Home

Privacy Policy

Last updated: April 2026

1. Who We Are (Data Controller)

Expatly (operated by Emin Yusifov, sole proprietor) provides informational tools for expats relocating to Spain. For all data protection matters, contact expatlyservice@gmail.com. The website is expatly.app.

2. Information We Collect

We collect only what we need to deliver the service you requested:

  • Email address — when you subscribe to the DNV guide, purchase a tax report, request an Apply-for-Me quote, or contact a partner.
  • Visa progress / family status / income range / language preference — to personalize your tax calculation and visa checklist.
  • Payment data — collected and processed by Stripe; we never see or store your card details.
  • Anonymous usage analytics — pages visited and feature usage (Vercel Analytics), no cross-site tracking.
  • Operational data — your unsubscribe token (HMAC-signed, no PII), follow-up email send-state, and order status.

3. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance — delivering paid reports, Apply-for-Me service, partner connections.
  • Consent — DNV guide subscription and follow-up emails (you opt in via checkbox; you can withdraw anytime via unsubscribe link).
  • Legitimate interest — anonymous analytics to improve our tools.

4. How We Use Your Data

  • To deliver your purchased tax report (PDF + email).
  • To send the DNV guide and optional follow-up emails (drip campaign — only with consent).
  • To process Apply-for-Me applications and connect you with vetted service partners.
  • To improve our calculators using anonymous, aggregate data.

5. Where Your Data Lives (Storage & Sub-processors)

Personal data is stored on Neon (PostgreSQL) servers in the EU (Frankfurt). We use industry-standard encryption (TLS in transit, AES at rest). We share data with the following sub-processors strictly to deliver our service:

  • Stripe — payment processing (privacy policy)
  • Resend — transactional and follow-up email delivery (privacy policy)
  • Neon — managed PostgreSQL database, EU region (privacy policy)
  • Upstash — Redis cache for rate limits and PDF caching (privacy policy)
  • Vercel — hosting and Vercel Analytics (anonymous, no cookies — privacy policy)
  • Sentry — error tracking (EU region — Frankfurt; processes anonymized stack traces, no PII by default — privacy policy)
  • Telegram — internal operational notifications only (no customer data exposed)

6. Data Retention

  • Email leads (DNV guide subscribers): retained until you unsubscribe; auto-purged after 24 months of inactivity.
  • Order records: retained for 7 years to comply with Spanish tax/accounting law.
  • Analytics: aggregated and anonymized within 90 days.

7. Your Rights (GDPR)

You have the right to:

  • Access — request a copy of your personal data we hold.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion ("right to be forgotten").
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Object — opt out of processing based on legitimate interest.
  • Withdraw consent — for any opt-in processing, at any time.
  • Lodge a complaint — with the Spanish data protection authority (AEPD, aepd.es).

To exercise any of these rights: expatlyservice@gmail.com. We respond within 30 days.

8. Cookies

We use only strictly-necessary cookies (e.g., for language preference and security). We do not use third-party advertising cookies, cross-site trackers, or sell data to data brokers. Vercel Analytics tracks page views without cookies, using only an anonymous, hashed signature derived from IP and User-Agent that is rotated daily.

9. International Transfers

All primary data storage is in the EU. Stripe and Resend may process data in the US under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

10. Children

Expatly is not intended for users under 18. We do not knowingly collect data from minors.

11. Changes to This Policy

We will notify subscribers by email of material changes. The "Last updated" date at the top of this page reflects the current version.

12. Contact

For privacy questions or to exercise your GDPR rights: expatlyservice@gmail.com