex chars) — used solely to protect against mass signups / spam bots. The raw IP is never stored.
Legal basis
Art. 6(1)(a) GDPR (consent). You actively enter your email address and confirm the signup by clicking the confirmation link in the confirmation email. No further email is sent before confirmation.
Processors
- Vercel Inc. (USA, with function execution in the EU / Frankfurt fra1) — processes the signup request. DPA in place.
- Upstash, Inc. (USA, with data residency in the EU / Ireland) — stores only the hashed IP + counter for the rate-limit logic. No email addresses. DPA in place.
- Resend, Inc. (USA, with sending region EU / Ireland) — sends the confirmation and welcome email and stores your contact details as a recipient. DPA in place.
Retention
Your email address remains stored at Resend until you unsubscribe (unsubscribe link in every email) or request deletion. The IP hash at Upstash expires automatically after at most 1 hour (rate-limit window).
Withdrawal
You may withdraw your consent at any time — via the unsubscribe link in any of our emails or informally by email to legal@vantom.pro. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. Processing within the Vantom app
The Vantom Producer Suite (desktop application) processes personal data only when you actively sign in or use cloud features. In detail:
Authentication (Firebase Auth)
On optional login: email address and user ID. Provider: Google LLC (USA), DPA in place. Legal basis: Art. 6(1)(b) GDPR (contract performance).
Project metadata (Firestore, EU region)
Tags, notes and subscription status are stored in Firestore (region
europe-west). Audio content never leaves your device. Provider: Google
LLC, DPA in place.
Payment processing (Lemon Squeezy)
Lemon Squeezy LLC (USA) acts as Merchant of Record and is the contracting party for the purchase. Name, email address and payment data are processed. The Lemon Squeezy Privacy Policy additionally applies. Legal basis: Art. 6(1)(b) GDPR.
Cloud sync (Google Drive · Dropbox · SoundCloud)
These connections are initiated exclusively by you (OAuth). The tokens are stored encrypted locally on your device and are not transmitted to our servers. Legal basis: Art. 6(1)(a) GDPR (consent), revocable in the app settings.
Google API Services — Limited Use
When you connect Google Drive, Vantom requests only the drive.file
OAuth scope. This limits the app to files and folders it creates itself —
specifically a dedicated /Vantom/ folder; Vantom cannot see, read or
modify any other file in your Google Drive. Vantom's use and transfer of information
received from Google APIs adheres to the
Google API Services User Data Policy,
including the Limited Use requirements. We do not use Google user
data for advertising, we do not sell it, and we do not use it to develop, improve, or
train generalised AI/ML models.
Hardware fingerprint (fraud / abuse prevention)
To prevent the same device from farming throwaway accounts (e.g. re-redeeming a
one-time launch promotion or bypassing the 6-project Free-tier cap), the app derives a
pseudonymous hardware fingerprint: a one-way hash (HMAC-SHA-256) of
stable, non-personal device attributes (operating-system platform, CPU architecture,
CPU model, core count, installed memory). No MAC addresses, hostnames or advertising
IDs. The hash is stored server-side as a key under
hardware_ids/{hash} with no link to your account and is not
transmitted to any third party. Legal basis: Art. 6(1)(f) GDPR (legitimate interest
in licence enforcement and abuse prevention); you may object under Art. 21 GDPR via
the email in the Imprint.
Diagnostics / crash reports
If you opt in, crash diagnostics (stack traces, app version, platform, and your user ID if signed in) are sent to our error-monitoring provider; personal data is scrubbed beforehand. This is off by default. Legal basis: Art. 6(1)(a) GDPR (consent), revocable at any time in the app settings.
7. International transfers
Where data is transferred to the USA (Firebase, Lemon Squeezy, Vercel, Upstash,
Resend), this is done on the basis of Standard Contractual Clauses pursuant to
Art. 46(2)(c) GDPR or under the EU-U.S. Data Privacy Framework where the respective
provider is certified. The actual processing of your newsletter data takes place
exclusively in the EU (Vercel fra1 Frankfurt, Upstash
eu-west-1 Ireland, Resend eu-west-1 Ireland).
8. Retention
We store your personal data only for as long as is necessary to fulfil the stated purposes or as required by statutory retention obligations (e.g. 6 years under commercial law, 10 years under tax law).
9. Changes to this Privacy Policy
We reserve the right to adjust this Privacy Policy if technical or legal conditions change. The current version is always available on this page. For material changes we notify active users by email.