This privacy policy explains how Vanly (“we”, “us”, “our”) collects, uses, and protects your personal data when you sign up at vanlyai.com or interact with us. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and ICO guidance.
1. Who we are
Vanly is a product of Goto-Tender Ltd, a company registered in England & Wales (company number 16627586), with registered office at 27 Bates Lane, Helsby, Frodsham, England, WA6 9LN.
Goto-Tender Ltd is the data controller responsible for your personal data.
For any questions about this policy or your data, contact us at hello@vanlyai.com.
2. Your customers' data, and automated replies (WhatsApp Coexistence)
When you connect your own WhatsApp number to Vanly through WhatsApp Coexistence, Vanly also processes messages sent to you by your customers (the people who contact your business). This section explains that relationship and how the AI handles those conversations.
Our role is your data processor. For your customers' personal data, you are the data controller and Goto-Tender Ltd (Vanly) acts as your data processor, processing that data only on your instructions and to provide the Vanly service to you. This is separate from Section 1: for your own account, signup, and billing data, Goto-Tender Ltd is the controller.
What we process about your customers. To run the AI office manager on your behalf, we process: their name; their phone number; the email address they give you, if any; the content of the messages they send; any job, address, or location details they provide; and any photos, documents, or voice notes they send. Voice notes are transcribed to text as described under “Voice and audio data” below. This data is stored to provide context, audit trails, and the features you have signed up for.
Lawful basis. As your processor, we rely on the lawful basis that applies to your own relationship with your customer, normally the performance of your contract with them or your legitimate interest in running and servicing your business. As the controller, you are responsible for that lawful basis and for giving your customers any privacy information they are due.
Automated replies. If you switch on autonomous mode, Vanly's AI may read and reply to your customers' WhatsApp messages on your behalf without you approving each reply, answering enquiries and gathering the qualifying details you have configured. By default (approve-first mode), Vanly instead drafts replies for you to approve before they are sent. In both modes this is customer-service automation: it does not make decisions that produce legal or similarly significant effects for your customers, and it does not carry out profiling. This is consistent with “Your rights under UK GDPR” below.
Money stays under your control. The AI does not commit you to anything financial on its own. Actions such as sending a quote or an invoice, or confirming a booking, need your authorisation: by default an explicit confirmation from you for each one, and, only where you switch on auto-approval (which is off by default), automatically within the limits you set, such as a maximum amount for quotes and invoices.
3. What personal data we collect
When you sign up for early access, we collect the following from you directly:
- Identity data: first name, last name
- Contact data: email address, phone number
- Business data: business name, postcode, trade, lead-platform usage, business pain points
- Payment data (paid early-access only): card details and billing address. We do not store full card numbers ourselves — Stripe processes and stores them securely on our behalf. We retain a Stripe customer ID and a SetupIntent ID.
- Marketing-attribution data: any UTM parameters (source, medium, campaign) present in the URL when you sign up, so we know which advert or referral brought you to us.
- OAuth-connected email data (once you connect Gmail or Outlook): When you connect your Gmail or Microsoft Outlook account to Vanly, we read the contents of incoming emails to identify and parse new leads from trade platforms like Bark, Checkatrade, MyBuilder, and Rated People. We do not read your other emails or use their content for any purpose other than lead identification.
- Calendar data: When you connect your Google Calendar or Microsoft Outlook Calendar, we read your calendar events to identify your availability and free slots, and we write calendar events for bookings once they are confirmed, either by your approval or within any auto-approval limits you have set.
- Voice and audio data: When you send voice notes via WhatsApp to Vanly, we transcribe them using OpenAI's Whisper API for the purpose of generating quotes, invoices, or capturing customer information you have dictated.
- Customer interactions: Communications between you and your customers via WhatsApp pass through our systems for the purpose of running the AI office manager. Message content is stored to provide context, audit trails, and feature functionality.
- Technical data: IP address and browser user-agent at the time of signup, used for fraud-prevention and security logs.
4. How we use your data, and on what lawful basis
We use your data for the following purposes:
- To deliver the service you signed up for — contacting you 7 days before launch, billing you at launch (paid early-access), and providing the Vanly product after launch. Lawful basis: performance of a contract (UK GDPR Art. 6(1)(b)).
- To send transactional emails — signup confirmations, launch notifications, billing receipts, account updates. Lawful basis: performance of a contract.
- To improve the product — we read your pain-point answers and feedback replies to shape what we build. Lawful basis: legitimate interest (Art. 6(1)(f)) in building a product that solves your stated problem.
- To attribute marketing — UTM parameters help us measure which channels work. Lawful basis: legitimate interest.
- For security and fraud prevention — IP address and user-agent logging. Lawful basis: legitimate interest.
- To comply with legal obligations — e.g. tax records, accounting, responding to lawful requests. Lawful basis: legal obligation (Art. 6(1)(c)).
- To process incoming emails for lead capture (Gmail or Outlook integration) — when you authorise Vanly to read your inbox, we identify and parse new leads from trade platforms. Lawful basis: performance of a contract.
- To manage your calendar for bookings (Calendar integration) — when you authorise Vanly to read and write your calendar, we check availability and write confirmed bookings on your behalf. By default we do this after you approve each booking via WhatsApp; where you have switched on auto-approval, bookings may be written automatically within the limits you set. Lawful basis: performance of a contract.
- To send emails on your behalf (Gmail send) — when you authorise Vanly to send emails from your address, we generate and send invoices, quotes, and customer communications. By default each send is approved by you via WhatsApp before transmission; where you have switched on auto-approval, sends may go out automatically within the limits you set. Lawful basis: performance of a contract.
- To transcribe and process voice notes — we use OpenAI's Whisper API to convert your audio recordings into text. Transcribed text is stored alongside the original audio for audit and re-processing purposes. Lawful basis: performance of a contract.
- To power the AI office manager — we use Anthropic's Claude API to interpret and respond to WhatsApp messages on your behalf. Lawful basis: performance of a contract.
We do not currently use your data for marketing emails to other Vanly products or third-party advertising. If we ever start, we will ask for your consent first and let you opt out easily.
5. Who we share your data with
We use a small set of trusted service providers (data processors) to operate Vanly. They process your data on our instructions and under contractual safeguards:
- Supabase Inc. — database hosting (your signup record). EU-region storage. Privacy: supabase.com/privacy
- Stripe Payments Europe Ltd — payment method storage and (post-launch) recurring billing. Card data stored in PCI-DSS-compliant infrastructure. Privacy: stripe.com/privacy
- Resend Inc. — transactional email delivery (signup confirmations, launch notifications). EU-region. Privacy: resend.com/legal/privacy-policy
- ImprovMX — inbound email forwarding for replies to hello@vanlyai.com. Privacy: improvmx.com/privacy
- Vercel Inc. — website and API hosting, plus anonymous page-view analytics (no cookies, no PII; see section 9 for detail). Privacy: vercel.com/legal/privacy-policy
- Namecheap Inc. — domain registration and DNS. Limited registration data (name, address) appears only on internal records (your domain WHOIS uses privacy protection). Privacy: namecheap.com/legal/general/privacy-policy
- OpenAI Inc. — voice transcription via Whisper API. Audio data is sent for transcription only; OpenAI's API terms specify that submitted data is not used to train OpenAI models. EU-US Data Privacy Framework certified. Privacy: openai.com/policies/privacy-policy
- Anthropic PBC — large language model API powering the AI office manager. Message content is sent for inference only; Anthropic's API terms specify that submitted data is not used to train Anthropic models. EU-US Data Privacy Framework certified. Privacy: anthropic.com/legal/privacy
- Meta Platforms Ireland Ltd — WhatsApp Business Cloud API for sending and receiving messages. Message content passes through Meta's infrastructure to reach recipients. EU-region storage available. Privacy: facebook.com/policy
- Google LLC — Gmail and Calendar API access (when you connect a Google account). Vanly reads inbox and calendar data only as authorised by you. Privacy: policies.google.com/privacy
- Microsoft Corporation — Microsoft Graph API access for Outlook and Outlook Calendar (when you connect a Microsoft account). Vanly reads mail and calendar data only as authorised by you. Privacy: privacy.microsoft.com/en-gb/privacystatement
We do not sell your personal data, and we do not share it with advertising networks or data brokers.
6. International data transfers
Some of our processors (Stripe, Vercel, Namecheap, ImprovMX) are US-based. Where data is transferred outside the UK/EU, transfers are protected by either the EU-US Data Privacy Framework (where the processor is certified), the UK Addendum to the EU Standard Contractual Clauses, or other lawful safeguards. You can request a copy of the relevant safeguard by emailing us.
7. How long we keep your data
- Signup record (Supabase): retained for the duration of your relationship with Vanly. If you cancel before launch, we delete your record within 30 days of the request. If you become a paying customer, retention follows the customer terms below.
- Stripe customer + saved card: retained while you are a customer. Deleted within 30 days of cancellation. Stripe may retain transaction history longer to comply with their own legal obligations (PCI-DSS, anti-money-laundering).
- Email records (Resend logs): retained by Resend for up to 30 days, then auto-deleted.
- Tax and accounting records: we retain records relating to payments for 6 years from the end of the relevant tax year, as required by HMRC.
- Gmail and Outlook content: email content read for lead identification is not retained beyond the time needed to parse and store the identified lead. The original email remains in your inbox; only the lead-specific information (sender, date, location, job description) is stored in Vanly's database.
- Calendar events: read for availability checks only and not stored. Calendar events written by Vanly remain in your calendar as standard.
- Voice notes and voicemails: retained for 90 days, then automatically deleted. Transcribed text is retained alongside the related quote, invoice, or customer record.
- Customer messages (WhatsApp conversations): retained for the duration of your account, then deleted within 30 days of cancellation.
- Receipt images: retained for 7 years to support HMRC requirements for VAT/expense record-keeping.
8. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access — request a copy of all data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — ask us to delete your data
- Portability — receive your data in a machine-readable format and have it sent elsewhere
- Restriction — ask us to pause processing while a query is resolved
- Objection — object to processing based on legitimate interest
- Withdraw consent — if we ever process your data based on consent, you can withdraw it at any time
- Not be subject to automated decision-making — we do not currently use automated profiling that has legal or significant effects
To exercise any of these rights, email hello@vanlyai.com. We will respond within 30 days.
9. Cookies and similar technologies
We use Vercel Analytics to count anonymous page views and identify which pages and referrers bring traffic to Vanly. Vercel Analytics is privacy-friendly by design:
- It does not use cookies and does not store any data on your device
- It does not collect personally identifiable information (PII) such as your name, email, IP address, or precise location
- It works by hashing a request fingerprint daily; the hash cannot be linked back to you across days
- It does not share data with advertising networks
Because Vercel Analytics does not use cookies and does not collect PII, it falls outside the scope of consent requirements under the UK GDPR and PECR (Privacy and Electronic Communications Regulations). For full technical detail see Vercel's analytics privacy policy.
We do not use Google Analytics, Meta Pixel, or similar third-party advertising trackers on the public landing page.
When you enter your card details, Stripe may set functional cookies inside its iframe for fraud prevention and to remember your card-on-file authorisation. These cookies are necessary for the payment flow and exempt from consent under PECR since they are strictly necessary for a service you have requested.
If we add additional analytics or tracking in the future, we will update this policy and present a cookie banner where required by law.
10. Marketing communications
Signing up for Vanly means you have agreed to receive transactional emails from us about your early access (signup confirmations, launch notifications, billing receipts). We do not currently send marketing emails to a separate marketing list.
Every email we send includes our address and an easy way to contact us. You can opt out of non-essential emails by replying to any email or contacting hello@vanlyai.com. Cancellation of your account also unsubscribes you from future non-billing emails.
11. Security
We protect your data with industry-standard safeguards:
- HTTPS/TLS encryption for all traffic to vanlyai.com
- Card data is never sent to or stored on our servers — Stripe handles it directly via tokenisation
- Database access protected by service-role keys, with row-level-security policies preventing public reads
- Admin endpoints protected by HTTP Basic Auth with strong random passwords
- Environment-secret rotation when team access changes
No system is 100% secure. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and you without undue delay where required by law.
12. Children's data
Vanly is intended for UK-based tradespeople aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has signed up, contact us and we will delete the record.
13. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent version. Material changes will be notified by email at least 14 days before they take effect.
14. Complaints to the ICO
If you are not satisfied with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
ico.org.uk
We'd ask you to contact us first so we can try to resolve any concerns directly — email hello@vanlyai.com.
15. Google API Services User Data Policy compliance
Vanly's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Vanly:
- Uses Google user data (Gmail content, Calendar events) only to provide the user-facing features you have signed up for and explicitly approved through OAuth consent.
- Does not transfer Google user data to third parties except for the limited purposes outlined in this Privacy Policy (transcription, AI processing, message delivery) and only with appropriate safeguards in place.
- Does not use Google user data to serve advertising, including remarketing, personalised, or interest-based advertising.
- Does not allow humans to read Google user data unless one of the following applies: (a) we have obtained your explicit consent for a specific purpose, (b) we need to for security purposes (such as investigating abuse), (c) we need to comply with applicable law, or (d) the data has been aggregated and anonymised in a way that prevents identification of any individual.
For Microsoft user data acquired via Microsoft Graph (Outlook mail and Outlook Calendar), the same principles apply: we use the data only for the user-facing features you have signed up for, do not use it for advertising, and do not allow human review except under the limited circumstances above.