Privacy Policy
Last updated: 2026-06-10 | Version: v1.1
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. For detailed information on data protection, please refer to the privacy policy set out below.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the "Information on the Controller" section of this privacy policy.
How do we collect your data?
Some of your data is collected when you provide it to us yourself, for example the data you enter in a contact form or during registration. Other data is collected automatically, or with your consent, by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time the page was accessed).
What do we use your data for?
Some of the data is collected to ensure the error-free provision of the website. Other data is used for the initiation and performance of contracts, for registration and the provision of our services, and for communication with you.
What rights do you have regarding your data?
You have the right to receive information free of charge at any time about the origin, recipients and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent, you may withdraw this consent at any time with effect for the future. In addition, under certain circumstances, you have the right to request the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
Information About Our Services and Apps
This privacy policy applies to the website xpandai.one. For the use of the AI platform xpandAI workspace, the separate Workspace privacy notices apply in addition. Standalone applications under their own address (Custom Apps) each have their own privacy notices. Details can be found in Section 5.
2. Hosting
We host the content of this website with the following provider.
Hostinger
The provider is HOSTINGER operations, UAB, Švitrigailos str. 34, 03230 Vilnius, Lithuania (hereinafter "Hostinger"). When you visit our website, Hostinger processes various data, including your IP address and server log data. For details, please refer to Hostinger's privacy policy.
The personal data collected on this website is stored on Hostinger's servers. This may primarily include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.
Hosting is carried out for the purpose of fulfilling our contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of secure, fast and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR). Where consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent covers the storage of cookies or access to information on the end device. Consent can be withdrawn at any time.
Data processing agreement: We have concluded a data processing agreement (DPA) with Hostinger. Insofar as data is processed outside the EU/EEA, this is safeguarded in the Hostinger DPA by EU standard contractual clauses.
Note: xpandAI workspace runs on a Hostinger VPS. The German model path runs separately via IONOS. IONOS is not a website host but a model provider; details can be found in the Workspace privacy notices and the list of subprocessors.
3. General Information and Mandatory Disclosures
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. We would like to point out that data transmission over the internet (e.g. unencrypted communication by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.
Information on the Controller
The controller responsible for data processing on this website is:
xpand Deutschland GmbH
Ernst-Penzoldt-Weg 9
91080 Spardorf, Germany
Phone: +49 821 21700080
Email: office@xpand.pro
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Protection Officer
We have appointed a data protection officer:
Ricardo Wiedenbrüg
Ernst-Penzoldt-Weg 9
91080 Spardorf, Germany
Phone: +49 821 21700080
Email: datenschutz@xpand.pro
Storage Period
Unless a more specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose for processing it no longer applies. If you assert a legitimate request for deletion or withdraw your consent, your data will be deleted unless we have other legally permissible grounds for storing it (e.g. tax or commercial retention periods); in the latter case, deletion takes place once these grounds no longer apply.
General Information on the Legal Bases
Insofar as you have consented to the data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, where special categories of data are processed in accordance with Art. 9(1) GDPR. In the case of explicit consent to the transfer of personal data to third countries, processing is additionally based on Art. 49(1)(a) GDPR. Insofar as you have consented to the storage of cookies or to access to information on your end device, processing is additionally based on Section 25(1) TDDDG. If your data is required for the performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data to fulfil legal obligations on the basis of Art. 6(1)(c) GDPR. Processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR.
Recipients of Personal Data
As part of our business activities, we work with various external parties. In some cases, this requires the transfer of personal data to these parties. We only pass on personal data where this is necessary for the performance of a contract, where we are legally obliged to do so, where we have a legitimate interest pursuant to Art. 6(1)(f) GDPR in passing it on, or where another legal basis permits this. When using processors, we only pass on personal data on the basis of a valid data processing agreement. You can find a continuously maintained overview of the service providers used within the platform in our list of subprocessors.
Information on Data Transfer to Third Countries
We process some data with the help of services whose providers are based in third countries (in particular the USA) or process data there. When these services are active, your personal data may be transferred to these countries and processed there. In third countries without an adequacy decision, a level of data protection comparable to that of the EU cannot be guaranteed.
Where applicable, we base any transfer to the USA and other third countries on an adequacy decision, on the recipient's certification under the EU-US Data Privacy Framework (DPF), or on EU standard contractual clauses together with supplementary safeguards. The respective applicable basis for each provider can be found in the following sections, in the Workspace privacy notices, the list of subprocessors and the Third-Country and Model-Path Module.
Withdrawal of Your Consent
Many data processing operations are only possible with your explicit consent. You may withdraw consent you have already given at any time. The lawfulness of the data processing carried out until the withdrawal remains unaffected.
Right to Object (Art. 21 GDPR)
If the data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right at any time to object, on grounds relating to your particular situation, to the processing of your personal data; this also applies to any profiling based on these provisions. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (objection pursuant to Art. 21(1) GDPR).
If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is connected with such direct marketing (objection pursuant to Art. 21(2) GDPR).
Right to Lodge a Complaint with the Competent Supervisory Authority
In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement. The competent authority for the controller is the Bavarian State Office for Data Protection Supervision (BayLDA).
Right to Data Portability
You have the right to have data that we process by automated means on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
Access, Rectification and Erasure
Within the framework of the applicable legal provisions, you have the right at any time to information, free of charge, about your stored personal data, its origin and recipients and the purpose of the data processing, and, where applicable, a right to rectification or erasure of this data.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data. This right exists in the following cases: if you contest the accuracy of your data (for the duration of the verification); if the processing is unlawful and you request restriction instead of erasure; if we no longer need the data but you need it to assert, exercise or defend legal claims; or if you have objected pursuant to Art. 21(1) GDPR and it has not yet been determined whose interests prevail.
SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, this site uses TLS encryption (commonly still referred to as SSL/TLS). You can recognise an encrypted connection by the fact that the address in your browser's address bar begins with "https://" rather than "http://" and by the padlock symbol shown there. TLS protects data while it is in transit between your browser and our server; it does not by itself protect data once it has been stored on the server.
4. Data Collection on This Website
Server Log Files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser transmits automatically. These are: browser type and version, the operating system used, referrer URL, the host name of the accessing computer, the time of the server request and the IP address. This data is not merged with other data sources. Collection is based on Art. 6(1)(f) GDPR; we have a legitimate interest in the technically error-free presentation and security of our website.
Cookies
Our web pages use cookies. Cookies are small data packets and do not cause any damage to your device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Cookies may originate from us (first-party cookies) or from third-party companies (third-party cookies).
Technically necessary cookies are stored on the basis of Art. 6(1)(f) GDPR unless another legal basis is specified. Where consent has been requested, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG); consent can be withdrawn at any time.
Consent with Borlabs Cookie
Our website uses the consent technology of Borlabs Cookie to obtain your consent to the storage of certain cookies or the use of certain technologies and to document this in a data-protection-compliant manner. The provider is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany (hereinafter "Borlabs"). When you enter our website, a Borlabs cookie is stored in which your consents or their withdrawal are recorded. This data is not passed on to Borlabs. The legal basis is Art. 6(1)(c) GDPR; we are legally obliged to make the use of certain technologies dependent on valid consent.
Contact Form
If you send us enquiries via the contact form, your details, including the contact data you provide there, will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. Processing is based on Art. 6(1)(b) GDPR if your enquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in handling enquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR).
Enquiry by Email or Telephone
If you contact us by email or telephone, your enquiry, including all resulting personal data, will be stored and processed by us for the purpose of handling your request. The legal bases correspond to those of the contact form.
Registration and Login
You can register on this website in order to use our paid services. We use the data entered for this purpose only for the use of the respective offering. Mandatory information must be provided in full, otherwise we will refuse the registration. Processing is carried out for the performance of the usage relationship and for the initiation of further contracts (Art. 6(1)(b) GDPR).
Our offering is aimed exclusively at entrepreneurs and persons acting in a professional or commercial capacity, not at consumers.
For registration, membership and login we use the following components:
WordPress
WordPress as the website and account system. WordPress is operated as part of our hosting setup with Hostinger.
MemberPress
MemberPress for managing memberships, packages, course access, course progress, certificates, corporate accounts and permissions. MemberPress is operated as a plugin within our WordPress system hosted at Hostinger. In doing so, we process in particular name, email address, access data, membership and contract data, course access, course progress and permission data. When operated locally, this data remains within our own WordPress/hosting environment. The legal basis is Art. 6(1)(b) GDPR. With local operation, there is no independent transfer of visitor-related frontend data to memberpress.com; the payment processing via Stripe and the GeoIP/VAT detection described below must be considered separately.
miniOrange OAuth Server/Provider
miniOrange OAuth Server/Provider as a login or SSO bridge between WordPress and connected applications such as xpandAI workspace. In doing so, we process in particular user ID, email address, role and attribute data, token and session data, and, where applicable, profile data transmitted to connected applications. The component is operated as a plugin within our WordPress system. The legal basis is Art. 6(1)(b) GDPR. When using our locally operated OAuth server, there is no independent transfer of visitor-related data to miniorange.com or xecurify.com.
5. AI Platform, Academy and Own Apps
5.1 xpandAI workspace
Through this website, you gain access to our AI platform xpandAI workspace. The platform provides access to language models from various providers via standardised interfaces. xpand does not train its own models but provides access to externally developed and operated models and combines these with its own platform and assistance functions.
When using the workspace, xpand processes personal data partly as a controller in its own right (e.g. registration, contract and package management, billing, security, support) and partly on behalf of the customer (content, prompts, files and other data that customers or their users bring into the workspace). For processing on behalf of customers, the data processing agreement pursuant to Art. 28 GDPR applies as an annex to the General Terms and Conditions. Responsibility does not lie solely with the respective model provider: xpand remains controller or processor to the extent described above.
Which model paths are used depending on the package, in which regions processing takes place and on what basis transfers to third countries are made, are described in detail in the Workspace privacy notices, the list of subprocessors and the Third-Country and Model-Path Module.
5.2 Academy and Online Courses
In addition, we offer online courses, learning content and training materials (Academy). In doing so, we process in particular registration and account data, information on booked courses, learning progress and completions, and, where applicable, issued certificates of participation. The legal basis is the performance of the usage or contractual relationship (Art. 6(1)(b) GDPR).
The Academy is provided within our WordPress and member area (MemberPress) hosted at Hostinger; the data mentioned remains within this environment.
In connection with the Academy, registration and individual display and account functions, the following external services may be used, insofar as the respective function is called up:
Bunny Stream (video hosting for the Academy)
The provider is BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia. Integration takes place via iframe.mediadelivery.net and is assigned in our consent management to the Borlabs service group "External Media" with the content blocker bunnystream. The video is only loaded after you have given consent. In this context, in particular IP address, technical browser data, access times and video usage data may be processed. The legal basis is your consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG). According to the current status, no third-country transfer takes place, as the provider is based in Slovenia.
Stripe (payment processing)
The provider for the European area is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland; affiliated recipients may include in particular Stripe, Inc., USA. Stripe is not loaded across the entire website but only on booking and registration pages where Stripe.js v3 and Stripe Elements are used for payment processing. In this context, in particular order and payment data, invoicing and identification data, device and browser data and the IP address may be processed. The legal basis is Art. 6(1)(b) GDPR. Insofar as Stripe entities in the USA are involved, the transfer is based on the guarantees provided by Stripe pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses and, where applicable, further transfer mechanisms in accordance with the Stripe documentation.
Font Awesome (icon fonts)
The provider is Fonticons, Inc., 6 Porter Road Apartment 3R, Cambridge, MA 02140, USA. When the website is accessed, requests may be made to use.fontawesome.com to display icons. In this context, in particular IP address, browser and device data and the time of access may be processed. The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in a consistent and functional presentation of the website. Insofar as a transfer to the USA takes place, we base this on the guarantees provided by the provider pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses, where applicable.
Gravatar (profile pictures)
The provider is Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. When profile pictures are retrieved via secure.gravatar.com, in particular a hashed email address, IP address, browser and device data and the time of access may be processed. The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in the user-friendly display of profile pictures in account and community areas. Insofar as a transfer to the USA takes place, we base this on the guarantees provided by the provider pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses, where applicable.
MemberPress GeoIP / VAT detection
For country- and tax-related detection, a request may be made to the endpoint cspf-locate.herokuapp.com, which is hosted on US infrastructure in connection with MemberPress / Caseproof. According to the current status, the service is triggered via mpvat.js and processes in particular the IP address, browser/device data and the time of access in order to determine the country for VAT and localisation purposes. The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in an accurate country- and tax-related provision and the preparation of correct VAT logic. Insofar as data is transferred to the USA in this context, this is done on the basis of appropriate guarantees pursuant to Art. 44 et seq. GDPR.
5.3 Own Apps (Custom Apps)
Insofar as we provide standalone applications under their own address, separate privacy notices apply to these on the respective application. This privacy policy applies to the website xpandai.one.
5.4 Transparency under the EU AI Act
xpand fulfils the transparency obligations of the EU AI Act by labelling AI-generated content as such and informing users when they are interacting with an AI system. There is no guarantee as to the factual accuracy or legal usability of generated content; reviewing and the final use of such content is your responsibility. You can report problematic or discriminatory AI outputs to support-xpandai@xpand.pro.
6. Plugins and Tools
6.1 SolidWP
We have integrated SolidWP on this website. The provider is iThemes Media LLC, 1720 South Kelly Avenue, Edmond, OK 73013, USA (hereinafter "SolidWP"). SolidWP serves to protect our website against unwanted access and cyberattacks and, for this purpose, records, among other things, your IP address, the time and source of login attempts, and log data. SolidWP is operated locally on our servers. It is used on the basis of Art. 6(1)(f) GDPR; we have a legitimate interest in the effective protection of our website.
6.2 AI Functions via OpenAI (direct integration)
For individual website functions, we use OpenAI directly. Depending on the contractual and recipient constellation, the provider is in particular OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, as well as OpenAI OpCo, LLC or OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA.
According to the current status, this concerns in particular:
- a voice-based assistant with a direct connection to api.openai.com/v1/realtime via WebRTC, and
- text-based AI functions that are transmitted to OpenAI server-side via our own route.
A transfer to OpenAI only takes place when you actively use the respective AI function, not already upon merely accessing the page. In the case of the voice assistant, your browser establishes the connection to OpenAI itself, so your IP address is transmitted to OpenAI directly; the text-based functions are relayed via our server. In this context, in particular text inputs, prompts, responses, technical metadata, IP address and, when using the voice assistant, also audio or voice data may be processed.
The legal basis is Art. 6(1)(b) GDPR, insofar as the processing is necessary to provide the AI function you have requested or to handle your request. Insofar as consent is required for the use of additional end-device functions or comparable technologies, processing is additionally based on Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
For transfers to the USA, we currently rely on the data processing agreement concluded with OpenAI and on EU standard contractual clauses together with supplementary safeguards. We do not currently rely on a DPF certification for OpenAI.
6.3 MailerLite (currently under review)
A REST API namespace referring to MailerLite is present in the WordPress system. The provider would in this respect be UAB MailerLite, J. Basanavičiaus 15, LT-03108 Vilnius, Lithuania. Whether and to what extent newsletter or email marketing functions are used productively, and which personal data is processed in this context, is currently being reviewed. This service will only be finally included in this privacy policy after technical and organisational confirmation.
6.4 Hostinger AI Assistant (currently under review)
A plugin "hostinger-ai-assistant" is present in the WordPress system. The purpose, actual productive use and data flows of this service have not yet been conclusively confirmed. The service will only be finally included in this privacy policy after a technical review, with a specific description of its functionality, data categories, legal basis and any recipients.
7. eCommerce and Payment Providers
Processing of Customer and Contract Data
We collect, process and use personal customer and contract data for the establishment, substantive design and amendment of our contractual relationships. We only process personal data about the use of this website (usage data) insofar as this is necessary to enable the user to use the service or to bill for it. The legal basis is Art. 6(1)(b) GDPR. The collected customer data is deleted after completion of the order or termination of the business relationship and the expiry of any statutory retention periods.
Payment Services
We integrate payment services of third-party companies. When you make a purchase, your payment data is processed by the payment service provider for the purpose of payment processing. These payment services are used on the basis of Art. 6(1)(b) GDPR (contract performance) and in the interest of a smooth and secure payment process (Art. 6(1)(f) GDPR).
Stripe
The provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. On this website, Stripe is only loaded on booking and registration pages where payment processing takes place via Stripe.js v3 and Stripe Elements. In this context, payment, order, invoicing, identification, device and browser data and the IP address may be processed. The legal basis is Art. 6(1)(b) GDPR. Insofar as Stripe entities in the USA are involved, the transfer is based on the guarantees provided by Stripe pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses and, where applicable, further transfer mechanisms in accordance with the Stripe documentation. For details, see https://stripe.com/privacy.