Privacy Policy
1. Controller
Expand Future GmbH
Seitenstettengasse 5/37
1010 Vienna
Austria
E‑mail: hello@expand-future.com
The brand “The Leading Space” (www.theleadingspace.eu) is operated by Expand Future GmbH.
2. Principles of Data Processing
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Austrian data protection laws. We process data in particular:
to operate our websites and online offerings,
to perform and manage contracts with business clients,
to deliver online programmes and events,
to communicate with prospects and Clients (e.g. newsletters, challenges, invitations to events),
to ensure IT security and prevent misuse.
The main legal bases are:
Art. 6(1)(b) GDPR (performance of a contract or pre‑contractual steps),
Art. 6(1)(f) GDPR (legitimate interests),
Art. 6(1)(a) GDPR (consent), especially for optional cookies and certain marketing activities.
3. Website Provision, Hosting, CDN
3.1. Hosting via Hostinger
Our website is hosted by Hostinger International Ltd. Hostinger provides the technical infrastructure and acts as our processor.
When you access our website, the following data are automatically processed:
IP address of the requesting device,
date and time of access,
pages/files accessed,
volume of data transmitted,
browser type and version,
operating system,
referrer URL.
This processing is based on our legitimate interests (Art. 6(1)(f) GDPR) in maintaining a secure and stable website. Server logs may be reviewed to investigate security incidents or misuse.
3.2. Content Delivery Network (CDN) / Cloudflare
To deliver our website quickly and securely worldwide, we use a Content Delivery Network (CDN), in particular Cloudflare. This means:
website content is delivered from geographically distributed servers, and
personal data (especially IP addresses) may be processed outside the EU/EEA, including in the USA.
We use the CDN based on our legitimate interests in efficient and secure website delivery (Art. 6(1)(f) GDPR).
Cloudflare and Hostinger rely on appropriate safeguards for transfers to third countries, in particular the EU Commission’s Standard Contractual Clauses (SCCs) and additional security measures.
4. Cookies and Consent Management
We use cookies and similar technologies to ensure basic functionality and, with your consent, to perform analytics and marketing.
4.1. Technically necessary cookies
Technically necessary cookies are required for basic website functionality (e.g. session management, security). They are set based on our legitimate interests (Art. 6(1)(f) GDPR). Consent is not required for these necessary cookies.
4.2. Optional cookies (analytics, marketing)
We may use optional cookies for statistics and marketing (e.g. analytics functions of systeme.io, future use of Google Analytics or similar tools). These will only be activated with your express consent obtained through a cookie banner.
Legal basis: your consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time with future effect by adjusting your cookie settings/banner choices or deleting cookies in your browser.
5. Use of systeme.io (ITACWT Limited)
5.1. Platform and Data Hosting
We use systeme.io (operated by ITACWT Limited, based in Dublin, Ireland) for:
email marketing (newsletters, free challenges),
landing pages and funnels,
course hosting (Visibility Academy),
CRM and automation.
systeme.io stores data on Amazon Web Services (AWS) servers in Ireland. The core data processing therefore takes place within the EU.
5.2. Purposes and Data Categories
Via systeme.io we process in particular:
master data (first name, last name, e‑mail address, country, company name, VAT ID),
contract and booking data (booked programmes, access, duration),
communication data (newsletter, automated sequences, support messages),
activity data (email open and click rates, course progress),
affiliate data (if we run an affiliate programme).
The legal bases are:
Art. 6(1)(b) GDPR for programme participants (contract performance),
Art. 6(1)(f) GDPR (our legitimate interest in efficient marketing and administration in a B2B context),
Art. 6(1)(a) GDPR for newsletter/marketing communications where consent is required.
5.3. Cookies and Tracking in systeme.io
systeme.io uses several types of cookies, including:
session cookies (login and authentication),
preference cookies (e.g. language),
security cookies,
cookies for affiliate tracking (combined with database‑based tracking),
possibly third‑party cookies (e.g. for analytics).
systeme.io can also capture UTM parameters and associate them with contacts to analyse campaigns.
Non‑essential cookies and tracking mechanisms of systeme.io are only activated based on your consent via our cookie banner (Art. 6(1)(a) GDPR).
5.4. Storage Period and Deletion in systeme.io
systeme.io keeps personal data only as long as necessary for providing and improving the service or for legal compliance.
We delete or anonymise data once the processing purpose ceases and no legal retention obligations apply. Contract and invoice data are stored in line with Austrian company and tax law retention periods (generally 7 years).
6. Web Analytics (Potential/Possible Use)
At present, we do not actively implement separate tracking scripts such as Google Analytics on our main website beyond what may be technically integrated via systeme.io or the hosting/CDN providers.
If, in future, we implement tools like Google Analytics or other analytics/marketing services:
we will list them specifically here (tool name, provider, purpose, data categories),
we will only activate them with your consent via the cookie banner (Art. 6(1)(a) GDPR), and
any data transfers outside the EU/EEA (e.g. to the USA) will be based on appropriate safeguards, in particular Standard Contractual Clauses.
7. Contact and Communication
If you contact us by e‑mail or via a contact form, we process your information (e‑mail address, name, message content) to respond to your enquiry.
Legal basis:
Art. 6(1)(b) GDPR if the enquiry relates to contract performance or pre‑contractual measures;
Art. 6(1)(f) GDPR (our legitimate interest in answering enquiries) in other cases.
8. Newsletter, Free Challenge and Event Invitations
8.1. Newsletter / E‑Mail Challenges
When you sign up for our newsletters or free e‑mail challenges, we collect at least your e‑mail address and possibly your name. By signing up, you consent to receive e‑mails that may include:
content relating to business, visibility and implementation,
information about our programmes and offers,
invitations to free and paid events.
Legal basis: your consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time via the unsubscribe link in each e‑mail or by contacting us.
8.2. Invitations to Monthly Live Events
Based on your newsletter/challenge consent, we may invite you by e‑mail to our free live events. A separate additional consent is not required if these invitations remain within the scope of the consent described above.
Participation in a specific live event is based on Art. 6(1)(b) GDPR (performance of the event). If events are recorded, we will inform you in advance. You can choose not to switch on your camera/microphone if you do not want to be visible/audible in the recording.
9. Event Registration and Calendar Tools
For event registration and adding dates to your calendar, we may use third‑party services such as addevent, Google Calendar or comparable tools.
Depending on the tool, the following data may be processed:
name,
e‑mail address,
event details (title, date, time),
technical data (IP address, browser data).
Processing is based on:
Art. 6(1)(b) GDPR (organisation and execution of the event), and
Art. 6(1)(f) GDPR (our legitimate interest in efficient event management).
Because these tools often use servers in third countries (especially the USA), data transfers outside the EU/EEA may occur. Such providers rely on appropriate safeguards, particularly Standard Contractual Clauses and additional protective measures. For details, see the respective providers’ privacy policies.
10. B2B Outreach via LinkedIn and Waalaxy
For B2B lead generation and outreach, we use LinkedIn and an automation tool such as Waalaxy.
We may process:
publicly available LinkedIn profile data (name, job title, employer, profile URL),
communication data (connection requests, direct messages),
metadata regarding contact sequences.
This processing is carried out based on our legitimate interest in B2B direct marketing and business development (Art. 6(1)(f) GDPR).
The primary data controller for LinkedIn profile data is LinkedIn itself. Waalaxy assists us in automating certain steps (import of profiles, sending messages) and may process data on servers in the EU or third countries. Where data is transferred to third countries, Waalaxy relies on appropriate safeguards (such as Standard Contractual Clauses).
Recipients are free to decline or ignore our outreach at any time. If you no longer wish to be contacted via LinkedIn, you can indicate this in your message or adjust your LinkedIn settings.
11. Communication via Messenger Services (WhatsApp, Telegram)
To communicate with existing programme Clients (e.g. participants of “The Sustainability Implementation Lab”), we may use messenger services such as WhatsApp or Telegram in addition to e‑mail.
In this context, we process:
your phone number and/or username,
message content,
metadata (time, date).
Using such messenger services is voluntary. You can always choose alternative communication channels (especially e‑mail).
Legal basis:
Art. 6(1)(b) GDPR (communication necessary for performing the programme), and
Art. 6(1)(f) GDPR (our legitimate interest in efficient communication).
Since these providers may use servers in third countries (in particular the USA), corresponding data transfers may occur. Additional details are provided in the privacy policies of WhatsApp, Telegram and similar services. We recommend that you do not transmit particularly sensitive information via messenger and that you use e‑mail or other secure channels instead.
12. Social Media Profiles and Links
We maintain profiles on various social media platforms, such as Instagram, Facebook (Meta) and LinkedIn.
When you visit our profiles or click the respective icons/links on our website, the platform providers process personal data under their own responsibility (e.g. IP address, device information, usage data). The privacy policies of the respective platforms apply to these data processing activities.
We may additionally process data made available to us on these platforms (e.g. comments, messages, profile names) to communicate with users and present our services (legitimate interest under Art. 6(1)(f) GDPR).
Social‑media providers may store and process data outside the EU/EEA (especially in the USA) and rely on appropriate safeguards such as Standard Contractual Clauses.
13. Payment Processing (Stripe)
We use Stripe as our payment service provider for paid programmes. Stripe processes payment data (e.g. credit card numbers, bank details, transaction IDs) directly; we typically only receive:
confirmation that a payment was successful or failed, and
partial anonymised payment details.
Processing is based on Art. 6(1)(b) GDPR (contract performance). Stripe may process data outside the EU/EEA (e.g. USA) but relies on Standard Contractual Clauses and additional safeguards to ensure appropriate data protection.
14. Storage Periods
We retain personal data only as long as necessary for the respective purposes or as required by legal retention obligations:
Contract and invoice data: generally 7 years under Austrian company and tax law.
Course and programme data: for the duration of the programme and as long as legitimate interests (e.g. legal defence, documentation) exist.
Newsletter/marketing data: until you withdraw consent or object to processing.
Log data: usually for a few weeks/months unless required for investigation of security incidents.
After the relevant periods end, data are deleted or anonymised.
15. Your Rights as a Data Subject
You have the following rights under the GDPR:
right of access (Art. 15),
right to rectification (Art. 16),
right to erasure (“right to be forgotten”, Art. 17),
right to restriction of processing (Art. 18),
right to data portability (Art. 20),
right to object to processing based on Art. 6(1)(f) GDPR (Art. 21),
right to withdraw consent at any time (Art. 7(3)), without affecting the lawfulness of processing before withdrawal.
To exercise these rights, please contact us: hello@expand-future.com
You also have the right to lodge a complaint with a supervisory authority. In Austria, this is:
Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
https://www.dsb.gv.at/
16. Data Security
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss or destruction. These include, in particular:
encryption of data transmission (SSL/TLS),
access controls and role‑based permissions,
regular software and security updates,
careful selection of service providers with adequate security standards.
17. Changes to this Privacy Policy
We may amend this Privacy Policy when our data processing activities, tools or legal requirements change. The current version is always available on our website.
© 2026. All rights reserved.
The Leading Space - Jiaran Wang
