Data Processing Agreement
Effective Date: 4/17/2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between ExpatriaHub (“we”, “us”, or “ExpatriaHub”) and you (“you” or “User”) regarding the processing of personal data in connection with the ExpatriaHub platform.
1. Definitions
For the purposes of this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person
- “Processing” means any operation performed on Personal Data, such as collection, storage, use, or disclosure
- “Data Controller” means the entity that determines the purposes and means of processing Personal Data
- “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller
- “GDPR” means the General Data Protection Regulation (EU) 2016/679
2. Roles and Responsibilities
2.1 Data Controller
For Personal Data you provide when creating your account, posting reviews, or managing your business listings, you are the Data Controller and ExpatriaHub acts as Data Processor.
2.2 Data Processor
ExpatriaHub processes Personal Data on your behalf to provide the platform services, including hosting business listings, managing reviews, and processing payments.
3. Data Processing Scope
3.1 Types of Personal Data
We process the following categories of Personal Data:
- Account Information: Name, email address, password (encrypted)
- Profile Data: Profile picture, nationality, language preferences
- Business Information: Business name, description, location, contact details
- Transaction Data: Subscription history, payment information (via Stripe)
- User Content: Reviews, ratings, comments
- Technical Data: IP address, browser type, device information
- Analytics Data: Usage patterns, page views (via Google Analytics)
3.2 Purpose of Processing
We process Personal Data for the following purposes:
- Providing and maintaining the ExpatriaHub platform
- Managing user accounts and authentication
- Processing subscriptions and payments
- Displaying business listings and reviews
- Communicating with users about their accounts
- Improving our services through analytics
- Complying with legal obligations
4. Sub-Processors
We engage the following sub-processors to assist in providing our services:
- Supabase (PostgreSQL) - Database hosting and authentication (EU/US data centers)
- Vercel - Application hosting and CDN (Global edge network)
- Stripe - Payment processing (PCI DSS compliant)
- Google Analytics - Usage analytics (Privacy-safe configuration)
- Resend - Email delivery services
- Google Maps / Mapbox - Location services
All sub-processors are carefully selected and bound by data protection obligations equivalent to those in this DPA.
5. Data Security
5.1 Security Measures
We implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Access controls and authentication (Row-Level Security)
- Regular security updates and patches
- Audit logging of sensitive operations
- Secure password hashing (bcrypt)
- Regular backups and disaster recovery procedures
5.2 Data Breach Notification
In the event of a personal data breach, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
6. Data Subject Rights
We facilitate the exercise of data subject rights under the GDPR:
- Right of Access (Article 15): Export your data via the Privacy & Data Management page
- Right to Rectification (Article 16): Update your profile and business information at any time
- Right to Erasure (Article 17): Delete your account and personal data via the Privacy & Data Management page
- Right to Data Portability (Article 20): Export your data in JSON format
- Right to Object (Article 21): Opt out of marketing communications
To exercise these rights, visit your Privacy & Data Management page or contact us at privacy@expatriahub.com.
7. Data Retention
We retain Personal Data for as long as necessary to provide our services and comply with legal obligations:
- Active Accounts: Retained while your account is active
- Deleted Accounts: Personal data deleted within 30 days of account deletion
- Financial Records: Retained for 7 years for tax and accounting purposes (anonymized where possible)
- Legal Hold: Data may be retained longer if required by law or legal proceedings
8. International Data Transfers
Your Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Privacy Shield Framework (where applicable)
9. Audit Rights
Upon reasonable notice, you may request information about our data processing practices to verify compliance with this DPA. We will provide such information within 30 days.
10. Data Protection Officer
For any questions about data processing or to exercise your rights, contact our Data Protection Officer:
Email: privacy@expatriahub.com
Address: ExpatriaHub, 8 Firbank Road, Manchester, M23 2GB, United Kingdom
11. Amendments
We may update this DPA from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes via email or platform notification.
12. Governing Law
This DPA is governed by the laws of England and Wales and the GDPR. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.
Last Updated: 4/17/2026