Privacy Policy
This policy explains how Exantur collects, uses, and protects your personal data. We process data in compliance with the General Data Protection Regulation (GDPR) and applicable Dutch law. Our processing is limited to what is necessary to provide the service.
1. Who we are
Exantur is a professional coaching practice management platform operated from the Netherlands. Exantur acts as the data controller for the personal data of coaches, organization administrators, and coachees registered on the platform.
For questions about this policy or your personal data, contact us at: privacy@exantur.com
2. What personal data we process
Depending on how you use Exantur, we process the following categories of personal data:
| Category | Examples | Who it applies to |
|---|---|---|
| Account data | Name, email address, password hash | All users |
| Profile data | Display name, profile photo, role | All users |
| Coaching relationship data | Session notes, program details, goal descriptions, accountability items | Coaches and coachees |
| Check-in responses | Answers to reflection questions submitted between sessions | Coachees |
| Assessment results | DISC profile data, Wheel of Life scores | Coachees |
| Documents | Files uploaded by coaches or coachees to the platform | Coaches and coachees |
| Usage data | Log data, IP address, browser type, pages visited | All users |
| Billing data | Subscription status, billing address, last 4 digits of card (Stripe-managed) | Subscribers |
Coaching session notes may contain sensitive personal data about coachees (health, personal circumstances, behavioral patterns). Coaches are responsible for limiting what they record to what is professionally necessary.
3. How we use your data and our legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Exantur platform and its features | Contract (Art. 6(1)(b)) |
| Account authentication and security | Contract (Art. 6(1)(b)) |
| Sending transactional emails (invitations, password reset, billing) | Contract (Art. 6(1)(b)) |
| Complying with legal obligations (tax records, legal holds) | Legal obligation (Art. 6(1)(c)) |
| Preventing fraud and abuse | Legitimate interests (Art. 6(1)(f)) |
| Improving and troubleshooting the service | Legitimate interests (Art. 6(1)(f)) |
We do not use your data for advertising, profiling for marketing purposes, or sell it to third parties.
4. AI features
Exantur includes optional AI features for coaches (session summaries, reflection questions, coaching dossiers). These features are opt-in and are not activated unless a coach explicitly requests AI assistance for a specific task.
When AI features are used, relevant coaching relationship context (session notes, goals, check-in responses) is sent to Anthropic's API to generate responses. This data is processed by Anthropic as a data processor under a data processing agreement. Anthropic does not use this data to train its models. Coaches choose whether to use AI features; coachees whose data would be included are informed of this in their organization's terms of use.
5. Data storage and security
All personal data is stored in the European Union. Our infrastructure is hosted on Supabase, which operates data centers in the EU (Frankfurt). Data is encrypted in transit (TLS) and at rest.
Access controls are enforced at the database layer using row-level security (RLS). A user cannot access data they are not explicitly authorized to see, regardless of how that access is attempted. Coach-private notes are never accessible to coachees. Organization data is isolated at the organization level.
Multi-factor authentication (MFA) is available to all users and required by default for organization administrators.
6. Data retention
We retain your personal data for as long as your account is active and for a reasonable period afterward to comply with legal obligations.
- Active accounts: data retained for the duration of the subscription.
- Deleted accounts: 21-day grace period before permanent deletion begins. During this period, data can be restored if the deletion was made in error.
- Hard deletion: after the grace period, personal data is permanently and irreversibly deleted from all systems.
- Billing records: retained for 7 years to comply with Dutch tax law.
7. Third-party processors
We share data with the following sub-processors, all of which are bound by appropriate data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication infrastructure | EU (Frankfurt) |
| Stripe | Payment processing and subscription management | EU / US (standard contractual clauses) |
| Brevo (Sendinblue) | Transactional email delivery | EU (France) |
| Anthropic | AI feature processing (opt-in only) | US (standard contractual clauses) |
| Cloudflare | CDN, DDoS protection, web application firewall | EU edge nodes |
8. Your rights under GDPR
As a data subject, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data (subject to legal retention obligations).
- Right to data portability — request your data in a structured, machine-readable format.
- Right to restriction — request that we limit our processing of your data.
- Right to object — object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@exantur.com. We will respond within 30 days. Data export and deletion can also be initiated directly from within the platform.
If you believe your rights have not been respected, you have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
9. Cookies
Exantur uses only functional cookies necessary to operate the service (authentication session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under GDPR.
10. Coachee data and coach responsibilities
Coaching session notes, goals, check-ins, and assessment results are entered by coaches and contain personal data about coachees. For this data, the coach's organization acts as the data controller and Exantur acts as a data processor. Organizations that require a Data Processing Agreement (DPA) for GDPR compliance can request one at privacy@exantur.com.
Coaches are responsible for informing coachees that their coaching data is stored in Exantur and for obtaining any consent required by their own professional obligations.
11. Changes to this policy
We may update this privacy policy to reflect changes to our practices or for legal reasons. When we make material changes, we will notify active users by email. The date at the top of this page reflects when the policy was last updated.
12. Contact
For privacy questions, data subject requests, or DPA requests:
privacy@exantur.com