Privacy Policy / GDPR Notice
Last updated: 4 May 2026
This Privacy Policy explains how Expanderhub SRL processes personal data in connection with the ExpanderHub website, digital business cards, account dashboard, contacts, connections, meetings, opportunities, messages, notifications and related services.
1. Applicable law
We process personal data in accordance with Regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), and applicable Romanian data protection legislation, including Law no. 190/2018 where relevant.
2. Who this policy applies to
This policy applies to website visitors, users who create digital business cards, account holders, people who interact with cards or QR codes, business contacts added by users, meeting participants, message recipients and senders, and people who contact us.
3. Categories of personal data we may process
| Category | Examples |
|---|---|
| Account and identification data | Name, surname, username, account ID, password hash, login details, account status. |
| Business card data | Professional title, company, phone number, email address, website, social media links, business address, profile photo, logo, video, QR code and public card link. |
| Contact and networking data | Saved cards, connections, notes, interaction history, invitations, opportunity interactions. |
| Meeting data | Meeting title, participants, invitations, reminders, timing, joining information and meeting-related metadata. |
| Messaging and notification data | Messages, replies, notification preferences, delivery metadata and timestamps. |
| Technical data | IP address, device type, browser, operating system, pages visited, logs, security events, cookies and similar identifiers. |
| Payment and subscription data | Plan type, billing status, transaction references, invoice data where paid features are used. Full card data is normally handled by payment processors, not stored by us unless explicitly stated. |
| Support and communication data | Email messages, support requests, feedback, complaints and correspondence. |
4. Sources of data
We collect data directly from you when you create a card, register, update your profile, use Platform features, contact us or consent to cookies. We may also receive data from other users when they add your business card, invite you to a meeting, message you or interact with you through an opportunity. Technical data may be collected automatically through logs, cookies and security tools.
5. Purposes and legal bases
| Purpose | Legal basis under GDPR |
|---|---|
| Creating and displaying digital business cards and QR links | Performance of a contract or steps requested before entering into a contract; legitimate interest for basic platform operation. |
| Providing account dashboard, connections, meetings, opportunities, messages and notifications | Performance of a contract; legitimate interest for service functionality and user communication. |
| Managing accounts, authentication, security and fraud prevention | Legitimate interest; legal obligation where applicable. |
| Customer support and responding to requests | Performance of a contract; legitimate interest; legal obligation for certain data protection requests. |
| Billing, accounting, invoices and tax records | Legal obligation; performance of a contract. |
| Service analytics and improvement | Legitimate interest for strictly necessary/internal measurements where permitted; consent for non-essential analytics cookies or similar technologies. |
| Marketing communications, newsletters or promotional updates | Consent where required; legitimate interest for limited B2B communications where legally permitted, with opt-out rights. |
| Legal claims, compliance and enforcement of Terms | Legitimate interest; legal obligation. |
6. Public and shared information
Digital business cards are intended to be shared. The information you choose to place on your card may be accessible through the card link, QR code or platform features. Do not include personal data, confidential data or third-party data unless you have the necessary rights and authorization.
When you use networking, meeting, opportunity or messaging features, certain information may be visible to other participants, recipients or relevant users as necessary for the feature to work.
7. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookies Policy. Strictly necessary cookies may be used without consent because they are required for security and core functionality. Analytics, marketing or optional third-party cookies are used only where valid consent has been obtained.
8. Recipients and processors
We may share personal data with trusted service providers acting as processors or independent controllers, depending on the service. These may include hosting providers, email delivery providers, payment processors, security tools, analytics providers, communication tools, video/meeting services, support tools and professional advisers. We require processors to apply appropriate confidentiality, security and data protection measures.
We may also disclose data to public authorities, courts, regulators or law enforcement where legally required or necessary to defend our rights.
9. International transfers
Where personal data is transferred outside the European Economic Area, we use appropriate safeguards such as European Commission Standard Contractual Clauses, adequacy decisions, supplementary security measures or other mechanisms permitted by GDPR.
10. Retention periods
| Data type | Typical retention |
|---|---|
| Account and business card data | For as long as the account/card is active, then a limited period for backup, legal claims and compliance. |
| Messages, meetings and networking data | For as long as needed to provide the feature, until deletion by the user where available, or according to account retention rules. |
| Billing and accounting records | For the period required by Romanian tax and accounting laws. |
| Security logs | For a limited period necessary for security, fraud prevention and incident investigation. |
| Cookie consent records | For the period needed to prove and manage consent, then deleted or anonymized. |
| Support correspondence | For the period needed to resolve the request and handle follow-up or legal claims. |
11. Your GDPR rights
Subject to legal conditions, you have the right to request access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent at any time where processing is based on consent. Withdrawal does not affect processing that occurred before withdrawal.
You may exercise these rights by contacting dataprotection@expanderhub.com. We may need to verify your identity before responding.
12. Right to complain
You may lodge a complaint with the Romanian supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), headquartered in Bucharest, Romania. You may also contact the supervisory authority in your EU Member State of residence, work or where an alleged infringement occurred.
13. Security
We use technical and organizational measures designed to protect personal data, including access controls, authentication, hosting security, backups, logging, confidentiality measures and secure development practices. No online service can guarantee absolute security, so users should also protect their credentials and devices.
14. Children
The Platform is intended for professional and business users and is not directed to children. We do not knowingly collect data from children through the Platform.
15. Automated decision-making
We do not intend to use personal data for decisions based solely on automated processing that produce legal or similarly significant effects. If this changes, we will provide the information required by GDPR.
16. Updates to this policy
We may update this Privacy Policy to reflect legal, technical or business changes. The latest version will be published on the website with the updated date.