Legal

Privacy Policy

Last updated: 7 July 2026  ·  Exantur

This policy explains how Exantur collects, uses, and protects your personal data. We process data in compliance with the General Data Protection Regulation (GDPR) and applicable Dutch law. Our processing is limited to what is necessary to provide the service.

1. Who we are

Exantur is a professional coaching practice management platform operated from the Netherlands. Exantur acts as the data controller for the personal data of coaches, organization administrators, and coachees registered on the platform.

For questions about this policy or your personal data, contact us at: privacy@exantur.com

2. What personal data we process

Depending on how you use Exantur, we process the following categories of personal data:

CategoryExamplesWho it applies to
Account dataName, email address, password hashAll users
Profile dataDisplay name, profile photo, roleAll users
Coaching relationship dataSession notes, program details, goal descriptions, accountability itemsCoaches and coachees
Check-in responsesAnswers to reflection questions submitted between sessionsCoachees
Assessment resultsDISC profile data, Wheel of Life scoresCoachees
DocumentsFiles uploaded by coaches or coachees to the platformCoaches and coachees
Usage dataLog data, IP address, browser type, pages visitedAll users
Billing dataSubscription status, billing address, last 4 digits of card (Stripe-managed)Subscribers

Coaching session notes may contain sensitive personal data about coachees (health, personal circumstances, behavioral patterns). Coaches are responsible for limiting what they record to what is professionally necessary.

3. How we use your data and our legal basis

PurposeLegal basis (GDPR Art. 6)
Providing the Exantur platform and its featuresContract (Art. 6(1)(b))
Account authentication and securityContract (Art. 6(1)(b))
Sending transactional emails (invitations, password reset, billing)Contract (Art. 6(1)(b))
Complying with legal obligations (tax records, legal holds)Legal obligation (Art. 6(1)(c))
Preventing fraud and abuseLegitimate interests (Art. 6(1)(f))
Improving and troubleshooting the serviceLegitimate interests (Art. 6(1)(f))

We do not use your data for advertising, profiling for marketing purposes, or sell it to third parties.

4. AI features

Exantur includes optional AI features for coaches (session summaries, reflection questions, coaching dossiers). These features are opt-in and are not activated unless a coach explicitly requests AI assistance for a specific task.

When AI features are used, relevant coaching relationship context (session notes, goals, check-in responses) is sent to Anthropic's API to generate responses. This data is processed by Anthropic as a data processor under a data processing agreement. Anthropic does not use this data to train its models. Coaches choose whether to use AI features; coachees whose data would be included are informed of this in their organization's terms of use.

5. Data storage and security

All personal data is stored in the European Union. Our infrastructure is hosted on Supabase, which operates data centers in the EU (Frankfurt). Data is encrypted in transit (TLS) and at rest.

Access controls are enforced at the database layer using row-level security (RLS). A user cannot access data they are not explicitly authorized to see, regardless of how that access is attempted. Coach-private notes are never accessible to coachees. Organization data is isolated at the organization level.

Multi-factor authentication (MFA) is available to all users and required by default for organization administrators.

6. Data retention

We retain your personal data for as long as your account is active and for a reasonable period afterward to comply with legal obligations.

7. Third-party processors

We share data with the following sub-processors, all of which are bound by appropriate data processing agreements:

ProcessorPurposeLocation
SupabaseDatabase and authentication infrastructureEU (Frankfurt)
StripePayment processing and subscription managementEU / US (standard contractual clauses)
Brevo (Sendinblue)Transactional email deliveryEU (France)
AnthropicAI feature processing (opt-in only)US (standard contractual clauses)
CloudflareCDN, DDoS protection, web application firewallEU edge nodes

8. Your rights under GDPR

As a data subject, you have the following rights:

To exercise any of these rights, contact us at privacy@exantur.com. We will respond within 30 days. Data export and deletion can also be initiated directly from within the platform.

If you believe your rights have not been respected, you have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

9. Cookies

Exantur uses only functional cookies necessary to operate the service (authentication session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under GDPR.

10. Coachee data and coach responsibilities

Coaching session notes, goals, check-ins, and assessment results are entered by coaches and contain personal data about coachees. For this data, the coach's organization acts as the data controller and Exantur acts as a data processor. Organizations that require a Data Processing Agreement (DPA) for GDPR compliance can request one at privacy@exantur.com.

Coaches are responsible for informing coachees that their coaching data is stored in Exantur and for obtaining any consent required by their own professional obligations.

11. Changes to this policy

We may update this privacy policy to reflect changes to our practices or for legal reasons. When we make material changes, we will notify active users by email. The date at the top of this page reflects when the policy was last updated.

12. Contact

For privacy questions, data subject requests, or DPA requests:
privacy@exantur.com