Effective date: 22 May 2026 Last updated: 22 May 2026 Document version: 1.0
These Terms of Service ("Terms") govern access to and use of the cloud and software services made available by Vanilla Steel GmbH ("Vanilla Steel", "we", "us") to its business customers, including the web applications, browser-based interfaces, Outlook and Microsoft 365 add-ins, server-side ingestion services, APIs, authentication services, and supporting software listed in Section 2 and described in more detail in the Schedules at the end of these Terms (each a "Service" and collectively the "Services").
By installing, activating, signing in to, or otherwise using any of the Services, you agree to these Terms on behalf of yourself and the organisation you represent ("Customer", "you"). If you do not have authority to bind your organisation, do not use the Services.
The Services are intended for business customers only. They are not offered to consumers.
The Services are provided by:
Vanilla Steel GmbH Schönhauser Allee 36, 10435 Berlin, Germany Registered with the commercial register (Handelsregister) of the Amtsgericht Charlottenburg, HRB 218619 B Managing Directors (Geschäftsführer): Clifford Ondara, Simon Zühlke VAT ID: DE332534899
General, legal, contracts, and data protection contact: info@vanillasteel.com Security incident contact: security@vanillasteel.com
These Terms apply to the following Vanilla Steel Services:
a) Vanilla Steel RFQ Classifier: an Outlook add-in that classifies incoming emails as "RFQ" or "Not RFQ" and automatically forwards messages classified as RFQs to a customer-specific Vanilla Steel destination address. Described in Schedule A.
b) Vanilla Steel RFQ Extractor: a server-side service that, with your authorisation via OAuth, ingests email from connected Outlook (Microsoft 365) and Gmail (Google Workspace) mailboxes, extracts structured RFQ data using a large language model, and stores the extracted records for review. Described in Schedule B.
c) Vanilla Steel Quoting App: a web application used by your organisation to produce, review, and manage steel quotes generated from RFQs. Authentication uses Microsoft Entra ID Single Sign-On. Described in Schedule C.
The Service Schedules form an integral part of these Terms. In case of any conflict between these Terms and a Schedule, the Schedule controls solely for the Service it describes.
Vanilla Steel may add new Services to these Terms by publishing additional Schedules, with notice as described in Section 18.
Access to the Services may use third-party identity providers, including Microsoft Entra ID and Google Workspace.
Your organisation remains responsible for managing user identities, group membership, tenant configuration, provisioning and deprovisioning, and the protection of credentials. Vanilla Steel is not responsible for outages, configuration errors, or access decisions made by Microsoft, Google, or your tenant administrators.
Where a Service requests specific identity provider permissions, those permissions are listed in the applicable Schedule. The tenant administrator may revoke any granted permission at any time through the relevant admin centre, which will disable the affected functionality for the relevant tenant.
You may use the Services only in accordance with these Terms, applicable laws, the terms of any third-party platform on which a Service runs (including the Microsoft Online Services Terms and the Google Workspace Terms), and any written agreement between you and Vanilla Steel.
You are responsible for:
You must not use the Services to:
As between you and Vanilla Steel, you retain all right, title, and interest in the data you or your users submit to or generate through the Services, including (where applicable to a Service) the content of authorised mailboxes, attachments, RFQ records, quotes, and related metadata ("Customer Data").
You grant Vanilla Steel the rights necessary to host, process, transmit, display, and use Customer Data solely to provide, secure, support, and operate the Services as described in these Terms and the applicable Schedule. Vanilla Steel will not use Customer Data for any other purpose, and in particular will not use Customer Data to train AI models, build profiles unrelated to the Services, or sell or share Customer Data with third parties for their independent purposes.
Data residency. Customer Data is stored within the European Union. Processing by AI subprocessors may take place outside the European Economic Area; in that case, Vanilla Steel relies on the EU Standard Contractual Clauses and supplementary measures as described in the Privacy & Data Processing Notice.
Retention. Customer Data is retained for as long as the Service is active for your organisation. Upon termination of these Terms or upon your request, Vanilla Steel will delete Customer Data within thirty (30) days, except where retention is required by law or for the establishment, exercise, or defence of legal claims.
Export. During the term and for fourteen (14) days following termination, you may request an export of Customer Data in a structured, commonly used, and machine-readable format by contacting info@vanillasteel.com.
Vanilla Steel will handle personal data contained in Customer Data as a processor on your behalf, under our Privacy & Data Processing Notice available at https://vanillasteel.com/software/privacy-policy, which forms an integral part of these Terms and includes the data processing agreement required under Article 28 GDPR.
Certain Services perform automated processing of messages using machine-learning models. The architecture varies by Service:
The specific model and configuration used by each Service is described in the relevant Schedule. The current list of AI Subprocessors used by any Service is maintained at https://vanillasteel.com/software/subprocessors.
You acknowledge and agree that:
Vanilla Steel uses subprocessors to deliver the Services. A current list of subprocessors, including the AI Subprocessors, is maintained at https://vanillasteel.com/software/subprocessors and forms part of the Privacy & Data Processing Notice.
Vanilla Steel will give you at least thirty (30) days' prior notice of any new subprocessor or material change to the role of an existing subprocessor by updating the subprocessor list or by direct notice. You may object to the addition or change on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection; if it cannot be resolved, you may terminate the affected Service.
Vanilla Steel implements appropriate technical and organisational measures designed to protect the Services and Customer Data against unauthorised access, alteration, disclosure, or destruction. A summary of these measures is available on request and detailed in the Privacy & Data Processing Notice.
You are responsible for securing your accounts, devices, networks, identity-provider configuration, and administrative users.
You must notify Vanilla Steel promptly at security@vanillasteel.com if you become aware of unauthorised access, a security incident, or any other event involving Customer Data or the Services.
The Services integrate with third-party services, including:
Your use of any third-party service is governed by separate terms between you and that provider. Vanilla Steel is not responsible for the acts, omissions, availability, or terms of any third-party service outside its reasonable control.
Vanilla Steel may suspend access to a Service if:
Where reasonable and lawful, Vanilla Steel will give you prior notice and an opportunity to resolve the issue before suspending the Service.
You may stop using a Service and uninstall any add-in or revoke any OAuth grant at any time.
Vanilla Steel may terminate these Terms or any Service:
Upon termination, access to the affected Service will be disabled, Customer Data will be handled in accordance with Section 5, and any sections that by their nature should survive termination will survive (including Sections 5, 6, 8, 13, 14, 15, 16, 17, and 21).
Each party may receive information of the other that is marked confidential or that a reasonable person would understand to be confidential ("Confidential Information"). The receiving party will:
Confidentiality obligations survive for three (3) years after termination of these Terms. Confidential Information that qualifies as a trade secret remains protected for as long as it qualifies as such under applicable law.
Vanilla Steel and its licensors retain all right, title, and interest in the Services, including the underlying software, designs, workflows, models (other than Customer Data and models trained on Customer Data, which are not created under these Terms), documentation, and trademarks.
These Terms do not grant you any ownership of the Services or any Vanilla Steel intellectual property. All rights not expressly granted to you are reserved.
You grant Vanilla Steel a limited, non-exclusive, worldwide, royalty-free licence to use feedback, suggestions, and ideas you choose to provide about the Services, without restriction or compensation.
Except as expressly stated in these Terms or any separate written agreement signed by Vanilla Steel, the Services are provided "as is" and "as available". To the extent permitted by applicable law, Vanilla Steel disclaims all implied warranties, including warranties of merchantability, fitness for a particular purpose, and non-infringement.
Vanilla Steel does not warrant that the Services will be uninterrupted, error-free, free from harmful components, or that AI-produced outputs (including classifications and extracted records) will be accurate in every case. The Services are not designed as the sole basis for any business, legal, or contractual decision.
The Services are offered without a service-level commitment. Specific availability commitments are available only under a separate written agreement.
To the maximum extent permitted by applicable law:
a) Excluded damages. Neither party will be liable to the other for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, lost revenue, lost goodwill, lost data, or loss of business opportunity, even if advised of the possibility of such damages.
b) Cap on direct damages. Each party's total aggregate liability arising out of or relating to these Terms or the Services, whether in contract, tort (including negligence), or otherwise, will not exceed the greater of (i) the amounts paid or payable by you to Vanilla Steel for the affected Service in the twelve (12) months preceding the event giving rise to the claim, and (ii) one thousand euros (EUR 1,000).
c) Mandatory carve-outs (German law). Nothing in these Terms excludes or limits any liability that cannot be excluded or limited under applicable mandatory law, including liability for intent (Vorsatz) or gross negligence (grobe Fahrlässigkeit), for injury to life, body, or health, for fraudulent misrepresentation, or under the German Product Liability Act (Produkthaftungsgesetz).
d) Beta features. Any feature or Service designated by Vanilla Steel as "beta", "preview", "experimental", or similar is provided without warranty of any kind, and Vanilla Steel's liability in relation to such features or Services is limited to the maximum extent permitted by law.
Each party will comply with all applicable laws, including anti-bribery, anti-corruption, anti-money-laundering, sanctions, and export-control laws. You represent that you are not located in, organised under the laws of, or controlled by any person or entity that is the subject of sanctions imposed by the European Union, Germany, the United Kingdom, or the United States, and that you will not make the Services available to any such person or entity.
Vanilla Steel may update these Terms (including any Schedule) from time to time. If we make a material change, we will provide at least thirty (30) days' prior notice through the Service, by email to the administrator address on record, or by posting an updated version with a new effective date.
If you do not accept a material change, you may terminate the affected Service on written notice before the change takes effect. Continued use of the Service after the effective date of an updated version means you accept the updated Terms.
Formal notices to Vanilla Steel must be sent to info@vanillasteel.com, with a copy to the registered address in Section 1. Vanilla Steel will give notices to you using the administrator email on record or, where appropriate, in-product notification. Notices are deemed received on the next business day after sending.
a) Force majeure. Neither party is liable for delay or failure to perform caused by events beyond its reasonable control, including acts of God, war, terrorism, civil disturbance, labour disputes, governmental action, internet or telecommunications outages, or failures of upstream service providers.
b) Assignment. You may not assign these Terms or any rights under them without Vanilla Steel's prior written consent, except to a successor in connection with a merger, acquisition, or sale of substantially all of your assets. Vanilla Steel may assign these Terms to an affiliate or in connection with a corporate transaction.
c) Severability. If any provision is held unenforceable, the remaining provisions will continue in full force, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving its intent.
d) No waiver. A party's failure to enforce any right is not a waiver of that right.
e) Entire agreement. These Terms, together with the Schedules, the Privacy & Data Processing Notice, the subprocessor list, and any separate written agreement signed by both parties, constitute the entire agreement between the parties regarding the Services and supersede any prior or contemporaneous communications on the same subject.
f) Order of precedence. In case of conflict, the following order applies: (1) a separate written agreement signed by both parties; (2) the Schedules; (3) these Terms; (4) the Privacy & Data Processing Notice.
g) Language. These Terms are concluded in English. A German translation may be provided for convenience; in case of any conflict, the English version prevails.
These Terms are governed by the laws of the Federal Republic of Germany, excluding its conflict-of-laws rules and excluding the United Nations Convention on Contracts for the International Sale of Goods.
The courts of Berlin, Germany have exclusive jurisdiction over any dispute arising from or relating to these Terms or the Services, except where mandatory law provides otherwise.
For questions about these Terms or about how we handle personal data, please contact:
Vanilla Steel GmbH info@vanillasteel.com
For security issues, please contact security@vanillasteel.com.
The Vanilla Steel RFQ Classifier ("RFQ Classifier") is an Outlook add-in that helps your organisation process Requests for Quotation that arrive by email. With your authorisation, the RFQ Classifier:
Mail.Send permission) to a customer-specific Vanilla Steel destination address (for example, <your-organisation>-rfqs@vanillasteel.com) assigned to your organisation during onboarding. The forwarded message is then stored on Vanilla Steel infrastructure for the duration described in Section 5 of the main Terms.The RFQ Classifier requests the following Microsoft Graph permissions at install time. Each permission is used only for the purpose described.
| Permission | Purpose |
|---|---|
Mail.Read |
Read incoming and selected mailbox messages to classify them. |
Mail.ReadWrite |
Apply category, label, or flag to classified messages. |
Mail.Send |
Forward classified RFQ messages to the configured Vanilla Steel destination address. |
User.Read |
Identify the signed-in user for audit and account management. |
offline_access |
Maintain background processing of newly arriving messages without re-prompting. |
The tenant administrator may revoke these permissions at any time through the Microsoft Entra ID admin centre, which will disable the RFQ Classifier for the affected tenant.
Classification is performed by an open-source machine-learning model that runs locally in the user's browser. The current model is BAAI bge-micro-v2 (a sentence-embedding model of approximately 17 MB at INT8 quantisation), distributed through the ONNX Model Zoo governed by the Linux Foundation AI & Data Foundation (LF AI & Data).
The model weights are downloaded once and cached in the user's browser; classification thereafter occurs on-device without any network call. No Customer Data is transmitted to Vanilla Steel, to the ONNX project, to the original model author, or to any other third party for the purpose of classification. The model authors and the ONNX project are therefore not subprocessors of Vanilla Steel for this Service.
Vanilla Steel may replace the bundled classification model from time to time with another open-source model that runs under the same in-browser, no-data-transmission architecture; any such change will be reflected in this Schedule.
The Vanilla Steel RFQ Extractor ("RFQ Extractor") is a server-side service that ingests email from connected business mailboxes, extracts structured RFQ data using a large language model, and stores the extracted records for review in the Vanilla Steel Quoting App or another Vanilla Steel surface. With your authorisation, the RFQ Extractor:
When the RFQ Extractor is connected to a Microsoft mailbox, it requests the following Microsoft Graph permissions:
| Permission | Purpose |
|---|---|
Mail.Read |
Read incoming messages and selected existing messages for extraction. |
User.Read |
Identify the signed-in user for audit and account management. |
offline_access |
Maintain background processing of newly arriving messages without re-prompting. |
The tenant administrator may revoke these permissions at any time through the Microsoft Entra ID admin centre, which will disable the RFQ Extractor for the affected mailbox.
When the RFQ Extractor is connected to a Gmail mailbox, it requests the following Google OAuth scopes:
| Scope | Purpose |
|---|---|
https://www.googleapis.com/auth/gmail.readonly |
Read incoming messages and selected existing messages for extraction. |
https://www.googleapis.com/auth/userinfo.email and userinfo.profile |
Identify the signed-in user for audit and account management. |
Access can be revoked at any time from