Legal

Privacy policy

We believe privacy should be simple and honest. Here is exactly what we collect, why, and what you can do about it.

Last updated: May 1, 2026

Introduction

Expatriate ("we", "us", "our") operates the website expatriate.se and the related apartment alert notification service. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.

We are subject to the General Data Protection Regulation (GDPR) as we operate within the European Union and serve users based in Sweden. By using Expatriate, you agree to the practices described in this policy.

Data we collect

We collect only what we need to deliver the service:

Account data

Your email address and password (hashed) when you create an account.

Filter preferences

The search criteria you set — cities, rent range, room count, and notification channels.

Payment data

If you subscribe to a paid plan, payment is processed by Stripe. We do not store card numbers — Stripe holds them under PCI-DSS compliance. We receive a subscription status and anonymised billing reference.

Usage data

Basic analytics (page views, feature usage) via PostHog to improve the product. No advertising identifiers are used.

Communication data

Any messages you send us via the contact form.

How we use your data

We use your data exclusively to operate and improve the service:

  • Sending you email (and SMS on paid plans) alerts for matching apartment listings
  • Managing your account and subscription
  • Processing payments through Stripe
  • Responding to your support inquiries
  • Improving product performance and fixing bugs using aggregated analytics

We do not sell your data, use it for advertising, or share it with third parties for their own marketing purposes.

Data sharing

We use a small number of trusted sub-processors to run the service:

  • Supabase: Database and authentication (hosted in EU)
  • Stripe: Payment processing (PCI-DSS compliant)
  • Resend: Transactional email delivery (EU region)
  • PostHog: Product analytics (EU region)
  • AWS: Compute hosting for the scraper service (Stockholm region, eu-north-1)
  • Vercel: Web hosting

We may also disclose data if required by law, court order, or to protect the rights and safety of our users or others.

Data retention

We keep your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are legally required to retain it (e.g. payment records, which we keep for 7 years under Swedish accounting law).

Anonymised, aggregated analytics data may be retained indefinitely as it cannot be used to identify you.

Your rights

Under GDPR, you have the following rights regarding your personal data:

  • Access — Request a copy of all personal data we hold about you.
  • Portability — Export your data in a machine-readable format (JSON/CSV) from your account settings.
  • Rectification — Correct inaccurate or incomplete data.
  • Erasure — Request deletion of your personal data ("right to be forgotten"). You can do this from your account settings or by emailing us.
  • Restriction — Ask us to limit how we process your data in certain circumstances.
  • Objection — Object to processing based on legitimate interests.
  • Withdraw consent — Withdraw any consent you have given at any time.

To exercise any of these rights, email us at support@expatriate.se. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

Cookies

We use a minimal set of cookies necessary to operate the service:

  • Authentication cookies — Set by Supabase to keep you logged in. These are strictly necessary and cannot be disabled.
  • Analytics cookies — Set by PostHog to understand how users interact with the product. These are first-party cookies and do not track you across other websites.

We do not use advertising cookies or third-party tracking pixels.

Security

We take reasonable technical and organisational measures to protect your data, including:

  • HTTPS encryption for all data in transit
  • Passwords hashed using industry-standard algorithms (managed by Supabase Auth)
  • Row-level security on all database tables
  • Access to production systems restricted to authorised personnel only

No system is 100% secure. If you discover a security vulnerability, please report it to support@expatriate.se.

Changes to this policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the new policy.

Contact

For any questions about this Privacy Policy or how we handle your data, contact us at: