Privacy Policy

1. Data Controller & Processor Role

ExpiryOS acts as a Data Processor on behalf of your company (the Data Controller). We process worker credential data according to your instructions and under the terms of a Data Protection Addendum. This means your company decides why data is collected and how it is used, while we handle the technical processing on your behalf.

2. Data We Collect

ExpiryOS collects the following categories of personal data:

• Worker Information: name, email address, phone number, assigned role
• Document Data: uploaded credential files (PDF, JPG, PNG) and extracted expiry dates via OCR
• Upload Tokens: tokenized links for secure document upload; token access logs
• Notification Records: delivery receipts and read status for renewal notifications
• Tenant Admin Information: email address, company name, billing contact details
• Audit Logs: all API requests with IP address, user agent, timestamp, and action performed
• Consent Records: timestamp and IP address at time of policy acceptance

3. Legal Basis & Retention

We process worker credential data on the following legal bases:

• Contractual Necessity: Processing is required to fulfill your employment compliance obligations
• Legitimate Interest: We have a legitimate interest in maintaining data for regulatory compliance and audit purposes

Data is retained according to the following schedules:

• Worker Data: Retained for the duration of employment, plus 30 days post-termination. After 30 days, all identifying information is pseudonymized.
• Audit Logs: IP address and user agent retained for 90 days. Full audit rows retained indefinitely for system integrity and compliance audits.
• Notification Logs: Retained for 12 months to maintain a complete compliance trail.
• Consent Records: Retained indefinitely to prove lawful basis for processing.
• Upload Tokens: Expired tokens are nullified. Renewal requests validated before processing.

Cookies: ExpiryOS uses Supabase authentication session tokens only. These are strictly necessary for authentication and are not used for analytics or tracking.

4. Third-Party Processors

Your data is processed by the following external service providers on our behalf:

• Supabase: Database hosting, authentication, and file storage. See Supabase Privacy Policy
• Resend: Email notification delivery to workers. See Resend Privacy Policy
• Twilio: SMS notification delivery to workers. See Twilio Privacy Policy
• Stripe: Billing and subscription management. See Stripe Privacy Policy
• Anthropic: OCR extraction of expiry dates from credential documents. See Anthropic Privacy Policy

5. Your Data Subject Rights

Under GDPR and US state privacy laws, you have the following rights:

Right of Access

You have the right to request a copy of your personal data in machine-readable format. We will provide a complete export of all data we hold about you, including documents and metadata.

Right to Erasure (Deletion)

You have the right to request deletion of your personal data. For workers, we will pseudonymize all identifying information (name, email, phone) while retaining the record for audit integrity. Admin users cannot be deleted but may request pseudonymization.

Right to Data Portability

You have the right to receive your personal data in portable format (JSON) and to transmit it to another service. This right applies to all structured data you have provided.

Right to Correction

You have the right to request correction of inaccurate personal data. You may correct worker information directly in the system, or request changes via our support team.

Right to Restriction

You have the right to request that we restrict processing of your personal data, limiting it to storage only while you resolve a dispute about accuracy.

Right to Withdraw Consent

Consent is NOT the legal basis for our processing. However, you may opt out of renewal notification communications at any time by contacting your tenant admin or reaching out to hello@expireOS.io.

To exercise any of these rights: Contact your company's privacy officer or tenant admin. Alternatively, email hello@expireOS.io with your request and we will facilitate the process within 30 days.

6. Data Protection Agreement (DPA)

ExpiryOS, as a Data Processor, has executed a Data Protection Addendum (DPA) with your company that outlines our obligations and your rights under GDPR Article 28. A copy of this DPA is available upon request. Please contact hello@expireOS.io to obtain a signed DPA.

7. Contact & Complaints

Data Controller

Contact your company's privacy officer, compliance department, or the tenant admin for questions about why data is collected or how your company uses ExpiryOS.

Data Processor

For questions about ExpiryOS's privacy practices or to exercise data subject rights:
Email: hello@expireOS.io
Website: https://expireOS.io

Supervisory Authority

You have the right to lodge a complaint with your national data protection authority:

• EU (GDPR): Your Member State's Data Protection Authority (DPA)
• California (CCPA/CPRA): California Attorney General (caag.ca.gov/privacy)
• Virginia (VCDPA): Virginia Attorney General (oag.state.va.us)
• Colorado (CPA): Colorado Attorney General (coag.gov/privacy)
• Connecticut (CTDPA): Connecticut Attorney General (ct.gov/privacy)