GDPR & Data Processing
Effective date: 17 March 2026
This page supplements our Privacy Policy with detailed information about sub-processors, data retention, international transfers, your rights under the GDPR, and our data breach procedures. Together, these documents form our complete data protection disclosure as required by GDPR Articles 13 and 14.
1. Sub-Processors
The following third-party services process personal data on behalf of Expedait. We have entered into Data Processing Agreements (DPAs) with each sub-processor as required by GDPR Article 28.
| Processor | Purpose | Data Shared | Location | Transfer Safeguard | Retention |
|---|---|---|---|---|---|
| Anthropic (Claude) | AI page assistance & scoring | Page content, chat messages, page type requirements | USA | SCCs + Transfer Impact Assessment | Not retained after processing (per Anthropic API data policy; not used for training) |
| OpenAI (GPT) | AI page assistance & scoring | Page content, chat messages, page type requirements | USA | EU-US Data Privacy Framework | Not retained (API data usage policy; not used for training) |
| Google (Gemini) | AI page assistance, scoring & image generation | Page content, chat messages, page type requirements, image prompts | USA | EU-US Data Privacy Framework | Not retained (API policy; not used for training) |
| PostHog | Product analytics (consent-based) | User ID, email, name, tenant, page events, AI usage metrics | EU (eu.i.posthog.com) | SCCs + Transfer Impact Assessment | Configurable, default 1 year |
| Google OAuth | Social login authentication | Google user ID, email, name, profile picture URL | USA | EU-US Data Privacy Framework | Session duration only; profile data stored in our database |
| GitHub | Repository integration | Repo names, issues, PRs, branch info, GitHub usernames | USA | EU-US Data Privacy Framework | Cached in-memory only during active session |
| Notion | Source link detection & content integration | Page URLs, page titles, workspace metadata | USA | EU-US Data Privacy Framework | Cached in-memory only during active session |
| PostgreSQL (self-hosted) | Primary database | All application data | Same region as hosting provider | N/A (EEA hosting) | Until account deletion or workspace deactivation |
We will update this table when sub-processors change and notify affected users in advance of any material changes.
2. Data Retention Periods
| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| Account data (name, email, password hash) | Duration of account | Account deletion or workspace deactivation |
| Page content & versions | Duration of workspace | Explicit deletion by user, or workspace deactivation |
| Chat history (AI conversations) | Duration of page | User clears history, page deletion, or workspace deactivation |
| Page files (attachments) | Duration of page | Explicit deletion by user, page deletion, or workspace deactivation |
| Analytics events (PostHog) | Up to 1 year | Automatic expiry in PostHog |
| LLM API calls (Anthropic, OpenAI, Google) | Not retained | Discarded after processing; not used for model training |
| Audit trail (approvals, state changes) | Lifetime of the page | Page deletion or workspace deactivation |
| Post-termination data export window | 30 days after account/workspace termination | Permanent deletion after export window |
3. Your Rights Under GDPR
As a data subject, you have the following rights under the General Data Protection Regulation (Articles 15–22, 77) and the Belgian Law of 30 July 2018:
- Right of access (Art. 15): Request a copy of all personal data we hold about you, including a description of processing purposes, categories of data, and recipients.
- Right to rectification (Art. 16): Update your profile information or edit your content at any time through the platform. You may also request corrections by contacting us.
- Right to erasure (Art. 17): Request deletion of your account and all associated data ("right to be forgotten"). Workspace owners can deactivate their entire workspace through Settings.
- Right to restrict processing (Art. 18): Request that we limit how we process your data in certain circumstances (e.g., while we verify the accuracy of your data or assess an objection request).
- Right to data portability (Art. 20): Request an export of your data in a standard, machine-readable format (JSON). Available via our data export functionality or by request.
- Right to object (Art. 21): Object to processing based on legitimate interest (e.g., analytics). We will cease the processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., analytics cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22): See Section 4 of our Privacy Policy for details on how AI scoring works and why it does not constitute solely automated decision-making.
4. How to Exercise Your Rights
To exercise any of the rights listed above, contact our Data Protection Officer at:
Email: dpo@expedait.org
What to include: Your full name, email address associated with your account, and a description of the right you wish to exercise.
Response time: We will acknowledge your request within 5 business days and respond substantively within 30 days (GDPR Article 12(3)). If your request is complex or we receive a large number of requests, we may extend this period by up to two additional months and will inform you of the extension and the reasons for the delay within the initial 30-day period.
Verification: We may ask you to verify your identity before processing your request, to protect your data from unauthorized access.
No charge: Exercising your rights is free of charge. We may charge a reasonable fee only if requests are manifestly unfounded or excessive (GDPR Article 12(5)).
5. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR or Belgian data protection law, you have the right to lodge a complaint with the Belgian supervisory authority:
Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat / Rue de la Presse 35
1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.dataprotectionauthority.be
Complaint process:
- Submit a written, dated, and signed complaint (by email or through the GBA/APD online portal). Filing is free of charge.
- The Front-Line Service (Eerstelijns dienst) may first attempt mediation.
- If unresolved, the Inspection Service (Inspectiedienst) may conduct a formal investigation.
- The Litigation Chamber (Geschillenkamer) can impose corrective measures and administrative fines.
You also have the right to lodge a complaint with the supervisory authority of the EU member state of your habitual residence or place of work (GDPR Article 77).
6. Data Breach Notification
In the event of a personal data breach, we follow the notification procedure required by GDPR Articles 33–34 and Belgian DPA guidelines:
- Notification to the Belgian DPA: Within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms, we will submit an initial notification to the GBA/APD via the Belgian eGov data breach notification portal, and we will provide a full report within 21 calendar days.
- Notification to affected individuals: Without undue delay when the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly by email with a description of the breach, the likely consequences, the measures taken, and your point of contact.
- Documentation: We document all breaches (including those not requiring notification) in our internal breach register, as required by GDPR Article 33(5).
7. Data Protection Impact Assessments
In accordance with GDPR Article 35 and the Belgian DPA's list of processing operations requiring a Data Protection Impact Assessment (DPIA), we have conducted DPIAs for:
- LLM/AI data processing: Sending user-created page content and chat messages to third-party AI providers constitutes large-scale processing using new technology. Our DPIA assessed the risks, concluded that appropriate safeguards are in place (DPAs with providers, no training on user data, no data retention by providers), and identified mitigating measures.
- Automated page scoring: Although scoring does not constitute solely automated decision-making (see Privacy Policy Section 4), we assessed the impact of automated quality scoring on user content.
DPIA records are maintained internally and are available to the Belgian DPA upon request.
8. Data Protection Officer
Expedait BV (in oprichting) has designated a Data Protection Officer (DPO) to oversee compliance with the GDPR and applicable Belgian data protection legislation:
Data Protection Officer: Bruno Coussement
Email: dpo@expedait.org
You may contact the DPO for any enquiries related to the processing of your personal data or the exercise of your rights under the GDPR.
9. Multi-Tenant Data Isolation
Expedait operates a strict multi-tenant architecture. Your workspace data is logically isolated from other tenants at the database level. This means:
- Users in one workspace cannot access data from another workspace
- AI coaching and scoring only use content from within your own workspace and project
- Analytics data is segmented by tenant
- Workspace deactivation permanently removes all associated data after the export window (see Section 2)
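What "logically isolated at the database level" can look like in practice, as an added illustration that is not Expedait's own schema or code: a PostgreSQL row-level security policy keyed on an assumed tenant_id column and an assumed app.current_tenant session setting, with deny-by-default behaviour when no tenant is bound and cascade deletion on workspace removal.

```sql
-- Added illustration, not Expedait's schema. Assumed: every tenant-scoped table
-- carries a tenant_id, and the application binds app.current_tenant per request.
CREATE TABLE workspaces (
    id   uuid PRIMARY KEY,
    name text NOT NULL
);

CREATE TABLE pages (
    id        bigserial PRIMARY KEY,
    -- Deleting a workspace row removes all of its pages (Section 9, last bullet).
    tenant_id uuid NOT NULL REFERENCES workspaces(id) ON DELETE CASCADE,
    title     text NOT NULL,
    content   text NOT NULL
);

-- Once RLS is enabled, rows are invisible unless a policy explicitly allows them.
ALTER TABLE pages ENABLE ROW LEVEL SECURITY;
ALTER TABLE pages FORCE ROW LEVEL SECURITY;   -- also applies to the table owner

-- Reads and writes must match the tenant bound to the current session.
-- current_setting(..., true) returns NULL when unset, so an unbound session
-- sees nothing instead of raising an error or seeing everything.
CREATE POLICY tenant_isolation ON pages
    USING (tenant_id = current_setting('app.current_tenant', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.current_tenant', true)::uuid);

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON pages TO app_user;
GRANT USAGE, SELECT ON SEQUENCE pages_id_seq TO app_user;

-- Per request (constructed sample tenant id): bind the authenticated user's
-- workspace inside the transaction, then run ordinary queries.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
SELECT id, title FROM pages;   -- only this workspace's pages are visible

-- Even a query that names another tenant returns no rows, so a forgotten
-- WHERE tenant_id = ... in application code cannot leak cross-tenant data.
SELECT id, title FROM pages
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';

-- Inserting a row for another tenant is rejected by the WITH CHECK clause.
INSERT INTO pages (tenant_id, title, content)
VALUES ('22222222-2222-2222-2222-222222222222', 'x', 'y');
COMMIT;
```

Analytics segmentation (the third bullet) is a separate control: the tenant identifier sent with each PostHog event should be taken from the same bound session value, never from client-supplied input.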
10. Belgian Framework Act Provisions
The following provisions of the Belgian Law of 30 July 2018 are relevant to our processing:
- National identification numbers (Art. 46): Expedait does not process Belgian national register numbers (rijksregisternummer / numéro de registre national)
- Special categories of data (Art. 9 GDPR): Expedait does not intentionally collect or process special categories of personal data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.). Users should avoid including such data in their page content.
- Criminal convictions data (Belgian Framework Act Art. 10): Expedait does not process data relating to criminal convictions or offences