Expand Data for Google Sheets Privacy Policy

Effective Date: November 16, 2025
Last Updated: November 16, 2025
Version: 1.0

Overview

Expand Data Inc. is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our AI-powered address enrichment service.

Company Information:

• Legal Name: EXPAND DATA INC
• Jurisdiction: British Columbia, Canada
• Contact: support@expanddata.com

What We Believe In

1. Data Minimization: We collect only what's necessary
2. Temporary Storage: Your address data is automatically deleted after 48 hours
3. User Control: You can delete your account and data at any time
4. Transparency: We're clear about what we do with your data
5. No Data Sales: We never sell your data to third parties

Information We Collect

Account Information

• Email Address: Stored for account identification and communication. Your email is stored both in plaintext (for operational purposes like support and notifications) and as a SHA-256 hash (for secure system identification)
• Authentication Tokens: Temporary session tokens (expire after 30 minutes)
• Account Metadata: Creation date, last login, platform preferences

Processing Data (48-Hour Recovery Window)

• Input Addresses: Stored encrypted and compressed for 48 hours to enable result recovery if downloads fail
• Enrichment Results: Geocoding, business intelligence, and environmental data stored for 48 hours
• Job Metadata: Job IDs, status, costs, and timestamps (retained for 90 days for billing reconciliation)
• Automatic Deletion: All addresses and enrichment results permanently deleted after 48 hours

Billing Data

• Credit Balance: Current credit balance and usage history
• Transaction Records: Purchase history, amounts, dates (retained for 7 years for tax compliance)
• Payment Methods: Only last 4 card digits, brand (Visa/Mastercard), and billing country (full card data handled exclusively by Stripe)

How We Use Your Information

1. Service Delivery: Process your address enrichment requests
2. Authentication: Verify your identity and maintain secure sessions
3. Billing: Calculate costs, process payments, issue refunds
4. Customer Support: Respond to your questions and technical issues
5. System Monitoring: Track performance and reliability (no user data in logs)

Third-Party Services

Google Cloud Platform

We use Google services to process your addresses:

• Google Maps Geocoding API: Converts addresses to coordinates
• Google Places API: Retrieves business and location data
• Google Environmental APIs: Air quality, solar potential, pollen data
• Google Vertex AI (Gemini): Generates AI-powered analyses

Important: We use paid-tier Google services where your data is NOT used for model training or advertising. Address data is sent to Google APIs for processing and results are returned to you. We store results for 48 hours; Google's retention is governed by their privacy policies.

Stripe

Payment Processing: All credit card processing handled by Stripe (PCI-DSS Level 1 compliant)

• We never see or store full credit card numbers, CVV codes, or expiry dates
• Only last 4 digits, card brand, and billing country stored for user convenience

What We DON'T Do

• ❌ We do NOT sell your data to anyone
• ❌ We do NOT use your data for advertising
• ❌ We do NOT share data with marketing companies
• ❌ We do NOT track you across other websites

Data Security

Protection Measures

• Encryption in Transit: TLS 1.2+ for all data transmission
• Encryption at Rest: AES-256 for database storage
• Hashed Identifiers: User IDs hashed with SHA-256
• Secure Sessions: 30-minute token expiration, cryptographically signed (JWT)
• Access Controls: Role-based access with principle of least privilege
• Secret Management: All API keys stored in Google Cloud Secret Manager

Data Breach Response

If a security incident occurs:

• Initial assessment within 24 hours
• User notification within 72 hours
• Regulatory reporting within 72 hours (GDPR, CCPA)
• Immediate remediation and system hardening

Data Retention

Your Rights

What You Can Do

• ✅ Access Your Data: View all account and billing information
• ✅ Export Your Data: Download transaction history and usage data
• ✅ Delete Your Account: Permanently remove your account (except transaction records required for tax compliance)
• ✅ Correct Information: Update your account details and preferences
• ✅ Opt-Out: Stop using the service at any time

How to Exercise Your Rights

Contact support@expanddata.com to:

• Request a copy of your data
• Delete your account
• Correct account information
• Ask questions about privacy

We respond to requests within 30 days.

Compliance

We comply with major privacy regulations:

• GDPR (European Union): Full compliance with data protection principles
• CCPA (California): Consumer privacy rights implemented
• PIPEDA (Canada): Personal information protection compliance
• PCI-DSS (Payment Cards): Via Stripe - we handle no card data directly

Data Location

• Primary Processing: Google Cloud us-central1 (United States)
• Database: Cloud SQL PostgreSQL in us-central1
• Backups: Encrypted backups in multiple geographic regions
• International Transfers: Standard Contractual Clauses for EU-US transfers

Children's Privacy

Expand Data is not intended for children under 13. We do not knowingly collect information from children. If we discover a child under 13 has provided information, we delete it immediately.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or regulations. When we do:

• Material changes: 30-day advance notice via email
• Version history maintained for reference
• Clear summary of what changed

Contact Information

Email: support@expanddata.com

EU Data Protection Authority: EU residents may contact their local Data Protection Authority with privacy concerns.

By using Expand Data, you acknowledge that you have read and understood this Privacy Policy.