Privacy Policy
Last updated: June 2026
This policy explains which personal data we process when you use Pauls Tools (pauls.tools), for what purposes and on what legal basis. We only process what the service needs and never sell your data.
1. Controller
xpand Nederland, Paul Donders, Arnhemse Bovenweg 180, 3708 AH Zeist, Netherlands.
Privacy contact: p.donders@xpand.one. Technical implementation: Christian Freitag, xpand Deutschland GmbH (c.freitag@xpand.one).
2. What data we process
Your email address (for sign-in and sending the daily impulses).
Your scan answers and the scores derived from them.
Your answers to the deepening questions and your chat messages.
Plan and profile settings (time, weekdays, time zone).
Optional feedback you send us.
Technical access data (e.g. IP address, timestamp) that arises server-side on access.
3. Purposes and legal bases
Providing the service incl. the reflection, 30-day plan and chat (performance of a contract, Art. 6(1)(b) GDPR).
Sign-in via magic link (performance of a contract).
Security and abuse prevention, e.g. rate limiting (legitimate interest, Art. 6(1)(f) GDPR).
Improving the service based on voluntary feedback (consent, Art. 6(1)(a) GDPR).
4. Hosting and data location
Hosting: Vercel Inc. (USA). Delivery and processing take place in the EU region Frankfurt am Main.
Database: Neon Inc. (USA). The database runs in Frankfurt am Main (EU).
The data stored in your profile therefore resides in the EU (Frankfurt).
5. Processors and transfers to third countries
AI text features: Google Gemini (Google LLC, USA). For the reflection, impulses and chat, the relevant texts (e.g. scan answers, chat input) are transferred to Google in the USA for processing. The transfer is based on Standard Contractual Clauses and/or the EU-US Data Privacy Framework.
Voice output (read-aloud): Mistral AI (France, EU). Processing takes place in the EU.
Images: Unsplash (USA). When article images load, your browser connects directly to Unsplash, so your IP address is transmitted to Unsplash (USA).
Email delivery: Hostinger (EU).
We have the data-protection agreements required by law in place with all processors.
6. Cookies and local storage
We use strictly necessary cookies only: pt_session (sign-in, httpOnly, up to 60 days) and pt_auth (a hint about your sign-in status for the navigation).
Your browser's local storage holds your scan progress, a cache of your reflection, and the cookie-notice acknowledgement.
There is no tracking. We do not use analytics, advertising or third-party tracking cookies.
7. Retention
Profile data is stored until you delete your profile. Magic-link tokens are valid for at most 45 minutes and single-use. Technical server logs are kept only briefly.
8. Your rights
You have the right to access, rectification, erasure, restriction of processing, data portability and objection. You can fully delete your profile yourself at any time in your account.
You also have the right to lodge a complaint with a data-protection supervisory authority.
There is no automated decision-making with legal effect; the AI reflection is supportive and does not replace professional advice.
9. Contact
For access, deletion or other privacy requests: p.donders@xpand.one.