Privacy Policy
Last updated: 10/25/2025
1. Introduction
Expirely ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our grant management platform and related services.
This policy applies to all users of Expirely, including nonprofit organizations, educational institutions, and businesses using our platform to discover and manage grant opportunities.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, phone number, organization name, tax ID/EIN, job title
- Organization Profile: Mission statement, focus areas, NTEE categories, geographic location, annual budget, website URL
- Grant Application Data: Grant proposals, budgets, supporting documents, project descriptions, applicant information
- Payment Information: Billing address, payment method details (processed securely through Stripe)
- Communications: Support requests, feedback, survey responses
2.2 Information Collected Automatically
- Usage Data: Pages viewed, features used, time spent, search queries, grant interactions
- Device Information: IP address, browser type, operating system, device identifiers
- Cookies and Tracking: See our Cookie Policy
2.3 Information from Third Parties
- Public Grant Databases: Federal grants (Grants.gov), foundation data (IRS Form 990s via ProPublica API)
- Authentication Providers: OAuth information when signing in with Google, Microsoft, etc.
- Payment Processors: Transaction data from Stripe
3. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: Provide personalized grant recommendations, track applications, send deadline reminders
- AI Features: Analyze your organization profile to match relevant grants, generate proposal content, provide foundation insights
- Communication: Send transactional emails (welcome sequences, saved search alerts), SMS deadline reminders, product updates
- Payment Processing: Process subscription payments and manage billing
- Platform Improvement: Analyze usage patterns, conduct A/B testing, fix bugs, optimize performance
- Security: Detect fraud, prevent abuse, enforce terms of service
- Legal Compliance: Respond to legal requests, protect our rights, comply with regulations
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your data based on:
- Contract Performance: Processing necessary to provide our services
- Legitimate Interests: Improving our platform, fraud prevention, analytics
- Consent: Marketing communications, non-essential cookies
- Legal Obligation: Tax compliance, response to legal requests
5. How We Share Your Information
We do not sell your personal information. We share data only in these circumstances:
- Service Providers: Hosting (Vercel), database (Supabase), email (Resend), SMS (Twilio), AI (Google Gemini), payments (Stripe)
- Within Your Organization: Team members within your organization can access shared grant data
- Legal Requirements: When required by law, court order, or government request
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: Any other sharing will require your explicit permission
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services. After account deletion:
- Most data is deleted within 30 days
- Backup copies are retained for 90 days for disaster recovery
- Financial records are retained for 7 years per legal requirements
- Anonymized analytics data may be retained indefinitely
7. Your Privacy Rights
All Users
- Access: Request a copy of your personal data
- Correction: Update inaccurate or incomplete information
- Deletion: Request deletion of your account and data
- Data Portability: Export your grant data in CSV format
- Opt-Out: Unsubscribe from marketing emails and SMS
GDPR Rights (EEA Residents)
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent
- Right to lodge a complaint with your data protection authority
CCPA Rights (California Residents)
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your rights
To exercise any of these rights, contact us at privacy@expirely.co
8. Data Security
We implement industry-standard security measures to protect your data:
- TLS/SSL encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Multi-tenant data isolation with Row-Level Security (RLS)
- Regular security audits and penetration testing
- SOC 2 Type II compliance (in progress)
- Two-factor authentication available
For more details, see our Security page.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all third-party processors
- Privacy Shield Framework compliance (where applicable)
10. Children's Privacy
Expirely is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Email notification to your registered address
- Prominent notice on our website
- In-app notification upon login
Continued use of our services after changes indicates acceptance of the updated policy.
12. Contact Us
For privacy-related questions, data requests, or concerns:
Privacy Team
Email: privacy@expirely.co
Phone: (720) 209-7375
Mail: Expirely, Inc., Privacy Team
[Your Physical Address]