Privacy Policy
Last updated: 2026-05-30 · pursuant to Art. 13 GDPR.
1. Controller
The controller responsible for data processing on this website is:
Milan HahnUmgehungsstraße 47
35043 Marburg
Germany
Email: info@vantom.pro
No data protection officer has been appointed — the statutory thresholds under Art. 37 GDPR are not met.
2. Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
The competent supervisory authority is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany — datenschutz.hessen.de.
3. Hosting (Website)
The website is hosted by Vercel Inc. (USA, with edge locations in the EU). When the website is accessed, Vercel processes technically required data (IP address, user agent, timestamp) to deliver the page. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functional, secure web offering). A data processing agreement (DPA) with Vercel is in place.
4. Cookies and Local Storage
We use exclusively technically necessary browser storage to remember features such as theme selection (light/dark) and accent colour. No tracking takes place.
| Name | Purpose | Duration |
|---|---|---|
vantom-landing-mode | Stores the selected colour scheme (light/dark) | persistent (LocalStorage) |
vantom-landing-accent | Stores the selected accent colour | persistent (LocalStorage) |
v-intro-played | Prevents the logo sound from replaying | Session |
5. Newsletter / Waitlist Sign-up
If you sign up for the Vantom waitlist on this website, we process your email address to send a one-time confirmation email (double opt-in) and — after confirmation — occasional updates around the product launch.
Which data
- Your email address (entered by you)
- Timestamp of sign-up and of confirmation
- A technical hash of your IP address (SHA-256, truncated to 16 hex characters) — used solely to protect against bulk sign-ups / spam bots. The raw IP is never stored.
Legal basis
Art. 6(1)(a) GDPR (consent). You actively enter your email address and confirm the sign-up by clicking the confirmation link in the confirmation email. No further email is sent before confirmation.
Processors
- Vercel Inc. (USA, with function execution in the EU / Frankfurt
fra1) — processes the sign-up request. DPA in place. - Upstash, Inc. (USA, with data residency in the EU / Ireland) — stores only the hashed IP value + counter for the rate-limit logic. No email addresses. DPA in place.
- Resend, Inc. (USA, with sending region EU / Ireland) — sends the confirmation and welcome email and stores your contact data as a recipient. DPA in place.
Retention
Your email address remains stored at Resend until you unsubscribe (unsubscribe link in every email) or request deletion. The IP hash at Upstash expires automatically after a maximum of 1 hour (rate-limit window).
Withdrawal
You can withdraw your consent at any time — by clicking the unsubscribe link in any of our emails or informally by email to info@vantom.pro. Unsubscribing does not affect the lawfulness of processing carried out before the withdrawal.
6. Processing within the Vantom App
The Vantom Producer Suite (desktop application) processes personal data only when you actively sign in or use cloud features. In detail:
Authentication (Firebase Auth)
On optional login: email address and user ID. Provider: Google LLC (USA), DPA in place. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Project metadata (Firestore, EU region)
Tags, notes and subscription status are stored in Firestore (region europe-west).
Audio content does not leave your device. Provider: Google LLC, DPA in place.
Payment processing (Lemon Squeezy)
Lemon Squeezy LLC (USA) acts as Merchant of Record and is the contractual partner for the purchase. Name, email address and payment data are processed. The Lemon Squeezy Privacy Policy applies in addition. Legal basis: Art. 6(1)(b) GDPR.
Cloud sync (Google Drive · Dropbox · SoundCloud)
These connections are initiated exclusively and actively by you (OAuth). The tokens are stored encrypted locally on your device and are not transmitted to our servers. Legal basis: Art. 6(1)(a) GDPR (consent), revocable in the app settings.
No device identifier / no device fingerprint
The Vantom Producer Suite does not generate or process any device- or hardware-based identifier (e.g. hardware fingerprint or device hash). Your subscription and trial status is managed exclusively via your user account and the subscription held at Lemon Squeezy, not via a characteristic bound to your device.
7. Third-Country Transfers
Where data is transferred to the USA (Firebase, Lemon Squeezy, Vercel, Upstash, Resend), this is done
on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR or under the EU-U.S. Data
Privacy Framework, where the respective provider is certified. The actual processing of your
newsletter data takes place exclusively in the EU (Vercel fra1 Frankfurt, Upstash
eu-west-1 Ireland, Resend eu-west-1 Ireland).
8. Retention Period
We store your personal data only for as long as necessary to fulfil the stated purposes or as required by statutory retention obligations (e.g. 6 years under commercial law, 10 years under tax law).
9. Changes to this Privacy Policy
We reserve the right to adapt this Privacy Policy if technical or legal conditions change. The current version is always available on this page. In the event of material changes, we will inform active users by email.