Legal

Privacy Policy

Last updated: 20 May 2026

1. Introduction

Experio (“we”, “us”, “our”) operates the website at myexperio.com(the “Service”). This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit the Service or sign up for our waitlist.

We are committed to processing your personal data in accordance with the General Data Protection Regulation (GDPR) and Danish data protection law. This policy applies to the pre-launch waitlist phase. When we launch the Experio product, this policy will be updated to cover the broader data we process.

Data controller: Experio is currently operated by Ida Nørgaard and Katinka Schjeldrup Klepsch as co-founders, pre-incorporation, at the address:

Ved Hegnet 1, 3.tv, 2100 København Ø, Denmark

Once we are incorporated as a Danish company, this section will be updated with our official entity name, CVR number, and registered address.

2. What personal data we collect

We collect the minimum data necessary to operate our waitlist. Specifically:

2.1 Information you provide

• Email address — when you sign up to our waitlist via the form on our website.

2.2 Information collected automatically

• Server logs — including your IP address, browser type, operating system, and approximate location (country/city level), collected by our hosting provider Cloudflare. These logs are used for security and uptime monitoring.
• Email delivery metadata — when we send you a welcome email, our email provider Resend records delivery status (delivered, bounced, opened). We do not track individual click-through behaviour.

We do not use third-party analytics, advertising trackers, or behavioural cookies. We do not collect names, addresses, phone numbers, payment information, or any sensitive categories of data during the waitlist phase.

Our hosting provider Cloudflare sets technically necessary cookies (such as __cflb and __cf_bm) required for security and performance. These do not track you across websites and, under the ePrivacy Directive, do not require your consent.

3. Purpose and legal basis

We process your personal data only when we have a lawful basis to do so. The following table summarises our processing activities:

3.1 Waitlist signup and confirmation email

Purpose: To record your interest in Experio and send a welcome email confirming your position on the waitlist.

Legal basis: Your consent (GDPR Article 6(1)(a)). By submitting your email via our waitlist form, you consent to receive a welcome email, a small number of pre-launch updates, and a launch invitation, as described in section 3.2. You may withdraw consent at any time (see section 8).

3.2 Pre-launch updates and product launch invitation

Purpose:To send you updates about Experio’s development before launch, and an invitation when the app opens to first members.

Legal basis: Your consent (GDPR Article 6(1)(a)). This is part of the waitlist signup consent. We have committed to sending no more than two pre-launch emails: a story in July and a launch invitation in August 2026.

3.3 Service security and infrastructure logs

Purpose: To protect the Service against abuse, monitor uptime, and diagnose technical issues.

Legal basis: Our legitimate interest in maintaining a secure service (GDPR Article 6(1)(f)).

4. Who we share your data with (sub-processors)

We do not sell your personal data to anyone. We share it only with the following service providers, each bound by data processing agreements consistent with GDPR requirements:

• Supabase (privacy policy) — our database and serverless backend. Your email and signup metadata are stored here. Servers located in the European Union.
• Resend (privacy policy) — our email delivery provider. Used to send you the welcome email and future pre-launch updates. Resend is based in the United States.
• Cloudflare (privacy policy) — our DNS, hosting, and security provider. Handles server logs and traffic routing. Global edge network with European data centres.

5. International data transfers

Some of our service providers are based outside the European Economic Area (EEA), specifically Resend (United States). When personal data is transferred outside the EEA, we rely on appropriate safeguards as required by GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission. Details of Resend’s transfer safeguards are available in their Data Processing Agreement.

You can request more information about the specific safeguards used by contacting us using the details in section 10.

6. Profiling and automated decision-making

We do not use profiling or automated decision-making that produces legal or similarly significant effects on you. We do not segment our waitlist based on demographics, location, or behaviour.

7. How long we keep your data

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy:

• Waitlist email — kept until our product launches or you unsubscribe, whichever comes first. After the public launch, we will either transfer your data to a customer account (if you create one) or delete it from the waitlist database within 90 days.
• Server logs — retained by Cloudflare and Supabase per their own retention policies (typically 7-30 days for security logs).
• Email delivery metadata — retained by Resend as specified in their data retention policy, typically up to 30 days for delivery logs.

In the event that Experio ceases operations before launch, all waitlist data will be permanently deleted from our systems and from Resend within 30 days.

8. Your rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15) — to confirm what personal data we hold about you and receive a copy.
• Right to rectification (Article 16) — to correct inaccurate or incomplete data.
• Right to erasure(Article 17, “right to be forgotten”) — to ask us to delete your data.
• Right to restrict processing (Article 18) — to limit how we use your data in certain circumstances.
• Right to data portability (Article 20) — to receive your data in a structured, commonly used format.
• Right to object (Article 21) — to object to processing based on legitimate interest.
• Right to withdraw consent (Article 7) — at any time, without affecting the lawfulness of processing before withdrawal.

To unsubscribe from our emails at any time, click the unsubscribe link in the footer of any email we send. Your removal is recorded immediately. Alternatively, contact us using the details in section 10.

Right to complain to the Danish Data Protection Agency

You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) if you believe we have not handled your personal data in accordance with the law. You can reach them at [email protected] or via datatilsynet.dk.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

• HTTPS / TLS encryption for all data in transit
• Database access restricted to authenticated server-side functions (no direct client access)
• Row-level security policies on our Supabase database
• Limited access to production systems — restricted to founders only

10. Contact us

If you have questions about this policy, want to exercise your rights, or want to raise a concern about how we handle your personal data, contact us at:

Email: [email protected]

We aim to respond to all data-related requests within 30 days, as required by GDPR.

11. Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services, legal requirements, or sub-processors. The most current version is always available at myexperio.com/legal/privacy. When we make material changes, we will notify waitlist members by email at least 14 days before the changes take effect.

The “Last updated” date at the top of this policy reflects the most recent revision.