PRIVACY POLICY
Privacy Policy – Expand Future GmbH
Last updated: 2026
1. Controller and contact
The controller for the processing of personal data on this website and in connection with our services is:
Expand Future GmbH
Seitenstettengasse 5/37
1010 Vienna
Austria
Email: hello@expand-future.com
For any questions regarding data protection or to exercise your rights, please contact us via email.
2. Scope
This Privacy Policy explains how we process personal data when:
you visit our website www.expand-future.com (including /services, /about, /submit, /contact, /zh and related subpages),
you contact us by email/newsletter,
you submit an opportunity via our intake form on /submit,
we use analytics tools such as Google Analytics 4 (if activated).
Our services are exclusively B2B. However, GDPR applies to any personal data of natural persons we process (e.g. contact persons at companies), as set out in arts. 4–6 GDPR (C‑492/23).
3. Data we process
3.1 Server log files (website usage)
When you access our website, your browser automatically transmits information, which is stored in server log files by our hosting provider (Hostinger):
IP address
date and time of access
URL and subpages accessed
referrer URL
browser type and version
operating system and device information
amount of data transferred
error codes / status codes
This data is necessary to provide the website and ensure IT security. It is processed according to the GDPR principles of lawfulness, transparency, purpose limitation and data minimisation (arts. 5–6 GDPR, see C‑231/22, C‑655/23).
3.2 Contact by email
When you contact us by email (e.g. hello@expand-future.com) we process:
your name, email address and other contact details you provide,
the content of your message and any attachments,
metadata (timestamp, technical routing data).
We use this data to respond to your request and manage our communication.
3.3 Intake form on /submit (including /zh/submit)
If you submit an opportunity via our intake form, we process the information you enter:
Personal and company data
full name
role / title
company / fund name
company website
business email address
LinkedIn profile (optional)
Deal information
opportunity type (capital raise / partnership / M&A / market entry / other)
indicative deal size range
company stage
geography (origin and target markets)
industry / sector
opportunity description (free text)
timeline / expected process
uploaded files (e.g. deck / one‑pager, PDF)
Meta information
how you found us
additional comments
your declaration / consent via checkbox
The form is technically provided via our hosting infrastructure (Hostinger) or, where applicable, embedded via tools such as Systeme.io.
3.4 Calendly / scheduling tools (if used)
If we invite you to schedule a call via Calendly or similar, we process:
name
email
company
meeting time and date
any notes you provide.
These tools are provided by external service providers; their own privacy policies apply in addition to this Privacy Policy.
3.5 Analytics (Google Analytics 4 – if activated)
If Google Analytics 4 is activated on our website, usage data such as page views, session duration, device type and approximate geographic region is collected to analyse website usage. IP addresses are truncated or anonymised where possible.
Analytics uses cookies and similar technologies; details are in section 5.
X. Social media presence and business networking (LinkedIn, Instagram, Xiaohongshu)
We maintain company profiles on external social media platforms such as LinkedIn, Instagram and, for the Chinese‑speaking audience, Xiaohongshu (RED). When you visit these profiles, the respective platform operators are controllers for any data processing on their systems; their own privacy policies apply.
In addition, we may use publicly available information from such platforms for B2B networking purposes. This may include:
your name,
your role and company,
your business profile URL,
other professional information you publish on your profile.
Purpose and legal basis
We use this data to identify and contact potential B2B partners (e.g. entrepreneurs, investors, corporate partners) and to build or maintain business relationships.
The legal basis for this processing is our legitimate interest (art. 6(1)(f) GDPR) in effective B2B networking and business development. This kind of use of publicly available professional data must always respect your reasonable expectations and be proportionate, as required by arts. 5–6 GDPR and the balancing approach described in C‑492/23.
Source of the data
Where we use social‑media profile data for networking, we do not obtain it from you directly, but from publicly accessible sources such as LinkedIn, Instagram or Xiaohongshu. We are therefore providing this information in accordance with art. 14 GDPR, as clarified by the requirement to disclose such sources in decisions like W292 2285487‑1.
Storage period
We keep such networking‑related data only as long as it is relevant for the business relationship or potential cooperation. If no business relationship arises and there is no further contact, we periodically review and delete or anonymise data in line with the storage‑limitation principle in art. 5(1)(e) GDPR (C‑492/23).
Your right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data for these networking and outreach purposes (art. 21(1) GDPR). You can exercise this right by contacting us at hello@expand-future.com. If you object, we will no longer process your data for these purposes and will delete it, unless we demonstrate compelling legitimate grounds as provided in art. 21 GDPR.
Use of Waxxaly for LinkedIn prospecting
We may use third‑party prospecting tools such as Waxxaly to identify and manage potential business contacts on LinkedIn. In this context, the following data may be processed:
name,
role and company,
LinkedIn profile URL,
public information from your LinkedIn profile that is relevant for a potential B2B conversation (e.g. industry, location, professional background),
interaction status (e.g. “contacted”, “no response yet”, “call scheduled”).
Purpose and legal basis
We use Waxxaly solely for B2B networking and outreach, in order to identify suitable founders, executives, investors and partners and to contact them about potential cross‑border opportunities.
The legal basis for this processing is our legitimate interest in effective B2B business development and networking. We only use publicly available professional data and aim to respect your reasonable expectations as a LinkedIn user.
Source of the data
The data is not collected directly from you but from publicly available information on LinkedIn via Waxxaly’s interface.
Recipients
Waxxaly acts as a technical service provider for us. To the extent it processes personal data on our behalf, Waxxaly is bound by a data‑processing agreement and may not use the data for its own purposes.
Storage period and your rights
We store prospecting data in Waxxaly and our internal systems only as long as it is relevant for potential cooperation. If no meaningful contact occurs, we periodically review and delete or anonymise such data.
You can object at any time to the use of your LinkedIn data for our outreach and networking purposes and request deletion by contacting us at hello@expand-future.com.
Y. Newsletter and email updates (planned)
At the moment, we do not operate a general newsletter for Expand Future. If we introduce newsletters or regular email updates in the future, the following will apply:
Purpose
We would process your personal data (typically your name, email address and company) in order to send you:
updates about our services and content,
invitations to events,
curated insights on cross‑border opportunities.
Legal basis
Depending on the specific design, we would rely either on:
your explicit consent (art. 6(1)(a) GDPR) obtained via an opt‑in process (ideally double opt‑in), or
our legitimate interests in maintaining B2B relationships (art. 6(1)(f) GDPR), where permitted and subject to a clear balancing of interests, as reflected in the GDPR principles of lawfulness and transparency in arts. 5–6 and discussed in C‑492/23.
In any case, we will transparently inform you about the applicable legal basis at the time we collect your data.
Use of email tools
If we use an email‑marketing tool (for example Systeme.io or a similar provider), this provider will act as a processor on our behalf. We will conclude appropriate data processing agreements and ensure compliance with GDPR, in line with the general approach to processors and recipients described above and with the requirement in DLG §22 Abs.1 Z 6 that any general terms and conditions and clauses used must be disclosed.
Storage period
We store your email data for newsletter purposes until you unsubscribe or, where we rely on consent, until you withdraw your consent. After that we will delete or block your email address for newsletter purposes, subject to any longer retention that may be required for proof of consent or legal claims.
Right to withdraw consent and to object
You can withdraw your consent to receive newsletters at any time with effect for the future, without affecting the lawfulness of processing before the withdrawal (art. 7(3) GDPR; see also the explicit consent conditions in C‑492/23).
Where we rely on legitimate interests, you can object at any time to the use of your data for direct marketing (art. 21(2) GDPR). Each newsletter email will contain a clear unsubscribe link; alternatively, you can contact hello@expand-future.com to opt out.
Z. Links to social‑media platforms
Our website contains simple links (not embedded plug‑ins) to external social‑media platforms such as LinkedIn, Instagram and Xiaohongshu. When you click one of these links, you are redirected to the respective platform. The platform provider is solely responsible for any data processing that takes place there; please refer to their respective privacy policies.
We do not currently use embedded social‑media plug‑ins (such as “like” buttons that transfer data when you simply load our pages), nor do we use social‑media tracking pixels. If we introduce such technologies in future, we will update this Privacy Policy to describe them in detail and, where necessary, obtain your consent beforehand, in accordance with the consent standard under GDPR and the CJEU’s guidance in C‑673/17.
4. Purposes and legal bases
We process personal data only for specific, explicit and legitimate purposes and on a valid legal basis, as required by arts. 5–6 GDPR (C‑492/23).
Purposes and legal bases:
Operating the website and ensuring security
Purpose: technical provision, IT security, prevention of abuse.
Legal basis: legitimate interests (art. 6(1)(f) GDPR) in operating a secure website.
Handling enquiries and pre‑contractual measures
Purpose: responding to your email or form submissions, reviewing opportunities, preparing potential engagements.
Legal basis: performance of a contract or pre‑contractual steps at your request (art. 6(1)(b) GDPR).
Contract fulfilment and business relationship
Purpose: managing engagements (dealflow, projects, advisory), invoicing, documentation.
Legal basis: art. 6(1)(b) GDPR.
Compliance with legal obligations
Purpose: accounting, tax, retention obligations.
Legal basis: art. 6(1)(c) GDPR.
Analytics and website improvement (if analytics is activated)
Purpose: understanding website usage, improving content and user experience.
Legal basis: your consent via cookie banner (art. 6(1)(a) GDPR); you can withdraw at any time.
Limited B2B communication
Purpose: communicating with existing business contacts about closely related services or updates.
Legal basis: legitimate interests in maintaining B2B relationships (art. 6(1)(f) GDPR).
We do not process special categories of personal data (art. 9 GDPR).
5. Cookies and similar technologies
In line with GDPR and the requirement for informed consent for non‑essential cookies as clarified by the CJEU in C‑673/17, we distinguish:
5.1 Essential cookies
These cookies are necessary for the basic functioning and security of the website (e.g. session cookies, security tokens, language settings). They are set automatically when you visit our site.
Legal basis: our legitimate interests (art. 6(1)(f) GDPR) in providing a functional website.
5.2 Analytics cookies (Google Analytics 4 – optional)
If we use Google Analytics 4, cookies are placed to analyse website usage. These cookies are only activated if you give your consent via the cookie banner.
Legal basis: consent (art. 6(1)(a) GDPR). You can withdraw consent at any time by changing your cookie settings or browser settings.
No marketing, advertising or social media tracking cookies (e.g. Facebook Pixel, LinkedIn Insight Tag) are used at this time.
6. Google Analytics 4 (if used)
If activated:
Provider: Google LLC and/or its European affiliates.
Data collected: usage data (page views, session information, device/browser data), truncated/anonymised IP addresses where technically configured.
Purpose: statistical analysis, optimisation of content.
Transfer to third countries: data may be processed on servers outside the EU / EEA (e.g. USA). Transfers occur subject to appropriate safeguards, such as standard contractual clauses, as required by chapter V GDPR (see W292 2235435‑1).
You can refuse analytics cookies in the cookie banner or change your browser settings to block cookies.
7. Data sharing and recipients
We only share personal data where necessary and lawful, in line with the definitions of “recipient” and “third party” in art. 4 GDPR (W292 2235435‑1):
Hostinger (EU – Cyprus): hosting, server, email and forms.
Email providers (e.g. Gmail / Google Workspace or similar): handling email communication.
Analytics providers (e.g. Google Analytics 4): only if activated and consented.
Form / automation tools (e.g. Systeme.io, Airtable, Make.com / n8n – if implemented): handling form submissions, pipeline management and internal workflows.
Calendly / scheduling tools: for call scheduling, if used.
Professional advisers and authorities: tax advisers, lawyers, auditors, and public authorities where required by law.
Where such providers act as processors on our behalf, we conclude appropriate data processing agreements. We do not sell personal data and do not share it with third parties for their independent marketing.
8. Data retention
In line with the storage limitation principle (art. 5(1)(e) GDPR, see C‑231/22), we store personal data only as long as necessary:
Server logs: retained for a limited period necessary for security and troubleshooting, then deleted or anonymised.
Email communication and contract data: retained for the duration of the business relationship and for statutory retention periods (e.g. accounting, tax).
Intake form submissions: retained for up to 24 months after the last relevant contact regarding the opportunity, unless a longer period is required (e.g. ongoing negotiations, concluded engagement, legal obligations).
Uploaded documents (e.g. pitch decks): retained while we review the opportunity and during any related engagement; then archived or deleted following the 24‑month guideline and statutory retention.
When data is no longer needed, we delete or anonymise it unless we must keep it to comply with legal obligations or to establish, exercise or defend legal claims.
9. Your rights
Under GDPR (arts. 12–23, 77–79; see C‑757/22), you have the following rights:
Right of access: to obtain confirmation whether we process your personal data and receive a copy.
Right to rectification: to correct inaccurate or incomplete data.
Right to erasure: to request deletion of your data where the conditions of art. 17 GDPR are met.
Right to restriction: to request restriction of processing in certain cases (art. 18 GDPR).
Right to data portability: to receive data you provided in a structured, commonly used and machine‑readable format and transmit it to another controller.
Right to object: to object to processing based on our legitimate interests (art. 21 GDPR); you can also object to any B2B marketing at any time.
Right to withdraw consent: where processing is based on your consent, you may withdraw this consent at any time with effect for the future.
To exercise these rights, please contact us at: hello@expand-future.com.
You also have the right to lodge a complaint with a data protection authority if you believe that the processing of your personal data infringes GDPR. In Austria, this is the Austrian Data Protection Authority (Datenschutzbehörde).
10. No automated decision-making
We do not carry out automated decision‑making, including profiling, that produces legal effects concerning you or similarly significantly affects you (art. 22 GDPR).
If we introduce such processes in future (e.g. internal scoring tools for deal screening), we will update this Privacy Policy and, where required, obtain your consent.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example if we add new tools or services or if legal requirements change. The latest version is always available on our website and indicated by the “Last updated” date at the top.
We do not provide financial, investment, or legal advice. We do not assess or recommend specific investment opportunities.
We facilitate connections between independent parties, who make their own decisions regarding any cooperation or investment.
