Version 2.2 – Last updated: 16 June 2025

Privacy Policy

Your privacy is our priority

Encryption
Transparency
User control
No data resale

Data Controller: WorldExpat OÜ (Estonian company), Tallinn, Estonia. Applicable legal framework: Regulation (EU) 2016/679 (GDPR) and equivalent local laws.


1. Data Collection

We collect only strictly necessary data to deliver our services:

- Identity & contact: first name, last name, email, phone, country of residence;

- Payment data: processed exclusively by our PCI-DSS certified payment providers (Stripe and PayPal). SOS Expat does NOT store any card data;

- Call metadata: timestamps, duration, technical identifiers (call contents are NOT recorded by default);

- Connection data: IP address, session ID, user-agent, access logs;

- Request content: subject and description provided by the user.

2. Data Protection

Encryption in transit (TLS 1.2+) and at rest where possible. Strong technical and organizational safeguards (access controls, audits, logging, data minimization). Breach notification within 72h as required by GDPR article 33.

3. Data Sharing

3.1. No resale

No data trading. No sharing with third parties for advertising purposes.

3.2. Processors (GDPR article 28)

We share strictly the minimum necessary with the following processors, under Data Processing Agreements (DPAs) compliant with GDPR:

| Processor | Purpose | Data location | Safeguards |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payment collection, KYC/AML, payouts to providers | Ireland (EU) + USA | EU SCCs, PCI-DSS Level 1 |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Alternative client payment, international payouts | Luxembourg (EU) | EU SCCs, PCI-DSS |
| Twilio Inc. | Phone connection (call routing, IVR, SMS, conference) | USA (DPF Data Privacy Framework) | DPF, EU SCCs |
| Google Cloud / Firebase (Google Ireland Ltd.) | Application hosting, database, authentication, serverless functions | EU (europe-west1, europe-west3) + USA (us-central1, nam7) | EU SCCs, ISO 27001/27017/27018, SOC 2 |
| Cloudflare Inc. | CDN, anti-DDoS, application security, edge cache | Global (DPF) | DPF, EU SCCs |
| Zoho Corporation B.V. | Business email, support, transactional messages | EU / India | EU SCCs |

This list is updated in case of material change. No new processor is added without prior notice.

3.3. International transfers

Transfers of data outside the EEA are governed by EU Standard Contractual Clauses approved by the European Commission, adequacy decisions, or the Data Privacy Framework (USA).

4${t.yourRights}

- ${t.rights[0]}

- ${t.rights[1]}

- ${t.rights[2]}

- ${t.rights[3]}

- ${t.rights[4]}

Retention: data is kept for the duration of the contractual relationship, then archived for statutory limitation periods (generally 5 to 10 years depending on data type and applicable legal obligation). Terms acceptance logs are kept for 10 years (eIDAS evidence).


5. Contact

For questions or to exercise your rights, please use the form below.

Data Collection

We collect only the information needed to deliver our assistance services. This includes your contact details, technical metadata (calls, messaging) and details strictly required for your request.

Data Protection

Your data is encrypted in transit and at rest where possible and stored securely. We apply technical and organizational measures to prevent unauthorized access.

Data Sharing

We never sell your personal data. We only share information necessary with vetted providers (payments, telephony, hosting) to deliver the requested service.

Social Media & Meta API

Our internal tool 'Mission Control' uses the official Meta APIs (Facebook, Instagram, Threads) and LinkedIn API ONLY to publish content on our own SOS-Expat business accounts. We do NOT collect Meta user data for commercial purposes. Comments received on our publications are temporarily stored to allow our editorial team to reply, then anonymized after 90 days. You can revoke access at any time from the 'Connected Apps' section of your Facebook / Instagram / LinkedIn account settings. For full data deletion, see our Data Deletion page.