Expand Data Privacy Policy
Effective Date: November 16, 2025
Last Updated: June 11, 2026
Version: 2.0
Overview
Expand Data Inc. is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our services: the Expand Data – Locations add-on for Google Sheets (structured location data only — no AI), and the single-address Location Report PDF (which uses generative AI for its narrative text).
Company Information:
- Legal Name: EXPAND DATA INC
- Jurisdiction: British Columbia, Canada
- Contact: support@expanddata.com
What We Believe In
- Data Minimization: We collect only what's necessary
- Short-Lived Storage: Your job data is deleted within about 48 hours; cached results are kept at most 30 days (see Data Retention)
- User Control: You can delete your account and data at any time
- Transparency: We're clear about what we do with your data
- No Data Sales: We never sell your data to third parties
Information We Collect
Account Information
- Google Sign-In: You sign in to the Sheets add-on with your Google account; we receive and store your Google account email. For Location Reports, your email is collected at Stripe checkout for delivery.
- Email Address: Stored for account identification and communication. Your email is stored both in plaintext (for operational purposes like support and notifications) and as a SHA-256 hash (for secure system identification)
- Authentication Tokens: Temporary session tokens (expire after 30 minutes)
- Account Metadata: Creation date, last login, platform preferences
Processing Data
- Job Rows: Submitted addresses and their results are stored for about 48 hours to enable delivery and recovery, then deleted
- Cached Results: Location data retrieved from Google Maps Platform may be cached for up to 30 days (and place identifiers indefinitely), as permitted by Google's caching terms, so repeat lookups are faster and cheaper
- Job Metadata: Job IDs, status, costs, and timestamps (retained for 90 days for billing reconciliation)
Billing Data
- Credit Balance: Current credit balance and usage history
- Transaction Records: Purchase history, amounts, dates (retained for 7 years for tax compliance)
- Payment Methods: Only last 4 card digits, brand (Visa/Mastercard), and billing country (full card data handled exclusively by Stripe)
How We Use Your Information
- Service Delivery: Process your address enrichment requests
- Authentication: Verify your identity and maintain secure sessions
- Billing: Calculate costs, process payments, issue refunds
- Customer Support: Respond to your questions and technical issues
- System Monitoring: Track performance and reliability — logs carry technical diagnostics and pseudonymous identifiers, never your addresses, results, or email contents
Third-Party Services
Google Cloud Platform
We use Google services to process your addresses:
- Google Maps Platform APIs: Geocoding, Address Validation (with USPS data), Places, Places Aggregate, Air Quality, Pollen, Solar, Weather, Routes, Elevation, Time Zone, and Street View metadata — used to retrieve the location data we deliver to you
- Google Vertex AI (Gemini): Used only for the Location Report PDF, to generate its narrative analysis. Never used for the Sheets add-on, and never trained on your data
Important: We use paid-tier Google services where your data is NOT used for model training or advertising, and we never use your data to train AI models ourselves. Address data is sent to Google APIs for processing and results are returned to you; Google's retention is governed by their privacy policies.
Google Maps Platform: Location data in our services is provided via Google Maps Platform. By using our services you also agree to be bound by the Google Terms of Service, and the Google Privacy Policy applies to Google's handling of that data.
Stripe
Payment Processing: All credit card processing handled by Stripe (PCI-DSS Level 1 compliant)
- We never see or store full credit card numbers, CVV codes, or expiry dates
- Only last 4 digits, card brand, and billing country stored for user convenience
SendGrid
Transactional Email: SendGrid sends our service emails (receipts, job notifications, report delivery) on our behalf and processes your email address for that purpose only.
What We DON'T Do
- We do NOT sell your data to anyone
- We do NOT use your data for advertising
- We do NOT share data with marketing companies
- We do NOT track you across other websites
- We do NOT use your data to train AI models
Data Security
Protection Measures
- Encryption in Transit: TLS 1.2+ for all data transmission
- Encryption at Rest: AES-256 for database storage
- Hashed Identifiers: User IDs hashed with SHA-256
- Secure Sessions: 30-minute token expiration, cryptographically signed (JWT)
- Access Controls: Role-based access with principle of least privilege
- Secret Management: All API keys stored in Google Cloud Secret Manager
Data Breach Response
If a security incident occurs:
- Initial assessment within 24 hours
- User notification within 72 hours
- Regulatory reporting within 72 hours (GDPR, CCPA)
- Immediate remediation and system hardening
Data Retention
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Job Rows (addresses & results) | ~48 hours | Delivery and recovery, then deleted |
| Cached Location Data | Up to 30 days (place IDs indefinitely) | Google-compliant caching for speed and cost |
| Job Metadata | 90 days | Billing reconciliation |
| Session Tokens | 30 minutes | Security |
| Transaction Records | 7 years | Tax and financial compliance |
| Account Data | Until deletion | Active account |
| Inactive Accounts | 2 years | Then auto-deleted |
| System Logs | 30 days | Debugging (no user data) |
Your Rights
What You Can Do
- Access Your Data: View all account and billing information
- Export Your Data: Download transaction history and usage data
- Delete Your Account: Permanently remove your account (except transaction records required for tax compliance)
- Correct Information: Update your account details and preferences
- Opt-Out: Stop using the service at any time
How to Exercise Your Rights
Contact support@expanddata.com to:
- Request a copy of your data
- Delete your account
- Correct account information
- Ask questions about privacy
We respond to requests within 30 days.
Compliance
We comply with major privacy regulations:
- GDPR (European Union): Full compliance with data protection principles
- CCPA (California): Consumer privacy rights implemented
- PIPEDA (Canada): Personal information protection compliance
- PCI-DSS (Payment Cards): Via Stripe - we handle no card data directly
Data Location
- Primary Processing: Google Cloud us-central1 (United States)
- Database: Cloud SQL PostgreSQL in us-central1
- Backups: Encrypted backups in multiple geographic regions
- International Transfers: Standard Contractual Clauses for EU-US transfers
Children's Privacy
Expand Data is not intended for children under 13. We do not knowingly collect information from children. If we discover a child under 13 has provided information, we delete it immediately.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or regulations. When we do:
- Material changes: 30-day advance notice via email
- Version history maintained for reference
- Clear summary of what changed
Contact Information
Email: support@expanddata.com
EU Data Protection Authority: EU residents may contact their local Data Protection Authority with privacy concerns.
By using Expand Data, you acknowledge that you have read and understood this Privacy Policy.