Two things can happen here. You can join the waitlist — we keep one email, nothing else. And, rolling out now, you can scan yourself to see what's already public about you. Here's exactly what each one means. No legalese.
Your email address, the fact that you submitted it through our waitlist, and the date you did. That's the whole waitlist record.
We do not store your IP address. No cookies, no tracking pixels, no analytics on this site.
You gave it to us by joining the waitlist — that's what we rely on (your consent). We use it only to let you know when xpose is available. No marketing lists, no selling, no profiling.
Until launch, or until you ask us to remove it — whichever comes first. When you ask, it's deleted, not archived.
No one. The list is never sold, rented, or shared with third parties. It lives on EU-based hosting and stays there.
As the scan feature rolls out, here's how it handles your data when you choose to use it.
You can run a scan of yourself. We search publicly available sources to show you what's already exposed about you online. The purpose is to give you back visibility into your own footprint — nothing more.
We only ever scan you, and only when you start the scan yourself. We never scan anyone on someone else's behalf, and we never run a scan you didn't initiate.
To make sure a scan can only run on yourself, you sign in with Google. We receive only your verified email address and basic profile (name, picture). We never get access to your Gmail, your Drive, or your contacts.
The scan runs only after you sign in and click to start it. That click is your consent, and we record the date you gave it. You can withdraw it at any time.
Information about you that is already publicly accessible online — for example, where your email or handles show up across public sources. We don't access anything private, and nothing behind a login.
The result is a private report, visible only to you. To open it you sign in again — only the signed-in owner of the email can see it. We don't send the report as an email attachment.
Your report is available until you download it, and in any case for no more than 14 days after it's generated — then it's deleted. Ask us to remove it sooner and we delete it immediately. The underlying scan data stays on our own systems and isn't kept on the web host; the host only holds your finished report, briefly.
Hosting is EU-based. We use Google solely to verify your sign-in. We don't share your report or your scan data with anyone else, ever.
Under the GDPR you can ask us to show you the data we hold on you — your waitlist email or your scan data alike — correct it, delete it, or withdraw your consent at any time. Email contact@xpose.lu and we'll act within 30 days.
xposeTIP — Nabil Ksontini, Luxembourg. Questions about your data: contact@xpose.lu.
This reflects our current practice for the waitlist and for the self-scan feature as it rolls out. As we incorporate and reach full launch, we'll publish a fuller policy reviewed by a data-protection officer. Last updated June 2026.