Privacy policy: RFQ Classifier Extension
Last updated: April 2026
1. Who We Are
This browser extension ("RFQ Classifier") is operated by:
Vanilla Steel GmbH
Schönhauser Allee 36, 10435 Berlin, Germany
Commercial Register: HRB 218619 B, Amtsgericht Charlottenburg
VAT ID: DE332534899
Managing Directors: Clifford Ondara, Simon Zühlke
For privacy inquiries: clifford.ondara@vanillasteel.com
2. What This Extension Does
The Vanilla Steel RFQ Classifier automatically identifies Request for Quotation (RFQ) emails in your Microsoft Outlook inbox. It uses a machine learning model that runs entirely in your browser to classify emails. Only emails identified as RFQs are sent to Vanilla Steel's servers for business processing.
3. Information We Collect
Information collected by the extension:
| Data Type | Source | Where Processed |
|---|---|---|
| Email subject, body, and sender | Microsoft Graph API (with your permission) | Locally in your browser for classification |
| RFQ-classified emails only | After local classification confirms RFQ | Sent to Vanilla Steel servers |
| Your name and email address | Microsoft profile (User.Read permission) | Used to identify your account |
| Authentication tokens | Microsoft OAuth 2.0 | Stored locally in your browser |
| Classification statistics | Generated by the extension | Stored locally in your browser |
Information we do NOT collect:
- Non-RFQ emails — these never leave your browser
- Browsing history or web activity
- Contacts or address book data
- Calendar or appointment data
- Passwords or financial information
- Location data
4. How We Use Your Information
Email classification — We access email subjects and bodies via Microsoft Graph API (Mail.Read permission) solely to determine if they are RFQs. This classification happens locally in your browser using an on-device machine learning model. No email content is sent to any external server for classification.
Account identification — We access your basic profile (User.Read permission) to identify your account and associate classified RFQs with the correct user.
RFQ processing — Emails classified as RFQs (subject, sender, body text, and classification confidence score) are transmitted to our backend API for business processing within the Vanilla Steel platform.
Authentication — We use Microsoft OAuth 2.0 tokens to access your email on your behalf. Tokens are stored locally in your browser's extension-isolated storage and refreshed silently.
We do NOT use your data for:
- Advertising, marketing, or profiling
- Training AI or machine learning models on your email content
- Selling, renting, or sharing with third parties
- Creditworthiness assessment or lending decisions
- Any purpose unrelated to RFQ classification
5. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
Consent (Art. 6(1)(a) GDPR) — When you connect your Microsoft account and approve the Mail.Read and User.Read permissions, you give explicit consent for the extension to access your email and profile data.
Contract performance (Art. 6(1)(b) GDPR) — The classification of your emails, identification of RFQs, and transmission of RFQ data to our servers is necessary to provide the RFQ classification service you or your organization subscribed to.
6. How We Share Your Information
| Recipient | What Data | Purpose |
|---|---|---|
| Microsoft Corporation (graph.microsoft.com, login.microsoftonline.com) | Authentication tokens | To authenticate you and read your emails on your behalf |
| Vanilla Steel GmbH (api.vanillasteel.com) | RFQ-classified emails only | Business processing of RFQ requests |
We do not sell, rent, or otherwise share your personal data with any other third parties. We do not use advertising networks. We do not use tracking pixels or analytics in the extension.
7. Data Storage and Security
- All data in transit is encrypted via HTTPS/TLS.
- Authentication tokens are stored in Chrome's extension-isolated storage (chrome.storage.local), not accessible to websites or other extensions.
- RFQ email data stored on our servers is held in encrypted PostgreSQL databases hosted in the European Union.
- Access to backend systems is restricted to authorized Vanilla Steel personnel.
- The ML classification model is bundled with the extension and runs entirely in your browser — no email content is transmitted for classification.
8. Data Retention
Local browser data (tokens, preferences, classification cache) — Retained until you sign out of the extension or uninstall it. You can clear this at any time via your browser's extension settings.
RFQ email data on our servers — Retained for 12 months from the date of classification, then automatically deleted.
Authentication records — Deleted when you revoke access or upon account deletion request.
You may request early deletion of all your data at any time (see Your Rights below).
9. Your Rights
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure — Request deletion of your personal data ("right to be forgotten")
- Right to data portability — Request your data in a structured, machine-readable format
- Right to restrict processing — Request that we limit how we use your data
- Right to object — Object to processing based on legitimate interest
- Right to withdraw consent — Withdraw your consent at any time without affecting prior processing
To exercise any of these rights, contact us at clifford.ondara@vanillasteel.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) or your local supervisory authority.
10. How to Revoke Access
You can revoke this extension's access to your email at any time by:
- Clicking the extension icon → "Sign out"
- Removing the extension from your browser (chrome://extensions)
- Revoking the app's permissions in your Microsoft account settings
Revoking access stops all future email processing immediately. To also delete previously collected RFQ data from our servers, email clifford.ondara@vanillasteel.com.
11. International Data Transfers
Your email data is classified locally in your browser. However, the extension communicates with Microsoft's servers (graph.microsoft.com, login.microsoftonline.com) to authenticate your account and retrieve email content. Microsoft may process this data in locations outside the EEA, subject to Microsoft's own data processing agreements and safeguards.
RFQ-classified emails are transmitted to Vanilla Steel servers located in the European Union. If you are accessing the service from outside the EU, your RFQ email data will be transferred to the EU for processing.
We rely on the European Commission's adequacy decisions and Standard Contractual Clauses (SCCs) where necessary for any transfers outside the EEA.
12. Children's Privacy
This extension is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
13. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted at this URL with an updated "Last updated" date. If we make material changes that affect how we handle your email data, we will notify users through the extension or via email.
14. Chrome Web Store Compliance
The use and transfer of information received from APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.
15. Contact
Vanilla Steel GmbH
Schönhauser Allee 36
10435 Berlin, Germany
Email: clifford.ondara@vanillasteel.com
Website: https://vanillasteel.com