Privacy Policy
1. Who We Are
Vantemo is a software-as-a-service e-commerce platform that enables businesses to create and operate online stores.
Data controller:
Inovacijų dialogas, MB
Company registration number: 306672068
VAT number: LT100016637613
Registered address: P. Vileišio g. 15-25, LT-10306 Vilnius, Lithuania
Privacy contact: For all privacy-related enquiries, data subject requests, and complaints: [email protected]
We do not have a designated Data Protection Officer. The founder is responsible for GDPR compliance. If you cannot resolve your concern with us directly, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (VDAI) at www.vdai.lrv.lt.
2. How This Policy Is Structured
Vantemo operates in two distinct roles depending on whose data is being processed:
Role A — Data Controller (for merchant data). When you sign up for Vantemo and use our platform as a merchant, we collect and process data about you directly. For this data, Vantemo is the Data Controller — we determine why and how your data is processed, and we are directly responsible to you under GDPR. This is covered in Sections 3–13 of this policy.
Role B — Data Processor (for end-customer data). When your customers visit your store and make purchases, their personal data flows through Vantemo's systems on your behalf. For this data, you (the merchant) are the Data Controller. Vantemo is the Data Processor — we process this data only on your instructions and under your responsibility. This relationship is governed by our Data Processing Agreement (DPA), not by this Privacy Policy.
If you are a shopper who bought something from a store powered by Vantemo, your data is controlled by that store's owner, not by Vantemo. Please contact that merchant directly with any privacy requests.
3. Data We Collect About Merchants
We collect the minimum data necessary to provide the platform and comply with our legal obligations.
3.1 Account data (collected at signup)
| Data | Why we collect it |
|---|---|
| Full name | To identify your account |
| Email address | Account access, communications, billing |
| Password (stored as a bcrypt hash — your actual password is never stored) | Authentication |
| Shop name and URL slug | To create your store and subdomain |
| Country | To determine applicable VAT rules for your subscription |
3.2 Billing data (collected when you upgrade to a paid plan)
| Data | Why we collect it |
|---|---|
| Business legal name | Required for issuing valid invoices |
| Business address | Required for invoicing and tax compliance |
| VAT number (optional) | Determines whether EU reverse-charge VAT applies |
| Payment method (processed by Stripe — we never see your raw card details) | Subscription billing |
| Subscription history and invoices | Accounting, billing disputes, legal obligation |
3.3 Shop and platform usage data
| Data | Why we collect it |
|---|---|
| Shop configuration (theme, settings, integrations) | Operating your store |
| Products, pages, blog posts you create | Operating your store |
| Admin session tokens (short-lived, stored in Redis) | Keeping you logged in securely |
| Dashboard usage patterns (which features you use, how often) | Improving the platform |
| Email communications we send you (via AWS SES) and delivery logs | Support, compliance |
3.4 Technical and security data
| Data | Why we collect it |
|---|---|
| IP address | Security, fraud prevention, rate limiting |
| Browser and device type (user agent) | Security, debugging |
| Login attempts and admin actions (audit log) | Security, fraud detection, compliance |
| Error reports and performance traces (collected by Sentry — includes IP address, request URL, browser info, and stack traces) | Detecting and fixing crashes, platform stability |
| Referral and attribution data (URL parameters such as gclid, utm_source, utm_medium, utm_campaign) | Marketing attribution; measuring advertising effectiveness |
3.5 Support correspondence
| Data | Why we collect it |
|---|---|
| Email content and metadata for support enquiries sent to our team | Resolving your support request |
3.6 Ad platform connection data (if you use Analytics features)
If you connect your Google, Meta, or TikTok advertising accounts to the Vantemo analytics dashboard, we store:
| Data | Why we collect it |
|---|---|
| OAuth access tokens for connected ad accounts | Fetching your ad spend data to display in your dashboard |
| Ad account IDs and campaign metadata | Syncing spend data for ROI reporting |
These tokens are stored encrypted at rest (AES-256-GCM) and used solely to retrieve your own advertising data. You can disconnect any ad account at any time from your dashboard settings.
3.7 Data from Stripe Connect
If you connect Stripe to receive payouts from your store, Stripe collects and holds your bank account details, identity verification documents, and payout records directly. Vantemo stores only your Stripe account ID as a reference. Stripe's privacy policy governs that data: stripe.com/privacy.
3.8 AI-generated content data
If you use Vantemo's AI content generation features, we process:
| Data | Why we collect it |
|---|---|
| Product data, text, and images submitted for AI generation | Sent to your chosen AI provider to generate content |
| AI provider selection and model preference | Operating the AI feature |
| Token usage counts (prompt + completion tokens) | Metering against your plan allowance |
| BYOK API keys (stored AES-256-GCM encrypted) | Authenticating with the provider on your behalf |
In BYOK (Bring Your Own Key) mode, your API key is encrypted at rest and never logged in plain text. Generated content is stored as regular shop data (covered by Section 3.3).
4. Legal Basis for Processing Merchant Data
GDPR requires us to have a lawful reason — a "legal basis" — for each type of processing.
| Processing activity | Legal basis | Explanation |
|---|---|---|
| Creating and maintaining your account | Contract performance (Art. 6(1)(b)) | Necessary to provide the service you signed up for |
| Issuing invoices and billing records | Legal obligation (Art. 6(1)(c)) | Lithuanian accounting law requires financial record retention |
| Sending transactional emails (invoices, security alerts, system notifications) | Contract performance (Art. 6(1)(b)) | Part of delivering the service |
| Sending product updates, tips, and marketing communications | Legitimate interest (Art. 6(1)(f)) | We have a genuine interest in communicating with active customers about the product they use. You can unsubscribe at any time. |
| Dashboard usage analytics | Legitimate interest (Art. 6(1)(f)) | We have a genuine interest in understanding how the platform is used to improve it |
| IP address logging, rate limiting, security audit logs | Legitimate interest + Legal obligation (Art. 6(1)(f) + (c)) | Security is a recognised legitimate interest under GDPR Recital 49 |
| Error monitoring and crash reporting (Sentry) | Legitimate interest (Art. 6(1)(f)) | Platform stability and security; recognised under GDPR Recital 49 |
| Processing your payments via Stripe | Contract performance (Art. 6(1)(b)) | Necessary to operate your subscription |
| AI content generation via third-party providers | Contract performance (Art. 6(1)(b)) | Feature of the service; triggered only when you explicitly request a generation |
For all legitimate interest processing, we have conducted a balancing test confirming that our interests do not override your rights and freedoms.
5. Tracking Technologies and Cookies on Vantemo.com
5.1 Strictly necessary cookies
We set one strictly necessary cookie: session_id — a secure, httpOnly, SameSite=Lax cookie that keeps you logged in to the admin dashboard. This cookie contains no personal data and expires after 8 hours. No consent is required for this cookie as it is essential for the service to function.
We also use Sentry for error monitoring and performance tracing. Sentry collects technical telemetry (IP address, request URL, browser info, stack traces) server-side to help us detect and fix crashes. This is essential for platform stability and security, and does not set any client-side cookies.
Dashboard usage analytics (Section 3.3) is collected under legitimate interest and does not require consent. The consent banner on vantemo.com applies only to optional analytics cookies (Section 5.2).
5.2 Analytics cookies (consent required)
When you visit vantemo.com, we use PostHog (PostHog Inc., USA) for product analytics and feature adoption analysis. PostHog collects usage data to help us understand how the platform is used and improve it.
We only activate PostHog after you give your explicit consent via our cookie consent banner. You can withdraw consent at any time by clicking "Cookie Settings" in the website footer, which will reopen the consent banner.
If you decline analytics cookies, only the strictly necessary trackers described in Section 5.1 above will run.
For a full list of cookies, their names, durations, and providers, see our Cookie Policy.
5.3 Cookie consent on merchant storefronts
If you are visiting a store powered by Vantemo (not vantemo.com itself), cookie management is the responsibility of that store's owner. Please refer to that store's own cookie policy. Vantemo provides store owners with tools to implement GDPR-compliant consent banners on their storefronts.
6. Third Parties We Share Your Data With
6.1 Independent Data Controllers
These companies receive certain data and process it for their own purposes under their own privacy policies. They are not acting on our instructions.
| Company | What we share | Their privacy policy |
|---|---|---|
| Stripe Inc. | Billing data, payment processing | stripe.com/privacy |
6.2 Data Processors (Sub-processors)
These companies process data only on our instructions, under contract, and only for the purposes we specify. See our full sub-processor list for details.
| Company | Country | What they process | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (SES) | USA | Email delivery — your email address and email content | EU-US DPF + SCCs |
| Cloudflare Inc. | USA | CDN, DDoS protection — IP addresses, request metadata | EU-US DPF + SCCs |
| PostHog Inc. | USA | Product analytics data | EU-US DPF + SCCs |
| Sentry (Functional Software Inc.) | USA | Error monitoring, performance tracing — IP address, request metadata, stack traces | EU-US DPF + SCCs |
| Anthropic PBC | USA | AI content generation — text submitted for generation (Platform mode only) | SCCs |
| OpenAI Inc. | USA | AI content generation — text submitted for generation (Platform mode only) | SCCs |
| Google LLC (Gemini API) | USA | AI content generation — text and images submitted for generation (Platform mode only) | EU-US DPF + SCCs |
| Hostinger | Lithuania / EU | VPS infrastructure — all platform data | EU-based, no transfer |
In BYOK mode, data is processed under your own agreement with the provider; Vantemo does not act as a processor for that data flow.
We will notify you by email at least 30 days before adding or replacing a sub-processor. See our DPA for full details.
We do not sell your personal data to any third party. Ever.
7. International Data Transfers
Vantemo is based in Lithuania (EU) and stores its primary data on servers located within the European Union. Some of our sub-processors are based in the United States. Where personal data is transferred to the USA, we ensure adequate protection through:
- EU-US Data Privacy Framework (DPF) — where the recipient is DPF-certified (AWS, Cloudflare, Google, Stripe, PostHog, and Sentry are DPF-certified)
- Standard Contractual Clauses (SCCs) — the EU Commission's standard data transfer contracts, in place with all US sub-processors as an additional safeguard
Anthropic and OpenAI are not DPF-certified; transfers are protected by SCCs as the primary mechanism.
You can request a copy of the relevant SCCs by contacting [email protected].
8. Data Retention
We keep your data only as long as necessary.
| Data category | Retention period | Reason |
|---|---|---|
| Financial records (invoices, billing history, subscription records, order records) | 10 years from creation | Mandatory under Lithuanian accounting law (Buhalterinės apskaitos įstatymas) |
| Account and shop data (profile, shop content, configuration) | Until account deletion, then deleted within 30 days | No longer needed |
| Analytics data | 24 months from collection | Standard analytics retention |
| Admin session tokens | Until logout or session expiry (Redis TTL) | Security |
| IP address and rate-limit logs | 90 days | Security, industry standard |
| Audit logs (login attempts, admin actions) | 12 months | Security incident investigation |
| Email delivery logs | 90 days | Delivery troubleshooting |
| Error reports and performance traces (Sentry) | 90 days | Debugging, platform stability |
| AI generation logs (use case, provider, model, token count, timestamp — no prompt content) | 6 months | Debugging, billing reconciliation, EU AI Act deployer obligations |
| Marketing consent / unsubscribe records | 5 years | Proof of compliance |
| Cookie consent records | Persistent (stored locally in your browser) | Proof of consent |
| Backups containing personal data | Purged within 90 days of primary deletion or anonymisation | Backup rotation; ensures deleted data does not persist indefinitely in backups |
When you delete your account: Your personal data is anonymised or deleted within 30 days. Backups containing your deleted data are purged within 90 days of the primary deletion. Financial records required by law are retained for 10 years in anonymised form (your name and email are replaced; amounts, dates, and transaction IDs are preserved for accounting purposes only).
9. Your Rights Under GDPR
As a data subject, you have the following rights. To exercise any of them, contact [email protected]. We will respond within one month (GDPR Art. 12).
| Right | What it means |
|---|---|
| Right of access (Art. 15) | Request a copy of all personal data we hold about you |
| Right to rectification (Art. 16) | Ask us to correct inaccurate data |
| Right to erasure (Art. 17) | Ask us to delete your data (subject to legal retention obligations) |
| Right to data portability (Art. 20) | Receive your data in a machine-readable format (JSON or CSV) |
| Right to object (Art. 21) | Object to processing based on legitimate interest, including direct marketing |
| Right to restrict processing (Art. 18) | Ask us to pause processing while a dispute is resolved |
| Right to withdraw consent | Where processing is based on consent, withdraw it at any time (e.g. via cookie settings or email unsubscribe) |
Automated decision-making: We do not make solely automated decisions that produce legal or similarly significant effects on you (GDPR Art. 22). No profiling, scoring, or automated account decisions are made without human review. AI content generation features (Section 10) are tools that assist you — they do not make decisions about you or your account.
Direct marketing: You have an absolute right to object to direct marketing at any time (GDPR Art. 21(2)). We will stop immediately upon receiving your objection — no balancing test applies.
Self-service options: You can exercise your right to data portability ("Download my data") and your right to erasure ("Delete my account") directly from your admin dashboard under Settings → Privacy & Data.
If you are an end-customer of a Vantemo-powered store (not a Vantemo merchant): your rights must be exercised with the store owner, who is the Data Controller for your data. Vantemo cannot fulfil erasure or access requests for data we process only as a processor on the merchant's behalf. If the merchant is unresponsive, contact us at [email protected] and we will assist in forwarding your request.
10. Artificial Intelligence and Automated Processing
10.1 How AI features work
Vantemo includes AI-powered content generation features that help merchants create product descriptions, marketing copy, and other content. These features:
- Are merchant-initiated — you click a button to generate content; AI never runs automatically on your data
- Operate in two modes: Platform mode (uses Vantemo's API keys, subject to tier-based usage limits) and BYOK mode (uses your own API key, no platform limits)
- Send only the minimum data necessary for the specific use case to the selected AI provider
- Return generated content to your dashboard for your review before use — nothing is published automatically
- Do not include personal data (your name, email, or billing details) in AI prompts
10.2 AI providers
| Provider | What they receive | Training policy | Retention |
|---|---|---|---|
| Anthropic (Claude) | Text you submit | NOT used for training | 7 days (safety review) |
| OpenAI (GPT) | Text you submit | NOT used for training by default | 30 days (abuse monitoring) |
| Google (Gemini) | Text and images you submit | NOT used for training (paid API) | Per Google API terms |
You choose your provider in Settings → AI. You can switch at any time.
10.3 Data transfers
- Anthropic and OpenAI: Standard Contractual Clauses (not DPF-certified)
- Google: EU-US Data Privacy Framework + SCCs
See Section 7 for full details on international data transfer safeguards.
10.4 Human oversight and transparency (EU AI Act)
Vantemo is a "deployer" under Regulation (EU) 2024/1689 (the EU AI Act).
- All AI-generated output requires merchant review before publication
- AI generation logs are retained for 6 months (see Section 8)
- Merchants are responsible for downstream disclosure to their own customers where required by applicable law
10.5 What AI features do NOT do
- No automated account decisions — AI is never used to determine pricing, access levels, or account suspension
- No merchant profiling — we do not use AI to profile or score merchants
- No training on your data — providers do not use your submitted content for model training
- No indefinite retention — providers do not retain your data beyond the stated safety/abuse monitoring periods
11. United States Regional Privacy Notice
11.1 Scope
This section provides additional disclosures required under US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and similar state laws. This section applies if you are a US resident.
11.2 Categories of personal information
We collect the categories of personal information described in Section 3, which map to the following CCPA categories: identifiers (name, email, IP address), commercial information (billing and subscription data), internet or electronic network activity (usage data, error logs), and professional or employment-related information (business details provided at signup).
11.3 Sale and sharing
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. We have not sold or shared personal information in the preceding 12 months.
11.4 Your rights under US state laws
| Right | Description |
|---|---|
| Right to know | Request disclosure of what personal information we collect, use, and disclose |
| Right to delete | Request deletion of your personal information |
| Right to correct | Request correction of inaccurate personal information |
| Right to opt out of sale/sharing | We do not sell or share your data, but you may still exercise this right |
| Non-discrimination | We will not discriminate against you for exercising your privacy rights |
To exercise these rights, contact [email protected]. We will respond within 45 days as required by applicable law.
11.5 Global Privacy Control
We honour Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we treat it as a valid opt-out request under applicable US state privacy laws.
11.6 Service provider role
For end-customer data processed on behalf of merchants, Vantemo acts as a "service provider" (as defined by CCPA). See Section 2 for details on our controller/processor roles.
11.7 Authorized agents
You may designate an authorized agent to submit privacy requests on your behalf. We may require verification of the agent's authority before processing the request.
12. Children
Vantemo is a business platform. Merchant accounts are restricted to individuals aged 18 or over. We do not knowingly collect personal data from anyone under 18.
If you are aware that a person under 18 has created a Vantemo merchant account, please contact [email protected] and we will delete the account.
Regarding end-customers of merchant storefronts: merchants are prohibited under our Terms of Service from knowingly collecting personal data from individuals under 16 without implementing appropriate parental consent mechanisms. Vantemo is not responsible for a merchant's compliance with this obligation.
13. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Passwords stored as bcrypt hashes — never in plain text
- httpOnly, Secure, SameSite session cookies — not accessible to JavaScript
- Rate limiting and brute-force protection on all authentication endpoints
- Audit logging of all administrative actions
- Regular security reviews
- Access controls limiting data access to authorised personnel only
No system is perfectly secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Lithuanian State Data Protection Inspectorate (VDAI) within 72 hours and notify you without undue delay. If a data breach originates at one of our sub-processors, we will notify you as soon as we are informed and cooperate fully in mitigation.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The "Last updated" date at the top of this page will change
- For significant changes, we will notify you by email at least 30 days before the change takes effect
- Previous versions are available on request — email [email protected]
If a change materially affects how we process your personal data, we will seek your explicit consent where required by law before that change takes effect.
15. Complaints
If you believe we have handled your personal data incorrectly, please contact us first at [email protected]. We will do our best to resolve your concern within one month.
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority:
Lithuanian State Data Protection Inspectorate (VDAI)
A. Juozapavičiaus g. 6, LT-09310 Vilnius
[email protected]
www.vdai.lrv.lt
If you are located in another EU/EEA country, you may also contact your local DPA.
16. Contact
Inovacijų dialogas, MB (trading as Vantemo)
P. Vileišio g. 15-25, LT-10306 Vilnius, Lithuania
[email protected]