Privacy Policy
Last updated: October 15, 2025
This Privacy Policy outlines how ExpCarry LLC ("ExpCarry", "we", "us", "our") collects, uses, discloses, and safeguards your personal data when you visit https://expcarry.com (the "Site") or interact with us through related channels (e.g., support, Discord). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, and California Consumer Privacy Act (CCPA/CPRA). This policy also details your privacy rights and how to exercise them.
For questions or to exercise your rights, contact us at [email protected].
1. Who We Are (Data Controller)
ExpCarry LLC is a limited liability company registered in the State of Delaware, USA (Delaware Division of Corporations, File Number 7372610).
Contact Details:
- Email: [email protected]
- Mailing Address: c/o Northwest Registered Agent Service, Inc., 8 The Green, Ste B, Dover, DE 19901, USA
- Rapid Contact (Messaging): Discord Support Channel
EU Representative (GDPR Art. 27):
We are in the process of appointing an EU representative to comply with GDPR requirements. For now, please direct all EU-related privacy inquiries to [email protected].
UK Representative (UK GDPR):
We are in the process of appointing a UK representative to comply with UK GDPR requirements. For now, please direct all UK-related privacy inquiries to [email protected].
We provide coaching and in-game assistance services for online games, such as boosting and progression support. We are not affiliated with or endorsed by any game publisher. We do not directly trade, broker, or resell in-game items or currency; all in-game progress or resources are obtained through legitimate gameplay mechanics as intended by game developers/publishers, in compliance with their terms of service.
2. Scope
This Policy applies to personal data collected online via the Site, order forms, support chat, Discord community, or other digital channels. It does not cover offline data collection unless explicitly stated. We adhere to the principle of data minimization, collecting only what is necessary for the purposes outlined below.
3. What Data We Collect
We collect and process the following categories of personal data:
- Identification & Contact Data: Name, username/Discord handle, email address, phone number (if provided), billing/shipping address (if provided), country/region.
- Account & Order Data: Account identifiers, order history, purchased services (e.g., boosting, coaching), preferences, support tickets/communications, discount codes.
- Technical & Usage Data: IP address, device/browser type, operating system, language, timestamps, referrers, page views, clicks, scroll/interaction data, error logs.
- Cookies & Similar Identifiers: Consent choices, session IDs, analytics/advertising identifiers (see Section 6).
- Payment Data: Tokenized payment information and transaction metadata processed securely by our payment processors (we do not store full card numbers on our servers).
- Fraud-Prevention & Security Data: Risk signals, abuse indicators, anti-spam/anti-fraud checks, server and firewall logs.
We do not collect special categories of personal data (e.g., health, religion, political opinions) or sensitive personal information as defined by CCPA/CPRA, except where strictly necessary and permitted by law.
4. How We Obtain Data
We collect personal data in the following ways:
- Directly from You: When you browse the Site, create an account, place an order, contact support, join our Discord, or subscribe to our newsletter.
- Automatically: Through cookies, pixels, server logs, session replay/heatmaps, and similar technologies (see Section 6).
- From Third Parties: From service providers/partners, including payment processors (e.g., Stripe, Plisio), analytics providers (e.g., Google Analytics, Microsoft Clarity), advertising networks, anti-fraud tools, and email/marketing platforms (e.g., SendPulse).
5. Why We Use Your Data (Purposes & Legal Bases)
We process personal data for the following purposes, with corresponding legal bases under GDPR/UK GDPR:
| Purpose | Examples | Legal Basis |
|---|---|---|
| Provide and operate the Site & services | Account creation, order processing, customer support, Discord interactions | Art. 6(1)(b) GDPR (performance of a contract) |
| Payments and billing | Process transactions, issue invoices, handle refunds/chargebacks | Art. 6(1)(b) (contract); Art. 6(1)(c) (legal obligations) |
| Security & fraud prevention | Detect/prevent abuse, secure our infrastructure, monitor for risks | Art. 6(1)(f) (legitimate interests); Art. 6(1)(c) (legal obligations) |
| Analytics & service improvement | Measure performance, debug issues, conduct UX research | Art. 6(1)(a) (consent, where required); otherwise Art. 6(1)(f) (legitimate interests) |
| Marketing & personalization | Deliver ads, remarketing, send email updates (where permitted) | Art. 6(1)(a) (consent); Art. 6(1)(f) (legitimate interests, for non-EU/UK users where applicable) |
| Compliance & record-keeping | Maintain tax/financial records, respond to legal claims | Art. 6(1)(c) (legal obligations); Art. 6(1)(f) (legitimate interests) |
For processing based on consent, you can withdraw it at any time via the Cookie Settings link or by contacting us. For legitimate interests, we conduct balancing assessments to ensure your rights are protected; a summary is available on request. For EU/UK marketing, we comply with ePrivacy Directive/PECR (e.g., soft opt-in for existing customers).
6. Cookies, Analytics, Advertising & Session Replay
We use cookies and similar technologies (e.g., pixels, tags) to operate the Site, enhance user experience, analyze performance, and deliver personalized marketing.
- Consent Management: We use CookieScript to manage cookie preferences. You can adjust your choices anytime via the Cookie Settings link in the Site’s footer.
- Analytics & Session Replay: Tools like Google Analytics 4 and Microsoft Clarity (for session replay/heatmaps) collect data on Site usage to improve functionality and user experience. These use first- and third-party cookies.
- Advertising/Remarketing: We may use platforms like Google Ads, Microsoft Advertising, or Meta to deliver targeted ads, deploying cookies/pixels for campaign measurement and personalization (only with your consent where required).
- Control Options: You can manage cookies via browser settings, but disabling some cookies may affect Site functionality.
7. Disclosures (Processors) & International Transfers
We share personal data with trusted third parties under strict data protection agreements:
- Service Providers/Processors:
  - Hosting & Security: Cloudflare (CDN, DDoS protection).
  - Analytics & Session Replay: Google Analytics 4, Microsoft Clarity.
  - Payments: Stripe (credit/debit cards), Plisio (cryptocurrency).
  - Email & Marketing: SendPulse (newsletters, promotional emails).
  - Support & Communication: Crisp (live chat, support desk), Discord (user-initiated interactions).
- Advertising Partners: Only with your consent (where required) for ad measurement and targeting.
- Legal Authorities: When required by law or to protect our rights, users, or others (e.g., fraud investigations).
International Transfers: Your data may be transferred to countries outside your jurisdiction, including the United States, which may not have equivalent data protection laws. For EU/UK data, we rely on:
- The EU-US Data Privacy Framework (DPF), where applicable (we are in the process of certifying).
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures (e.g., encryption, pseudonymization) and organizational safeguards (e.g., access controls, audits).
- UK International Data Transfer Agreements (IDTA) for UK data.
Details or copies of these safeguards are available by contacting [email protected].
8. Data Retention
We retain personal data only as long as necessary for the purposes outlined, unless a longer period is required by law:
- Accounts & Orders: Up to 5 years after account inactivity or order completion (or longer for tax/accounting compliance).
- Support Tickets & Communications: Up to 5 years after resolution.
- Analytics & Logs: 3–24 months (raw logs shorter; aggregated, anonymized data may be kept longer).
- Marketing Data: Until you withdraw consent or opt out (minimal suppression records retained to honor opt-outs).
Post-retention, we securely delete or anonymize data using industry-standard methods.
9. Newsletter & Marketing Communications
We use SendPulse to send newsletters and promotional emails to subscribers who have opted in. You can unsubscribe at any time via:
- The unsubscribe link in any email.
- Your profile/preferences at https://expcarry.com/newsletter.
Unsubscribing from marketing emails does not affect transactional/service emails (e.g., order confirmations).
10. Your Rights
Depending on your location, you may have the following rights under GDPR, UK GDPR, CCPA/CPRA, or other laws:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data (subject to legal exceptions).
- Restriction: Limit how we process your data.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing (e.g., for direct marketing or legitimate interests).
- Withdraw Consent: Revoke consent at any time (without affecting prior processing).
- Lodge a Complaint: Contact a supervisory authority (e.g., in the EEA/UK).
To exercise these rights, email [email protected]. We may verify your identity to protect your data. Responses will be provided within legal timeframes (e.g., 30 days under GDPR/CCPA).
11. California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the CCPA/CPRA:
- Right to Know: Access details about the personal information we collect, use, or disclose.
- Right to Delete: Request deletion of your personal information (subject to exceptions).
- Right to Correct: Correct inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of personal information for cross-context behavioral advertising (e.g., targeted ads). Use the Cookie Settings link or contact us.
- Non-Discrimination: We will not discriminate against you for exercising these rights.
We do not use or disclose sensitive personal information (as defined by CPRA) for purposes beyond those permitted by law. To submit a request, contact [email protected].
12. Children’s Privacy
Our services are not directed to children under 13 (US) or 16 (EEA/UK for information society services). We do not knowingly collect personal data from children in these age groups without verifiable parental consent. If we learn such data has been collected, we will:
- Delete it promptly.
- Notify the parent/guardian (where applicable).
If you believe a child has provided data, contact us at [email protected].
13. Security
We implement robust technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest (where applicable).
- Network and application security (e.g., firewalls, intrusion detection).
- Strict access controls and employee training.
- Regular backups and security audits.
While we strive to ensure security, no method is 100% secure. We notify users and authorities of data breaches as required by law.
14. Changes to This Policy
We may update this Policy to reflect legal, technical, or business changes. The “Last updated” date indicates the latest revision. Material changes will be communicated via:
- A notice on the Site.
- Email notification (where appropriate).
Continued use of the Site after changes constitutes acceptance of the updated Policy.
15. Contact
Data Controller: ExpCarry LLC
Email: [email protected]
Mailing Address: c/o Northwest Registered Agent Service, Inc., 8 The Green, Ste B, Dover, DE 19901, USA
Discord Support: https://discord.com/invite/expcarry
For EU/UK-specific inquiries, contact [email protected] until our representatives are appointed.