🇨🇭 Swiss Data Protection Law & GDPR Compliant

Privacy Policy

How we collect, use, and protect your personal information

Last updated: May 2025

Effective date: May 2025

Data Controller Information

Company

Expandable Labs

Address

Lindenstrasse 31
9000 St. Gallen
Switzerland

Contact

Email: privacy@expandable.app
General: hello@expandable.app

1. Overview

At Expandable Labs ("we," "us," or "our"), we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our quiz platform and related services (the "Service").

This policy complies with the Swiss Federal Data Protection Act (nDSG) and the EU General Data Protection Regulation (GDPR). As a Swiss company, we are subject to Swiss data protection laws, which provide strong privacy protections equivalent to GDPR standards.

2. Personal Data We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password (encrypted)
  • Profile Information: Educational institution, role, preferences
  • Content Data: Quizzes, questions, answers, study materials you create
  • Communication Data: Messages sent through our support system
  • Payment Information: Billing details (processed by Stripe, not stored by us)

2.2 Information We Collect Automatically

  • Usage Data: Quiz attempts, scores, learning progress, time spent
  • Technical Data: IP address, browser type, device information, operating system
  • Analytics Data: Performance metrics, feature usage, error logs
  • Cookies and Similar Technologies: Session data, preferences, authentication tokens

4. How We Use Your Data

Service Provision

  • Create and manage your account
  • Provide quiz creation and taking functionality
  • Generate analytics and progress reports
  • Process payments and subscriptions
  • Provide customer support

Service Improvement

  • Analyze usage patterns and performance
  • Develop new features and improvements
  • Ensure security and prevent fraud
  • Conduct research and development
  • Optimize user experience

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

5.1 Service Providers

  • Supabase (Database): Swiss-hosted infrastructure for data storage.
  • Stripe (Payments): Payment processing (PCI DSS compliant).
  • Vercel (Hosting): EU-based hosting and content delivery.
  • Microsoft Azure: Storage and other infrastructure.
  • Amazon Web Services (AWS): Storage and other infrastructure.
  • Google Cloud including Google Cloud Platform (GCP): Storage and other infrastructure.
  • Resend (Email): Email delivery for notifications.

5.2 Legal Requirements

We may disclose your information if required by Swiss or EU law, court order, or to protect our rights, property, or safety, or that of others.

6. Data Security

Technical Measures

  • End-to-end encryption (AES-256)
  • TLS 1.3 for data transmission
  • Regular security audits and penetration testing
  • Multi-factor authentication
  • Automated backup and disaster recovery

Organizational Measures

  • Access controls and principle of least privilege
  • Employee training on data protection
  • Incident response procedures
  • Regular policy reviews and updates
  • Data minimization practices

7. Data Retention

Retention Periods

  • Account Data: Until account deletion + 30 days for security purposes
  • Quiz Content: Until deletion by user or account closure
  • Usage Analytics: Aggregated data retained for 3 years
  • Communication Records: 2 years for support quality assurance
  • Financial Records: 10 years as required by Swiss law
  • Security Logs: 1 year for incident investigation

We regularly review and delete data that is no longer necessary for the purposes for which it was collected.

8. Your Rights

Under Swiss DSG and GDPR, you have the following rights regarding your personal data:

Access Rights

  • Right to access your personal data
  • Right to data portability
  • Right to information about processing

Control Rights

  • Right to rectification (correction)
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing

Objection Rights

  • Right to object to processing
  • Right to withdraw consent
  • Right to opt out of marketing

Legal Rights

  • Right to lodge a complaint
  • Right to judicial remedies
  • Right to compensation for damages

Exercising Your Rights

To exercise any of these rights, contact us at: privacy@expandable.app

We will respond within 30 days (Swiss DSG) or 1 month (GDPR). For complex requests, we may extend this period by up to 2 additional months with notification.

9. Cookies and Tracking

Essential Cookies

Required for service functionality

  • Authentication sessions
  • Security tokens
  • User preferences

Analytics Cookies

Help us improve our service

  • Usage statistics
  • Performance metrics
  • Error tracking

Marketing Cookies

Optional, require consent

  • Advertising tracking
  • Social media integration
  • Personalization

You can manage cookie preferences through our cookie banner or your browser settings. Disabling essential cookies may affect service functionality.

10. International Data Transfers

EU/EEA Focus

Your personal data is primarily processed within Switzerland and the EU/EEA. Switzerland has an adequacy decision from the European Commission, ensuring equivalent data protection standards to the EU.

Third Country Transfers

If we transfer data outside the EU/EEA, we ensure adequate protection through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Certification schemes or binding corporate rules
  • Specific derogations for particular situations

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending email notification to registered users
  • Displaying a prominent notice in our application
  • Updating the "Last updated" date at the top of this policy

Contact Information

Data Protection Officer

For questions about this Privacy Policy or your personal data:

Email: privacy@expandable.app
Address: Expandable Labs, Lindenstrasse 31, 9000 St. Gallen, Switzerland

Supervisory Authorities

Switzerland

Federal Data Protection and Information Commissioner (FDPIC)

Website: www.edoeb.admin.ch

European Union

Your local data protection authority

Find your DPA: ec.europa.eu