This privacy policy explains how ExpatMemo ("we", "our", "us") collects, uses, stores, and protects personal data when you visit expatmemo.com or interact with our contact and newsletter features.
Overview
ExpatMemo is an independent editorial resource covering international corporate structuring, tax residency, banking, and employment for entrepreneurs and cross-border professionals.
We take your privacy seriously. We collect the minimum data needed to operate the site, we never sell personal data, and we give you clear control over your information. If anything in this policy is unclear, please write to [email protected].
Data controller
The data controller responsible for your personal data under the GDPR and UK GDPR is the editor of ExpatMemo, publishing under the pseudonym Thomas Lenoir, reachable at [email protected].
A dedicated legal entity is planned and will be disclosed in this policy once incorporation is complete. In the meantime, the editor above is the single point of contact for all data protection requests.
What data we collect and why
We collect personal data in a small number of defined situations. We do not collect data passively through advertising networks, social trackers, or third-party fingerprinting.
Contact form submissions
When you send us a message through the contact form on our Contact page, we collect:
- Your name
- Your email address
- The subject category you select (optional)
- Your message
- A hashed version of your IP address (SHA-256, irreversibly anonymised)
- Your browser's user-agent string, truncated to 255 characters
- The timestamp of submission
We use this data to reply to your message, to maintain a searchable record of editorial correspondence, and to prevent abuse (spam, flooding).
Legal basis: Article 6(1)(f) GDPR — legitimate interest in responding to editorial inquiries and maintaining an audit trail of correspondence. You may object to this processing at any time by emailing the editor.
Newsletter and waitlist subscriptions
When you subscribe to a newsletter, waitlist, or notification request (for example, the "Notify me" form on the Expat Tax Checklist widget), we collect:
- Your email address
- The timestamp of subscription
- The source page from which you subscribed
If you confirm your subscription through a double opt-in process, we add you to our newsletter service provider (see "Third-party processors" below) and send you the content you subscribed to.
Legal basis: Article 6(1)(a) GDPR — explicit consent. You may withdraw consent at any time by clicking "unsubscribe" in any email we send, or by emailing the editor.
Server logs
Our web server automatically logs basic technical data for every visit: IP address, request timestamp, URL requested, HTTP status code, and user-agent string. These logs are kept for 14 days for operational and security purposes (detecting abuse, debugging errors, investigating incidents) and are then automatically deleted.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in operating a secure website.
Analytics
We use a self-hosted instance of Umami Analytics. Umami is privacy-first: it does not use cookies, does not collect personal data, and does not track individuals across sessions or websites. It records aggregated, anonymised usage statistics (pages viewed, country, browser type, referring site) that cannot be linked back to you personally.
Because Umami is cookieless and processes only aggregated data that is not personal data under GDPR, we do not require your consent for analytics, and we do not display a cookie banner.
What we do not collect
We want to be explicit about what this site does not do:
- We do not use advertising networks, third-party ad pixels, or behavioral tracking.
- We do not use Google Analytics, Facebook Pixel, TikTok Pixel, or similar tools.
- We do not sell, rent, or trade personal data to any third party.
- We do not embed videos, social media feeds, or maps that silently load third-party scripts.
- We do not use cookies for marketing or profiling.
Third-party processors
We share your personal data only with processors strictly necessary to operate the site. Each processor is bound by a Data Processing Agreement (DPA) and has been assessed for GDPR compliance.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Hetzner | Hosting of the website and databases | All data stored on ExpatMemo (contact messages, newsletter subscriptions, server logs) | Germany (EU) |
| Cloudflare | DNS, DDoS protection, CDN | IP address, user-agent, request metadata | Global (EU edges preferred; DPA signed) |
| MailerLite | Newsletter delivery and management | Email address, subscription date, engagement metadata | EU region selected (servers in Europe) |
We do not transfer personal data outside the European Economic Area for any other purpose. If a processor changes its data handling practices, we will update this policy and notify affected users where feasible.
Data retention
We retain personal data only as long as necessary:
- Contact form messages: 24 months from the date of submission, after which they are automatically deleted unless they have been marked as part of an ongoing editorial project.
- Newsletter subscriptions: for as long as you remain subscribed. If you unsubscribe, your email is removed from the active list within 7 days. A hashed record may be kept for up to 12 months to prevent re-subscription abuse.
- Waitlist ("Notify me") submissions: until the corresponding product or checklist is delivered. Thereafter, you are offered a double opt-in transition to the newsletter; if you decline or do not confirm, your email is deleted within 30 days.
- Server logs: 14 days, then automatic deletion.
- Analytics data: aggregated and anonymised; retained for up to 24 months for trend analysis.
Your rights
Under the GDPR (EU) and UK GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure ("right to be forgotten") — request deletion of your data.
- Right to restriction of processing — request that we limit how we use your data.
- Right to data portability — request your data in a structured, commonly used format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
- Right to lodge a complaint — with a data protection authority (see next section).
To exercise any of these rights, email [email protected] with a clear description of your request. We will respond within one month (extendable by two additional months for complex requests, with notification).
We do not charge for exercising these rights, except for manifestly unfounded or excessive requests, as permitted by Article 12(5) GDPR.
Complaints and supervisory authorities
If you believe we have not handled your personal data properly, we encourage you to contact us first at [email protected] so we can address the issue directly.
You also have the right to lodge a complaint with a data protection supervisory authority:
- If you are in the EU: the authority in your country of residence, or the Sächsischer Datenschutzbeauftragter (the authority competent for our German hosting provider).
- If you are in the UK: the Information Commissioner's Office (ICO) — ico.org.uk.
Security
We apply reasonable technical and organizational measures to protect your data:
- HTTPS encryption across the entire site.
- Server-level firewall and intrusion detection.
- Passwords stored as salted hashes.
- IP addresses stored in hashed form (SHA-256 with a site-specific salt), never in plain text.
- Regular backups with encrypted storage.
- Access to the administration panel restricted to the editor and protected by strong authentication.
No online service is fully immune from incidents. In the event of a personal data breach that creates a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected users directly.
Children's privacy
ExpatMemo is aimed at adult professionals and entrepreneurs. We do not knowingly collect personal data from anyone under 16. If we discover that we have inadvertently collected data from a child, we will delete it promptly. If you believe a child has submitted personal data through our site, please email [email protected].
Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, our processors, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active newsletter subscribers by email.
Continued use of the site after changes are posted constitutes acceptance of the revised policy.
Contact
For any question, request, or complaint regarding this policy or your personal data:
Email: [email protected]
The editor aims to respond to data protection requests within 5 business days.