Draft document. This policy has not been reviewed by a lawyer. Replace all [PLACEHOLDER] fields before publishing.

Privacy Policy

Last updated: [PLACEHOLDER — add date before publishing]

1. Who we are

XpandR is a mobile running coaching application developed by [PLACEHOLDER — legal entity name], [PLACEHOLDER — address, city, country] ("we", "us", "XpandR").

We act as the data controller for the personal data processed through this website (xpandr.app). Contact us at info@xpandr.app for any data-related enquiries.

2. What data we collect and why

When you sign up for the XpandR beta program through this website, we collect:

Email address — to send you beta invitations and programme updates.
Consent timestamp — to record when and how you gave your consent (GDPR record-keeping).
Language preference (navigator.language) — to communicate with you in your preferred language.
IP address — collected transiently by our hosting infrastructure (Cloudflare) for security and rate-limiting purposes. We do not store it ourselves.

We do not use cookies, tracking pixels, or analytics scripts on this website.

3. Legal basis for processing

We process your email address and related data on the basis of your freely given, specific, and informed consent (Article 6(1)(a) GDPR; Art. 31 Swiss nDSG). You can withdraw your consent at any time — see Section 6.

4. How long we keep your data

We retain your email address and consent record until you unsubscribe or request deletion, or for a maximum of 24 months from the date of signup — whichever comes first. After this period, your data is deleted from our mailing list.

5. Who we share your data with

We use Brevo (formerly Sendinblue) as our email marketing platform and data processor. Brevo processes your email address on our behalf to manage the mailing list and send beta invitations.

Brevo SAS, 55 rue d'Amsterdam, 75008 Paris, France (EU-based).
Brevo is subject to GDPR as an EU entity.
Brevo's privacy policy: brevo.com/legal/privacypolicy

We also use Cloudflare Pages for website hosting. Cloudflare processes your IP address as part of request routing. Their privacy policy: cloudflare.com/privacypolicy.

We do not sell, rent, or otherwise share your personal data with any other third parties.

6. Your rights

Under GDPR and the Swiss nDSG, you have the right to:

Access the personal data we hold about you.
Rectify inaccurate data.
Erase your data ("right to be forgotten").
Data portability — receive your data in a machine-readable format.
Withdraw consent at any time, without affecting the lawfulness of prior processing.
Object to processing or request restriction of processing.
Lodge a complaint with your supervisory authority. In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

To exercise any of these rights, email us at info@xpandr.app. We will respond within 30 days.

To unsubscribe from our mailing list, click the unsubscribe link in any email we send, or email us at info@xpandr.app.

7. Data security

We apply appropriate technical and organisational measures to protect your personal data. Our mailing list is stored by Brevo, which maintains industry-standard security practices. Our website is served over HTTPS via Cloudflare.

8. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you are on our list) or by updating the date at the top of this page. Continued use of the website after any changes constitutes acceptance of the updated policy.

9. Contact

For any questions or concerns about this Privacy Policy or how we handle your data:

[PLACEHOLDER — legal entity name]
[PLACEHOLDER — address]
info@xpandr.app