Privacy Policy

Last updated: 12 May 2026

This privacy policy explains how Vanly (“we”, “us”, “our”) collects, uses, and protects your personal data when you sign up at vanlyai.com or interact with us. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and ICO guidance.

1. Who we are

Vanly is a product of Goto-Tender Ltd, a company registered in England & Wales (company number 16627586), with registered office at 27 Bates Lane, Helsby, Frodsham, England, WA6 9LN.

Goto-Tender Ltd is the data controller responsible for your personal data.

For any questions about this policy or your data, contact us at hello@vanlyai.com.

2. What personal data we collect

When you sign up for early access, we collect the following from you directly:

  • Identity data: first name, last name
  • Contact data: email address, phone number
  • Business data: business name, postcode, trade, lead-platform usage, business pain points
  • Payment data (paid early-access only):card details and billing address. We do not store full card numbers ourselves — Stripe processes and stores them securely on our behalf. We retain a Stripe customer ID and a SetupIntent ID.
  • Marketing-attribution data: any UTM parameters (source, medium, campaign) present in the URL when you sign up, so we know which advert or referral brought you to us.
  • OAuth-connected email data (once you connect Gmail or Outlook): When you connect your Gmail or Microsoft Outlook account to Vanly, we read the contents of incoming emails to identify and parse new leads from trade platforms like Bark, Checkatrade, MyBuilder, and Rated People. We do not read your other emails or use their content for any purpose other than lead identification.
  • Calendar data: When you connect your Google Calendar or Microsoft Outlook Calendar, we read your calendar events to identify your availability and free slots, and we write calendar events for confirmed bookings that you have approved.
  • Voice and audio data:When you send voice notes via WhatsApp to Vanly, we transcribe them using OpenAI's Whisper API for the purpose of generating quotes, invoices, or capturing customer information you have dictated.
  • Customer interactions: Communications between you and your customers via WhatsApp pass through our systems for the purpose of running the AI office manager. Message content is stored to provide context, audit trails, and feature functionality.
  • Technical data: IP address and browser user-agent at the time of signup, used for fraud-prevention and security logs.

3. How we use your data, and on what lawful basis

We use your data for the following purposes:

  • To deliver the service you signed up for— contacting you 7 days before launch, billing you at launch (paid early-access), and providing the Vanly product after launch. Lawful basis: performance of a contract (UK GDPR Art. 6(1)(b)).
  • To send transactional emails— signup confirmations, launch notifications, billing receipts, account updates. Lawful basis: performance of a contract.
  • To improve the product— we read your pain-point answers and feedback replies to shape what we build. Lawful basis: legitimate interest (Art. 6(1)(f)) in building a product that solves your stated problem.
  • To attribute marketing— UTM parameters help us measure which channels work. Lawful basis: legitimate interest.
  • For security and fraud prevention— IP address and user-agent logging. Lawful basis: legitimate interest.
  • To comply with legal obligations— e.g. tax records, accounting, responding to lawful requests. Lawful basis: legal obligation (Art. 6(1)(c)).
  • To process incoming emails for lead capture (Gmail or Outlook integration)— when you authorise Vanly to read your inbox, we identify and parse new leads from trade platforms. Lawful basis: performance of a contract.
  • To manage your calendar for bookings (Calendar integration)— when you authorise Vanly to read and write your calendar, we check availability and write confirmed bookings on your behalf, after you approve each booking via WhatsApp. Lawful basis: performance of a contract.
  • To send emails on your behalf (Gmail send) — when you authorise Vanly to send emails from your address, we generate and send invoices, quotes, and customer communications, with each send explicitly approved by you via WhatsApp before transmission. Lawful basis: performance of a contract.
  • To transcribe and process voice notes — we use OpenAI's Whisper API to convert your audio recordings into text. Transcribed text is stored alongside the original audio for audit and re-processing purposes. Lawful basis: performance of a contract.
  • To power the AI office manager— we use Anthropic's Claude API to interpret and respond to WhatsApp messages on your behalf. Lawful basis: performance of a contract.

We do not currently use your data for marketing emails to other Vanly products or third-party advertising. If we ever start, we will ask for your consent first and let you opt out easily.

4. Who we share your data with

We use a small set of trusted service providers (data processors) to operate Vanly. They process your data on our instructions and under contractual safeguards:

  • Supabase Inc.— database hosting (your signup record). EU-region storage. Privacy: supabase.com/privacy
  • Stripe Payments Europe Ltd— payment method storage and (post-launch) recurring billing. Card data stored in PCI-DSS-compliant infrastructure. Privacy: stripe.com/privacy
  • Resend Inc.— transactional email delivery (signup confirmations, launch notifications). EU-region. Privacy: resend.com/legal/privacy-policy
  • ImprovMX— inbound email forwarding for replies to hello@vanlyai.com. Privacy: improvmx.com/privacy
  • Vercel Inc.— website and API hosting, plus anonymous page-view analytics (no cookies, no PII; see section 8 for detail). Privacy: vercel.com/legal/privacy-policy
  • Namecheap Inc.— domain registration and DNS. Limited registration data (name, address) appears only on internal records (your domain WHOIS uses privacy protection). Privacy: namecheap.com/legal/general/privacy-policy
  • OpenAI Inc.— voice transcription via Whisper API. Audio data is sent for transcription only; OpenAI's API terms specify that submitted data is not used to train OpenAI models. EU-US Data Privacy Framework certified. Privacy: openai.com/policies/privacy-policy
  • Anthropic PBC— large language model API powering the AI office manager. Message content is sent for inference only; Anthropic's API terms specify that submitted data is not used to train Anthropic models. EU-US Data Privacy Framework certified. Privacy: anthropic.com/legal/privacy
  • Meta Platforms Ireland Ltd— WhatsApp Business Cloud API for sending and receiving messages. Message content passes through Meta's infrastructure to reach recipients. EU-region storage available. Privacy: facebook.com/policy
  • Google LLC— Gmail and Calendar API access (when you connect a Google account). Vanly reads inbox and calendar data only as authorised by you. Privacy: policies.google.com/privacy
  • Microsoft Corporation— Microsoft Graph API access for Outlook and Outlook Calendar (when you connect a Microsoft account). Vanly reads mail and calendar data only as authorised by you. Privacy: privacy.microsoft.com/en-gb/privacystatement

We do not sell your personal data, and we do not share it with advertising networks or data brokers.

5. International data transfers

Some of our processors (Stripe, Vercel, Namecheap, ImprovMX) are US-based. Where data is transferred outside the UK/EU, transfers are protected by either the EU-US Data Privacy Framework (where the processor is certified), the UK Addendum to the EU Standard Contractual Clauses, or other lawful safeguards. You can request a copy of the relevant safeguard by emailing us.

6. How long we keep your data

  • Signup record (Supabase): retained for the duration of your relationship with Vanly. If you cancel before launch, we delete your record within 30 days of the request. If you become a paying customer, retention follows the customer terms below.
  • Stripe customer + saved card: retained while you are a customer. Deleted within 30 days of cancellation. Stripe may retain transaction history longer to comply with their own legal obligations (PCI-DSS, anti-money-laundering).
  • Email records (Resend logs): retained by Resend for up to 30 days, then auto-deleted.
  • Tax and accounting records: we retain records relating to payments for 6 years from the end of the relevant tax year, as required by HMRC.
  • Gmail and Outlook content:email content read for lead identification is not retained beyond the time needed to parse and store the identified lead. The original email remains in your inbox; only the lead-specific information (sender, date, location, job description) is stored in Vanly's database.
  • Calendar events: read for availability checks only and not stored. Calendar events written by Vanly remain in your calendar as standard.
  • Voice notes and voicemails: retained for 90 days, then automatically deleted. Transcribed text is retained alongside the related quote, invoice, or customer record.
  • Customer messages (WhatsApp conversations): retained for the duration of your account, then deleted within 30 days of cancellation.
  • Receipt images: retained for 7 years to support HMRC requirements for VAT/expense record-keeping.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Access— request a copy of all data we hold about you
  • Rectification— ask us to correct inaccurate or incomplete data
  • Erasure (“right to be forgotten”) — ask us to delete your data
  • Portability— receive your data in a machine-readable format and have it sent elsewhere
  • Restriction— ask us to pause processing while a query is resolved
  • Objection— object to processing based on legitimate interest
  • Withdraw consent— if we ever process your data based on consent, you can withdraw it at any time
  • Not be subject to automated decision-making — we do not currently use automated profiling that has legal or significant effects

To exercise any of these rights, email hello@vanlyai.com. We will respond within 30 days.

8. Cookies and similar technologies

We use Vercel Analytics to count anonymous page views and identify which pages and referrers bring traffic to Vanly. Vercel Analytics is privacy-friendly by design:

  • It does not use cookies and does not store any data on your device
  • It does not collect personally identifiable information (PII) such as your name, email, IP address, or precise location
  • It works by hashing a request fingerprint daily; the hash cannot be linked back to you across days
  • It does not share data with advertising networks

Because Vercel Analytics does not use cookies and does not collect PII, it falls outside the scope of consent requirements under the UK GDPR and PECR (Privacy and Electronic Communications Regulations). For full technical detail see Vercel's analytics privacy policy.

We do not use Google Analytics, Meta Pixel, or similar third-party advertising trackers on the public landing page.

When you enter your card details, Stripe may set functional cookies inside its iframe for fraud prevention and to remember your card-on-file authorisation. These cookies are necessary for the payment flow and exempt from consent under PECR since they are strictly necessary for a service you have requested.

If we add additional analytics or tracking in the future, we will update this policy and present a cookie banner where required by law.

9. Marketing communications

Signing up for Vanly means you have agreed to receive transactional emails from us about your early access (signup confirmations, launch notifications, billing receipts). We do not currently send marketing emails to a separate marketing list.

Every email we send includes our address and an easy way to contact us. You can opt out of non-essential emails by replying to any email or contacting hello@vanlyai.com. Cancellation of your account also unsubscribes you from future non-billing emails.

10. Security

We protect your data with industry-standard safeguards:

  • HTTPS/TLS encryption for all traffic to vanlyai.com
  • Card data is never sent to or stored on our servers — Stripe handles it directly via tokenisation
  • Database access protected by service-role keys, with row-level-security policies preventing public reads
  • Admin endpoints protected by HTTP Basic Auth with strong random passwords
  • Environment-secret rotation when team access changes

No system is 100% secure. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and you without undue delay where required by law.

11. Children's data

Vanly is intended for UK-based tradespeople aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has signed up, contact us and we will delete the record.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent version. Material changes will be notified by email at least 14 days before they take effect.

13. Complaints to the ICO

If you are not satisfied with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
ico.org.uk

We'd ask you to contact us first so we can try to resolve any concerns directly — email hello@vanlyai.com.

14. Google API Services User Data Policy compliance

Vanly's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Vanly:

  • Uses Google user data (Gmail content, Calendar events) only to provide the user-facing features you have signed up for and explicitly approved through OAuth consent.
  • Does not transfer Google user data to third parties except for the limited purposes outlined in this Privacy Policy (transcription, AI processing, message delivery) and only with appropriate safeguards in place.
  • Does not use Google user data to serve advertising, including remarketing, personalised, or interest-based advertising.
  • Does not allow humans to read Google user data unless one of the following applies: (a) we have obtained your explicit consent for a specific purpose, (b) we need to for security purposes (such as investigating abuse), (c) we need to comply with applicable law, or (d) the data has been aggregated and anonymised in a way that prevents identification of any individual.

For Microsoft user data acquired via Microsoft Graph (Outlook mail and Outlook Calendar), the same principles apply: we use the data only for the user-facing features you have signed up for, do not use it for advertising, and do not allow human review except under the limited circumstances above.