EXPATRIATION.IO, cost of living tools for expats
EN / FR

GDPR framework

Privacy policy

Last updated: April 26, 2026

Preamble

EXPATRIATION.IO places particular importance on the protection of its users' personal data. This policy describes the conditions under which personal data are collected, processed, and stored as part of the use of the app.expatriation.io site, in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act of January 6, 1978 as amended.

1. Data controller

  • Sidney LAKEHAL, sole proprietorship (entreprise individuelle)
  • SIRET: 889 934 162 00013
  • Address: 78 Avenue des Champs-Élysées, Bureau 562, 75008 Paris, France
  • Contact: contact@expatriation.io

2. Personal data collected

Depending on the use of the site, the following categories of data may be collected:

  • Purchase data: email address provided at payment via Stripe Checkout, transaction information (reference, amount, date) transmitted by Stripe.
  • Salary simulation data: parameters entered by the user in the detailed simulation calculator (gross compensation, family status, sub-jurisdiction, comparison country). These parameters are temporarily stored in the Vercel KV service for a maximum duration of 2 hours, until Stripe payment is confirmed and the PDF report is generated. They are then immediately deleted.

    The parameters appear in the generated PDF, which is sent as an attachment to the email address provided by the customer at payment. The PDF then remains in the customer's inbox. Email delivery metadata (recipient, timestamp, delivery status) are kept by the Resend service provider in accordance with its own policy. The simulation parameters themselves are not recorded in Vercel server logs.
  • Anonymized technical data: anonymized audience measurement via Google Analytics 4 (anonymized IP), session duration, pages visited.
  • Technical logs: IP address, browser type, timestamp, request duration, kept in Vercel server logs for security and diagnostic purposes.

3. Purposes and legal bases

Purpose Legal basis
Performance of the sales contract (delivery of the digital product) Performance of the contract (Art. 6.1.b GDPR)
Transactional communication (delivery emails, customer service) Performance of the contract (Art. 6.1.b GDPR)
Accounting and tax retention Legal obligation (Art. 6.1.c GDPR)
Anonymized audience measurement Legitimate interest (Art. 6.1.f GDPR)
Security and technical diagnostics Legitimate interest (Art. 6.1.f GDPR)

4. Data recipients

Personal data may be transmitted to the following technical processors, acting on behalf of the data controller:

  • Stripe Payments Europe Ltd (Dublin, Ireland): payment processing.
  • Resend (San Francisco, United States): sending of transactional emails (product delivery, notifications).
  • Vercel Inc. (Covina, United States): hosting, serverless execution, infrastructure logs.
  • Vercel KV (Upstash, Inc., United States): temporary storage of Stripe event identifiers for idempotency purposes (TTL 30 days), as well as temporary storage of salary simulation parameters (TTL 2 hours).
  • Google LLC (Mountain View, United States): anonymized audience measurement via Google Analytics 4.

5. Transfers outside the European Union

Some processors are established in the United States. Data transfers to these processors are governed by the following mechanisms:

  • Data Privacy Framework (EU-US): Stripe Inc., Vercel Inc., and Google LLC are certified under the Data Privacy Framework for data transfers from the European Union to the United States.
  • Standard Contractual Clauses (SCC) of the European Commission, for processors not covered by the Data Privacy Framework.

6. Retention periods

Data category Retention period
Transaction data (invoices, accounting) 10 years (Article L123-22 of the French Commercial Code)
Purchase email (commercial relationship) Duration of the commercial relationship + 3 years
Vercel server logs 12 months
Stripe idempotency identifiers (Vercel KV) 30 days
Salary simulation parameters (Vercel KV, transit) 2 hours maximum, then deletion
Google Analytics 4 analytics data 14 months

7. Rights of data subjects

In accordance with Articles 15 to 22 of the GDPR and Article 85 of the French Data Protection Act as amended, you have the following rights:

  • Right of access to your personal data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interest
  • Right to set instructions regarding the use of your data after your death

These rights are exercised by email at contact@expatriation.io. A response will be sent to you within a maximum period of 30 days.

8. Complaint to the supervisory authority

You have the right to lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL, the French data protection authority):

  • CNIL
  • 3 Place de Fontenoy, TSA 80715
  • 75334 Paris Cedex 07, France
  • Website: https://www.cnil.fr

9. Data security

The site is fully served via HTTPS (TLS encryption). Vercel hosting is SOC 2 certified. Payment processing is compliant with the PCI-DSS standard via Stripe. Technical secrets (API keys, tokens) are stored exclusively in encrypted environment variables.

10. Cookies and trackers

The use of cookies and trackers on the site is the subject of a dedicated policy, accessible on the Cookie policy page.

11. Modifications to this policy

This policy may be modified at any time to reflect technical, legal, or organizational developments. The date of last update is indicated at the top of the page.

Disclaimer

This information is provided for educational purposes and does not constitute tax, legal, or financial advice. For personal decisions, consult a qualified professional: tax attorney, certified accountant, notary, or immigration counsel depending on the nature of your situation.

← Back to home