Privacy Policy
This Privacy Policy describes how Davide Virdis ("we", "us", or "the Controller"), operating the VAINOM project, collects, uses, and protects personal data of users of the VAINOM software (Windows desktop application and Android companion app) and of the website vainom.com.
This Policy is issued in compliance with Regulation (EU) 2016/679 (GDPR) and applicable Italian data protection legislation (Legislative Decree 196/2003 as amended).
Contact for privacy-related matters: privacy@vainom.com
1. Data Controller
The Data Controller is Davide Virdis, an individual operating the VAINOM project, reachable at privacy@vainom.com.
At present, based on the current processing activities described in this Policy, we do not believe the appointment of a Data Protection Officer (DPO) is mandatory under Article 37 GDPR. Users may contact the Controller directly for any privacy-related request through the contact address above. We will reassess this position if the nature, scope, or scale of processing activities changes in the future.
2. Core Privacy Principle: Local-First, Zero-Cloud
VAINOM is designed as local-first software. This means:
- The VAINOM desktop application (.exe) runs entirely on the user's computer.
- Conversations, cognitive memory, documents, calendar data, and any content processed by the AI assistant remain on the user's local device.
- We do not operate any server that collects, processes, or stores user content.
- We do not use analytics, telemetry, crash reporting, or any third-party SDK that transmits data about your usage of the Software.
The only processing of personal data by us occurs in the limited cases described in the following sections.
3. Data We Process
3.1 Email Correspondence
When a user writes to hello@vainom.com or privacy@vainom.com, we process the content of the message and the sender's email address for the sole purpose of responding.
Legal basis: legitimate interest in responding to communications received (Art. 6(1)(f) GDPR), or performance of a pre-contractual request (Art. 6(1)(b) GDPR) where applicable.
Retention: for the time necessary to handle the request, and subsequently archived for a reasonable period for the management of any follow-up.
Email provider: we use Cloudflare Email Routing (Cloudflare, Inc.) to route emails sent to @vainom.com addresses to our personal inbox. Cloudflare acts as a data processor under Art. 28 GDPR. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.
3.2 Website vainom.com
The website is hosted on Cloudflare Pages (Cloudflare, Inc.). Cloudflare may collect, for security and anti-abuse purposes, basic technical data such as IP addresses, user-agent, and access timestamps, in accordance with its own privacy policy available at cloudflare.com/privacypolicy.
The website does not use its own analytics, profiling cookies, or advertising trackers. Any technical cookies strictly necessary for the operation of the site (e.g., Cloudflare security cookies) do not require prior consent under Art. 122 of the Italian Privacy Code and the Italian Data Protection Authority's guidelines on cookies and other tracking tools of 10 June 2021.
The website does not operate any mailing list, newsletter subscription, or other form of automated communication collection.
3.3 VAINOM Desktop Software (.exe)
The VAINOM desktop software does NOT transmit personal data to us or to third parties for tracking, telemetry, analytics, or crash reporting purposes. Specifically:
- All conversations with the AI assistant are processed locally on the user's computer.
- Cognitive memory and indexed documents are stored locally on the user's computer.
- AI models run locally via the integrated INFEROX runtime.
- No telemetry, analytics, crash reporting, or external SDKs are included.
AI Model Download (with explicit consent): On first launch, the Software displays a dedicated "Initial setup" dialog informing the user that VAINOM can download the default embedding model (bge-m3, approximately 1.16 GB) and the default chat model (Gemma 4 E4B, approximately 5.48 GB) from the Hugging Face public repository (huggingface.co). The user can either authorize the download by clicking "Download", or skip it by clicking "Close" and place their own GGUF model files in the models directory.
When the user authorizes the download, the Software establishes an HTTPS connection to huggingface.co. As part of standard HTTP communication, Hugging Face may receive the user's IP address, user-agent string, and technical request metadata, as described in Hugging Face's privacy policy (huggingface.co/privacy). No additional personal data is transmitted by VAINOM. We do not receive any data from this operation.
Peer-to-Peer Messaging (planned feature, NOT active in the current beta release): The Software contains residual code for a future end-to-end encrypted peer-to-peer messaging feature ("VAINOM Messenger"). This feature is currently not exposed in the user interface and cannot be activated by the user in the current beta release. No peer-to-peer communication occurs. When and if this feature is enabled in a future release, this Privacy Policy will be updated accordingly to describe the relevant processing.
3.4 VAINOM Android App (.apk)
The VAINOM Android app does NOT make any connection to our servers or to third-party services for tracking, telemetry, analytics, or advertising purposes. Specifically:
- It communicates exclusively with the user's own VAINOM desktop instance via an end-to-end encrypted tunnel.
- It does not integrate Firebase, Google Analytics for Firebase, Crashlytics, AdMob, or any other telemetry or advertising SDK.
- The QR code scanning (pairing with the desktop instance) occurs locally on the device, via CameraX and Google ML Kit barcode scanning in on-device mode (no data sent to Google).
- The camera permission is used solely for QR code scanning during the pairing phase.
- The notification permission is used solely to display messages received from the user's own VAINOM desktop instance.
4. Data We Do NOT Collect
To ensure maximum transparency, we explicitly declare that we do NOT collect:
- browsing data or device telemetry;
- AI assistant usage statistics;
- content of conversations with the AI;
- content of documents processed by the Software;
- IP addresses of Software users (we only see those of website visitors, via Cloudflare for security purposes);
- persistent identifiers (IMEI, MAC address, Android Advertising ID, etc.);
- location data;
- contacts, photos, or other device content;
- email addresses for marketing or newsletter purposes.
5. Data Recipients
Personal data voluntarily provided via direct email correspondence is not sold, rented, or communicated to third parties, except:
- to the technical provider strictly necessary for processing (Cloudflare for website hosting and email routing), which acts as a data processor under Art. 28 GDPR;
- to competent authorities if required by law or judicial order.
We do not transfer data to third parties for marketing purposes.
6. International Data Transfers
The processor mentioned in this Policy may process data outside the European Economic Area:
- Cloudflare, Inc. (website hosting and email routing): headquartered in the United States. Transfers take place on the basis of Standard Contractual Clauses approved by the European Commission and, where applicable, the EU-US Data Privacy Framework (Art. 46 and 45 GDPR).
- Hugging Face, Inc. (only when the user authorizes the AI model download as described in Section 3.3): headquartered in the United States. The user interacts directly with Hugging Face; we are not the recipient of any data from this interaction.
7. Data Subject Rights
Under Articles 15 to 22 GDPR, the user has the right to:
- Access (Art. 15): obtain confirmation of the existence of personal data processing and access to the data.
- Rectification (Art. 16): obtain correction of inaccurate data.
- Erasure (Art. 17): obtain deletion of data ("right to be forgotten").
- Restriction of processing (Art. 18).
- Data portability (Art. 20): receive data in a structured, commonly used, machine-readable format.
- Object to processing (Art. 21).
- Withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise these rights, write to privacy@vainom.com. We will respond within 30 days of receiving the request, as required by Art. 12(3) GDPR.
Right to lodge a complaint: the user has the right to lodge a complaint with the supervisory authority, which in Italy is the Garante per la protezione dei dati personali (www.gpdp.it).
8. Data Security
We adopt reasonable technical and organizational measures to protect the personal data we process, including:
- use of a provider (Cloudflare) that adopts recognized security standards;
- transit encryption (HTTPS/TLS) for all communications with the website and email services;
- limitation of access to email accounts to the Controller only;
- no storage of personal data on servers of our own beyond the indicated processor.
Given the local-first architecture, most processing of data relating to the use of the Software occurs on the user's device, whose security depends on measures adopted by the user themselves (an up-to-date operating system, antivirus, secure local authentication, etc.).
9. Minors
The Software is not directed at minors under 14 years of age (age threshold provided for by Italian law under Art. 2-quinquies of the Privacy Code). We do not knowingly collect data from minors under that age. If we become aware of such processing, we will promptly delete the relevant data.
10. Policy Changes
We reserve the right to update this Privacy Policy to reflect changes in the law, technical providers used, or features of the Software. The version in force is the one published on vainom.com and in the GitHub repository, with the date of entry into force indicated at the top of the document.
11. Contact
For any request relating to this Privacy Policy or the processing of your personal data:
Email: privacy@vainom.com
General contact: hello@vainom.com