Privacy Policy

At Vantacron, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and Swedish data protection laws.

1. Data Controller

Simon Kjellner EF

Organization Number: 060630-7254VAT Number: SE060630725401Address: Timmergränd 1, 549 63 Skövde, SwedenEmail: [email protected]Phone: +46 76 145 15 98

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data protection laws.

2. Personal Data We Collect

Account Information

When you create an account, we collect:

Full name
Email address
Company name (optional)
Password (stored encrypted)

Payment Information

Payment processing is handled by Stripe. We do not store your credit card details. Stripe may collect payment card numbers, billing addresses, and transaction history. Please refer to Stripe's Privacy Policy for details.

Usage Data

We automatically collect:

IP address
Browser type and version
Operating system
Pages visited and features used
Date and time of access
Referring website

Website Analysis Data

When you use our SEO analysis features, we process:

URLs and domains you choose to analyze
Website content accessible through crawling
Technical SEO data from your websites
Analysis results and reports generated

Integration Data

If you connect third-party services, we may access:

Google Search Console data (search performance, indexing status)
Google Analytics data (traffic, user behavior)

You can disconnect these integrations at any time from your account settings.

Marketing Prospect Data

For our B2B cold-outreach program we process business contact details (name, job title, company, business email and website) obtained from providers such as Apollo.io and public sources, together with an automated SEO audit of the website. If you received an outreach email from us, please see our dedicated Prospect Privacy Notice, which explains how we obtained your data, our legal basis, and how to opt out.

Incidental Data in Crawled Pages

When you ask us to analyze a website, our crawler accesses publicly available pages, which may incidentally contain personal data (for example, author names or contact emails published on the page). We process this only to produce the SEO analysis you requested.

Refund and Fraud Prevention Data

When you submit a refund claim under our 5-hour money-back guarantee, we process additional data to verify the claim and prevent systematic abuse of the guarantee. The legal basis is our legitimate interest in preventing fraud (GDPR Article 6(1)(f)). The data we process includes:

The email address associated with your claim and the claim timestamp
IP address and user agent of the device used to submit the claim
A payment-method fingerprint token returned by Stripe (this identifies the card used, not the card number itself)
The claim decision (approved or denied) and the reason if denied

The fingerprint token is checked against the tokens of other accounts that have received a refund in the last 12 months, so that a second account using the same card cannot claim the guarantee. Stripe acts as the data processor for the fingerprint. See our Refund Policy for the full terms.

3. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b))

Processing necessary to provide our services, including account creation, website analysis, and customer support.

Legitimate Interest (Article 6(1)(f))

Processing for security, fraud prevention, service improvement, and analytics to enhance user experience.

Consent (Article 6(1)(a))

Where we send marketing communications or process optional data, we rely on your explicit consent which you can withdraw at any time.

Legal Obligation (Article 6(1)(c))

Processing required to comply with Swedish tax law, accounting requirements, and legal requests from authorities.

4. Third-Party Data Processors

We work with trusted third-party service providers who process data on our behalf. All processors are bound by data processing agreements that ensure GDPR compliance.

Service	Purpose	Location
Hetzner	Server, database and file storage (self-hosted)	EU (Germany)
Stripe	Payment processing	US (EU–US DPF)
Whop	Alternative payment processing	US (SCCs)
Google	Search Console/Analytics integrations, analytics, ads, AI (Gemini), PageSpeed	US (EU–US DPF)
Meta	Advertising measurement (Pixel + Conversions API), only with your consent	US (EU–US DPF)
OpenAI	AI action plans, chat, and outreach personalization	US (SCCs)
Anthropic	AI content and analysis	US (SCCs)
Mistral AI	AI citation analysis	EU (France)
Resend	Transactional and marketing email delivery	US (SCCs)
Cloudflare	Bot/spam protection (Turnstile) and network/CDN	US/global (EU–US DPF)
DataForSEO	SEO, backlink and keyword data	US (SCCs)
Apollo.io	B2B prospect sourcing for cold outreach	US (SCCs)
Instantly.ai	Cold-outreach email delivery	US (SCCs)

We keep an up-to-date list of all sub-processors on our Sub-processors page. Transfers to providers outside the EEA rely on the EU–US Data Privacy Framework where the recipient is certified, and on EU Standard Contractual Clauses (SCCs) with supplementary safeguards otherwise.

Data Processing Agreement (DPA): Business customers can review and request our standard DPA on the DPA page or by contacting [email protected].

5. International Data Transfers

Primary Storage: Your data is primarily stored within the European Union (EU).

Transfers Outside EU: Some of our service providers (Stripe, Google) are based in the United States. These transfers are protected by:

EU-US Data Privacy Framework (DPF) certification
Standard Contractual Clauses (SCCs) approved by the European Commission
Additional technical and organizational safeguards

6. Data Retention

Active Accounts

Data is retained for as long as your account remains active.

Deleted Accounts

When you delete your account, your personal data is erased within 90 days, except records we are legally required to keep (see Payment Records below) and minimal data needed to establish or defend legal claims.

Marketing Prospects (Outreach)

Business contact data used for cold outreach is kept for up to 12 months from last contact. If you opt out, your address is kept permanently on a suppression list so we never contact you again.

Payment Records

Transaction records are retained for 7 years as required by Swedish accounting law (Bokforingslagen).

Server Logs

Technical logs are automatically deleted after 90 days.

Refund Claims and Fraud Prevention

If you submit a refund claim, the claim record, the claim decision, the IP and user agent of the device used to submit, and the payment-method fingerprint token are retained for 12 months from the date of the claim, then deleted. If the claim was denied, only the fingerprint token and the denial reason are retained beyond the claim window, for the purpose of enforcing the four anti-abuse rules in our Refund Policy.

7. Your Rights Under GDPR

Under the General Data Protection Regulation (Articles 15-22), you have the following rights:

Right of Access: Request a copy of all personal data we hold about you.

Right to Rectification: Request correction of inaccurate or incomplete personal data.

Right to Erasure: Request deletion of your personal data ('right to be forgotten').

Right to Restrict Processing: Request limitation of how we process your data.

Right to Data Portability: Receive your data in a structured, machine-readable format.

Right to Object: Object to processing based on legitimate interest or for direct marketing.

Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

How to Exercise Your Rights

You can exercise most of these rights directly through your Vantacron account:

Data Export: Request a full export of your data from Account Settings > Privacy > Export Data
Account Deletion: Delete your account from Account Settings > Privacy > Delete Account
Data Summary: View a summary of all data we store about you in Account Settings > Privacy

For other requests or assistance, contact us at [email protected]. We will respond within 30 days as required by GDPR.

Right to Lodge a Complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)

Box 8114, 104 20 Stockholm, Sweden

Website: www.imy.se

8. Cookies

Essential Cookies

These cookies are strictly necessary for the operation of our platform and are always active:

Session cookies: To keep you logged in during your visit
Authentication tokens: To securely verify your identity
Security cookies: To protect against cross-site request forgery
Cookie consent preference: To remember your cookie choices

Analytics & Advertising Cookies

With your consent, we use the following third-party cookies and tracking technologies to understand how our site is used and to measure the effectiveness of our advertising:

Google Analytics (GA4): Measures website traffic, user behavior, and engagement to help us improve our services
Google Ads: Tracks conversions from our advertising campaigns
Meta Pixel: Measures effectiveness of advertising on Meta platforms (Facebook, Instagram)

Your Cookie Choices

When you first visit our website, a cookie consent banner asks for your permission. Analytics and advertising cookies (and the Meta Pixel and Google tags) load only after you click "Accept all". Nothing non-essential runs if you choose "Essential only". You can change or withdraw your consent at any time using the "Cookie settings" link in our website footer. For full details, including a table of the cookies we use, see our Cookie Policy.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Encryption of data in transit (TLS/SSL) and at rest
Secure password hashing using industry-standard algorithms
Regular security assessments and updates
Access controls limiting data access to authorized personnel
Infrastructure hosted on secure, certified platforms

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the supervisory authority within 72 hours as required by GDPR Article 33.

10. Children's Privacy

Vantacron is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected], and we will promptly delete the information.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes that affect how we process your personal data, we will:

Notify you via email at least 30 days before the changes take effect
Update the "Last updated" date at the top of this policy
Provide a summary of key changes

We encourage you to review this policy periodically to stay informed about how we protect your data.

12. Contact Information

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or have concerns about how we handle your data, please contact us: