Privacy Policy
Effective date: 17 March 2026
1. Data Controller
The data controller for personal data collected through the Expedait platform ("Service") is:
- Expedait BV (in oprichting)
- Belgium
- Email: legal@expedait.org
Expedait BV is currently a company in formation (besloten vennootschap in oprichting / société à responsabilité limitée en formation). Upon incorporation and registration with the Crossroads Bank for Enterprises (BCE/KBO), this policy will be updated with the enterprise number and registered office address.
This policy is provided in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data ("Belgian Framework Act").
2. Personal Data We Collect
2.1 Data you provide directly
- Account information: Full name, email address, and password (stored as a bcrypt hash; we never store your plain-text password)
- Profile data: Your role assignments within workspaces
- Content you create: Pages, documents, chat messages, file attachments, comments, and version history
2.2 Data from third-party sources (GDPR Art. 14)
- Google OAuth: If you sign in with Google, we receive your Google user ID, email, name, and profile picture URL from Google's authentication service
- GitHub: If your workspace connects a GitHub account, we receive repository names, issue and PR metadata, branch information, and GitHub usernames via the GitHub API
- Notion: If your workspace connects a Notion account, we receive page URLs, page titles, and workspace metadata via the Notion API for source link detection
2.3 Data collected automatically
- Usage data: Pages viewed, features used, AI interactions, and general platform activity (collected via PostHog analytics, subject to your consent; see Section 5)
- Technical data: Browser type, IP address, and device information collected automatically through standard web protocols
Providing your data: Account information (name, email, password) is required to use the Service. If you choose not to provide this data, you will not be able to create an account. All other data collection is either part of normal Service usage or optional.
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Service delivery (authentication, workspace management, content storage) | Account info, profile, content | Contract performance (Art. 6(1)(b)) |
| AI coaching & scoring (sending content to LLM providers) | Page content, chat messages, page type requirements | Contract performance (Art. 6(1)(b)); AI features are a core part of the Service |
| Product analytics (PostHog) | Usage data, anonymised identifiers | Consent (Art. 6(1)(a)); opt-in only |
| Security monitoring & fraud prevention | Technical data, access logs | Legitimate interest (Art. 6(1)(f)); protecting the Service and users |
| Service notifications (invitations, critical updates) | Email address | Contract performance (Art. 6(1)(b)) |
Legitimate interest balancing test: For security monitoring, we have assessed that our interest in preventing unauthorized access and protecting user data outweighs the minimal impact on your privacy, as we only process technical metadata and do not use it for profiling or marketing.
4. Automated Decision-Making & AI Processing
Expedait uses AI/LLM technology for:
- Page quality scoring: An automated system scores your pages against defined criteria. Scores are informational and do not restrict your access to features or block your workflow. You may continue editing and submitting pages regardless of the score.
- AI chat coaching: Conversational AI provides suggestions based on your page content and role context. All suggestions are advisory only.
These features do not constitute solely automated decision-making with legal or similarly significant effects as defined in GDPR Article 22, because they do not produce binding decisions: scores are guidance, not gatekeepers. If you have concerns about automated processing of your data, you may contact us at legal@expedait.org.
5. Cookies & Tracking
In compliance with the Belgian Law of 13 June 2005 (Article 129, transposing the ePrivacy Directive), we distinguish between essential and non-essential cookies:
5.1 Essential (no consent required)
- Authentication token: A JWT stored in localStorage to keep you signed in. Required for the Service to function. Not a cookie, but functionally equivalent under ePrivacy rules.
5.2 Analytics (consent required)
- PostHog analytics: Product analytics to understand usage patterns. PostHog may set cookies for session tracking. These are only loaded after you give explicit opt-in consent via our consent mechanism. You may decline analytics without any impact on Service functionality.
Your choices: When you first visit the platform, you will be presented with a consent mechanism that allows you to accept or reject analytics tracking. You may change your preference at any time. We provide an equally prominent "Reject All" option alongside "Accept" in compliance with Belgian DPA guidance.
We do not use advertising cookies, marketing trackers, or sell your data to third parties.
6. Third-Party Services & Sub-Processors
We share data with third-party service providers solely to deliver the Service. We have entered into Data Processing Agreements (DPAs) with each sub-processor as required by GDPR Article 28. For the complete list of sub-processors, data shared, retention periods, and international transfer safeguards, see our GDPR & Data Processing page.
7. Data Security
We implement appropriate technical and organisational measures to protect your data (GDPR Article 32), including:
- Encrypted storage of LLM API keys (write-only; never exposed via API responses)
- JWT-based authentication with token expiration
- Bcrypt password hashing with salting
- HTTPS/TLS encryption for all data in transit
- Role-based access control and strict multi-tenant data isolation (one tenant cannot access another tenant's data)
- Regular security reviews and dependency updates
8. International Data Transfers
Several of our sub-processors are based in the United States. When your data is transferred outside the European Economic Area (EEA), we rely on the following safeguards in accordance with GDPR Chapter V:
| Provider | Transfer Safeguard |
|---|---|
| OpenAI | EU-US Data Privacy Framework (DPF certified) |
| Google (Gemini, OAuth) | EU-US Data Privacy Framework (DPF certified) |
| GitHub (Microsoft) | EU-US Data Privacy Framework (DPF certified) |
| Notion | EU-US Data Privacy Framework (DPF certified) |
| Anthropic | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment |
| PostHog | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment |
We periodically verify that our US-based processors maintain their DPF certifications and review the adequacy of transfer safeguards. You may request a copy of the relevant SCCs by contacting legal@expedait.org.
9. Data Retention
We retain your data only as long as necessary for the purposes described in this policy. For specific retention periods per data category, see our GDPR & Data Processing page.
10. Children's Privacy
Expedait is a B2B platform not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at legal@expedait.org and we will take steps to delete it.
11. Your Rights
Under the GDPR, you have extensive rights regarding your personal data, including the right to access, rectify, erase, restrict, port, and object to processing. For a full description of your rights and how to exercise them, see our GDPR & Data Processing page.
You may lodge a complaint with the Belgian Data Protection Authority (GBA/APD) at any time; see our GDPR page for full contact details.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes at least 30 days in advance via email or through the Service. The "Effective date" at the top of this page indicates when the policy was last revised.
13. Contact
For privacy-related enquiries, please contact us at:
Expedait BV (in oprichting)
Belgium
Email: legal@expedait.org