Privacy Policy

We collect information you provide directly to us, and information generated automatically through your use of the platform. We limit collection to what is necessary to provide and improve the service.

Account Information

When you register, we collect your full name, email address, and password. Passwords are never stored in plain text — they are irreversibly hashed using the Argon2id algorithm before being written to our database. If you choose to sign in via Google OAuth, we receive your name, email address, and a Google account identifier. We never receive or store your Google password.

Usage Data

We record platform interactions such as countries and visa programs you view, quiz responses, saved items, and dashboard activity. This data is associated with your account and used exclusively to personalise your experience and generate the features that require it (e.g., your saved items list, your Expat Archetype result).

Technical & Device Data

We automatically collect certain technical data when you access the platform: IP address, browser type and version, operating system, device type, referring URL, and pages visited along with timestamps. This data is used for security monitoring, debugging, and fraud prevention, and is not used for targeted advertising.

Contact Form Submissions

If you submit a message via our contact form, we store your name, email address, selected subject, and message content. This is used solely to respond to your enquiry and is retained as described in Section 5.

We use the information we collect for the following purposes:

• Account management — creating, authenticating, and maintaining your account; issuing and validating JWT access and refresh tokens.
• Personalised experience — delivering your saved items, Expat Archetype result, and relevant country recommendations.
• Transactional communications — sending OTP verification codes, password reset emails, and contact form acknowledgements.
• Platform security — detecting and preventing unauthorised access, fraud, or abuse of the platform.
• Analytics and improvement — understanding aggregate usage patterns to improve the platform. Analytics data is anonymised before analysis.
• Legal compliance — fulfilling obligations under applicable laws, including responding to lawful data requests.

We do not use your data for targeted advertising, automated profiling that produces legal or similarly significant effects, or any purpose not listed above without obtaining your prior consent.

We use a minimal set of cookies and browser storage to operate the platform. We do not use advertising cookies or third-party tracking pixels.

You can opt out of Google Analytics at any time using the Google Analytics Opt-out Browser Add-on. Disabling essential storage will prevent you from using authenticated features of the platform.

We do not sell, rent, or broker your personal data. We share data only with the following third-party services that are operationally necessary to run ExpatHavenHub. Each integration is scoped to the minimum data required.

• Google (OAuth & Analytics) — Google sign-in sends your Google profile to us; GA4 sends anonymous event data to Google. Both are governed by Google's Privacy Policy and processed under a Data Processing Agreement.
• GNews API — We query GNews to retrieve publicly available news articles. No user data is transmitted to GNews in these requests.
• Email delivery (SMTP) — Transactional emails (OTP codes, contact confirmations) are dispatched via our configured SMTP provider. Only your email address and the email content are involved.
• Hosting infrastructure — Our servers and database are hosted on infrastructure providers under confidentiality and data processing agreements. Providers do not have access to your data beyond what is necessary for hosting.

We may disclose your personal data if required by a court order, regulatory body, or applicable law. Where legally permitted, we will notify you before complying with such a request.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Specific retention periods are:

• Account data (name, email, hashed password) — retained until you delete your account or submit a deletion request.
• Usage logs and background job records — automatically purged after 60 days.
• Job event logs — automatically purged after 21 days.
• Contact form submissions — retained for up to 12 months for support record-keeping, then permanently deleted.
• Access tokens — expire after 15 minutes and are not persisted server-side.
• Refresh tokens — expire after 30 days and are invalidated on use (rolling rotation).

Upon account deletion, we initiate erasure of all associated personal data within 30 days. Anonymised or aggregated data that cannot identify you may be retained indefinitely for analytical purposes.

Depending on your country of residence, you may hold the following rights in relation to your personal data. We will respond to verified requests within 30 days.

GDPR — EEA, UK, and Switzerland

• Right of access (Art. 15) — Obtain a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — Request permanent deletion of your account and personal data ("right to be forgotten").
• Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — Object to processing based on legitimate interests.
• Right to restriction (Art. 18) — Request that we limit how we process your data while a dispute is resolved.
• Right to withdraw consent — Where processing is consent-based, you may withdraw consent at any time without affecting prior processing.

CCPA — California Residents

• You have the right to know what categories of personal data we collect, the purposes for collection, and whether it is disclosed to third parties.
• You have the right to opt out of the sale of personal data. We do not sell personal data.
• You have the right to request deletion of personal data we have collected about you, subject to certain exceptions.
• You have the right to non-discrimination — we will not deny service, charge different prices, or provide a lower quality of service for exercising your privacy rights.

To exercise any of these rights, please contact us with your request. We may need to verify your identity before processing.

We implement industry-standard technical and organisational safeguards to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

• Password hashing — All passwords are hashed using Argon2id, a memory-hard algorithm specifically designed to resist GPU and ASIC brute-force attacks.
• Encryption in transit — All communications between your browser and our servers are encrypted using TLS 1.2 or higher (HTTPS).
• Short-lived authentication — Access tokens expire after 15 minutes. Refresh tokens rotate on each use and expire after 30 days, limiting the window of exposure if a token is compromised.
• Network isolation — Our database server is not exposed to the public internet. All database connections originate from within our private application network.
• OTP rate limiting — Email verification codes are rate-limited to 3 requests per hour and expire after 10 minutes, with a maximum of 5 incorrect attempts before invalidation.

No internet-based system can guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you and relevant supervisory authorities within the timeframes required by applicable law.

We may revise this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page will always reflect when the most recent revision was made.

For material changes — those that meaningfully affect your rights or how we use your data — we will notify registered users by email at least 14 days before the revised policy takes effect. For minor, non-material updates (such as wording clarifications), the revised policy takes effect immediately upon publication.

Your continued use of ExpatHavenHub after any revision constitutes your acceptance of the updated policy. If you disagree with a material change, you may delete your account before the effective date.

For any questions, concerns, or data rights requests relating to this Privacy Policy, please contact us through one of the following channels:

We aim to acknowledge all privacy-related requests within 5 business days and resolve them within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.