Privacy Policy
Effective Date: October 2, 2025
Last Updated: October 8, 2025
Version: 1.2
ExpandData ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our address enrichment and intelligence services through our Google Sheets Add-on, Zapier integration, or API.
1. Overview
ExpandData provides address processing and enrichment services that transform basic address data into comprehensive business and environmental intelligence. Our services include:
- T1 (Basic Geocoding): Address to coordinates conversion
- T2 (Premium Intelligence): Business environment and market analysis
- T3 (Environmental Intelligence): Air quality, solar potential, and pollen data
Privacy-First Design: We employ a privacy-first architecture with 24-hour result retention to support recovery while minimizing data exposure.
2. Information We Collect
2.1 Authentication Information
- Email Address (Hashed): We collect your email address during authentication and immediately hash it using SHA-256. The plaintext email is never stored in our database.
- OAuth Tokens: When you authenticate via Google OAuth, we receive an OAuth token which we use to create short-lived JWT session tokens (30-minute expiration).
- API Keys: For automation platforms (Zapier, Make.com), you can generate API keys. These are hashed using SHA-512 before storage - the actual key is never retrievable after generation.
2.2 Address and Processing Data
- User-Provided Addresses: Addresses you submit for processing
- Processing Metadata: Job IDs, processing tier (T1/T2/T3), address counts, timestamps, processing status
- Processing Results: Enrichment results temporarily stored for 24-hour recovery window
Processing Data Lifecycle:
- Active Processing: Address data processed in-memory during API request (typically 2-10 seconds)
- Result Storage: Enrichment results stored encrypted and compressed for 24 hours to enable recovery
- Automatic Deletion: Results automatically deleted after 24-hour expiration (GDPR data minimization)
Recovery Feature: If you lose results or experience a download error, you can recover your processing results within 24 hours of job completion using your transaction ID. The recovery endpoint (/v1/billing/transactions/{transaction_id}/recover) validates your identity and checks the expiration window before returning results. After 24 hours, results are permanently deleted and cannot be recovered.
2.3 Billing and Transaction Information
- Credit Balance: Your current credit balance for service usage
- Purchase History: Transaction amounts, dates, and Stripe payment IDs
- Usage Metrics: Credits consumed per job, processing tier usage
Payment Card Data: We never store, process, or transmit credit card information. All payment processing is handled exclusively by Stripe (PCI-DSS Level 1 compliant).
2.4 Technical and Usage Information
- Session Information: JWT tokens, session duration, refresh tokens
- Rate Limiting Data: API request counts for fair usage enforcement
- Error Logs: Generic error messages and system diagnostics (sanitized of user data)
3. How We Use Your Information
3.1 Service Delivery
- Address Processing: Convert addresses to coordinates, enrich with business intelligence, environmental data, and AI-generated analyses
- Authentication: Verify your identity and maintain secure sessions
- Billing: Process payments, track credit usage, maintain transaction records
3.2 Service Operation
- Rate Limiting: Prevent abuse and ensure fair usage (100 requests/minute per user)
- Error Tracking: Diagnose and fix technical issues
- Performance Monitoring: Optimize processing speed and reliability
3.3 Compliance and Legal
- Transaction Records: Retain billing records for 7 years per financial compliance requirements
- Audit Trails: Maintain logs for security and compliance purposes (30-day retention)
4. Data Processing and Third-Party Services
ExpandData integrates with third-party services to deliver our address enrichment capabilities. All third-party services are paid-tier, enterprise-grade services with data protection agreements.
4.1 Google Cloud Platform Services
Services Used:
- Google Maps Geocoding API (address to coordinates)
- Google Places API (business intelligence)
- Google Air Quality API (environmental data)
- Google Solar API (solar energy potential)
- Google Pollen API (allergen data)
- Google Vertex AI (AI-powered analysis generation)
Data Shared: User-provided addresses, derived coordinates, analysis prompts
Purpose: Geocoding, business intelligence, environmental data, AI analysis generation
Privacy Policy: Google Privacy Policy
Terms of Service: Google Cloud Terms
AI/ML Transparency:
- Model Used: Gemini 2.0 Flash (gemini-2.0-flash-001)
- Model Tier: Paid/Stable Production (NOT experimental or free tier)
- Training Policy: Your data is NOT used for model training or improvement
- Data Processing Agreement: Google Cloud Data Processing Agreement applies
- Pricing: $0.15/million input tokens, $0.60/million output tokens (demonstrating paid-tier usage)
Attribution: Results powered by Google Maps Platform, Google Places API, Google Environmental APIs, and Google Vertex AI
4.2 Stripe Payment Processing
Purpose: Process credit purchases and payment transactions
Data Shared: Payment amounts, customer email (hashed), transaction metadata
Payment Card Handling: Stripe handles all credit card data - ExpandData never stores card information
PCI Compliance: Stripe is PCI-DSS Level 1 compliant
Privacy Policy: Stripe Privacy Policy
Terms of Service: Stripe Legal
Attribution: Payments processed by Stripe
4.3 Neon Database Hosting
Purpose: Database hosting for user accounts, billing records, and transaction history
Data Stored: Hashed user identifiers, credit balances, transaction records, job metadata
Data Protection: Encrypted at rest (AES-256), access-controlled
Location: Cloud-hosted (region configurable)
5. Data Storage and Retention
5.1 What We Store
| Data Type | Storage Duration | Purpose | Privacy Design |
| --- | --- | --- | --- |
| User Accounts | Active duration | Authentication | Email hashed (SHA-256) |
| Session Tokens | 30 min - 30 days | Authentication | Auto-expiring JWT tokens |
| API Keys | Until revoked | Automation access | Hashed (SHA-512), key never retrievable |
| Processing Results | 24 hours | Result recovery | Encrypted, compressed, auto-deleted |
| Billing Records | 7 years | Financial compliance | Hash-based user ID only |
| Transaction History | 7 years | Financial compliance | No card data (Stripe handles) |
| Processing Jobs | 90 days | Job tracking | Metadata only - no address data |
| Application Logs | 30 days | Diagnostics | Sanitized of user data |
5.2 What We DON'T Store
- ❌ User Addresses (plaintext): Never stored - processed in-memory only (2-10 seconds), then discarded
- ❌ Enrichment Results (beyond 24h): Automatically deleted after 24-hour recovery window
- ❌ Plaintext Email Addresses: Only SHA-256 hashes stored
- ❌ Payment Card Data: Handled exclusively by Stripe
- ❌ API Keys (plaintext): Only hashes stored after generation
5.3 Data Retention Timeline
- Address Processing Data: In-memory only (2-10 seconds). Processed, returned to user, and immediately deleted—never persisted to storage.
- Processing Results: 24-hour recovery window. Results are stored encrypted and compressed to enable recovery if you lose data or experience download errors. Automatically deleted after 24 hours in compliance with GDPR data minimization principles.
- Session Tokens: 30 minutes to 30 days. Access tokens expire after 30 minutes; refresh tokens expire after 30 days. All tokens are automatically deleted upon expiration.
- Processing Jobs: 90 days. Job metadata only (contains no address or enrichment data). Automatically purged after 90 days.
- Application Logs: 30 days. Error logs and diagnostics for service improvement. Auto-deleted after 30 days.
- Transaction Records: 7 years. Required by financial compliance regulations. Contains no address or enrichment data—only billing information.
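The recovery endpoint described in Section 2.2 and the 24-hour window in this section combine two checks: the transaction must belong to the requesting account, and the result must still be inside its retention window. The following is an added illustration written for this page, not ExpandData's own code. It assumes an in-memory store keyed by transaction ID, SHA-256 email hashes as the account identifier, and zlib for the compression step; AES-256 encryption at rest is assumed to be applied by the storage layer and is not shown. The sample result rows are constructed.

```python
import json
import secrets
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

RESULT_TTL = 24 * 60 * 60  # 24-hour recovery window stated in the policy


@dataclass
class StoredResult:
    owner_hash: str   # SHA-256 email hash of the account that ran the job
    created_at: int   # unix seconds at job completion
    blob: bytes       # zlib-compressed JSON; encryption at rest assumed elsewhere


class ResultStore:
    """Hypothetical store backing /v1/billing/transactions/{id}/recover."""

    def __init__(self) -> None:
        self._rows: Dict[str, StoredResult] = {}

    def put(self, owner_hash: str, results: List[dict], now: int) -> str:
        # Unguessable ID, but ownership is still checked on every read;
        # an unguessable ID is not an access control on its own.
        transaction_id = secrets.token_hex(16)
        blob = zlib.compress(json.dumps(results).encode())
        self._rows[transaction_id] = StoredResult(owner_hash, now, blob)
        return transaction_id

    def recover(self, transaction_id: str, requester_hash: str, now: int) -> Optional[List[dict]]:
        row = self._rows.get(transaction_id)
        if row is None or row.owner_hash != requester_hash:
            # Same answer for unknown and foreign IDs: no enumeration oracle
            return None
        if now - row.created_at >= RESULT_TTL:
            # Lazy deletion if the periodic purge has not run yet
            del self._rows[transaction_id]
            return None
        return json.loads(zlib.decompress(row.blob))

    def purge_expired(self, now: int) -> int:
        """Scheduled job: delete every result past its window, return count."""
        expired = [tid for tid, r in self._rows.items() if now - r.created_at >= RESULT_TTL]
        for tid in expired:
            del self._rows[tid]
        return len(expired)

    def __len__(self) -> int:
        return len(self._rows)


if __name__ == "__main__":
    store = ResultStore()
    t0 = 1_700_000_000
    # Constructed sample enrichment result
    tid = store.put("owner-hash", [{"address": "1 Example St", "lat": 1.0, "lng": 2.0}], now=t0)
    print(store.recover(tid, "owner-hash", now=t0 + 3600))          # the result
    print(store.recover(tid, "someone-else", now=t0 + 3600))        # None
    print(store.recover(tid, "owner-hash", now=t0 + RESULT_TTL))    # None, and the row is gone
```

The ownership comparison runs before the expiry check so that a foreign caller learns nothing about whether a transaction ID exists or how old it is; the periodic purge and the lazy delete on read together guarantee nothing survives past the window even if the scheduler is late.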
6. Data Security
We employ industry-standard security measures to protect your information:
6.1 Encryption
- Data in Transit: TLS 1.3 (HTTPS) for all API communications with forward secrecy
- Data at Rest: AES-256 encryption for database storage
- Secrets Management: Google Cloud Secret Manager for API keys and credentials
- Hop-by-Hop Encryption: Traffic is encrypted in transit on each leg, from the user to ExpandData and from ExpandData to third-party APIs; ExpandData decrypts and processes the data in between, so this is transport encryption on every hop rather than end-to-end encryption between the user and the third party
6.2 Authentication Security
- Hash-Based Identification: User emails hashed with SHA-256, never stored in plaintext
- JWT Tokens: Signed with HS256 (HMAC-SHA256) using a server-held secret; the signature and the exp claim are checked on every request
- Short Expiration Times: 30-minute access tokens minimize exposure window
- API Key Hashing: SHA-512 one-way hashing for API keys
- Multi-Factor Authentication: Available for enhanced account security (optional)
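The three mechanisms above that the policy specifies concretely are SHA-256 email hashing (Section 2.1), SHA-512 one-way API key hashing, and HS256 access tokens that expire after 30 minutes. The block below is an added example written for this page, not ExpandData's code, showing how those fit together with a constant-time comparison on the hash lookup and an explicit algorithm check on the JWT. It is stdlib-only, so the JWT encoding is done by hand; the signing secret is generated in-process (assumed to come from Secret Manager in a real deployment), the email normalisation (trim and lowercase) and the `ed_` key prefix are assumptions, and the email address is a constructed sample.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumed to be loaded from Google Cloud Secret Manager in production;
# generated here so the example runs offline.
JWT_SECRET = secrets.token_bytes(32)
ACCESS_TTL = 30 * 60  # 30-minute access tokens per the policy


def hash_email(email: str) -> str:
    """SHA-256 of the normalised address; this hash is the only form stored."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def issue_api_key() -> Tuple[str, str]:
    """Return (plaintext_key, sha512_hex). Only the hash is persisted."""
    key = "ed_" + secrets.token_urlsafe(32)
    return key, hashlib.sha512(key.encode()).hexdigest()


def verify_api_key(presented: str, stored_hash: str) -> bool:
    candidate = hashlib.sha512(presented.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)  # constant-time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(email_hash: str, now: Optional[int] = None) -> str:
    """HS256 JWT carrying the email hash as subject, valid for ACCESS_TTL."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": email_hash, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return claims only if alg is HS256, the MAC verifies and exp is in the future."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm substitution
        return None
    expected = hmac.new(JWT_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    claims = json.loads(_b64url_decode(p64))
    if claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    subject = hash_email("Alice@Example.com")          # constructed sample
    key, key_hash = issue_api_key()
    print(verify_api_key(key, key_hash))                # True
    tok = issue_access_token(subject, now=1_000_000)
    print(verify_access_token(tok, now=1_000_000 + 60) is not None)  # True
    print(verify_access_token(tok, now=1_000_000 + ACCESS_TTL))      # None: expired
```

Two details matter for the policy's claims. The algorithm is pinned before the signature is checked, because a verifier that trusts the token's own `alg` header can be talked into accepting an unsigned token. And an unsalted SHA-256 of an email is a deterministic pseudonym: it prevents casual reading of the database but can be recomputed from a candidate address, so under GDPR it is pseudonymised personal data, not anonymised data, which is consistent with the policy still treating the hashed record as personal data subject to access and deletion rights.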
6.3 Access Controls
- Role-Based Access Control (RBAC): Granular permissions based on user roles
- Rate Limiting: 100 requests per minute per user, 1000 addresses per request maximum
- Authentication Required: All endpoints require valid JWT tokens or API keys
- Internal Access: Restricted to authorized system administrators only with RBAC
- Audit Logging: All access attempts logged for security monitoring
- Least Privilege Principle: Users and services granted minimum necessary permissions
6.4 Infrastructure Security
- Cloud Platform: Google Cloud Run with automatic security updates and patches
- Database Security: Neon PostgreSQL with access controls, encryption, and network isolation
- Secret Storage: Google Cloud Secret Manager (no hardcoded credentials)
- Network Security: Private networking for database connections, VPC isolation
- Automated Security Scanning: Continuous vulnerability scanning and dependency checks
- Security Monitoring: 24/7 automated threat detection and intrusion prevention
- DDoS Protection: Google Cloud's built-in DDoS protection
- Container Security: Regularly updated base images with security patches
6.5 Application Security
- Input Validation: All user inputs validated and sanitized
- SQL Injection Prevention: Parameterized queries and ORM usage
- XSS Protection: Output encoding and Content Security Policy headers
- CSRF Protection: Token-based CSRF prevention
- Dependency Management: Regular updates and security patch monitoring
7. Data Sharing and Disclosure
7.1 Third-Party Service Providers
We share data with third-party service providers ONLY as necessary to deliver our services:
| Provider | Purpose | Data Shared | Legal Basis |
| --- | --- | --- | --- |
| Google Cloud Platform | Geocoding, intelligence, AI | Addresses, coordinates, prompts | Service delivery |
| Stripe | Payment processing | Payment amounts, email hash | Payment processing |
| Neon | Database hosting | User hashes, billing records | Service operation |
| SendGrid (Twilio) | Transactional emails | Email addresses, notification content | Service communication |
Data Protection Agreements: All third-party providers have data processing agreements ensuring GDPR/CCPA/PIPEDA compliance.
Email Communications: SendGrid is used exclusively for transactional emails (account notifications, receipts, security alerts). Email addresses are not used for marketing purposes or shared with third parties for advertising.
7.2 What We DON'T Do
- ❌ No Data Sales: We do not sell, rent, or trade your data
- ❌ No Advertising: No data shared for advertising purposes
- ❌ No Cross-Service Tracking: No behavioral tracking across services
- ❌ No Marketing Data Sharing: No data shared with marketing platforms
- ❌ No Data Brokers: No data shared with data brokers or aggregators
7.3 Legal Disclosure
We may disclose information if required by law, such as:
- Court orders or subpoenas
- Legal process requiring disclosure
- Protection of our rights or safety
- Investigation of fraud or security issues
8. Your Privacy Rights
8.1 Access and Portability (GDPR Art. 15, 20)
Right: Access your stored data and receive a copy in machine-readable format
How to Exercise: Contact privacy@expanddata.com
Response Time: Within 30 days
What You'll Receive: Account information, billing records, transaction history (JSON or CSV format)
8.2 Rectification (GDPR Art. 16)
Right: Correct inaccurate or incomplete data
How to Exercise: Update account preferences via API or contact support
Response Time: Immediate (for account settings) or within 7 days (for other corrections)
8.3 Deletion (GDPR Art. 17, CCPA)
Right: Request deletion of your account and associated data
How to Exercise: Contact privacy@expanddata.com with subject "Account Deletion Request"
Response Time: Within 30 days
What Will Be Deleted:
- User account and authentication data
- Session tokens and API keys
- Processing job metadata
- Billing balance information
Retention Exception: Transaction records retained for 7 years per financial compliance requirements (GDPR Art. 17(3)(b))
8.4 Data Portability (GDPR Art. 20)
Right: Export your data in structured, machine-readable format
How to Exercise: Contact privacy@expanddata.com
Response Time: Within 30 days
Available Formats: JSON, CSV
8.5 Restriction of Processing (GDPR Art. 18)
Right: Request limitation of how we process your data
How to Exercise: Contact privacy@expanddata.com
Response Time: Within 7 days
8.6 Objection (GDPR Art. 21)
Right: Object to processing based on legitimate interests
How to Exercise: Contact privacy@expanddata.com
Response Time: Within 14 days
8.7 Withdraw Consent (GDPR Art. 7(3))
Right: Withdraw consent for data processing at any time
How to Exercise: Delete your account or contact privacy@expanddata.com
Effect: Service access will be terminated
8.8 Do Not Sell My Personal Information (CCPA)
Status: ExpandData does NOT sell personal information. This right is automatically honored.
9. Children's Privacy (COPPA Compliance)
ExpandData services are not directed to individuals under 13 years of age (COPPA) or 18 years of age (general policy). We do not knowingly collect personal information from children.
COPPA Compliance: Our services comply with the Children's Online Privacy Protection Act (COPPA). We do not:
- Knowingly collect personal information from children under 13
- Use children's data for targeted advertising
- Condition participation on providing more information than necessary
Parental Rights: If we become aware that we have collected data from a child without verified parental consent, we will delete it immediately. Parents can contact privacy@expanddata.com to:
- Review their child's personal information
- Request deletion of their child's information
- Refuse further collection of their child's information
10. International Data Transfers
Company Location: Canada (Headquarters)
Processing Location: United States (us-central1 - Google Cloud)
Legal Basis for Transfers:
- Google Cloud Data Processing Agreement (GDPR-compliant)
- Standard Contractual Clauses (SCCs) for EU-US data transfers
Data Protection: All transfers comply with GDPR adequacy requirements
Cross-Border Transfers: Data may be transferred between Canada and United States for processing purposes
11. Compliance Frameworks
11.1 GDPR (General Data Protection Regulation)
Applicability: EU/EEA users
Legal Basis: Contract (service delivery) and Legitimate Interest (payment processing)
User Rights: Access, rectification, erasure, portability, restriction, objection
Data Protection Officer: TBD (to be designated)
Data Breach Notification: 72-hour notification requirement implemented
Representative: TBD (for EU operations)
11.2 CCPA (California Consumer Privacy Act)
Applicability: California residents
User Rights: Right to know, delete, opt-out of sale (N/A - no data sales)
Do Not Sell: ExpandData does NOT sell user data
Categories of Data Collected: Identifiers (email hash), payment information (via Stripe), usage data
Business Purpose: Service delivery, payment processing, service operation
11.3 PIPEDA (Personal Information Protection and Electronic Documents Act)
Applicability: Canadian users and operations
Compliance Status: Compliant with PIPEDA requirements
Key Principles:
- Consent: Users explicitly consent to data processing through service use
- Purpose Limitation: Data used only for stated purposes
- Individual Access: Users can access and correct their information
- Safeguards: Appropriate security measures implemented
- Accountability: ExpandData is accountable for data protection
11.4 COPPA (Children's Online Privacy Protection Act)
Applicability: Users under 13 years of age (U.S.)
Compliance Status: Compliant - services not directed at children
Key Protections: No knowing collection of children's data; parental consent required if any is collected
Parental Rights: Access, deletion, and control over children's information
11.5 PCI-DSS (Payment Card Industry Data Security Standard)
Applicability: Indirect - Stripe handles all payment card data
Compliance: ExpandData never stores, processes, or transmits credit card data
Payment Processor: Stripe (PCI-DSS Level 1 compliant)
12. Cookies and Tracking Technologies
Google Sheets Add-on: No cookies used (authentication via OAuth tokens stored in Google Apps Script properties)
API/Zapier: No cookies used (authentication via API keys in headers)
Website (if applicable): May use essential cookies for functionality only (no tracking/advertising cookies)
13. Data Breach Notification and Incident Response
In the unlikely event of a data breach or security incident involving your personal information:
13.1 Incident Response Timeline
- Initial Response: 24-hour incident response SLA (detection to containment)
- User Notification: Within 72 hours of breach discovery. GDPR Art. 34 requires affected individuals to be told without undue delay when a breach is likely to result in a high risk to them; our 72-hour commitment applies regardless of that risk threshold
- Regulatory Notification: Within 72 hours of becoming aware of the breach to the appropriate supervisory authority (GDPR Art. 33)
13.2 Notification Process
Notification Method: Email to your registered address
Information Provided:
- Nature and scope of the breach
- Types of data affected
- Estimated number of users affected
- Remediation steps taken
- Recommended user actions
- Contact information for questions
Regulatory Notification: Appropriate authorities notified as required by:
- GDPR (EU supervisory authorities)
- CCPA (California Attorney General)
- PIPEDA (Office of the Privacy Commissioner of Canada)
- Other applicable regulations
13.3 Incident Response Procedures
- Security Monitoring: 24/7 automated security monitoring and alerting
- Response Team: Dedicated incident response team with 24-hour availability
- Containment: Immediate containment measures to limit breach scope
- Investigation: Forensic investigation to determine cause and extent
- Remediation: Patching vulnerabilities and implementing additional controls
- Post-Incident Review: Comprehensive review and security improvements
14. Privacy Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
Notification of Changes:
- Material changes: Email notification + 30-day advance notice
- Non-material changes: Posted on website with "Last Updated" date
User Action: Continued use of services after changes constitutes acceptance. If you disagree, you may delete your account.
15. Contact Information
Privacy Inquiries and Rights Requests
Email: privacy@expanddata.com
Subject Line Formats:
- Data Access Request
- Data Deletion Request
- Data Export Request
- Privacy Question
Response Time: Within 30 days of verified request
Verification: We may request additional information to verify your identity before processing requests
General Support
Email: support@expanddata.com
Website: https://www.expanddata.com
Documentation: https://docs.expanddata.com
16. Privacy-First Design Principles
ExpandData is built on privacy-first principles:
- Minimal Data Collection: We collect only what's necessary for service delivery
- In-Memory Processing: Address data never persisted to database
- 24-Hour Result Retention: Processing results automatically deleted after 24 hours (GDPR data minimization)
- Hash-Based Identification: Email addresses never stored in plaintext
- Short Retention Periods: Data deleted as soon as legally permissible
- Transparent Processing: Clear disclosure of all data uses
- User Control: Easy access to your data and deletion rights, plus 24-hour recovery window
- Security by Design: Encryption, access controls, and security best practices
- No Data Sales: Your data is never sold or shared for advertising
17. API Attributions
ExpandData services are powered by:
- Google Maps Platform - Geocoding and location services
- Google Places API - Business intelligence data
- Google Air Quality API - Environmental air quality data
- Google Solar API - Solar energy potential analysis
- Google Pollen API - Allergen and pollen data
- Google Vertex AI - AI-powered business analysis generation
- Stripe - Secure payment processing
All third-party services used are paid-tier, enterprise-grade services with data protection guarantees.
18. Specific Disclosures for Google Workspace Marketplace
Google OAuth Scopes Requested:
- userinfo.email: For user authentication (email is immediately hashed)
- spreadsheets: For Google Sheets integration (read/write access to the user's sheets only)
Data Usage:
- Email: Authentication only (hashed immediately, never stored in plaintext)
- Spreadsheet Access: Read addresses for processing, write enrichment results
- No access to other Google services or user data
Google User Data Policy Compliance:
- Limited Use: Data used only for providing services as disclosed
- No Advertising: User data not used for advertising purposes
- No Human Access: Address data processed by automated systems only
- Secure Transmission: All data transmitted over HTTPS (TLS 1.3)
19. Specific Disclosures for Zapier Integration
Authentication: API key-based (generated by user, hashed on our servers)
Data Access: Only address data sent by user via Zapier workflows
Data Retention: Address data processed in-memory only (2-10 seconds); enrichment results retained encrypted for the 24-hour recovery window described in Section 5, then deleted
Rate Limits: 1000 requests per hour per API key
Webhook Security: Signed webhook payloads for verification
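The policy states that webhook payloads are signed but does not specify the scheme. The block below is an added example, not ExpandData's implementation, of the usual construction a receiver should expect: an HMAC-SHA256 over the timestamp and the raw body, carried in a header, verified with a constant-time comparison and a freshness window to block replay. The header name, the `t=...,v1=...` format, the 5-minute tolerance and the shared secret are all assumptions; the payload is constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

REPLAY_TOLERANCE = 300  # seconds; assumed window for accepting a signature
SIGNATURE_HEADER = "X-ExpandData-Signature"  # hypothetical header name


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: MAC over '<timestamp>.<raw body>' so the time is bound to the payload."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Receiver side: parse the header, reject stale timestamps, compare in constant time."""
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        presented = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_TOLERANCE:
        return False  # replayed or clock-skewed beyond tolerance
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # assumed, shared out of band
    body = b'{"job_id":"job_123","status":"completed"}'  # constructed payload
    header = sign_webhook(secret, body, timestamp=1_700_000_000)
    print(verify_webhook(secret, body, header, now=1_700_000_010))       # True
    print(verify_webhook(secret, body + b" ", header, now=1_700_000_010))  # False: body altered
    print(verify_webhook(secret, body, header, now=1_700_000_000 + 3600)) # False: stale
```

Verify against the raw request bytes, not a re-serialised JSON object, since any reformatting changes the MAC; and treat the timestamp check as part of the signature check rather than an optional extra, because a valid signature on a year-old payload is exactly what a replay looks like.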
20. Legal Basis for Processing (GDPR)
| Processing Activity | Legal Basis (GDPR Article) | Justification |
| --- | --- | --- |
| Account creation and authentication | Contract (Art. 6(1)(b)) | Necessary for service delivery |
| Address processing | Contract (Art. 6(1)(b)) | Necessary for service delivery |
| Payment processing | Contract (Art. 6(1)(b)) | Necessary for service delivery |
| Transaction record retention | Legal obligation (Art. 6(1)(c)) | Financial compliance (7-year retention) |
| Service improvement and diagnostics | Legitimate interest (Art. 6(1)(f)) | Improve service quality |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Protect our systems and users |
21. Automated Decision-Making
AI-Generated Analyses: ExpandData uses Google Vertex AI (Gemini 2.0 Flash) to generate business environment analyses. These are provided as informational insights only and do not constitute automated decision-making that produces legal effects or similarly significantly affects you (GDPR Art. 22).
User Control: You can choose not to use T2/T3 tiers that include AI-generated analyses.
22. Attestations and Certifications
We certify that:
- ✅ No AI Training on User Data: We use ONLY paid-tier AI services (Vertex AI Gemini 2.0 Flash - stable version gemini-2.0-flash-001) where customer data is NOT used for model training or improvement
- ✅ 24-Hour Data Minimization: User addresses processed in-memory only; enrichment results automatically deleted after 24 hours (GDPR Art. 5(1)(e) compliance)
- ✅ Hash-Based Privacy: User email addresses are hashed using SHA-256 and stored as hashes only
- ✅ PCI Compliance: We never store, process, or transmit credit card data - all handled by Stripe (PCI-DSS Level 1 compliant)
- ✅ API Attribution: All third-party APIs properly attributed per terms of service
- ✅ No Data Sales: We do not sell, rent, or trade user data
Appendix A: Data Processing Record (GDPR Art. 30)
Controller: ExpandData
Processing Activities: Address enrichment services, billing, authentication
Categories of Data Subjects: Google Sheets users, API users, Zapier users
Categories of Personal Data: Email addresses (hashed), billing information, usage metadata
Categories of Recipients: Google Cloud Platform (service provider), Stripe (payment processor), Neon (database hosting)
International Transfers: United States (us-central1) with adequate data protection
Retention Periods: See Section 5 (Data Storage and Retention)
Security Measures: See Section 6 (Data Security)
Questions or Concerns?
Contact us at privacy@expanddata.com
We are committed to protecting your privacy and will respond to all inquiries within 30 days.