Expato
GuidesDirectoryAI AssistantCommunityDocs
Sign In
Back to index

Privacy Policy

Last updated: June 3, 2026

1. Data Controller

The data controller for personal data collected through expato.eu is:

Oleh Veheria (trade name: "Futurist Systems"), self-employed (autónomo) registered in the Spanish Special Scheme for Self-Employed Workers (RETA), Spanish tax ID NIF Z2284211V, registered address at Calle Ríos Besos, 16, P01 E, 30700 Torre-Pacheco (Murcia), Spain.

Privacy contact: oleh@veheria.tech

2. Data We Collect

We collect personal data only when you provide it or when strictly necessary to deliver the service:

  • Email address — when you subscribe to the newsletter or create an account (magic link)
  • User profile — preferred language, city, whether you have pets (optional)
  • User-generated content — forum posts, replies, directory listings
  • Business data — if you create a listing: business name, description, phone, website, address
  • Payment data — if you subscribe to a premium plan; processed entirely by Stripe (we do not store card data)
  • Technical data — IP address, browser, operating system, pages visited (for security and aggregated analytics)
  • Technical and consent cookies — details in the Cookie Policy

3. Purposes and Legal Basis

PurposeLegal basis (GDPR Art. 6)
Creating and managing your user accountPerformance of contract (Art. 6.1.b)
Sending the newsletterConsent (Art. 6.1.a)
Providing directory and forum servicesPerformance of contract (Art. 6.1.b)
Processing payments and issuing invoicesContract + legal obligation (Art. 6.1.b, c)
Complying with tax and accounting obligationsLegal obligation (Art. 6.1.c)
Security, fraud prevention, and moderationLegitimate interest (Art. 6.1.f)
Aggregated analytics and service improvementLegitimate interest / consent
AI assistant (processing your queries)Performance of contract + consent

4. Recipients (Processors)

Your data is shared only with providers necessary to operate the service. All are based in the EEA or comply with GDPR safeguards (Standard Contractual Clauses):

ProviderPurposeLocation
Supabase (Supabase Inc.)Database, authentication, storageEEA (Frankfurt)
Vercel Inc.Hosting, CDNGlobal (SCCs in place)
Resend (Resend, Inc.)Transactional and newsletter emailUSA (SCCs)
Stripe (Stripe Payments Europe, Ltd.)Payment processingIreland (EEA)
Anthropic (Anthropic PBC)AI assistant — query processingUSA (SCCs, Art. 46 GDPR)
OpenRouter (OpenRouter, Inc.)AI assistant — query routing to LLM providersUSA (SCCs, Art. 46 GDPR)

We do not sell or rent your data to third parties for advertising.

5. International Transfers

Some providers (Vercel, Resend, Anthropic, OpenRouter) process data outside the EEA. In all cases, Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46 GDPR apply, providing an equivalent level of protection.

6. Retention Periods

  • User accounts: as long as your account is active, plus 30 days after a deletion request
  • Billing and payment records: 6 years, per Spanish Commercial Code and tax obligations
  • Newsletter subscriptions: until you unsubscribe
  • Public forum/directory content: remains published unless you request deletion
  • Technical logs: maximum 90 days

7. Your Rights (GDPR)

You have the right to:

  • Access — obtain a copy of your data
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten") — request deletion of your data
  • Restriction of processing
  • Portability — receive your data in a structured format
  • Object — to processing based on legitimate interest
  • Withdraw consent at any time, without retroactive effect

You can exercise these rights by emailing oleh@veheria.tech from the address associated with your account. We will respond within one month.

If you believe your rights have not been respected, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) — www.aepd.es — or your local EU supervisory authority.

8. Security

We apply appropriate technical and organizational measures:

  • TLS encryption in transit and encryption at rest for the database
  • Row Level Security (RLS) in PostgreSQL to isolate data between users
  • Passwordless authentication (magic link) — we do not store passwords
  • Access to personal data restricted to the data controller
  • Webhook signature verification for payment events (Stripe)

9. Minors

Expato is not directed at children under 16. We do not knowingly collect data from minors. If you discover a minor has provided us with data, please contact us and we will delete it.

10. Changes to This Policy

We may update this policy to reflect legal or service changes. The last update date appears at the top. Significant changes will be notified to registered users by email at least 30 days in advance.

11. Contact

For any questions regarding your personal data or this policy:

Email: oleh@veheria.tech Postal address: Oleh Veheria, Calle Ríos Besos, 16, P01 E, 30700 Torre-Pacheco (Murcia), Spain

Expato

Expato

Community for expats in Spain

Navigation

  • Guides
  • Directory
  • Community

Guides

  • Getting NIE
  • Opening a bank account
  • Moving with pets
  • Renting property

Company

  • About us
  • Blog
  • Contacts

© 2026 Expato. All rights reserved.

Privacy PolicyTerms of ServiceCookiesLegal Notice