15th Anniversary Xpand Special Offer For Upgrades – Up to 15% Off
Privacy Policy
Xpand Privacy Statement
Introduction
Xpand Ukraine LLC (“Xpand”, “we”, “us”, “our”, “Company”) cares for your privacy.
We are determined to keep you aware of who we are (read Xpand Impressum), the categories of personal data we collect about you, how we use it, and which rights you have with respect to your personal data (“personal data”) in order to provide you with our services and products.This Privacy Policy (“Policy”, “Privacy Statement”) will help you to understand how we process the data you provide us with through visiting websites affiliated with Xpand, such as:
● our main website https://www.xpandsoftware.com (hosted by HostPro.ua, Ukraine);
● our help center for Xpand products https://help.xpandsoftware.com (hosted by Xpand Ukraine LLC at Microsoft Azure cloud data centers for hosting providers, West Europe);
● our web-based platforms for Partners powered by Xpand Portal https://partner.xpandsoftware.com/, https://env.xpandportal.com (hosted by Xpand Ukraine LLC at Microsoft Azure cloud data centers for hosting providers, West Europe);
● our social media accounts.
When visiting the listed web sources or using our products and services, you are accepting and consenting to the practices described in this Policy.
We confirm that we will keep your information secure and that we comply fully with current applicable data protection legislation and regulations.
Please read the following carefully to understand what happens to personal data that you choose to provide to us, or that we collect from you.
Definitions
To assist in your understanding of this Policy, we explain the usage of the definitions listed here in accordance with the international regulations of data processing. We use the following definitions:
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), effective May 25, 2018, aimed to harmonize data privacy laws across Europe.
“Data Controller” means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and how any personal data is processed.
“Data Processor” means the natural or legal person who processes personal data on behalf of the Data Controller.
“Data subject” is any living individual who is using our websites or products.
“Personal data” means any information relating to you and helping identify you (directly or indirectly) such as your name, nickname, last name, email data, or data provided in CVs.
“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Joint controllers” means two or more controllers jointly determining the purposes and means of processing.
“Ukrainian Data Protection Law” means the Law of Ukraine “On Personal Data Protection” No. 2297-VI dated June 1, 2010.
Applicable Legislation
We are subject to provisions of GDPR, the Ukrainian Data Protection Law, as well as other relevant data protection legislation.
Why we collect your data
We collect your personal data through websites and social media accounts as a Data Controller, while you are visiting our websites and social media pages in such cases:
● you are a visitor, when you merely surf our web sources;
● you are a lead client’s representative, when you submit your contact details through our web sources contact forms or via provided contact details leave any query to ask questions regarding our services and products, get quote calculations;
● you are a prospective service supplier, when you submit personal data, including commercial offers, through the web sources contact forms to offer your services and knowledge to us;
● you are a current or prospective employee, when you submit personal data, including CVs, through our websites or social media pages to offer your services and knowledge to us.
When you submit your personal data to the contact forms through our websites, you will be asked to express consent to our collection and processing of your personal data as explained in this Policy to enable us to provide you with the information or service requested, if no other legal ground can be used.
We collect your personal data only for the purposes listed below:
● to customize our websites, products, and services according to your online behavior and personal preferences;
● to process clients’ queries;
● to send users promotional emails, and surveys and participate in other types of marketing research;
● to process CV applications.
We do NOT collect or process personal data of children under the age of 16.
We do NOT collect or share sensitive personal data.
We do NOT sell personal information.
We do NOT use automated decision-making and profiling.
What user data we collect
As a Data Controller Xpand may collect, store, and use in our operational activities the following kinds of personal information about individuals who visit our websites as well as use our products and services:
● Information you supply to us. You may supply us with information about you by filling in forms on our website. This includes information you provide when you request a quote, contact our team, apply for a vacancy, request support, etc. The information you give us may include:
o your name;
o e-mail address;
o partner/customer/company representatives’ contacts, you may provide us with through the message field of the “Contact us” form;
o your personal information submitted via the applicant’s CV, you may provide us with through the attachment to the “Apply” form;
o permission to associate your social network account (such as Facebook, Google, Microsoft, or Disqus) with an account you use within our web-based products and/or when commenting/sharing our “Blogs” pages.
● Information our websites and products automatically collect about you. With regard to each of your visits to our websites or when you use our products or services, we may automatically collect information including the following:
o technical information, including a truncated and anonymized version of your Internet protocol (IP) address;
o browser type and version;
o operating system and platform;
o information about your visit, including what pages you visited, when you signed in, how long you are on the site, how you got to the site (including date and time);
o page response times;
o length of visit;
o what you click on;
o documents downloaded;
o download errors.
Below you can find detailed information on the types and purposes of personal data we collect:
| Purposes | Type of personal data | Legal grounds | Third Parties recipients | via | Source |
|---|---|---|---|---|---|
| To provide answers to the requests submitted through the feedback form | Contact Information: email address, name, information in the message and comment | Art. 6.1.(a) of the GDPR: consent of the data subject or Article 6.1.(b): contract (depends on the request) | Service suppliers | Cookies, Other technologies | Website |
| To provide the users with the possibility to send their CVs to the Company | Contact Information: email address, name, information in the message and CV; implied place of residence; profession, education, training, knowledge | Art. 6.1.(a) of the GDPR: consent of the data subject or Article 6.1.(b): contract (depends on the request) | Service suppliers | Cookies, Other technologies | Website, Email, Social media accounts at the discretion of the user |
| To allow our website users to discuss our articles website or on social media and receive notifications on the answers to their comments | Contact Information: name, photo (if any), information in the comment | Art. 6.1.(a) of the GDPR: consent of the data subject | Disqus | Cookies, Email, Other technologies | Website, Disqus |
| To suggest and notify the data subject about the services and products of the Company | Contact Information: email address, name, photo, profile data (and link to the profile data) | Art. 6.1.(a) of the GDPR: consent of the data subject | Service suppliers, Google, Facebook, LinkedIn, Instagram, Youtube | Cookies, Other technologies | Website, Google, Facebook, LinkedIn, Instagram |
| To enable the data subjects to share and comment on the posts of the Company on social media | Contact Information: email address, name, photo, profile data (and link to the profile data) | Art. 6.1.(a) of the GDPR: consent of the data subject | Service suppliers, Google, Facebook, LinkedIn, Instagram, Youtube | Cookies (including “like” and “dislike” buttons), Other technologies | Website, Google, Facebook, LinkedIn, Instagram |
| To help the Company develop and improve our services and functionality of the website | Usage data: time spent on the site, pages visited, links clicked, and the pages that led or referred the users to the Website, date and time | Art. 6.1.(f) of the GDPR: legitimate interest of the Company | Service suppliers, Google Analytics | Cookies, Other technologies | Website |
| To register a data subject as a unique visitor | Identifiers: IP address, operating system, browser ID, and other information about the data subject's system and connection | Art. 6.1. (f) of the GDPR- necessary to ensure Our legitimate interest | Service suppliers, Google Analytics | Cookies, Other technologies | Website |
| To prevent any fraudulent actions or intervention of the malware | Identifiers: IP address,
operating system, browser ID, and other information about the data subject's system and connection
Usage data: time spent on the site, pages visited, links clicked, and the pages that led or referred the users to the Website, date and time |
Art. 6.1. (f) of the GDPR- necessary to ensure Our legitimate interest | Service suppliers, Google Analytics | Cookies, Other technologies | Website |
| To ensure the functionality of the website | Identifiers: IP address, operating system, browser ID, and other information about the data subject's system and connection | Art. 6.1. (f) of the GDPR- necessary to ensure Our legitimate interest | Service suppliers, Google Analytics | Cookies, Other technologies | Website |
| To record the processing activities under art. 30 of the GDPR | Identifiers: IP address,
operating system, browser ID, and other information about the data subject's system and connection
Usage data: time spent on the site, pages visited, links clicked, and the pages that led or referred the users to the Website, date and time Contact Information: email address, name |
Art. 6.1(c) of the GDPR is necessary for compliance with legal obligations to which Xpand is subject | Service suppliers | Cookies, Other technologies | Website |
Cookies
Our websites, as well as web-based products, use cookies.
“Cookies” are small data files that are transferred to your computer that allow us to remember certain information about you. We use them to distinguish you from other users when you browse our websites or use our products, to enhance your user experience, and to provide a significant level of protection to your personal data.
We need your consent for the use of cookies before you can visit our website for the first time. You can choose not to allow some types of cookies or cancel/adjust your cookies selection at any time under the settings of our Cookies Consent Form. However, please bear in mind that blocking necessary cookies may damage your experience on the website (some features will not be available or will not work properly). Also please note that cookies don't allow us to gain control of your computer in any way. They are strictly used for performance, readability, and experience purposes as well as to monitor which pages you find useful and which you do not, so that we can provide a better experience for you.
You can find more detailed information on the categories of cookies we use in our Cookies Policy.
Please bear in mind that our websites may contain links to and from third-party websites. If you follow a link to any of such websites, please note that they have their own privacy and cookies policies and that we do not accept any responsibility or liability for them. Please check the third-party websites’ policies before you submit any personal data to them.
Grounds for processing
We collect and process your personal data in accordance with the provisions of the GDPR (more information can be found here https://gdpr.eu/). GDPR provides an exclusive list of bases allowing us to process your personal data, namely:● Article 6.1(a): consent
We only collect the information you choose to give us, and we process it with your consent. We require the minimum amount of your personal data that is necessary to fulfil the purpose of your interaction with our website (provide you with quote, look through the CV, send you an offer or newsletter, etc.).● Article 6.1(b): performance of a contract
When you send us your CV or use the feedback form to get in contact with us to discuss our services you’d be interested in buying, this can be deemed the request of the data subject to form a contract. However, we may ask you to give us clear consent in case of doubt.
● Article 6.1(c): legal obligation
We process your personal data to fulfill the applicable legal obligations arising mainly from the GDPR.● Article 6.1(f): legitimate interests
We process your personal data to prevent any fraudulent actions and to provide you with the desired information and services. Also, we need some data to enable our website to run smoothly and give you a pleasant user experience. We use only strictly necessary data.
Data Security and Retention
We have implemented organizational, technical, administrative, and physical security measures that are designed to protect your personal data from unauthorized access, disclosure, use, and modification. We regularly review our security procedures to consider appropriate new technology and methods.● browser data and usage data.
Your comments, reactions, reposts, and messages left within the social media platforms and Disqus tool will be kept visible as long as the privacy policies of these platforms promise you.Data Sharing and Disclosure
We do not intentionally share or sell any personal information, that we collect via our websites or social network pages. We use it strictly for the purposes of our business operations.
We may share your personal data with third parties only, where at least one applies:
• you give us the explicit consent to such disclosure;
• the disclosure of your personal data is required by the appropriate laws;
• the disclosure secures our legitimate interests and does not override your rights and freedoms;
• the disclosure of your personal data is necessary for the public authorities to fulfill their official obligations and duties.
Sharing personal data with other Joint Data Controllers
Sometimes we can be considered as joint controllers. As we are determined to provide you with a variety of possibilities to discover our services and share your experience, we use the products of third parties, acting as controllers. For example, when you use social media buttons to share our blog post or see the targeted advertisement when scrolling your newsfeed, we may become joint controllers with the social media you use. Usually, you may make Facebook, Instagram, LinkedIn, and YouTube our joint controllers by using their “Like” and “Share” buttons.• Microsoft Corporation: as our operations use licensed Microsoft 365 software applications for communication and data storage. In addition, we could share personal data among Microsoft-controlled affiliates and subsidiaries. You may familiarize yourself with Microsoft Privacy Policy here.
• Google, LLC: to use data analytics to improve our website and your experience as well as deliver the functionality of the website. You may familiarize yourself with its Privacy Policy here.
• Social Media Networks: to allow users to contact us on social media or share any news of the Company on their pages. You may familiarize yourself with the most common social media platforms’ Privacy Policies here: LinkedIn, Meta, and Google.
Sharing personal data with the Data Processors
There are a lot of features necessary to provide you with the service that we may not complete ourselves, thus we use third-party help and may grant access to your personal data, in full or in part, to such third parties as Data Processors to perform the necessary services for us under the contracts with the obligatory signing of non-disclosure clauses. We have supplier assessment procedures in place to ensure we choose trusted partners and we have implemented a need-to-know approach to range the scope of access granted to each category of sub-processors depending on the operations they ensure and purposes they need the personal data for.• Disqus, Inc. to improve your experience in the blog at the website as well as deliver the functionality of the blog. You may read its Privacy Policy here.
• Hurma System to automate CV processing for recruiting purposes. You may read its Privacy Policy here.
• Service suppliers to perform websites’ processing operations: to improve our website and your experience as well as deliver the functionality of the website.
Your rights
You may exercise the following rights under the General Data Protection Act (GDPR) by contacting us through compliance@xpandsoftware.com or by filling in the Request and Complaints Form:
• right of access means that you may ask us to send you a copy of your personal data collected together with information regarding the nature, processing, and disclosure of that personal data;
• right to rectification means that you may ask us to update and correct the false data, missing or incomplete personal data;
• right to erasure (to be “forgotten”) means that you may ask us to delete your personal data collected, except insofar it is prohibited by applicable law. Normally, we delete your personal data right after your request. We may either anonymize or retain your personal data for a bit longer after the deletion request;
• right to restriction of processing means that you may ask us to restrict processing where:
1) your personal data is not correct or outdated
2) the processing is unlawful
• right to object to the processing means that you may raise objections on grounds relating to your particular situation;
• right to data portability means that you may ask us to transfer a copy of your personal data to another organization or to you;
• right to withdraw the consent when your personal data is processed (see section Grounds for processing);
• right to lodge a complaint with the Supervisory Data Protection Authority pertaining to the processing of your personal data (you may submit the complaint to the Supervisory Data Protection Authority as stated in this Policy).
User Age
We do not knowingly collect personal data from people under the age of 16. If you become aware that the Company is processing the personal data of anyone under 16 years old, please notify us by writing to compliance@xpandsoftware.com. If we discover that we have unintentionally collected personal data from a child under 16 years old without parental consent, we will take steps to delete such data.
Cross-Border Data Transfer
The storage and processing of your personal data take place in Ukraine or other countries within the European Economic Area. We may also transfer your personal data to countries outside these regions, which may not have the same level of data protection laws as the country where you originally provided the data. In such cases, we comply with applicable laws to ensure an adequate level of data protection for the transfer of your Personal Data to third countries. To safeguard these international transfers, we rely on the GDPR mechanisms provided therein.
Data Protection Authority
Our organization is established in Ukraine. Thus, privacy violations may be subject to the Ukrainian Data Protection Law and GDPR. Considering that data processing by our Company does not consist of the processing of special categories of personal data on a large scale, we decided not to appoint a Data Protection Officer - the responsibilities of the DPO at Xpand are carried out by Compliance Officer (contact email: compliance@xpandsoftware.com).
However, we have also appointed our EU representative located in Belgium to make it possible to handle complaints lodged against violations of the General Data Protection Regulation within the EU and the relevant national laws (according to the requirements of Chapter 4 Article 27 of GDPR: Representatives of controllers or processors not established in the European Union).
In the event of a personal data breach (if a risk to data subjects is likely), the Company reports the personal data breach to the supervisory authority without undue delay, and not later than 72 hours. The breach notification can be made by email, phone, or letter.
If the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the Company notifies the data subjects affected immediately by email.
Information to Ukrainian residents
As we set our goal to meet GDPR standards, we have implemented the best practices to uphold your data protection rights under GDPR. At the same time, we also ensure compliance with national law. Accordingly, we hereby inform Ukrainian residents of their rights under Article 8 of the Ukrainian Data Protection Law, which can be found via this link. If you have any further questions regarding how we exercise your data protection rights under Ukrainian legislation, you can contact us through provided means.
Changes to the Privacy Policy
We may change this Policy from time to time due to the implementation of new technologies, laws’ requirements, or for other purposes. We will send notice to you if these changes are dramatic and where required by applicable laws, we will obtain your consent. Such notification may be provided via your email address, posted on our social media accounts, or announced on the website and/or by other means, consistent with applicable law.
Also, we encourage you to regularly review this Policy to check for any changes.
Contacts
Please contact us if you have any questions about your personal data or any specific data protection concerns, or complaints, or wish to withdraw your personal information.
Do not hesitate to contact us directly at e-mail address compliance@xpandsoftware.com or by filling in the Request and Complaints Form.
Information in answer to such requests must be provided by the Company without undue delay within at most 30 days from the date the appropriate request is received. If the request is complex or if multiple requests are made, this period may be extended by an additional 60 days.
Last update: February 20, 2025