Privacy Policy
Last updated: 12 April 2026
This policy explains how ExpressCSV handles personal data across:
- the ExpressCSV website and docs
- the ExpressCSV application
- the embedded importer
- related support, billing, security, and operational services
Who we are
ExpressCSV is operated by William Taylor, Office 14164, 182-184 High Street North, East Ham, London, E6 2JA, United Kingdom.
For privacy questions or rights requests, email care@expresscsv.com or use the details on the Contact page.
Our role
ExpressCSV acts in different GDPR roles depending on the context:
- For account creation, authentication, billing, support, website operations, and product analytics for our own service, ExpressCSV acts as a controller.
- For customer import data processed through the importer on behalf of a customer, ExpressCSV generally acts as a processor and the customer acts as the controller.
Data we process
Depending on how you use the service, we may process:
- account details such as email address, name, team membership, and authentication records
- billing data such as subscription status, invoices, and payment-related metadata from Stripe
- support data such as chat messages and support context shared through Crisp
- technical and usage data such as IP-derived location, browser information, device information, pages viewed, and operational logs
- importer session data such as step changes, validation states, and import-session events
- customer import data submitted through the importer for upload, validation, transformation, preview, and delivery
- limited AI input data when AI-assisted importer features or docs AI chat are used
How we use data
We use personal data to:
- provide and secure the service
- authenticate users and manage teams
- bill customers and prevent abuse or fraud
- provide support and respond to requests
- understand product usage and reliability
- operate the importer, including upload, validation, mapping, transformation, and delivery workflows
- meet legal, tax, accounting, and security obligations
Importer-specific handling
ExpressCSV is designed to process customer import data for the active workflow rather than operate as a long-lived customer data warehouse.
Important details:
- imported files and row data are processed so the importer can preview, validate, transform, and deliver results
- the importer can send import results back to the embedding application controlled by the customer
- the importer can persist in-progress review data in the browser through IndexedDB when the embedding application enables session saving
- importer session events may be sent to ExpressCSV so we can operate the importer, debug issues, and measure usage for billing and reliability
Product analytics and monitoring
ExpressCSV currently uses the following telemetry and support tooling:
- PostHog for product analytics
- Sentry for error monitoring and selected replay and performance diagnostics
- Crisp for support chat
- Cal.com for demo scheduling
We have reduced telemetry payloads to avoid sending raw CSV cell values, worksheet names, file names, and raw email fallback identifiers where they are not required for service operation.
AI features
If AI-assisted features are enabled:
- importer AI features may send prompts, schema context, and limited sample values to our AI processing stack
- docs AI chat may send submitted questions to an AI provider
These flows are used to generate mapping suggestions, transformation assistance, or documentation answers. They are not intended for advertising or resale.
Legal bases for GDPR processing
Where GDPR applies, ExpressCSV generally relies on one or more of the following legal bases:
- performance of a contract
- legitimate interests in operating, securing, supporting, and improving the service
- compliance with legal obligations
- consent, where consent is specifically requested
Subprocessors and service providers
ExpressCSV uses third-party providers to run the service. The main providers currently used in the product stack include:
- Vercel for hosting and application infrastructure
- Cloudflare for traffic routing and content delivery
- Neon/Postgres infrastructure for application data storage
- Stripe for billing and payments
- PostHog for analytics
- Sentry for monitoring and diagnostics
- Crisp for support chat
- Cal.com for scheduling
- an SMTP email provider for transactional email delivery
- OpenRouter and model providers for AI-enabled features when enabled
See the dedicated Subprocessors page for a service-by-service summary.
International transfers
Some of our providers process data outside the UK or EEA. Where relevant, we rely on contractual and organizational safeguards that are appropriate for the transfer context, including standard contractual mechanisms where required.
Retention
We keep data only for as long as needed for the purpose for which it was collected, including security, contractual, billing, and legal obligations.
See the dedicated Retention page for a practical summary of the main categories and retention approach.
Data sharing
We share personal data with subprocessors and service providers only where needed to operate the service, support customers, secure the platform, process payments, send communications, or provide AI-enabled features.
We do not sell personal data. We also do not share personal information for cross-context behavioral advertising as those terms are used in California privacy law, and we do not use customer import data for third-party advertising.
California privacy notice
This section supplements the rest of this policy for California residents and describes how ExpressCSV handles personal information when acting as a business under the CCPA/CPRA.
Categories of personal information we collect
In the last 12 months, we have collected the following categories of personal information in connection with the website, app, importer, support, billing, and security operations:
| California category | Examples in the ExpressCSV service |
|---|---|
| Identifiers | name, email address, account ID, team ID, online identifiers, IP-derived request metadata |
| Customer records information | billing contact details, company details you provide, invoice and subscription metadata |
| Commercial information | subscription status, invoices, plan selections, transaction history |
| Internet or network activity | pages viewed, product usage events, error diagnostics, importer workflow events, browser and device metadata |
| Geolocation data | approximate location inferred from IP address or request metadata |
| Professional or employment information | work email, company name, role, and procurement details you choose to share |
| Inferences | limited product-preference or attribution information used to understand how the service is adopted |
| Sensitive personal information | only where necessary for account security, payment operations, fraud prevention, or other permitted business purposes, or where such data appears in customer import data that we process on behalf of customers |
Sources of personal information
We collect personal information from:
- you directly, such as when you create an account, request support, book a demo, submit a privacy request, or configure the product
- your use of the website, app, and importer
- service providers involved in billing, authentication, hosting, monitoring, support, and scheduling
- customers who use ExpressCSV as a processor and provide data for importer workflows
Business and commercial purposes
We collect and use personal information for the following purposes:
- providing, securing, maintaining, and improving the service
- authenticating users and managing teams, subscriptions, and billing
- supporting importer workflows, including validation, mapping, delivery, and reliability operations
- responding to support, procurement, legal, and privacy requests
- detecting abuse, fraud, and security incidents
- measuring service reliability and product usage through optional analytics and diagnostics
- complying with legal, tax, accounting, and contractual obligations
Disclosure to third parties
We disclose the categories of personal information listed above to service providers, contractors, and subprocessors that help us operate the service, including hosting, traffic delivery, database infrastructure, billing, analytics, monitoring, support chat, scheduling, email delivery, and AI providers when AI-enabled features are used.
See the Subprocessors page for the current provider summary.
Sale, sharing, and sensitive personal information
- We do not sell personal information.
- We do not share personal information for cross-context behavioral advertising.
- We do not offer financial incentives in exchange for personal information.
- We do not use or disclose sensitive personal information to infer characteristics about consumers. Where sensitive personal information is processed, we use it only for permitted business purposes or as part of customer import data processed on behalf of customers.
California privacy rights
California residents may have the right to:
- know the categories of personal information we collect, disclose, and use
- request access to specific pieces of personal information
- request correction of inaccurate personal information
- request deletion of personal information, subject to legal and operational exceptions
- receive a portable copy of certain personal information
- opt out of any future sale or sharing, although ExpressCSV does not currently sell or share personal information in that way
- not receive discriminatory treatment for exercising privacy rights
Retention
We keep personal information only for as long as reasonably necessary and proportionate for the purposes described in this policy. Retention depends on the data category, the feature used, contractual obligations, and legal or security requirements.
Examples:
- account and team records are kept while an account is active and for a limited period afterward where needed for support, security, dispute handling, or legal obligations
- billing and invoice records are kept for the periods required by tax, accounting, and financial reporting obligations
- support records are kept as reasonably necessary for support history, service quality, and legal protection
- analytics, monitoring, and importer operational records are kept for limited operational, debugging, abuse-prevention, and product-improvement purposes subject to internal review and vendor retention settings
See the Retention page for a practical summary of our current retention approach.
How to exercise California rights
California residents can submit requests by:
- emailing care@expresscsv.com
- using the privacy request form on the Contact page
We may ask for information needed to verify the request before acting on it. Authorized agents may also submit requests on a consumer's behalf, and we may request proof of the agent's authority and information needed to verify the consumer before completing the request.
Your rights
If you are in the UK, EEA, or another jurisdiction with similar rights, you may have the right to:
- access your personal data
- correct inaccurate data
- delete data in certain circumstances
- restrict or object to certain processing
- receive a portable copy of certain data
- withdraw consent where processing is based on consent
- complain to your local supervisory authority
If ExpressCSV acts only as a processor for customer import data, we may direct the request to the relevant customer controller or help them fulfill the request under our contractual obligations.
How to make a privacy request
You can submit privacy requests by:
- emailing care@expresscsv.com
- using the privacy request form and contact information on the Contact page
We may ask for information needed to verify the request before acting on it.