Legal
GDPR Rights
Last updated: June 2026
This page sets out the rights available to individuals located in the European Union and European Economic Area ("EU/EEA") under the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Vantro Pty Ltd is committed to processing your personal data lawfully, fairly, and transparently in accordance with the GDPR.
1. Applicability
The rights and information described on this page apply to individuals who reside in the EU or EEA and whose personal data is processed by Vantro. If you are not located in the EU/EEA, please refer to our general Privacy Policy for information about how we handle personal data globally.
For the purposes of the GDPR, Vantro Pty Ltd acts as the data controller with respect to personal data collected from EU/EEA residents who use Vantro.ai.
2. Lawful Basis for Processing
We only process your personal data where we have a valid lawful basis to do so. Depending on the context, we rely on one or more of the following legal bases under Article 6 of the GDPR:
Contractual Necessity
Processing is necessary to perform our contract with you — for example, to create and manage your account, process payments, provide access to AI agents, and deliver the services you have subscribed to.
Legitimate Interests
We process certain data where it is in our legitimate interests and those interests are not overridden by your rights — for example, to improve the platform, detect fraud and abuse, and conduct internal analytics.
Legal Obligation
We may process data where required by applicable law — for example, to comply with tax regulations, respond to lawful requests by public authorities, or retain transaction records.
Consent
Where we rely on consent — for example, for marketing emails or optional analytics cookies — you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
3. Your Rights Under the GDPR
As a data subject under the GDPR, you have the following rights in relation to your personal data:
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed.
Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected without undue delay. You may also request that incomplete data be completed, including by providing a supplementary statement.
Right to Erasure (Art. 17)
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, you withdraw consent (where consent is the basis), or you object to processing and there are no overriding legitimate grounds, among other circumstances.
Right to Data Portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.
Right to Object (Art. 21)
You have the right to object to processing of your personal data based on our legitimate interests, including profiling based on those interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for the establishment or defence of legal claims.
Right to Restriction (Art. 18)
You have the right to request that we restrict processing of your personal data in certain circumstances — for example, where you contest the accuracy of the data or have objected to processing pending verification of our legitimate grounds.
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 4 below. We will respond to all verifiable requests within 30 days. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you promptly.
4. Data Protection Officer
We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing compliance with this policy and the GDPR. If you have any questions about how we handle your personal data, wish to exercise your rights, or have a concern about our data practices, please contact our DPO:
Data Protection Officer — Vantro Pty Ltd
Email: dpo@vantro.ai
Please include "GDPR Rights Request" in the subject line of your email.
5. International Data Transfers
Vantro Pty Ltd is incorporated in Australia. When we transfer personal data from the EU/EEA to Australia or other third countries, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions — Australia has frameworks that align with GDPR principles, and we rely on SCCs where an adequacy decision is not yet in effect.
- Binding Corporate Rules or other approved transfer mechanisms where applicable.
You may request a copy of the relevant transfer mechanism by contacting our DPO at dpo@vantro.ai.
6. Right to Complain to a Supervisory Authority
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may do so in the EU/EEA member state where you reside, where you work, or where the alleged infringement took place.
A list of EU supervisory authorities and their contact details is available on the European Data Protection Board (EDPB) website at www.edpb.europa.eu.
We would, however, welcome the opportunity to address your concerns directly before you approach a supervisory authority. Please contact our DPO in the first instance.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. When determining the appropriate retention period, we consider the amount and sensitivity of the data, the potential risk of harm from unauthorised use, the purposes for which we process it, and whether those purposes can be achieved by other means.
Upon account closure, we will delete or anonymise your personal data within 90 days, except where we are required to retain it to comply with a legal obligation, resolve disputes, or enforce our agreements.
8. Contact
For all GDPR-related enquiries, to exercise your rights, or for any questions about our data protection practices, please contact: