Privacy Policy
Last updated: April 2026
ExProTrack is a software-only SaaS platform for construction project budgeting and expense management. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you use ExProTrack. We apply a GDPR-standard baseline and honour the privacy rights available under applicable laws, including the India DPDP Act 2023, UAE PDPL, Qatar PDPPL, and similar data protection laws.
Who We Are
ExProTrack is a software-only SaaS platform for construction project budgeting and expense management. For any enquiries, contact: support@exprotrack.com.
What Data We Collect
We collect the minimum data needed to provide and secure the service.
- Account data: name, email address, company name, and country.
- Usage data: expense records, project data, comments, approvals, and receipt files you upload.
- Technical data: IP address, browser type, device type, session metadata, and login timestamps.
- Payment data: billing and payment details are handled entirely by Paddle, our Merchant of Record. We do not receive or store full card numbers.
How We Use Your Data
- To provide the ExProTrack service and maintain your account.
- To send transactional emails such as password reset messages, expense notifications, billing alerts, and service notices.
- To improve the service using aggregated and anonymised analytics.
- To comply with legal obligations, enforce our terms, and respond to lawful requests.
Legal Basis for Processing (GDPR)
- Contract performance: account creation, authentication, support, and service delivery.
- Legitimate interests: service security, fraud prevention, abuse detection, and operational monitoring.
- Legal obligation: tax records, financial compliance, and lawful disclosures.
- Consent: marketing emails and other optional communications, which are sent on an opt-in basis only.
Data Storage and Security
- Data is stored on servers in the European Union using Render.com in the Frankfurt region.
- All data is encrypted in transit using TLS 1.2+ and encrypted at rest.
- Access to production data is restricted to authorised personnel only.
- We conduct regular security reviews and operational checks to reduce risk.
Sub-processors
- Render.com — cloud hosting and database storage (EU).
- Paddle.com — payment processing and billing (UK/US).
- Resend / Postmark — transactional email delivery.
- Sentry — anonymised error monitoring.
Data Retention
- Active account data is retained for the duration of your subscription plus 60 days.
- After account deletion, data is permanently purged within 30 days unless a longer period is required for legal or security reasons.
- Billing and tax records are retained for 7 years as required by applicable law.
Your Rights
- Access: request a copy of your personal data.
- Correction: request correction of inaccurate or incomplete information.
- Erasure: request deletion of your account and related data.
- Portability: export your data in CSV format where available.
- Objection: object to processing based on legitimate interests.
To exercise any right, email support@exprotrack.com. We will respond within 30 days.
Cookies
We use essential cookies only, primarily for session authentication and basic service continuity. We do not use advertising cookies, retargeting tags, or third-party tracking cookies. We do not use Google Analytics or advertising trackers.
Cross-Border Transfers
Your data may be processed in the EU for hosting, the UK via Paddle, and the US via email providers or infrastructure services. Where cross-border transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses, processor commitments, or applicable adequacy mechanisms.
Children
ExProTrack is a B2B service and is not directed at children under 18. We do not knowingly collect personal data from children.
Changes
We may update this Privacy Policy from time to time. If changes are material, we will notify customers by email at least 14 days in advance. The “Last updated” date at the top of this page reflects the latest version.
Contact / DPO
For privacy requests, email support@exprotrack.com. For GCC users, we acknowledge your rights under UAE PDPL, Qatar PDPPL, and KSA PDPL and will honour requests from residents of those jurisdictions within 30 days.