Data Protection & Privacy Policy
Effective Date: February 15, 2026
1. Introduction
Vane Loop Research Inc. ("Vane Loop"), a Delaware C-Corporation, is committed to protecting your data. This Policy describes how we collect, use, store, share, and protect information when you use vaneloop.com and our platform (the "Service").
The Service is a business-to-business (B2B) product offered exclusively for professional and commercial use. This Policy applies to all users, including website visitors and subscribers across all tiers. It should be read together with our Terms of Service, Cookie Policy, and AUP.
2. Data Controller
Data controller: Vane Loop Research Inc., Delaware, USA. Email: privacy@vaneloop.com.
EU representative (GDPR Art. 27): Designated through our regional reseller network. Details at vaneloop.com/legal/eu-representative.
3. Applicable Laws
This Policy complies with: GDPR (EU 2016/679); CCPA/CPRA (California); Delaware DPDPA; other U.S. state comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Iowa, Tennessee, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, and others as enacted); UK GDPR and Data Protection Act 2018; Swiss FADP; Canadian PIPEDA; and the EU AI Act (Regulation (EU) 2024/1689) transparency requirements. We apply the highest applicable standard.
4. Data We Collect
| Data Category | Examples | Legal Basis (GDPR) | Retention |
|---|---|---|---|
| Account Data | Name, email, company, role, country | Contract (Art. 6(1)(b)) | Account duration + 30 days |
| Usage Data | Features used, query counts, sessions | Legitimate interest (Art. 6(1)(f)) | 24 months |
| AI Query Data | Prompts, responses, context | Contract (Art. 6(1)(b)) | Account duration + 30 days |
| Billing Data | Payment method, invoices, VAT ID | Legal obligation (Art. 6(1)(c)) | 7 years (tax) |
| Benchmark Data | Anonymized bucketed aggregates | Contract (Starter) / Legitimate interest (other) | Indefinite (anonymized) |
| Technical Data | IP, browser, device, OS | Legitimate interest (Art. 6(1)(f)) | 12 months |
| Cookie Data | Session tokens, preferences, analytics | Consent (Art. 6(1)(a)) | See Cookie Policy |
4.1 Automatically Collected Data
We use Google Firebase Analytics for product analytics. Firebase collects device identifiers, session data, and usage events. Firebase is provided by Google LLC, which participates in the EU-US Data Privacy Framework. We configure Firebase with IP anonymization enabled, advertising features disabled, and minimal data collection. See Cookie Policy for specifics.
4.2 Data You Provide
Information provided during registration, subscription, AI queries, portfolio configuration, and support interactions.
4.3 AI Query Data
AI prompts and responses are processed solely to deliver functionality and improve the Service. Individual query content is never shared with other users, included in benchmarks, or used to train third-party AI models. In compliance with EU AI Act Article 50, the Service clearly discloses AI interaction in the UI, our Terms of Service, and this Policy.
5. How We Use Your Data
Purposes: (a) provide and improve the Service; (b) process payments (via Stripe) and manage subscriptions, including VAT calculation; (c) generate anonymized benchmarks per Section 6; (d) account and service communications; (e) marketing (consent-based only); (f) fraud prevention; (g) legal compliance; (h) Terms enforcement.
6. Benchmark Data Contribution
The Vane Loop Benchmark Index uses anonymized, bucketed aggregate data. The following is never contributed: personal or identifiable data; free-text or query content; exact numerical values; company names or identifiers; proprietary documents.
Freemium & Starter: Bucketed aggregates only (broad industry category, company size range, country, maturity score bands, use-case counts). No opt-out; participation is integral to these tiers (Starter legal basis: contract performance, Art. 6(1)(b)).
Pro & Pro/Team: Detailed contribution by default. Opt-out via account settings reduces to basic bucketed aggregates. Legal basis: legitimate interest (Art. 6(1)(f)), subject to Art. 21 right to object.
Enterprise: Fully excluded from all data sharing.
On-Premise Customers: No data leaves the Customer's infrastructure. Benchmark features operate on local data only.
7. Third-Party Sharing
We share data with: (a) sub-processors (Section 8); (b) Stripe for payment processing; (c) law enforcement when legally required; (d) professional advisors under confidentiality; (e) successor entities in M&A, with equivalent protections. We do not sell personal data.
8. Sub-Processors and Regional Hosting
| Sub-Processor | Region | Purpose | Data Processed |
|---|---|---|---|
| Google LLC (Firebase, Workspace) | US / EU (DPF certified) | Analytics, auth, infrastructure | Usage, technical, account data |
| Regional Reseller (DACH) | AT / DE / CH | Regional hosting & processing | All data for DACH users |
| Regional Reseller (North America) | US / CA | Regional hosting & processing | All data for NA users |
| Stripe, Inc. | US / EU | Payment processing | Billing data only |
| Email Service Provider | US / EU | Transactional emails | Email, name |
Full list at vaneloop.com/legal/sub-processors. Thirty (30) days' notice for material changes.
9. International Transfers
Transfers from EEA/UK/Switzerland rely on: EU-US Data Privacy Framework (Google, Stripe); Standard Contractual Clauses (SCCs Module 2); and supplementary measures. Regional hosting keeps data in-jurisdiction where applicable. On-premise Enterprise deployments involve no international transfers.
10. Data Security
Measures include: AES-256 encryption at rest, TLS 1.2+ in transit; RBAC with least privilege; regular vulnerability assessments; 72-hour breach notification (GDPR); employee training; secure SDLC. See vaneloop.com/security for details.
11. Your Rights
Access: Request a copy of your data (GDPR Art. 15, CCPA, DPDPA).
Rectification: Correct inaccurate data (Art. 16).
Erasure: Request deletion (Art. 17, CCPA, DPDPA), subject to legal retention.
Restriction: Restrict processing (Art. 18).
Portability: Export in machine-readable format (Art. 20, EU Data Act). Built-in Excel/CSV export available.
Object: Object to legitimate-interest processing including benchmarks (Art. 21). Pro & Pro/Team: use the opt-out mechanism.
Automated Decisions: AI features support but do not replace human decisions. Where outputs could constitute automated decisions with significant effects, you may request human review (Art. 22). Contact privacy@vaneloop.com.
U.S. State Rights: Know, delete, correct, opt out of targeted advertising (we do not engage in this), non-discrimination.
Contact: privacy@vaneloop.com. Response within 30 days or as required by law.
12. Data Retention
Retention periods per Section 4 table. Post-termination: 30 days for export, then deletion. Anonymized benchmark data retained indefinitely.
13. Children's Privacy
Not directed at individuals under 18. No knowing collection from minors.
14. Changes
Material changes notified 30 days in advance. Continued use constitutes acceptance.
15. Supervisory Authorities
EEA/UK: local DPA (Österreichische Datenschutzbehörde for Austria). California: CPPA.
16. Contact
Vane Loop Research Inc.
Email: privacy@vaneloop.com
Website: vaneloop.com
EU Representative: vaneloop.com/legal/eu-representative
Sub-Processors: vaneloop.com/legal/sub-processors