Expandigo Expandigo

Privacy Policy

Version 1.0 - Last updated: 2026-04-20

Draft for legal review. Contents below are scaffolding. Must be reviewed by qualified counsel (EU + US) before production.

In plain English

We collect only what we need to run Expandigo. Your workspace data lives in the EU. We never train shared AI models on your content. You can export or delete your account with one click inside the platform, any time.

1. Data controller

Huberway LLC ("we", "us", "Expandigo"), a Wyoming limited liability company, registered at 1309 Coffeen Avenue, Suite 1200, Sheridan, WY 82801, USA. Federal EIN 35-2903558.

Sole Member: Gennaro Ereditata. Privacy contact: privacy@expandigo.com.

2. EU Representative (Art. 27 GDPR)

As an entity established outside the EU that offers services to individuals in the EU, we have appointed an EU Representative under Article 27 GDPR. You may contact them directly for GDPR-related matters:

[EU Representative - to be appointed]
Email: eu-representative@expandigo.com

3. What we collect and why

We process the following categories:

  • Account data - name, work email, company - to provide the service (Art. 6.1.b GDPR - contract).
  • Workspace content - chats, documents, saved searches, Company Profile axes - to deliver features (contract).
  • Usage data - anonymous, aggregated telemetry via Plausible Analytics (cookieless) - legitimate interest (Art. 6.1.f).
  • Payment data - processed by Stripe on our behalf - contract + legal obligation (Art. 6.1.c, invoicing).
  • Marketing data - email to prospects only with consent (Art. 6.1.a).
  • Cookies - non-essential cookies only with consent (ePrivacy + Art. 6.1.a).

4. Recipients and sub-processors

We share data only with selected sub-processors necessary for the service. The current list is available in the Data Processing Agreement and includes AWS (hosting, EU regions), Stripe (payments), Resend (transactional email), Plausible (analytics), Anthropic and OpenAI (LLM providers), Apollo.io (data enrichment).

5. International data transfers

Huberway LLC is a US entity. Some sub-processors are in the United States. Transfers outside the EU are protected by Standard Contractual Clauses (Commission Decision 2021/914), complementary technical measures (encryption in transit and at rest, EU-first data residency where possible), and Transfer Impact Assessments on critical data flows.

6. Retention

Retention depends on the data category:

  • Workspace content - until you delete or close your account, plus 30-day grace period for export.
  • Authentication tokens - 30 days rolling.
  • Audit logs - 12 months.
  • Invoices and fiscal records - 10 years as required by law.
  • Backups - 30 days rolling, encrypted at rest.

7. Your rights under GDPR

You have the right to access, rectify, erase, receive in portable format, restrict, and object to the processing of your data, and to not be subject to solely automated decision-making.

In-platform deletion - Your Expandigo workspace includes a one-click "Delete account" feature. Click it and your data moves to a 30-day read-only export window, then is permanently erased. No email to support required, no tickets, no delays.

To exercise any right, email privacy@expandigo.com. We respond within 30 days (extendable by 60 for complex requests, with notice).

You may also lodge a complaint with a supervisory authority, in particular in the Member State of your residence (for Italy: Garante per la protezione dei dati personali).

8. Automated decision-making

Expandigo computes a "fit score" to rank contacts and companies against your Company Profile. This scoring does not produce legal effects on third parties. You can disable scoring from Settings and always request human review of any automated output.

9. Security

We implement technical and organizational measures including encryption in transit (TLS 1.2+) and at rest (AES-256), one-time passcode authentication (no passwords stored), role-based access control, audit logging, SOC 2 Type II (in progress), and a documented incident response procedure with 72-hour breach notification.

10. Cookies

We use strictly necessary cookies by default, and analytics, marketing or functional cookies only with your explicit consent. Details in our Cookie Policy. You can change your preferences any time via "Manage cookies" in the footer.

11. Changes to this policy

We version every change. Material changes are announced 30 days in advance via email to workspace administrators. Older versions remain accessible on request.

12. Contact

Huberway LLC - 1309 Coffeen Avenue, Suite 1200, Sheridan, WY 82801, USA
Privacy inquiries: privacy@expandigo.com
Security incidents: security@expandigo.com