Privacy Policy

Version: 1.1.1 | Effective Date: April 2026 | Last Updated: April 20, 2026

1. Who We Are

4expats, Inc. ("4expats", "we", "us", or "our") is a Delaware corporation operating the 4expats Community platform at www.4expats.ai. For purposes of the GDPR, 4expats is the data controller of the personal data described in this Policy.

1.1 Data Protection Contact

Our designated Data Protection Contact is the 4expats Founder, reachable at privacy@4expats.ai. At our current scale, a formal Data Protection Officer (DPO) is not required under GDPR Article 37, but we will appoint one as the platform grows.

1.2 EU Representative (GDPR Article 27)

As a non-EU company that processes personal data of individuals located in the EU/EEA, 4expats is required to designate an EU Representative under GDPR Article 27. Our EU Representative is:

EU Representative: appointment in progress. The name and contact details of our EU Representative will be published in this section as soon as the appointment is confirmed.

Until the appointment is confirmed and this section updated, EU/EEA residents may direct privacy inquiries and data subject rights requests to privacy@4expats.ai. We will respond to all requests within applicable statutory timeframes regardless of the representative appointment status.


2. Data We Collect

2.1 Registration Data (All Members)

When you create a member account, we collect:

  • First name and last name
  • Email address
  • Password (stored as a one-way cryptographic hash — we never store plain-text passwords)
  • Date of birth (used to verify that you meet the 18+ age requirement)
  • Nationality (one or more)
  • Current city and country of residence
  • Preferred language (English or Spanish)
  • Languages you are comfortable using for services
  • Up to 3 affinity selections (cultural or life-stage communities)
  • Current neighborhood or area (optional)

Special category data notice (GDPR Article 9): Nationality and cultural affinity selections may constitute data revealing racial or ethnic origin under GDPR Article 9. We process this data based on your explicit consent given at registration. This data is fundamental to delivering the affinity-based matching that is the core purpose of the Platform. You may withdraw this consent at any time by contacting privacy@4expats.ai, which will result in the removal of affinity-based matching features from your account.

2.2 Enhanced Verification Data (Verified Members)

If you choose to complete enhanced verification to unlock vouching and provider contact features:

  • LinkedIn or Google OAuth identity confirmation (we receive your public profile identifier and name — we do not receive your social media password)
  • Expat journey category (selected from a predefined list)
  • Previous expat cities (optional, free text)
  • Relocation corridor (from/to — optional)

2.3 Provider Data

If you register as a service provider, in addition to member data we collect:

  • Business name and provider type
  • Business description and service categories
  • Logo, cover photo, and social media links
  • Contact email and phone (optional)
  • Physical location addresses
  • Service area and remote service scope
  • Availability and pricing transparency information
  • Professional license numbers, regulatory registrations, and verification documents
  • Years in business

Notice for EU-resident providers: If you are physically located in the European Union or EEA and apply to list on 4expats — regardless of which city you are listed in — 4expats processes your personal data as a data controller subject to the GDPR. This includes the identity documents, credential records, and contact details submitted during the provider application and verification process. You hold all rights described in Section 7.1 of this Policy (access, rectification, erasure, portability, objection, and complaint) with respect to your provider profile data. Verification documents are deleted within 30 days of provider removal (see §6.2). To exercise your rights, contact privacy@4expats.ai.

Notice for Canadian-resident providers: If you are physically located in Canada and apply to list on 4expats, your personal data is processed in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Law 25 (Act respecting the protection of personal information in the private sector). Your rights under these laws are described in Section 7.5 of this Policy.

2.4 Activity and Interaction Data

When you use the Platform, we collect:

  • Vouches cast and vouches retracted (recorded with provider ID and timestamp)
  • Private comments submitted about providers
  • Express Interest requests sent to providers
  • Invitation links generated and referrals made
  • Search queries and filters used
  • Provider profiles viewed
  • Credits earned through platform activity
  • Feedback submissions (bugs, suggestions, questions)

2.5 Technical and Device Data

Automatically collected when you access the Platform:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Session timestamps and page navigation data
  • Referral URLs

We use session cookies and authentication tokens required for Platform functionality. We do not use tracking cookies for advertising purposes. See Section 11 for the full cookie inventory.

2.6 Referral and Waitlist Contact Data

When you refer someone to the Platform, we collect the referred person's email address in order to send them a single invitation and attribute the referral to your account. This email address is held temporarily and:

  • Is used only to send the referral invitation
  • Is deleted within 12 months if the referred person does not sign up
  • Is never used for marketing or shared with third parties

All referral invitation emails include a clear notice to the recipient explaining that their email was shared with 4expats by the referring member, what we use it for, and how to request deletion. This is required by GDPR Article 14, which governs data collected about individuals who have not directly provided it to us.

Waitlist email addresses are retained until admission or 12 months from submission, whichever comes first.


3. How We Use Your Data

We process your personal data under the following legal bases:

Contract Performance: Data necessary to create and manage your account, verify your identity, and deliver the core services you have requested.

Explicit Consent (GDPR Article 9): Nationality and cultural affinity data, which may constitute special category data revealing ethnic or national origin. This consent is collected separately at registration and may be withdrawn at any time.

Consent: AI processing of your private comments to generate community summaries (obtained at registration). Processing of optional data fields. Marketing communications (where applicable and separately consented).

Legitimate Interests: Platform security, fraud prevention, vouch integrity monitoring, improving the Platform, and communicating platform updates. We have assessed that these interests do not override your fundamental rights and freedoms.

Legal Obligation: Retaining contact request logs for audit purposes and complying with applicable law.

3.2 Specific Processing Purposes

  • Account creation, authentication, and profile management
  • Age verification using date of birth
  • Identity verification through LinkedIn/Google OAuth
  • Displaying affinity-aggregated trust signals on provider profiles
  • Generating AI-powered community summaries from private comments
  • Sending Express Interest notifications to providers
  • Tracking referrals and calculating credit balances
  • Sending transactional emails (verification, welcome, Express Interest confirmations, community milestones) via Resend
  • Monitoring for and preventing fraudulent activity and vouch manipulation
  • Scanning messages for contact information shared outside the platform (see Section 3.3)
  • Ensuring community safety and enforcing Community Guidelines
  • Analysing platform usage to improve features and resolve bugs
  • Complying with legal obligations

3.3 Message Content Scanning

To protect the integrity of the Platform's credit and referral system, automated systems scan messages exchanged through the Platform to detect whether contact information (email addresses, phone numbers, social media handles) is being shared directly between members and providers outside the intended platform flow. This scanning:

  • Is performed by automated pattern-matching systems, not human moderators
  • Does not result in the content of messages being read or reviewed by staff unless a separate report or flag triggers a moderation review
  • Is disclosed here under our legitimate interest to protect the community

4. AI Processing and Community Summaries

4.1 What We Process and Why

Private comments you submit about providers are processed by AI systems to generate aggregate community summaries that appear publicly on provider profiles. This processing is based on your explicit consent, obtained at registration.

4.2 How It Works

  • Comment text is sent to a third-party large language model (LLM) API provider via a secure Supabase Edge Function
  • The LLM processes the text and returns a summary; comment text is not stored by the LLM provider beyond the duration of the API request
  • We do not permit our LLM provider to use your comments, summaries, or any 4expats data for model training purposes
  • Summaries are cached on our servers and refreshed periodically as new comments are received

4.3 Safeguards

  • Comments are attributed to affinity groups (e.g., "Italian expats"), never to individuals
  • No personally identifying information about comment authors is included in summaries
  • AI systems are instructed to summarise only what was stated — not to infer, extrapolate, or fabricate
  • Summaries are generated only when the minimum threshold of 5 distinct comment authors is met, to protect individual privacy
  • AI-generated summaries are labelled as such on provider profiles

4.4 Your Rights Regarding AI Processing

  • Withdraw consent: Contact privacy@4expats.ai to withdraw consent for AI processing. Your future comments will be excluded from summary generation. Previously generated summaries that included your anonymised input as part of an aggregate group may persist, as they cannot be attributed back to you.
  • Providers: Providers who believe an AI-generated summary is materially inaccurate may request a review by contacting support@4expats.ai. 4expats will review the underlying comments and may regenerate or remove the summary at its discretion.

4.5 LLM Provider Data Handling

Our LLM provider is currently being defined and will be named in this section once selected. Any provider we engage will process data under a data processing agreement that prohibits:

  • Using 4expats user data to train, fine-tune, or improve their models
  • Retaining input or output data beyond the duration of the API request
  • Sharing 4expats data with any third party

The identity of our LLM provider may change over time. We will update this section accordingly and notify users of material changes at least 14 days in advance.


5. Data Sharing and Disclosure

5.1 With Providers

When you submit an Express Interest request, we share your first name, the affinity group(s) you belong to, and the date of the request with the relevant provider. We do not share your email address or full profile data with providers.

5.2 Aggregated Trust Signals

Provider profiles display aggregated vouch counts by affinity group (e.g., "Trusted by 8 Italian expats in Miami"). Individual voucher identities are never disclosed to providers or other members.

5.3 Sub-Processors

We share data with the following third-party sub-processors who process it on our behalf. All sub-processors are bound by data processing agreements and may not use your data for their own purposes beyond what is necessary to provide services to us.

Sub-Processor | Purpose | Data Shared | DPA in Place
Supabase | Database hosting, authentication, file storage | All platform data | Yes
Resend | Transactional email delivery | Email address, name, notification content | Yes
LLM provider (currently being defined) | AI processing of private comments for community summaries | Anonymous comment text | Yes
LinkedIn / Google | Identity verification via OAuth | Name, public profile identifier | Governed by their own privacy policies
Vercel (or equivalent hosting) | Platform infrastructure | Technical/session data | Yes

We maintain a current sub-processor list. Material additions or changes to sub-processors will be communicated to members at least 14 days in advance.

We may disclose your data if required to do so by applicable law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of 4expats, our members, or the public.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you via email and in-platform notice before your data is subject to a different privacy policy.

5.6 No Sale of Data

4expats does not sell, rent, or trade your personal data to third parties for marketing purposes. We do not display advertising on the Platform and do not share data with advertising networks.


6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, and protect our legitimate interests.

6.1 Active Accounts

Data Category | Retention Period | Justification
Account and profile data | Duration of active account | Service delivery (contract performance)
Date of birth | Duration of active account; deleted at deletion | Age verification (legal obligation / contract)
Vouches cast | Duration of active account | Core platform feature
Private comments | Duration of active account | AI summary generation (consent)
Credits ledger | Duration of active account | Feature delivery (contract performance)
Referral records | Duration of active account | Feature delivery (contract performance)
Express Interest logs | 12 months from date of request | Audit and dispute resolution (legitimate interest)
Feedback submissions | 24 months from submission | Product improvement (legitimate interest)
Technical and IP logs | 90 days (rolling) | Platform security (legitimate interest)
Waitlist entries | Until admission or 12 months, whichever comes first | Legitimate interest
Referred email addresses (non-members) | Until signup or 12 months, whichever comes first | Referral feature (legitimate interest)

6.2 After Account Deletion

When you request account deletion, the following process applies:

Data Category | What Happens | Timeline
Account and profile data | Retained during grace period, then permanently deleted | 30-day grace period, then purged
Date of birth | Permanently deleted | At end of grace period
Vouches | Anonymised — member ID removed, vouch record retained as anonymous aggregate | At deletion
Private comments | Anonymised — author identity removed, comment text retained for existing AI summaries | At deletion
Credits ledger | Retained for financial audit, then deleted | 90 days after deletion
Express Interest logs | Retained for dispute resolution, then deleted | 12 months from original request date
Referral records | Anonymised — referrer identity removed | At deletion
Provider verification documents | Deleted | 30 days after provider removal
Storage files (avatars, logos) | Deleted from storage buckets | 30 days after deletion

6.3 Data Shared with Third Parties

Data shared with providers through Express Interest (your first name, affinity group, and request date) cannot be recalled after delivery. Providers are responsible for their own handling of that information.

6.4 Anonymised Data

Anonymised data — where the information can no longer be connected to an identifiable person — is not subject to GDPR retention limits and may be retained indefinitely for statistical analysis and platform improvement.


7. Your Rights

7.1 GDPR Rights (EU/EEA/UK Residents)

If you are located in the EU, EEA, or UK, you have the following rights under the GDPR:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based (including AI comment processing and special category affinity/nationality data)
  • Right to Lodge a Complaint: With your national data protection supervisory authority (e.g., CNPD in Portugal, AEPD in Spain, Garante in Italy)

7.2 CCPA / CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to Know: What personal information we collect, use, share, or sell
  • Right to Delete: Request deletion of your personal information (subject to exceptions)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioural advertising
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary for the services you requested
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

7.3 LGPD Rights (Brazilian Residents)

If you are a Brazilian resident, you have the following rights under Brazil's General Data Protection Law (Lei Geral de Proteção de Dados — LGPD, Law 13,709/2018):

  • Right of Confirmation and Access: Confirm whether we process your personal data and request access to it
  • Right to Correction: Request correction of incomplete, inaccurate, or outdated data
  • Right to Anonymisation, Blocking, or Deletion: Of unnecessary, excessive, or non-compliant data
  • Right to Data Portability: Transfer your data to another service provider
  • Right to Information about Sharing: Know with which entities we share your data
  • Right to Revoke Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: With Brazil's national data protection authority (Autoridade Nacional de Proteção de Dados — ANPD)

7.5 PIPEDA / Quebec Law 25 Rights (Canadian Residents)

If you are a Canadian resident — including service providers listed on the Platform who are based in Canada — you have the following rights under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Act respecting the protection of personal information in the private sector (Law 25):

  • Right of Access: Request access to the personal information we hold about you
  • Right to Correction: Request correction of inaccurate or incomplete personal information
  • Right to Withdraw Consent: Withdraw consent to collection or use of your personal information, subject to legal or contractual restrictions and reasonable notice
  • Right to Know: Be informed of the purposes for which your personal information is collected, used, or disclosed
  • Right to Lodge a Complaint: With the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, or, for Quebec residents, with the Commission d'accès à l'information (CAI) at www.cai.gouv.qc.ca

Quebec residents have additional rights under Law 25, including the right to data portability and the right to request de-indexation of information that could harm them. Contact privacy@4expats.ai to exercise any of these rights.

7.4 How to Exercise Your Rights

Submit requests by email to privacy@4expats.ai with the subject line "Privacy Rights Request." Include your account email and the specific right you are exercising. We will respond within 30 days (GDPR/LGPD) or 45 days (CCPA).

Data export is available directly from your account Settings in JSON or CSV format. For deletion, use the account deletion flow in Settings, which initiates the 30-day grace period.


8. International Data Transfers

4expats operates primarily from the United States. If you are located in the EU, EEA, or UK, your data is transferred to the US and processed there. We rely on the following mechanisms for international transfers:

  • Standard Contractual Clauses (SCCs): We have executed SCCs (EU Commission Implementing Decision 2021/914) with all sub-processors that receive EU personal data, including Supabase and Resend
  • Adequacy Decisions: Where the European Commission has issued an adequacy decision for a destination country, we rely on that decision
  • Sub-processor Commitments: All sub-processors are contractually bound to apply equivalent safeguards to EU personal data

By using the Platform from the EU/EEA/UK, you acknowledge that your data will be transferred to the US and processed in accordance with this Privacy Policy and the transfer mechanisms described above. You have the right to request a copy of the applicable SCCs by emailing privacy@4expats.ai.


9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These measures include:

  • Encrypted data transmission (TLS/HTTPS)
  • One-way cryptographic hashing of passwords
  • Row-level security in our database infrastructure
  • Access controls limiting staff access to personal data on a need-to-know basis
  • IP rate limiting and duplicate account detection

In the event of a personal data breach, we will notify affected users and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR).


10. Children's Privacy

The Platform is not directed at persons under the age of 18. We collect date of birth at registration solely to verify that users meet this requirement. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact privacy@4expats.ai and we will delete it promptly.


11. Cookies and Local Storage

11.1 Cookies We Use

The Platform uses only essential cookies and local storage required for core functionality:

Name / Key | Type | Purpose | Duration | Category
sb-access-token | Cookie | Supabase authentication session token | Session (expires on logout or after inactivity) | Strictly essential
sb-refresh-token | Cookie | Supabase token refresh for persistent login | 7 days (configurable) | Strictly essential
i18nextLng | Local storage | Stores your language preference (EN or ES) | Persistent until cleared | Strictly essential
supabase.auth.token | Local storage | Persists authentication state across browser sessions | Until logout | Strictly essential

11.2 Google Fonts

Our Platform currently loads the DM Sans typeface from Google Fonts servers (fonts.googleapis.com) on page load. This request transmits your IP address to Google's servers as an inherent consequence of the HTTP request. No cookie is set, and no persistent tracking occurs. We are in the process of migrating to self-hosted fonts to eliminate this external request entirely. Until that migration is complete, loading Google Fonts is disclosed here as a necessary technical data transfer.

11.3 No Third-Party Tracking Cookies

We do not use:

  • Advertising or retargeting cookies
  • Analytics cookies (Google Analytics, Mixpanel, etc.)
  • Social media tracking pixels
  • Any cookie that shares data with third-party advertising networks

11.4 Your Controls

You may disable cookies or clear local storage in your browser settings. However, doing so will log you out and may impair your ability to use the Platform. Because we use only strictly essential cookies, no consent banner is required under the ePrivacy Directive or GDPR beyond the disclosures in this section.


12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered members by email at least 14 days before they take effect. The current version is always available at www.4expats.ai/legal/privacy.


13. Contact and Complaints

For privacy questions, to exercise your rights, or to submit a concern:

  • Email: privacy@4expats.ai
  • Platform: www.4expats.ai

EU/EEA/UK residents who are not satisfied with our response have the right to lodge a complaint with their national data protection authority. Portuguese residents may contact the CNPD (Comissão Nacional de Proteção de Dados) at www.cnpd.pt.