Privacy Policy

Last updated: June 2026 · GDPR compliant

GDPR Compliant · Dutch Law (AP) · No letter storage · Encrypted data · hello@expatpilot.nl

1. Who We Are

ExpatPilot is operated by:

  • Business name: ExpatPilot
  • KVK number: 86009613
  • VAT number: NL004175627B43
  • Address: Eindhoven, Netherlands
  • Email: hello@expatpilot.nl
  • Website: expatpilot.nl

We are the data controller for personal data processed through this website. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and Dutch privacy law (Uitvoeringswet AVG).

2. What Data We Collect

| Data type | When collected | Purpose | Retention |
|---|---|---|---|
| Email address | Waitlist / newsletter signup | Beta access notifications, newsletter | Until you unsubscribe |
| Name | If provided on signup or contact form | Personalised communication | Until you request deletion |
| Usage analytics | Visiting any page | Improve website (no personal ID) | 90 days aggregated |
| Contact messages | Via contact form or email | Responding to your enquiry | 1 year |
| Cookie preferences | Cookie banner | Respecting your consent | 1 year |

What we do NOT collect or store:

  • Letter or document content from the Letter Translator tool
  • Salary figures entered in the Salary Calculator
  • Financial details entered in the Benefits Checker
  • Chat conversation content (processed in session only)

3. Letter Translator - Special Notice

Your documents are never stored on our servers

When you use the Letter Translator, your uploaded photos, scans, or pasted text are:

  • Transmitted directly to Anthropic Claude AI for analysis
  • Returned to you as a translation result
  • Immediately discarded - not saved to any database

Only anonymised metadata is stored (letter type, whether it had a deadline, number of pages): no personal data, no document content, no images.

We recommend you do not upload: passport photo pages, documents containing full bank account numbers (IBAN), BSN number documents, or any document containing your digital signature.

Letters processed through the translator are also subject to Anthropic's privacy policy at anthropic.com/privacy. Anthropic may retain API inputs for safety monitoring for up to 30 days under their standard API terms.

4. AI Services - Third Party Data Processors

ExpatPilot uses the following AI services as data processors (Article 28 GDPR). When you interact with our AI tools, your inputs may be processed by these services:

| Processor | Service | Data processed | Privacy policy |
|---|---|---|---|
| Anthropic | Claude AI - chat, translation, KB generation | Chat messages, letter text/images (not stored by us) | anthropic.com/privacy |
| OpenAI | ChatGPT - KB research and multi-AI answers | KB research queries (admin use only) | openai.com/privacy |
| Google | Gemini AI - multi-AI KB research | KB research queries (admin use only) | policies.google.com/privacy |
| Perplexity AI | Sonar - fact verification | KB research queries (admin use only) | perplexity.ai/privacy |
| Reddit | Public API - community research | Public post titles and content only | redditinc.com/policies/privacy-policy |

ChatGPT, Gemini, Perplexity and Reddit are used exclusively by ExpatPilot administrators for knowledge base building - they are never used to process user personal data directly.

5. Other Third Party Services

| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Vercel | Website hosting (USA, EU regions) | Server logs, IP addresses | vercel.com/legal/privacy-policy |
| Supabase | Database (EU Ireland) | Account data, waitlist emails | supabase.com/privacy |
| Beehiiv | Newsletter platform | Email address, newsletter preferences | beehiiv.com/privacy |
| Hostinger | Email hosting | Emails sent/received at hello@expatpilot.nl | hostinger.com/privacy-policy |

6. Legal Basis for Processing

| Processing activity | Legal basis (GDPR Article 6) |
|---|---|
| Sending newsletter | Consent (Art. 6(1)(a)) - you can withdraw anytime |
| Beta waitlist notifications | Legitimate interest (Art. 6(1)(f)) - you signed up for beta |
| Responding to contact messages | Legitimate interest (Art. 6(1)(f)) |
| Analytics (no personal ID) | Legitimate interest (Art. 6(1)(f)) |
| Letter translation (no storage) | No processing of personal data - tool processes in transit only |

7. Your Rights (GDPR)

Under GDPR you have the following rights:

  • Right of access - request a copy of all data we hold about you
  • Right to rectification - request correction of inaccurate data
  • Right to erasure - request deletion of your data ("right to be forgotten")
  • Right to restrict processing - request we limit how we use your data
  • Right to data portability - receive your data in a machine-readable format
  • Right to object - object to processing based on legitimate interest
  • Right to withdraw consent - unsubscribe from newsletter at any time

To exercise any right, email hello@expatpilot.nl with the subject "GDPR Request". We respond within 30 days. No fee is charged for reasonable requests.

8. Data Security

We take the following technical and organisational security measures:

  • HTTPS everywhere - all traffic encrypted in transit (TLS 1.3)
  • AES-256 encryption - database encrypted at rest (Supabase)
  • Row Level Security - database access restricted per user role
  • HTTP security headers - CSP, HSTS, X-Frame-Options, XSS protection
  • Rate limiting - API endpoints protected against abuse
  • Admin 2FA - two-factor authentication for admin dashboard
  • No letter storage - document content never persisted
  • Environment secrets - API keys stored securely, never client-side

In the event of a data breach affecting your personal data, we will notify you and the Autoriteit Persoonsgegevens within 72 hours as required by GDPR Article 33.

9. Cookies

| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| cookie_consent | Functional | Remembers your cookie choice | 1 year |
| admin_token | Strictly necessary | Secure admin session (httpOnly, not accessible by JS) | 8 hours |
| _vercel_analytics | Analytics | Privacy-friendly page analytics (no personal ID) | Session |

We do not use advertising cookies, tracking pixels, or third-party social media cookies.

10. International Data Transfers

Some data processors are based outside the EU/EEA. Where this occurs we ensure appropriate safeguards:

  • Anthropic (USA) - EU Standard Contractual Clauses (SCCs)
  • OpenAI (USA) - EU Standard Contractual Clauses (SCCs)
  • Vercel (USA) - EU region deployment + SCCs
  • Supabase (EU Ireland) - within EU, no transfer

11. Children's Privacy

ExpatPilot is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, email hello@expatpilot.nl immediately.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email to registered users. The "last updated" date at the top of this page reflects the most recent revision.

13. Contact & Complaints

Privacy questions: hello@expatpilot.nl

Data Protection Authority (Netherlands):
Autoriteit Persoonsgegevens
autoriteitpersoonsgegevens.nl
Tel: +31 (0)70 888 8500

You have the right to lodge a complaint with the AP if you believe your data has been processed unlawfully.
