Privacy Policy

Effective date: 17 March 2026

1. Data Controller

The data controller for personal data collected through the Expedait platform ("Service") is:

Expedait BV (in oprichting)
Belgium
Email: legal@expedait.org

Expedait BV is currently a company in formation (besloten vennootschap in oprichting / société à responsabilité limitée en formation). Upon incorporation and registration with the Crossroads Bank for Enterprises (BCE/KBO), this policy will be updated with the enterprise number and registered office address.

This policy is provided in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data ("Belgian Framework Act").

2. Personal Data We Collect

2.1 Data you provide directly

Account information: Full name, email address, and password (stored as a bcrypt hash -we never store your plain-text password)
Profile data: Your role assignments within workspaces
Content you create: Pages, documents, chat messages, file attachments, comments, and version history

2.2 Data from third-party sources (GDPR Art. 14)

Google OAuth: If you sign in with Google, we receive your Google user ID, email, name, and profile picture URL from Google's authentication service
GitHub: If your workspace connects a GitHub account, we receive repository names, issue and PR metadata, branch information, and GitHub usernames via the GitHub API
Notion: If your workspace connects a Notion account, we receive page URLs, page titles, and workspace metadata via the Notion API for source link detection

2.3 Data collected automatically

Usage data: Pages viewed, features used, AI interactions, and general platform activity (collected via PostHog analytics, subject to your consent -see Section 5)
Technical data: Browser type, IP address, and device information collected automatically through standard web protocols

Providing your data: Account information (name, email, password) is required to use the Service. If you choose not to provide this data, you will not be able to create an account. All other data collection is either part of normal Service usage or optional.

3. How We Use Your Data

We process your personal data for the following purposes:

Purpose	Data Used	Legal Basis (GDPR Art. 6)
Service delivery (authentication, workspace management, content storage)	Account info, profile, content	Contract performance (Art. 6(1)(b))
AI coaching & scoring (sending content to LLM providers)	Page content, chat messages, page type requirements	Contract performance (Art. 6(1)(b)) -AI features are a core part of the Service
Product analytics (PostHog)	Usage data, anonymised identifiers	Consent (Art. 6(1)(a)) -opt-in only
Security monitoring & fraud prevention	Technical data, access logs	Legitimate interest (Art. 6(1)(f)) -protecting the Service and users
Service notifications (invitations, critical updates)	Email address	Contract performance (Art. 6(1)(b))

Legitimate interest balancing test: For security monitoring, we have assessed that our interest in preventing unauthorized access and protecting user data outweighs the minimal impact on your privacy, as we only process technical metadata and do not use it for profiling or marketing.

4. Automated Decision-Making & AI Processing

Expedait uses AI/LLM technology for:

Page quality scoring: An automated system scores your pages against defined criteria. Scores are informational and do not restrict your access to features or block your workflow. You may continue editing and submitting pages regardless of the score.
AI chat coaching: Conversational AI provides suggestions based on your page content and role context. All suggestions are advisory only.

These features do not constitute solely automated decision-making with legal or similarly significant effects as defined in GDPR Article 22, because they do not produce binding decisions -scores are guidance, not gatekeepers. If you have concerns about automated processing of your data, you may contact us at legal@expedait.org.

5. Cookies & Tracking

In compliance with the Belgian Law of 13 June 2005 (Article 129, transposing the ePrivacy Directive), we distinguish between essential and non-essential cookies:

5.1 Essential (no consent required)

Authentication token: A JWT stored in localStorage to keep you signed in. Required for the Service to function. Not a cookie, but functionally equivalent under ePrivacy rules.

5.2 Analytics (consent required)

PostHog analytics: Product analytics to understand usage patterns. PostHog may set cookies for session tracking. These are only loaded after you give explicit opt-in consent via our consent mechanism. You may decline analytics without any impact on Service functionality.

Your choices: When you first visit the platform, you will be presented with a consent mechanism that allows you to accept or reject analytics tracking. You may change your preference at any time. We provide an equally prominent "Reject All" option alongside "Accept" in compliance with Belgian DPA guidance.

We do not use advertising cookies, marketing trackers, or sell your data to third parties.

6. Third-Party Services & Sub-Processors

We share data with third-party service providers solely to deliver the Service. We have entered into Data Processing Agreements (DPAs) with each sub-processor as required by GDPR Article 28. For the complete list of sub-processors, data shared, retention periods, and international transfer safeguards, see our GDPR & Data Processing page.

7. Data Security

We implement appropriate technical and organisational measures to protect your data (GDPR Article 32), including:

Encrypted storage of LLM API keys (write-only -never exposed via API responses)
JWT-based authentication with token expiration
Bcrypt password hashing with salting
HTTPS/TLS encryption for all data in transit
Role-based access control and strict multi-tenant data isolation (one tenant cannot access another tenant's data)
Regular security reviews and dependency updates

8. International Data Transfers

Several of our sub-processors are based in the United States. When your data is transferred outside the European Economic Area (EEA), we rely on the following safeguards in accordance with GDPR Chapter V:

Provider	Transfer Safeguard
OpenAI	EU-US Data Privacy Framework (DPF certified)
Google (Gemini, OAuth)	EU-US Data Privacy Framework (DPF certified)
GitHub (Microsoft)	EU-US Data Privacy Framework (DPF certified)
Notion	EU-US Data Privacy Framework (DPF certified)
Anthropic	Standard Contractual Clauses (SCCs) + Transfer Impact Assessment
PostHog	Standard Contractual Clauses (SCCs) + Transfer Impact Assessment

We periodically verify that our US-based processors maintain their DPF certifications and review the adequacy of transfer safeguards. You may request a copy of the relevant SCCs by contacting legal@expedait.org.

9. Data Retention

We retain your data only as long as necessary for the purposes described in this policy. For specific retention periods per data category, see our GDPR & Data Processing page.

10. Children's Privacy

Expedait is a B2B platform not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at legal@expedait.org and we will take steps to delete it.

11. Your Rights

Under the GDPR, you have extensive rights regarding your personal data, including the right to access, rectify, erase, restrict, port, and object to processing. For a full description of your rights and how to exercise them, see our GDPR & Data Processing page.

You may lodge a complaint with the Belgian Data Protection Authority (GBA/APD) at any time -see our GDPR page for full contact details.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes at least 30 days in advance via email or through the Service. The "Effective date" at the top of this page indicates when the policy was last revised.

13. Contact

For privacy-related enquiries, please contact us at:

Expedait BV (in oprichting)
Belgium
Email:legal@expedait.org