Legal

Privacy Policy

Last updated: May 24, 2026

This policy explains what information ExpiresOS, Inc. (“ExpiresOS”, “we”, “us”) collects when you use our service, why we collect it, and what control you have over it.

Information we collect

  • Account information — name, email address, and profile photo, provided through Clerk when you sign up.
  • Organization information — your org name, membership list, role, and current plan.
  • Compliance records — the titles, categories, dates, costs, notes, and tags you create.
  • Documents — PDFs and images you upload. These may contain personal information (names, license numbers, signatures); we treat their contents as confidential customer data.
  • Payment information — handled by Stripe. We never see or store full card numbers. We store the Stripe customer and subscription identifiers needed to bill you.
  • Reminder delivery details — the email addresses and phone numbers you choose to receive renewal reminders on.
  • Operational logs — IP address, user agent, and an audit log of state-changing actions you take in the app.
  • Partner-offer clicks — on the free plan, when you click a partner card we record the click for revenue attribution. Clicks are not joined to any other identifier.

How we use it

  • Deliver the service — store your records, send reminders, render the UI.
  • Bill paid plans and prevent abuse.
  • Operate, secure, and improve the product. Aggregate, non-identifying usage analytics may inform product decisions.
  • Communicate with you about your account, security, and material changes to this policy.

We do not sell your personal information.

Who processes it on our behalf

We rely on a short list of vendors (“subprocessors”) to run the service. Each one processes data only on our written instructions. The full, current list is at expiresos.com/subprocessors.

Retention

  • Account, organization, and record data — until you delete it.
  • Uploaded documents — until you or your org admin deletes them.
  • Audit log entries — rolling 12 months.
  • After an organization is closed — a 30-day grace period during which an admin can restore it, then permanent deletion of the tenant’s data.

Your rights

Depending on where you live (GDPR, UK GDPR, CCPA, and similar laws), you have the following rights. We honour them for everyone:

  • Access — export your records and documents from the dashboard.
  • Correction — edit your profile, organization, and records.
  • Deletion — delete individual records and documents from the app, or write to privacy@expiresos.com to delete your account and organization.
  • Portability — exports are JSON / CSV.
  • Objection / restriction — disable reminders or uninstall at any time. You can ask us not to process your data for specific purposes by writing to privacy@expiresos.com.
  • Complain to a regulator — EU/UK users may complain to their local data-protection authority.

Security

We use mandatory MFA, row-level isolation per organization, encryption at rest, signed time-limited download URLs, and an immutable audit log. Full details are at expiresos.com/security.

International transfers

Our infrastructure runs in the United States. If you are in the EEA, UK, or Switzerland, your data is transferred under Standard Contractual Clauses with our subprocessors.

Children

ExpiresOS is not intended for users under 13 and we do not knowingly collect data from them. If you believe a child has provided personal data, write to privacy@expiresos.com and we will delete it.

Changes

We will notify you of material changes to this policy by email and an in-app banner at least 30 days before they take effect. The “last updated” date at the top reflects the most recent revision.

Contact

Questions or requests: write to privacy@expiresos.com.