Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Vanaheim SRL (“Lambda,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you visit our corporate website at vanaheim.io, our product website at onlambda.com, or use the Lambda platform. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679), Romanian Law 190/2018 implementing the GDPR, and all other applicable data protection legislation.

1. Data Controller

The data controller responsible for your personal data is:

Vanaheim SRL
Romania, European Union
Corporate website: vanaheim.io
Product website: onlambda.com
Email: [email protected]

The competent supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP — anspdcp.ro).

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information (Business Customers)

• Name, email address, phone number of business staff and administrators
• Business name, address, and business details
• Billing details (subscription plan, invoice records). Payment-method data (card number, CVC, expiry) is collected and held by our payment processor Stripe; we only store a Stripe customer/subscription identifier on our systems.
• Login credentials (passwords are stored as hashed values only)

2.2 Customer Data (Processed on Behalf of Businesses)

When businesses use Lambda to communicate with their customers via WhatsApp or the web assistant, we process customer data as a data processor on behalf of the business (who acts as the data controller). This may include:

• Customer name, phone number, and email address
• Appointment details (date, time, service type)
• Conversation content exchanged via WhatsApp or the web assistant
• Customer intake form responses (relevant details, reason for visit, and other information as provided by the customer)

Important: The business is the data controller for all customer data. The business is responsible for obtaining appropriate customer consent, providing privacy notices to customers, and ensuring a lawful basis for processing customer data. Lambda processes this data only according to the business’s instructions and in accordance with our Data Processing Agreement (DPA).

2.3 Website Usage Data

• IP address (anonymized for analytics)
• Browser type and version, operating system
• Pages visited, time spent, referral source
• Cookies and similar technologies (see our Cookie Policy)

2.4 Demo Request and Contact Form Data

• Name, email, phone number, business name, business size
• Any additional information you provide in the message field

3. How We Use Your Data

We process personal data for the following purposes and on the following legal bases:

• Providing and maintaining our services — Performance of contract (Art. 6(1)(b))
• Processing customer data on behalf of businesses — Performance of contract / Data Processing Agreement (Art. 6(1)(b), Art. 28)
• Responding to demo requests and inquiries — Legitimate interest (Art. 6(1)(f)) / Pre-contractual measures (Art. 6(1)(b))
• Billing and payment processing — Performance of contract (Art. 6(1)(b))
• Website analytics (with consent) — Consent (Art. 6(1)(a))
• Ensuring website security — Legitimate interest (Art. 6(1)(f))
• Complying with legal obligations (e.g., tax, accounting) — Legal obligation (Art. 6(1)(c))

4. WhatsApp Data Flows

Lambda integrates with the Meta Business API (WhatsApp Business Platform) to enable businesses to communicate with their customers via WhatsApp. The data flow works as follows:

• The business is the data controller for all WhatsApp conversations with customers.
• Lambda (Vanaheim SRL) acts as the data processor, processing messages on behalf of the business.
• Meta Platforms Ireland Limited acts as a separate data controller/processor for the WhatsApp platform infrastructure, subject to Meta’s own terms and policies.
• Message content is transmitted via Meta’s WhatsApp Business API and processed by Lambda’s AI systems hosted on Microsoft Azure EU data centers.
• We do not sell, share, or use customer WhatsApp data for advertising, profiling, or any purpose other than providing the service to the business.

5. Data Retention

• Account data: Retained for the duration of the contractual relationship plus 5 years for legal and accounting purposes as required by Romanian fiscal legislation.
• Customer data (processed on behalf of businesses): Retained according to the business’s instructions and our Data Processing Agreement. Upon termination of the contract, customer data is deleted or returned to the business within 30 days, unless retention is required by law.
• Website analytics data: Anonymized and retained for up to 26 months.
• Demo request data: Retained for up to 12 months from the date of the request, or until you ask us to delete it.
• Billing records: Retained for 10 years as required by Romanian fiscal and accounting regulations.

6. Your Rights

Under GDPR and Romanian Law 190/2018, you have the following rights regarding your personal data:

• Right of access (Art. 15) — Obtain confirmation of whether we process your data and request a copy.
• Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17) — Request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
• Right to restriction of processing (Art. 18) — Request limitation of processing in certain circumstances.
• Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — Object to processing based on legitimate interest, including direct marketing.
• Right not to be subject to automated decision-making (Art. 22) — Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
• Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint — File a complaint with the ANSPDCP (anspdcp.ro) or any EU supervisory authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Note for customers: If you are a customer of a business using Lambda, please direct your data access, rectification, or deletion requests to the business first, as they are the data controller for your data. We will cooperate with the business to fulfill your request.

7. International Data Transfers

Your personal data is processed and stored within the European Union. Our primary infrastructure is hosted on Microsoft Azure EU data centers (West Europe region — Netherlands).

We do not transfer personal data outside the EU/EEA unless:

• The transfer is covered by an adequacy decision of the European Commission (Art. 45 GDPR).
• Appropriate safeguards are in place, such as Standard Contractual Clauses (Art. 46(2)(c) GDPR).

In the limited case of WhatsApp message delivery, Meta may process certain metadata in accordance with Meta’s own data transfer mechanisms and compliance with GDPR.

8. Sub-processors

We use the following sub-processors to deliver our services:

• Microsoft Azure — Cloud infrastructure, hosting, and AI processing (EU West Europe — Netherlands)
• Meta Platforms / WhatsApp — WhatsApp Business API messaging infrastructure (EU Ireland / Global)
• Cloudflare — CDN, DDoS protection, and website security (Global with EU-preferred routing)
• Stripe, Inc. / Stripe Payments Europe, Ltd. — Payment processing for subscriptions. Stripe receives your billing name, email, and payment-method details directly; Vanaheim SRL never stores full card numbers or CVC codes. Stripe is a PCI-DSS Level 1 certified processor. See stripe.com/privacy.
• DeepL SE — Machine translation for marketing content (Germany, EU). No customer data is sent to DeepL.

We maintain Data Processing Agreements with all sub-processors in accordance with Art. 28 GDPR.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication mechanisms
• Regular security assessments and vulnerability scanning
• Employee data protection training
• Incident response and breach notification procedures

10. Children’s Data

Lambda’s services are designed for use by businesses (B2B). We do not knowingly collect personal data directly from individuals under the age of 16. Where a business processes data related to minors, the business is responsible for ensuring appropriate parental consent as required by GDPR Art. 8 and Romanian Law 190/2018.

11. Cookies

Our website uses cookies. For detailed information about the cookies we use and your choices, please see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top of this page indicates the most recent revision.

13. Contact Us

If you have any questions about this Privacy Policy or your personal data, contact us at:

Vanaheim SRL
Romania, European Union
Corporate website: vanaheim.io
Product website: onlambda.com
Email: [email protected]
Privacy questions: [email protected]

You also have the right to lodge a complaint with the Romanian supervisory authority:

ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
Website: anspdcp.ro