ExpertWin
Last Updated: February 21, 2026
In short: We explain how we handle your data. We take privacy seriously and are transparent about what we collect and why.
This Privacy Policy explains how ExpertWin ("we," "our," or "us") collects, uses, and safeguards personal data. Our platform allows users ("Creators") to build, manage, and interact with their audiences ("End Users") using AI personas via Telegram bots and other interfaces.
If you have any questions about how we handle your data, please contact us at: privacy@expertwin.net.
In short: We are the Controller for Creator data. Creators are Controllers for their End Users' data. We are the Processor acting on Creators' behalf.
To comply with international privacy standards (including UK GDPR), we strictly separate roles in data processing:
We are the Data Controller for the personal data of our Creators (our direct clients) who register on expertwin.net. This includes names, emails, billing information, and platform usage analytics.
The Creator of the AI persona is the sole Data Controller for the data of the End Users who interact with their bot (e.g., chat histories, voice messages, contact details).
Creator Obligation: Each Creator is required, under our Terms of Service, to maintain and publish their own Privacy Policy for their End Users. This Privacy Policy must disclose the use of ExpertWin as a data processor and describe how End User data is collected, processed, and stored. Failure to maintain such a policy constitutes a breach of our Terms of Service.
Regarding End User data, we act exclusively as a Data Processor, operating technically on behalf of and under the instructions of the Creators. The specific terms governing our data processing activities are set forth in our Data Processing Agreement (DPA), attached as Appendix A to our Terms of Service.
Anonymized Data: We may create anonymized, aggregated statistical data from processed data, provided such data cannot be re-identified to a particular individual. Such anonymized data is not Personal Data under GDPR and may be used by ExpertWin for platform improvement, analytics, and reporting purposes. Examples include average session duration, popular question categories, and cohort retention metrics.
To protect the platform and comply with legal obligations, ExpertWin maintains minimal security logs (IP addresses, timestamps, access patterns, abuse flags). We control this data independently under legitimate-interest and legal-obligation grounds.
In short: We collect what we need to run the platform for Creators, and we technically process End User data on behalf of Creators.
When End Users interact with AI bots via Telegram or other channels, we technically process the following on behalf of the Creator:
Voice messages submitted by End Users are processed solely for the purpose of generating AI responses and are not used to create biometric templates, voiceprints, or any form of biometric identification.
If ExpertWin introduces voice or visual cloning features for Creators in the future, we will obtain explicit, informed consent from the Creator before processing any biometric data. Such consent will include clear disclosure of: (a) the specific biometric data being collected; (b) the purpose and duration of processing; and (c) the right to withdraw consent at any time.
We do not process biometric data of End Users under any circumstances without prior explicit consent obtained through the Creator as Data Controller.
We do not intentionally collect or process special categories of personal data (e.g., health information, racial or ethnic origin, political opinions, religious beliefs). End Users and Creators are advised to avoid sharing such information through the platform. Where such data is incidentally provided, it is processed solely as part of the chat content under the same conditions described in this Policy.
To build and enrich their AI persona's knowledge base, Creators may voluntarily connect external data sources to ExpertWin. We currently support the following integrations:
Google Drive. When a Creator connects their Google account via OAuth 2.0, we request access only to files and folders explicitly selected by the Creator. We request the following OAuth scopes:
drive.file — to read the
content of files selected by the Creator.We do NOT request broad access to the Creator's entire Google Drive. We do not modify, delete, or create files in the Creator's Google Drive. File content is extracted (text, documents, PDFs), processed into the Creator's knowledge base, and the original files are not stored on our servers beyond the processing period (up to 72 hours). The extracted knowledge base content is retained for the duration of the Creator's account.
YouTube (Subtitle Extraction). Creators may provide YouTube video URLs from which we extract publicly available subtitle/caption data using the YouTube Data API. We process only:
We do not access private or unlisted videos unless the Creator provides authenticated access. We do not download, store, or process video or audio files themselves. Extracted subtitle text is processed into the Creator's knowledge base and retained for the duration of the Creator's account.
Creator Responsibility for Third-Party Content. When connecting external data sources, Creators warrant that they have the legal right to use the content for knowledge base purposes and that such content does not infringe on third-party intellectual property or privacy rights. ExpertWin is not responsible for the legality or accuracy of content imported by Creators from external sources.
Revoking Access. Creators may disconnect any third-party integration at any time through their account settings. Disconnecting an integration revokes our access to the external service. Previously extracted knowledge base content will remain in the Creator's knowledge base until the Creator deletes it or terminates their account.
Google API Services Disclosure. ExpertWin's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: (a) we only use data obtained via Google APIs for the purposes described in this Privacy Policy (knowledge base creation); (b) we do not transfer Google user data to third parties except as necessary to provide or improve the service, as required by law, or with the Creator's explicit consent; (c) we do not use Google user data for advertising purposes; and (d) a human reviews Google user data only with the Creator's affirmative consent, for security purposes, or to comply with applicable law.
In short: We use data to run the platform, process payments, and improve service quality. We do NOT use private conversations to train AI models.
We use the collected information for the following purposes:
AI Training Policy: We do NOT use End Users' private conversations or Creators' proprietary content to train or fine-tune foundational AI (LLM) models. We do not sell, license, or share conversation data with any third party for model training purposes. Should this practice change in the future, we will: (a) provide at least 30 days' advance written notice to affected Creators; (b) obtain explicit consent from each Creator; and (c) require Creators to obtain consent from their End Users before any such data is used.
In short: We don't sell your data. We share it only with trusted service providers needed to run the platform.
We do not sell your personal data. To provide our services, we share data with trusted third-party service providers ("Sub-processors") bound by strict confidentiality and security standards:
We maintain a current, publicly accessible list of all Sub-processors at: [URL, e.g., expertwin.net/legal/sub-processors]. This list includes the name, location, and purpose of each Sub-processor.
We will notify Creators at least 30 days before adding or replacing a Sub-processor. Creators may object to a new Sub-processor by contacting us within 14 days of notification. If we cannot reasonably accommodate the objection, the Creator may terminate the affected services under the terms of our DPA.
In short: We use essential and analytics cookies on expertwin.net. You can manage your preferences.
We use cookies and similar tracking technologies to provide, secure, and analyze our platform:
You can manage your cookie preferences through your browser settings or our cookie consent banner. Disabling essential cookies may affect your ability to use the platform. We default to rejecting non-essential cookies until you provide consent.
In short: We process data based on contract performance, legitimate interests, and legal obligations.
If you are located in the UK or the European Economic Area (EEA), our legal basis for collecting and using your personal data depends on the context:
In short: Your data may be transferred internationally. We use approved safeguards to protect it.
ExpertWin operates globally. Personal data may be transferred to, and processed in, countries outside the UK and the EEA (such as the United States or the UAE), where our servers (AWS, Google Cloud) or support teams are located.
When we transfer data internationally, we ensure appropriate safeguards are in place:
In short: We do not sell your data or use it for behavioral advertising. California and other state residents have specific rights.
If you are a resident of California (CCPA/CPRA), Colorado, Connecticut, Virginia, Utah, or other applicable U.S. states, you have specific rights regarding your personal data:
To exercise your rights, please contact us at privacy@expertwin.net. We will verify your identity and respond within 45 days.
In short: We keep data only as long as needed, with specific retention periods for each type.
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy or to comply with legal obligations. Specific retention periods are as follows:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| End User chat data | Duration of Creator account + 90 days | Contract performance |
| Creator account data | Duration of account + 12 months | Legitimate interest (dispute resolution) |
| Billing and financial data | 7 years from last transaction | Legal obligation (tax/accounting) |
| Voice messages | Duration of Creator account + 30 days | Contract performance |
| Security and access logs | 12 months | Legitimate interest (security) |
| Anonymized analytics | Indefinite | N/A (not personal data) |
| Knowledge base content (from integrations) | Duration of Creator account + 90 days | Contract performance |
When a Creator deactivates or deletes their account, we will: (a) notify the Creator of the impending deletion and provide an opportunity to export their data; (b) delete or anonymize all End User chat data within 90 days; (c) retain billing data as required by law; and (d) permanently delete all other Creator data within 12 months.
Deleting a message on the user's side within the Telegram app does not automatically delete that message from ExpertWin's databases, as the Telegram API does not send third-party services notifications of such deletions. End Users wishing to delete their data should contact the Creator directly (see Section 11).
In short: Creators manage their data directly. End Users contact the Creator first, then us if needed.
Depending on your jurisdiction (including UK/EU GDPR standards), you may have the right to access, rectify, port, restrict processing, object to processing, or erase your personal data.
You can manage your data and delete your account via your profile settings on expertwin.net or by contacting us at privacy@expertwin.net.
Because we act as a Data Processor, all requests to access, delete, or modify chat histories or personal data should be directed to the Creator (the owner of the bot) in the first instance. If the Creator fails to respond within 30 days, you may contact us at privacy@expertwin.net, and we will take appropriate steps to facilitate your request, including removing your data from our servers if necessary.
If you are in the UK or EEA, you have the right to lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.
In short: We notify regulators within 72 hours and affected Creators without undue delay.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
Given the nature of our processing activities (large-scale AI processing of chat data, voice messages, and behavioral analytics), we conduct Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35. These assessments are reviewed and updated periodically, and whenever we introduce new processing activities or technologies that may present a high risk to individuals' rights and freedoms.
In short: Our platform is for adults only (18+). Creators must implement age checks where required by law.
The ExpertWin platform is intended strictly for individuals aged 18 and older. We do not knowingly collect personal data from minors. If we become aware that we have collected such data, we will take immediate steps to delete it.
Creator Responsibility: Creators are responsible for implementing appropriate age verification mechanisms for their bots where required by applicable law in their jurisdiction. This obligation is specified in our Terms of Service.
We may update this Privacy Policy periodically to reflect changes in our practices, new features (such as the future introduction of biometric voice/visual cloning), or changes in applicable law.
We will notify Creators of any material changes at least 30 days in advance via email or through the platform interface. For non-material changes, we will update the "Last Updated" date at the top of this Policy.
Continued use of our services after such updates constitutes your acceptance of the revised Policy. If you do not agree with the changes, you may terminate your account before the changes take effect.
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
For data protection inquiries specifically, you may also contact our designated data protection point of contact at: dpo@expertwin.net.
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service between ExpertWin ("Processor") and the Creator ("Controller").
"Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the meanings given in UK GDPR / EU GDPR.
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the ExpertWin platform services, including AI-powered chat responses, knowledge base management, and related analytics. Processing continues for the duration of the Terms of Service and for the retention periods specified in Section 10.2 of the Privacy Policy.
End Users who interact with the Controller's AI bot(s) via Telegram or other supported channels.
The Processor shall:
The Processor may create anonymized, aggregated statistical data from processed Personal Data, provided such data cannot be re-identified to a particular individual. Such anonymized data is not Personal Data and may be used by the Processor for platform improvement, benchmarking, and reporting. The Controller acknowledges and agrees to this processing.
The Controller provides general written authorization for the Processor to engage Sub-processors listed at [URL]. The Processor shall: (a) notify the Controller at least 30 days before adding or replacing a Sub-processor; (b) impose data protection obligations on each Sub-processor no less protective than those in this DPA; and (c) remain fully liable for the acts and omissions of its Sub-processors.
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach. The notification shall include: (a) the nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) likely consequences; and (d) measures taken or proposed to mitigate effects.
The Processor shall not transfer Personal Data outside the UK/EEA without appropriate safeguards as described in Section 8 of the Privacy Policy. Where Standard Contractual Clauses are required, they are incorporated by reference into this DPA.
This DPA shall be governed by the same law that governs the Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
Last Updated: February 21, 2026
The following Sub-processors are authorized to process Personal Data on behalf of ExpertWin in connection with the services provided under the Terms of Service:
| Sub-processor | Location | Purpose | Data Processed |
|---|---|---|---|
| OpenAI | United States | AI response generation | Chat content (transmitted via API, not stored) |
| Anthropic | United States | AI response generation | Chat content (transmitted via API, not stored) |
| Amazon Web Services | EU / US | Cloud infrastructure | All platform data (encrypted at rest) |
| Google Cloud | EU / US | Cloud infrastructure | All platform data (encrypted at rest) |
| Stripe | United States | Payment processing | Creator billing data |
| Telegram | UAE / UK | Message delivery | Chat content, Telegram profile data |
| Google Analytics | United States | Platform analytics | Creator usage data (anonymized) |
| Amplitude | United States | Product analytics | Creator usage data (anonymized) |
| PostHog | EU | Session analytics | Creator usage data |
| Google (Drive API) | United States | Knowledge base content import | Creator-selected files (text extracted, originals not stored) |
| Google (YouTube Data API) | United States | Subtitle/caption extraction | Video subtitles, metadata (text only, no audio/video) |
To receive notifications of changes to this list, Creators may subscribe at [URL] or will be notified via email at least 30 days before any change takes effect.
ExpertWin implements the following technical and organizational measures to protect Personal Data: