These Terms of Service ("Terms") form a legally binding agreement between you (either an individual or the entity you represent, "Customer" or "you") and Expanly Oy (Business ID 3506966-5), a company incorporated under the laws of Finland with its registered address at Siltasaarenkatu 12 A, 00530 Helsinki ("Expanly", "we", "our" or "us").
By clicking “Sign up”, creating an account, or otherwise accessing or using the Expanly platform, websites, or related services (collectively, the "Service"), you acknowledge that you have read, understood, and agree to be bound by these Terms of Service, which include and incorporate our Data Processing Agreement (see Appendix 1 below). If you do not agree, you must not use the Service.
NOTE: These Terms apply to self-service subscriptions completed online without a separately signed contract. If you have executed a master software-service agreement with Expanly, that agreement will govern to the extent of any conflict.
1. Agreement to the Terms
By accessing or using the Service, clicking “Sign up” or executing an Order referencing these Terms, you agree to be bound by this Agreement (defined below). If you are entering into this Agreement on behalf of a company or other legal entity, you represent that you have authority to bind that entity; "Customer", "you" and "your" refer to that entity. If you do not agree, do not access or use the Service.
2. Definitions
“Agreement” means these Terms of Service together with any Order and any policies referenced herein.
“Advertising Platform” means Google, Meta, Amazon, TikTok, or any other advertising platform where Customer uses the Service.
“Customer Content” means data, materials, code, files, and information Customer (including Users) uploads to or generates in the Service.
“Deliverables” means Customer-facing outputs provided by Expanly (e.g., reports, dashboards as content, and data exports). Deliverables exclude the Service, underlying models, methodologies, and other technology.
“Fees” means all amounts payable by Customer for the Service, as specified in an Order or at checkout.
“Integration” means a configured connection between the Service and an external data source or destination (e.g., Shopify, PIM, Google Analytics, or an Advertising Platform). Each Integration is counted individually for service limits and fees.
“Model” means a predefined template within the Service that generates a scoring model used to perform calculations on Customer’s product data.
“Order” means (a) an online subscription selection, or (b) a written ordering document signed by both parties, identifying the subscription plan, Fees, and any additional terms.
“SKU” means a Stock Keeping Unit, a unique identifier for a product variant (e.g., colour/size) that the Service uses to match, score, and report product-level data.
“Service” means Expanly’s proprietary software-as-a-service marketing-performance platform and related services.
“Subscription Term” has the meaning set out in Section 14.1.
“Usage Data” means data generated from operation of the Service (e.g., log data, performance metrics, and analytics).
“User” means anyone authorised by Customer to access the Service.
“User Credentials” means credentials (e.g., passwords, tokens) used to access the Service.
3. Account Registration & Eligibility
3.1 Account Registration. Customer must provide accurate information when creating an account and keep such information current. Customer is responsible for Users’ compliance with this Agreement. Customer is responsible for maintaining the confidentiality and security of all its User Credentials and for all activities that occur under such User Credentials. Customer agrees to notify Expanly immediately of any unauthorized use of its account or credentials or any other breach of security. Customer is responsible for obtaining and maintaining, at its own expense, all hardware, software, and internet connections necessary to access and use the Service, and for ensuring that such systems meet any minimum system requirements specified by Expanly. Without incurring any liability, Expanly may at any time block the use of any User Credentials if it has reasonable grounds to believe that the Service is used in violation of these Terms.
3.2 Third-Party Users. Customer remains responsible for all use of the Service by third parties acting on Customer’s behalf (including agencies and consultants). Customer shall ensure such third parties are bound by written confidentiality and use restrictions no less protective than this Agreement. Customer shall not permit access to any direct competitor of Expanly without Expanly’s prior written consent. Customer is liable for any breach of this Agreement by such third parties as if committed by Customer.
4. License & Acceptable Use
4.1 License grant. Expanly grants Customer a non-exclusive, non-transferable, non-sublicensable right for Users to access and use the Service during the Subscription Term, solely for Customer’s internal business purposes and in accordance with the Order and this Agreement.
4.2 Restrictions. Customer will not (and will not permit anyone else to): (a) reverse engineer or decompile the Service or otherwise attempt to discover the source code or underlying ideas of the Service; (b) copy, frame, or mirror any part of the Service other than copying or framing on Customer’s own intranets for internal purposes; (c) access the Service to build a competitive product; (d) remove proprietary notices; or (e) use the Service in violation of law or any third-party right.
5. Customer Content; Aggregated & Anonymised Data; Outputs
5.1 Ownership. Customer retains all right, title, and interest in Customer Content. Expanly will process Customer Content solely to provide, maintain, and support the Service in accordance with this Agreement and applicable law.
5.2 Aggregated/Anonymised Use. Expanly may process and analyse data derived from Customer’s use of the Service in aggregated and anonymised form to improve its services (e.g., develop new features or models) and to produce industry insights or benchmarks. Any such data shall be anonymised using GDPR-compliant methodologies so that no individual or Customer can be identified. Expanly will not disclose Customer-identifiable data to third parties without Customer’s explicit written consent.
5.3 Outputs & IP. Data which the Customer enters into and which is processed through the Service remains Customer’s property. Expanly’s software, models, scoring methodologies, feature engineering, algorithms, and other underlying technology (including improvements and derivatives) relating to the Service (including but not limited to its source code) remain Expanly’s exclusive property. Subject to the terms and conditions of this Agreement and for the duration of the Subscription Term, Customer is granted a non-exclusive, non-transferable, non-sublicensable licence to use algorithmic outputs (including scores and classifications) generated by the Service solely for Customer’s internal business purposes.
5.4 Security. Expanly will implement industry-standard administrative, physical, and technical safeguards designed to protect the security, integrity, and confidentiality of Customer Content.
5.5 Permission During Beta Phase. While the Service is in its beta phase, Customer grants Expanly permission to create, edit and delete models, integrations, data-mappings, attributes, weights, scores, buckets and insights, and to skip processing of invalid product data rows, on behalf of the Customer. This permission shall be valid until the beta phase of the Service is completed.
6. Fees, Billing & Payment
6.1 Fees & Billing. Fees and billing frequency are specified in the applicable Order or on the pricing page. Unless otherwise stated: (a) amounts are in euros; (b) taxes, duties, and bank charges are excluded from the Fees and are Customer’s responsibility; (c) recurring Fees are billed in advance and payable on receipt or 14 days net from the invoice date where invoicing is authorised; and (d) a one-time onboarding fee may be invoiced upon signature or activation, as specified in the Order.
6.2 Plan Allowances. For the Subscription Term, Customer’s subscription includes the plan-specific allowances stated in the Order (e.g., Models, Integrations, SKUs, Reporting, Support). If Customer exceeds an allowance in any calendar month, excess units will be charged at Expanly’s then-current list price published on Expanly’s website. Excess charges appear on the next invoice. Customer may request higher allowances at any time; unless otherwise agreed in writing, new allowances and corresponding fees take effect on the first day of the month following the request.
6.3 Professional Services. Work requested by Customer after completion of onboarding that falls outside the standard subscription scope (including implementing additional models, adding new integrations, or performing new data-mapping) will be performed at €160/hour (plus VAT) and invoiced monthly in arrears.
6.4 Disputed Invoices. If Customer disputes an invoice, Customer must notify Expanly in writing within fourteen (14) days of receipt of the invoice in question. During dispute resolution, Customer remains responsible for any undisputed portion.
6.5 Late Payment & Suspension. If payment is delayed, late-payment interest accrues in accordance with the Finnish Interest Act (633/1982). If payment is more than thirty (30) days overdue, Expanly may suspend access to the Service until full payment (including interest) is received.
6.6 Pricing Changes. Expanly may adjust pricing with at least sixty (60) days’ written notice. If Customer does not accept the new pricing, Customer may (a) switch to a different pricing plan offered by Expanly, if available; or (b) terminate the Agreement with sixty (60) days’ notice, in each case effective at the end of the then-current billing period.
7. Delivery, Service Availability, Maintenance & Changes
7.1 Delivery & Implementation. Expanly will use commercially reasonable endeavors to ensure the Service is implemented in the best possible way for Customer’s use. Customer is responsible for integrating the Service into its advertising environment and ensuring compatibility with its systems. Expanly will provide reasonable support to facilitate integration. If additional onboarding or customisation services are required, the parties may agree a separate implementation plan and associated fees in writing. Delivery is deemed complete once the Service has been deployed and connected to an Advertising Platform, after which applicable fees may be charged.
7.2 Availability & Maintenance. Expanly will take reasonable measures to ensure that the Service remains available without interruptions, except for maintenance work and circumstances beyond Expanly’s control. Expanly will use commercially reasonable endeavors to minimize any potential service interruptions and their duration. Expanly has the right to temporarily suspend the Service during weekdays (Monday to Friday) between 18:00 and 08:00 local time in Helsinki (EET/EEST), as well as at any time on Saturdays, Sundays, and public holidays, if necessary for installation, modification, or maintenance, and if such work cannot reasonably be carried out without temporarily suspending the Service. If Expanly suspends the Service for such reasons, it must: (a) Notify the Customer in advance about the suspension and its expected duration; and (b) Strive to minimize the inconvenience caused by the suspension.
7.3 Changes to the Service. Expanly may improve or modify the Service. If Expanly makes a change that negatively affects the Service provided to Customer, Expanly will notify Customer in writing at least sixty (60) days before the change takes effect (or as soon as reasonably possible if earlier notice is not feasible). Expanly may replace the Service with a new version or replacement software, provided the replacement meets the essential functionality, performance, and feature criteria agreed in writing by the parties.
7.4 Temporary Suspension. Expanly may suspend or limit the Service: (a) to address a cybersecurity or system-integrity threat; (b) due to installation, modification, or maintenance of public communication networks; (c) if required by law or regulatory authorities; (d) for non-payment; or (e) if Customer’s use burdens or endangers the Service for other users. Expanly will use commercially reasonable efforts to notify Customer in advance of any such suspension, or otherwise promptly after becoming aware, and will use commercially reasonable endeavors to minimise the duration and impact of such suspension.
8. Confidentiality
8.1 Definition. "Confidential Information" means non-public information disclosed by either party that is marked or should reasonably be considered confidential, including without limitation pricing, business plans, technology, and Customer Content.
8.2 Protection. Each party will use the same degree of care it uses to protect its own confidential information (but at least reasonable care) to protect the other party’s Confidential Information, and will not use or disclose such information except as permitted by this Agreement.
8.3 Exclusions & compelled disclosure. Confidential Information does not include information that: (a) is or becomes public through no fault of the recipient; (b) was known to the recipient without confidentiality obligations before receipt; (c) is received from a third party without breach; or (d) is independently developed. A party may disclose Confidential Information when required by law, after giving reasonable notice and cooperating to seek confidential treatment.
9. Publicity & Marketing Rights
Expanly may list Customer’s name, display Customer’s logo (in accordance with Customer’s brand guidelines), and make a factual statement that Customer uses the Service in marketing materials, on Expanly’s website, in press releases, and on social media, without separate consent once this Agreement is in effect. For any press release, Customer will have an opportunity to review the text for accuracy and brand-guideline compliance before publication. Any public quote or case study containing qualitative claims, performance metrics, or campaign-specific details requires Customer’s prior written approval. Upon Customer’s written request, Expanly will cease use of Customer’s name and logo within ten (10) business days. Customer grants Expanly a limited, revocable, non-exclusive, royalty-free licence to use its name and logo for the foregoing purposes.
10. Intellectual Property & Feedback
Except for the limited rights expressly granted here, Expanly and its licensors retain all rights, title, and interest in and to the Service, including all related intellectual property rights. This includes any and all generalized improvements, new features or functionalities, models, algorithms, or other developments in the Service derived from or developed as a result of processing Customer Content or Usage Data, provided that such developments do not identify the Customer or any individual, nor incorporate Customer Confidential Information in its identifiable form. Customer retains all rights in its Customer Content as specified in Section 5.1. If Customer provides suggestions or feedback, such feedback shall become Expanly’s property and Expanly may use them without restriction or obligation.
11. Warranties & Disclaimers
11.1 Performance warranty. Expanly warrants that, during the Subscription Term, the Service will materially conform to this Agreement and the applicable Order (subject to any changes made in accordance with Section 7.3). Customer’s sole and exclusive remedy for breach of this warranty is for Expanly to use reasonable efforts to correct the non-conformity.
11.2 Disclaimers. Except as expressly provided, the Service is provided “as is” and “as available,” without warranties of any kind, whether express, implied or statutory, including merchantability, fitness for a particular purpose, and non-infringement. Expanly does not warrant that the Service will be uninterrupted, error-free, or that results obtained from its use will be accurate or reliable.
12. Indemnities
12.1 Expanly indemnity. Expanly will, at its own expense, defend Customer against any third-party claim alleging that the Service infringes a valid patent, copyright, or trademark, and will pay any damages and costs finally awarded against Customer in a competent court (or agreed in a settlement approved by Expanly), provided that Customer promptly notifies Expanly of the claim, provides reasonable cooperation, and grants Expanly sole control over the defense and settlement. This indemnity will not apply to claims resulting from (i) modification of the Service by the Customer or a third party on the Customer’s behalf, (ii) use of the Service in combination with items not provided or authorized by Expanly, or (iii) Customer’s breach of this Agreement. If such a claim arises, Expanly may, at its option and expense, modify or replace the Service to avoid infringement, or terminate the Agreement and refund Customer any unused, prepaid Fees, without further liability.
12.2 Customer indemnity. Customer will defend Expanly against claims arising from (a) Customer Content, including allegations it infringes third-party rights or violates law; (b) Customer’s breach of Section 4; or (c) use of the Service in violation of law, and will pay resulting damages and costs.
13. Limitation of Liability
13.1 Cap. Expanly’s aggregate liability arising out of or related to this Agreement will not exceed the fees paid by Customer to Expanly in the six (6) months immediately preceding the first event giving rise to liability.
13.2 Exclusion of consequential damages. In no event will either party be liable for indirect, incidental, special, consequential or punitive damages, or loss of profits, revenue, data, or business, even if advised of the possibility.
13.3 Exceptions. The limitations above do not apply to (i) a party’s indemnification obligations in Section 12; (ii) a party’s breach of confidentiality; (iii) a party’s wilful misconduct or fraud; or (iv) Customer’s payment obligations.
14. Term & Termination
14.1 Term & Auto-Renewal. The Agreement begins on the date of the Order and continues for the initial term stated in the Order (the “Subscription Term”). The Subscription Term is renewed automatically for successive terms of equal length unless either party gives written notice of non-renewal at least sixty (60) days before the end of the then-current Subscription Term. If the Parties have signed a separate fixed-term contract by which you commit to using the Service for a fixed contract period, then the Parties’ right to terminate the Agreement shall be controlled by the terms of that separate contract.
14.2 Termination for cause. Either party may terminate the Agreement with written notice to the other party (a) if the other party materially breaches the Agreement and fails to cure such breach within 30 days of receiving a notice of such breach from the non-breaching party, or (b) immediately if the other party becomes insolvent or enters bankruptcy.
14.3 Termination without cause. The Customer may terminate the Agreement at any time to switch service provider in accordance with Section 15.1 (Switching service provider) with two (2) months’ written notice. The termination shall be deemed to have taken effect upon the earlier of (i) the successful completion of the service provider switching process; or (ii) upon the end of the two-month notice period related to this Section 14.3.
14.4 Effect of Termination. Upon termination, Customer’s licence immediately ends, and Customer must cease use of the Service. Data return and deletion will be handled as set out in Section 15 (Data Return & Deletion), including the 30-day retrieval window and deletion within 90 days, subject to any legally required or operationally justified retention described therein. If the Customer terminates this Agreement before the end of a fixed contract period for reasons other than a material breach by Expanly, the Customer shall remain liable for all Fees due for the remainder of the fixed contract period. Expanly shall be entitled to invoice such remaining Fees upon termination. In the event of termination by the Customer pursuant to Section 14.3, Expanly will have no obligation to refund or return any prepaid Fees.
14.5 Downgrades. Downgrades that reduce subscribed quantities or features (including limiting the number of users, accounts, or products) require sixty (60) days’ prior written notice and take effect at the next renewal date.
15. Switching, Data Return & Deletion
15.1 Switching service provider. If the Customer has notified Expanly that its termination is due to switching to an alternative data processing service provider, Expanly shall for thirty (30) days after the termination of the Agreement: (i) provide reasonable assistance to you and, where applicable, to any authorized third party designated by you, to enable effective switching; (ii) reasonably support your exit strategy by making available the necessary information relating to the porting of Customer Data and Usage Data; (iii) act with due care and in good faith to preserve your business continuity and minimize service disruption; and (iv) maintain a high level of data security in accordance with applicable laws. Expanly shall not be liable for the continued integrity, usability, or suitability of the Customer Data and Usage Data after the completion of the service provider switching, nor for their subsequent implementation by the Customer or any third party.
15.2 Retrieval Period. During the notice period set out in Section 14 and for thirty (30) days after the termination of the Agreement has taken effect, Customer may export Customer Content and Usage Data using available self-service tools at no charge. Upon request within this period, Expanly will provide a copy of Customer Content and Usage Data in a commonly-used format; Expanly may charge a reasonable administrative fee for such assistance as set out in the then current price list of Expanly.
15.2 Deletion. Within ninety (90) days after termination, Expanly will delete Customer Content from production systems, except where retention is required by applicable law or regulatory obligations, or for legitimate operational purposes such as legal archiving, dispute resolution, or system-integrity analysis.
16. Data Protection
For any Personal Data processed in connection with provision of the Service, Customer acts as the controller and Expanly acts as the processor (each as defined in the GDPR). Expanly will process Personal Data only on documented instructions from Customer and solely to provide the Service and related support, and will implement appropriate technical and organisational measures to protect Personal Data. The parties will enter into a Data Processing Agreement (DPA) if required by law. Customer is responsible for ensuring Customer Content complies with applicable law. Expanly is not liable for Customer’s failure to meet its data protection obligations.
17. Use of Subcontractors
Expanly may use subcontractors or other third-party providers to perform its obligations under this Agreement, including the provision of the Service or parts thereof. Expanly will remain responsible for the performance of its subcontractors and their compliance with Expanly's obligations under this Agreement.
18. Force Majeure
Neither party shall be liable for any failure or delay in performing its obligations hereunder (other than payment obligations) if such failure or delay is caused by a Force Majeure Event. A "Force Majeure Event" means any event beyond a party's reasonable control, which by its nature could not have been foreseen, or, if it could have been foreseen, was unavoidable, including without limitation strikes, lock-outs or other industrial disputes (whether involving its own workforce or a third party's), failure of energy sources or transport network, war, terrorism, riot, civil commotion, interference by civil or military authorities, national or regional calamity, armed conflict, malicious damage, breakdown of plant or machinery, nuclear, chemical or biological contamination, sonic boom, explosions, collapse of building structures, fires, floods, storms, earthquakes, loss at sea, epidemics or similar events, natural disasters or extreme adverse weather conditions, or default of suppliers or subcontractors due to any such event. The affected party will notify the other party of the Force Majeure Event and its expected duration as soon as reasonably practicable and will use reasonable efforts to mitigate the effects of the Force Majeure Event.
Force Majeure does not apply to payment obligations already due or owed, nor to events arising from a party’s internal business decisions or labour strikes affecting only that party’s workforce.
19. Modifications to the Terms
Expanly may update these Terms from time to time, and the most current version of the Terms will be posted on Expanly’s website. Updated Terms become effective sixty (60) days after posting or notice to Customer. If the change materially diminishes Customer’s rights, Customer may object before the effective date, in which case the parties will seek a mutually acceptable resolution. If no agreement is reached, Customer may terminate the Agreement for convenience with sixty (60) days’ notice, and Expanly will refund any unused prepaid Fees for the terminated portion of the Subscription Term.
20. Compliance, Export & Notices
Customer will comply with all applicable laws, including without limitation export control, sanctions, and anti-bribery laws. The Service is controlled and operated from facilities in the European Union and may be subject to EU export laws.
All notices under this Agreement must be delivered via email. Unless otherwise specified in the Order, the notice details are:
For Expanly: contact@expanly.com
For Customer: the email address specified in the Order.
A notice is deemed received when sent, provided the sender has not received a bounce-back or similar delivery failure.
21. Governing Law & Dispute Resolution
This Agreement is governed by the laws of Finland, excluding its conflict-of-laws rules and the Finnish Sale of Goods Act (355/1987, as amended). Any dispute arising out of or related to this Agreement shall first be referred to a senior representative of each party for good-faith negotiation within thirty (30) days of notification of the dispute. If no resolution is reached, the dispute shall be escalated to mediation conducted under the Finland Chamber of Commerce Mediation Rules. Only if mediation fails shall the dispute be resolved through arbitration in Helsinki in accordance with the Arbitration Rules of the Finland Chamber of Commerce by one arbitrator. The arbitral decision shall be final and binding.
22. Miscellaneous
The parties are independent contractors. Neither party may assign this Agreement without the other party’s prior written consent, except that Expanly may assign to an affiliate or to a third party in connection with a merger, acquisition or sale of assets. If any provision of the Agreement is held unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will remain in effect. This Agreement constitutes the entire agreement between the parties relating to its subject matter and supersedes all prior or contemporaneous agreements, proposals, or communications.
Questions? Contact us at contact@expanly.com
© Expanly Oy 2025. All rights reserved.
Appendix 1
Data Processing Agreement
1. Parties and Roles
1.1. This Data Processing Agreement ("DPA") forms an appendix to and is an integral part of the Terms of Service ("TOS" or "Principal Agreement") entered into between you, the user of our Services (the "Customer," also referred to as "you" or "User" in the TOS, hereinafter referred to as the "Controller" for the purposes of this DPA), and Expanly, a limited liability company with its principal place of business at Siltasaarenkatu 12 A, 00530 Helsinki (hereinafter referred to as "Expanly," "we," "us," "our," or the "Processor" for the purposes of this DPA).
1.2. The terms of this DPA shall govern the processing of Personal Data by Expanly as the Processor on behalf of the Customer as Controller in connection with the provision of the Services outlined in the TOS. This DPA shall form an integral part of the Main Agreement, meaning that applicable parts of the Principal Agreement (including its provisions on governing law and dispute resolution) shall apply also to this DPA. However, the terms of this DPA shall prevail over any conflicting terms in the Principal Agreement regarding the Processing of Personal Data.
1.3. Definitions: "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.
* "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
* "Services" means the services to be provided by the Processor to the Controller as defined in the Principal Agreement.
* "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Processor.
2. Subject Matter, Duration, Nature, and Purpose of Processing
2.1. Subject Matter: The subject matter of the Processing is the Personal Data provided or made available by the Controller to the Processor for the provision of the Services.
2.2. Duration: The duration of the Processing shall be for the term of the Principal Agreement and as long as the Processor Processes Personal Data on behalf of the Controller, unless terminated earlier in accordance with this DPA or the Principal Agreement, or as required by applicable law.
2.3. Nature of Processing: The nature of the Processing includes collection, storage, analysis and transmission of Personal Data as necessary to provide the Services.
2.4. Purpose of Processing: The purpose of the Processing is to enable the Controller to utilize the Services, which includes, but is not limited to:
* Analyzing marketing campaign performance
* Generating insights and recommendations for advertising and promotional strategies
* Evaluating customer engagement and conversion data
* Identifying high-performing products or audiences
* Assisting with segmentation and targeting decisions
* Enabling the use of machine learning models for predictive marketing analytics
* Integrating business data (such as profit margins, inventory levels, seasonality, and ERP information) to align advertising campaigns with the Controller's business objectives.
* Automating the execution of custom business rules across advertising platforms, thereby reducing manual intervention and potential errors.
* Enabling proactive optimization by automatically adapting to changes in stock levels, margins, seasonality, and competitor actions in real-time.
* Driving predictable and profitable growth by building a scalable, data-driven advertising engine aligned with the Controller's bottom line.
All processing activities will be conducted in accordance with the Controller's documented instructions and solely for the purposes outlined above, ensuring alignment with the Controller's legitimate interests in optimizing advertising performance and return on investment.
3. Types of Personal Data and Categories of Data Subjects
3.1. Types of Personal Data: The types of Personal Data Processed may include:
Customer and User Identifiers: Names (first and last), Email addresses, User/customer IDs, IP addresses, Device identifiers.
Contact and Profile Information: Phone numbers, Geographic location (e.g., shipping or billing addresses, city, country).
Behavioral and Usage Data: Website and app usage data (page views, clicks, session duration, bounce rates), Product interaction data (e.g., views, carts, purchases, returns), Ad interaction data (e.g., impressions, clicks, conversions, attribution paths).
Marketing and Advertising Data: Engagement data with email campaigns or ads, Custom audiences or segments, Preferences or inferred interests (e.g., based on behavior or segmentation rules).
Technical and System Data: Browser type and version, Operating system and platform, Timestamped logs and diagnostics.
Expanly does not process sensitive personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless explicitly instructed and authorized by the Controller in compliance with applicable law.
3.2. Categories of Data Subjects: The categories of Data Subjects whose Personal Data may be Processed include:
Customers and Prospective Customers of the Controller: Individuals who have interacted with the Controller’s website, ecommerce platform, or marketing campaigns (e.g., site visitors, leads, and purchasers).
End-users of the Controller’s Services: Individuals who use or interact with the Controller’s digital properties (e.g., web or app users whose behavior and engagement data is collected for marketing and optimization purposes).
Employees or Marketing Team Members of the Controller: Individuals whose data may be processed to enable account access, user activity tracking, or to execute rule-based ad automation set by team members (e.g., email addresses, usernames, audit logs).
Audience Segments or Third-party Leads: Individuals included in custom audience segments or remarketing lists managed through advertising platforms, provided by or on behalf of the Controller.
4. Obligations of the Processor
4.1. Instructions: The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or EU Member State law applicable to the Processor. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are initially set out in this DPA and the Principal Agreement. The Controller may provide further instructions during the term of this DPA.
4.2. Confidentiality: The Processor shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Security of Processing: Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
* (a) the pseudonymization and encryption of Personal Data;
* (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
* (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
* (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
4.4. Sub-processing:
* (a) A current list of Sub-processors is available in Annex 1 to this DPA and may be updated from time to time.
* (b) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes within 30 days. If the Controller does not accept the intended change, the Controller may terminate the part of the Principal Agreement to which the sub-processing would relate, with 30 days’ prior written notice.
* (c) Where the Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR.
* (d) The Processor shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.
4.5. Data Subject Rights: Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR (e.g., right of access, rectification, erasure, restriction of processing, data portability, objection). The Processor shall promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data, and shall not respond to that request except on the documented instructions of the Controller or as required by applicable laws to which the Processor is subject, in which case the Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before the Processor responds to the request.
4.6. Assistance to the Controller: The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of processing, Notification of a personal data breach to the supervisory authority, Communication of a personal data breach to the data subject, Data protection impact assessment, and Prior consultation), taking into account the nature of Processing and the information available to the Processor. This includes:
* (a) Notifying the Controller without undue delay after becoming aware of a Personal Data Breach. Such notification shall, as a minimum:
  * (i) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  * (ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  * (iii) describe the likely consequences of the Personal Data Breach;
  * (iv) describe the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
* (b) Providing reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by Articles 35 or 36 of the GDPR, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
4.7. Return or Deletion of Personal Data: At the choice of the Controller, the Processor shall delete or return all the Personal Data to the Controller after the end of the provision of Services relating to Processing, and shall delete existing copies unless Union or Member State law requires storage of the Personal Data. The Processor shall certify to the Controller that it has done so upon request.
4.8. Audits and Inspections: The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits shall be conducted no more than once annually, with 30 days’ prior written notice, and each party shall bear its own costs. Where possible, the Controller agrees to exercise its audit rights by requesting and reviewing Expanly’s third-party audit reports and certifications before initiating any on-site audit. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
5. Obligations of the Controller
5.1. The Controller warrants that it has complied, and will continue to comply, with all applicable data protection laws, including the GDPR, in respect to its Processing of Personal Data and any Processing instructions it issues to the Processor.
5.2. The Controller shall ensure that it has a lawful basis for the Processing of Personal Data by the Processor in accordance with this DPA.
5.3. The Controller shall be responsible for providing all necessary privacy notices to Data Subjects and, where required, obtaining any necessary consents from Data Subjects for the Processing of their Personal Data by the Processor.
5.4. The Controller is responsible for ensuring that the Processor is informed of all issues (including but not limited to risk assessment and the inclusion of special categories of Personal Data) related to the Personal Data provided by the Controller which affect the technical and organizational measures employed under this DPA.
6. International Transfers of Personal Data
6.1. Any transfer of Personal Data to a third country or an international organization by the Processor shall only occur on the basis of documented instructions from the Controller and shall comply with Chapter V of the GDPR.
6.2. Where Personal Data is transferred from the European Economic Area (EEA) to a country outside the EEA that is not recognized by the European Commission as providing an adequate level of data protection, the Parties agree to implement appropriate safeguards as required by the GDPR, such as the Standard Contractual Clauses (SCCs) as approved by the European Commission. The Parties agree to execute any further documentation necessary to give effect to such safeguards.
7. Liability and Indemnity
7.1. The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.
7.2. The Processor shall be liable for the damage caused by Processing only where it has not complied with obligations of the GDPR specifically directed to Processors or where it has acted outside or contrary to lawful instructions of the Controller.
7.3. The Controller shall be liable for the damage caused by Processing where it has not complied with its obligations under the GDPR.
7.4. Any indemnification obligations related to data protection are set out in the Principal Agreement.
8. Term and Termination
8.1. This DPA is effective as of Customer’s acceptance of the Terms of Service or execution of an Order referencing the Terms of Service, and remains in effect while the Processor Processes Personal Data on behalf of the Controller under the Principal Agreement.
8.2. Termination of this DPA shall not affect any rights or obligations of the Parties which have accrued prior to termination.
8.3. The provisions of this DPA which by their nature are intended to survive termination (including, without limitation, obligations regarding confidentiality, return or deletion of data, and liability) shall remain in effect.
9. Governing Law and Jurisdiction
9.1. This DPA is governed by the laws of Finland.
9.2. Disputes under this DPA shall follow the dispute-resolution process in Section 21 (Governing Law & Dispute Resolution) of the Terms of Service (negotiation → mediation under the Finland Chamber of Commerce Mediation Rules → arbitration seated in Helsinki). The arbitral decision shall be final and binding.
10. Miscellaneous
10.1. Notices: Any notices required or permitted to be given under this DPA shall be in writing and shall be delivered to the contact details provided by the Parties during account registration or as otherwise specified in the Principal Agreement (TOS), or to such other address as may be designated by a Party in writing.
10.2. Severability: If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other provisions shall remain in force.
10.3. Entire Agreement: This DPA, together with the Principal Agreement and any Annexes, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter.
10.4. Amendments: No amendment or modification of this DPA shall be effective unless it is in writing and signed by authorized representatives of both Parties.
© Expanly Oy 2025. All rights reserved.
Annex 1: Sub-processors
Expanly uses the following Sub-processors to provide the Services. This list may be updated from time to time in accordance with the terms of this DPA.
Google Cloud Platform (EU/EEA regions) - hosting, storage, networking, logging, monitoring.
Firebase Authentication (Google LLC, United States) - user authentication (emails & credentials, hashed & encrypted). Subject to EU SCCs and supplementary measures under Google’s Cloud Data Processing Addendum.