PRIVACY POLICY

Spaceflow transforms physical buildings into a human experience, making amenities, services and community life available right in the palm of your hand. Spaceflow changes the way people connect with the spaces around them and with each other – making life more convenient and enjoyable.

Definitions

GDPR means General Data Protection Regulation (EU) No. 2016/679;

Personal data means any information relating to an identified or identifiable natural person;

All definitions used in the Terms of Use are also used in these Privacy terms unless it is stated something explicitly different.

What data is collected?

In order to provide “You” (as the User of our services especially the App, or the visitor of the building in case any User uses the Visitor System) and the “SF Manager” (entity which use the App with respect to the specific real-estate project – operation of the Profile) with an essential App functionality under the Terms of Use we, Spaceflow, collect through your App-Usage following personal data:

Minimal viewed data Basic data for App (or its services) to work for any user: Optional data (voluntarily inserted) Social Content
Name/Surname Name (Name of the Merchant), Surname Bio (“description” in case of the Merchant) Reservations, communications etc. by a particular User
E-mail E-mail Telephone (in case of the User)
Telephone (compulsory in case of the Merchant, in case of the User compulsory for verification while registering the Account unless Facebook login used) Image (in case of the User)
Phone operating system & brand Employer
Facebook credentials (ID user and Email stored in the phone) Time of the meeting with the visitor /User, place of the meeting with the visitor /User (in case of the Visitor System)
Phone language
Privacy settings
Notification token
Geolocation (not stored)
Password (not access to it) / access code to the building
Image (in case of the Merchant)
History of purchased Events (date, Event name, Price)
History of purchased Amenities (date, duration, Amenity name, Price)

The data specified above is jointly referred to as the "User data". The App does not allow performing any personalized analysis of your behavior or profiling based on the User data.

Other specific data are processed for web admin page and for online payment mechanism within the App:

Payment data (Stripe payment service)
Cardholder data (like Credit Card Numbers, CVC codes, expiry dates etc.). Spaceflow does not have access to such data (except for the last 4 digits of the card number, expiry data and Cardholder name) and they are securely processed by a payment platform which acts as a sub-processor – Stripe Technology Europe, Limited. Cardholder Data (including, but not limited to, credit card numbers, CVC codes, and expiry dates) are not accessed by Spaceflow (with the exception of the last four digits of the card number, the expiry date, and the Cardholder's name). Such data is securely processed by a dedicated payment platform, Stripe Technology Europe, Limited, which operates as a sub-processor in this context.
Facebook SDK data (SDK data)
Explicit events, Implicit events, Automatically logged events, Facebook app ID, Mobile advertiser ID, Metadata from the requests, the following device related metrics: time zone, device OS, device model, carrier, screen size, processor cores, total disk space, remaining disk space. The SDK data is described more in detail in the . (https://developers.facebook.com/terms/)
Pendo.io, Inc.
Gathering user behaviour data, providing and collecting customer satisfaction, providing interactive tutorials and announcements. This includes, but is not limited to, the user's unique identifier (user-ID), data concerning the user's interaction and behaviour within the service, and any responses provided by the user in connection with customer satisfaction surveys (such as Net Promoter Score - NPS). Where the user voluntarily provides feedback, the collected data may include all responses and any personally identifiable information (PII) contained therein, provided and limited to the information voluntarily submitted by the user.
Luzmo
For the purpose of furnishing interactive customer dashboards and providing insightful analytics, we transmit certain aggregated and aggregated and pseudonymized analytical data to our third-party data visualization and business intelligence provider, Luzmo. Furthermore, and strictly for the functional enablement of said dashboards, this process necessitates the transmission of User Identifiers (IDs) pertaining exclusively to those users who have actively accessed or interacted with these dedicated dashboard features. Access to these interactive dashboards is strictly limited to Users with a 'Manager' role within Spaceflow platform; consequently, data processing under this section does not encompass the personal data or User Identifiers of general 'End-Users' of Spaceflow service. This processing activity is undertaken pursuant to our legitimate interest in service optimization and customer reporting, and is governed by a data processing agreement ensuring compliance with applicable data protection regulations.
Sentry.io
The processing activities associated with Service monitoring and error reporting are strictly limited to the transmission and analysis of technical telemetry data for error tracking. We configure our Sentry integration to minimize PII collection, focusing on diagnostic data to improve App stability. 
Cookiebot
For the purposes of managing and documenting user consent preferences regarding the use of cookies and similar tracking technologies, we utilize "Cookiebot" (by Usercentrics A/S) as our designated Consent Management Platform (CMP). This includes the lawful collection, processing, and storage of consent related data in accordance with applicable data protection regulations. .

Who can see my profile?

If your Account is in private regime, the Optional data and your Account is not seen within a particular Profile by anyone except the SF Manager and Spaceflow through the web admin page to the extent of your Minimal viewed data and if you post anything, your post is visible to anyone in the particular Profile (in case of ticket request the SF Manager upon its decision can see your cell phone number). The Merchant cannot see in the web admin page anything about you except its published information (e.g. advertisements).

If your Account is in a public regime, your Account can be viewed also by other Users connected to the same Profile and in such Profile to the extent of your Minimal viewed data, the Optional data and the Social content you published.

Who is controller and processor?

Spaceflow provides some of the data above to the SF Manager who processes this data for its own purposes. Please find below an overview of who is the controller for which processing activities:

Personal data Controller Processor
Basic data (user inserts the data) Spaceflow
Basic data (except of history of purchased Events and history of purchased Amenities) Optional data Social content (user inserts the data) Spaceflow
History of purchased Services (Events, Amenities) SF Manager / Merchant Spaceflow
Minimal viewed data Optional data Social content (if applicable) (the SF Manager receives through the App) SF Manager Spaceflow
Optional data (Inserted by the User himself about another user, or – in case of the Visitor System – about the visitor) User (if applicable) Spaceflow
Payment data Spaceflow Spaceflow
Experience data Spaceflow 
SDK data Spaceflow 

If You provide (as the Merchant or any Building user) the Basic data/Optional data of another natural person (e.g. sub-contractor or employee), You are considered to be a controller with full liability and Spaceflow is a processor.

What Spaceflow does with the User data and Optional data, Experience data and Payment data

1. App functionality

We, Spaceflow, use the User data and SDK data in the App in order to make the App work under the Terms of Use, i.e. to provide all Users of the App their connection with their Account and to join the Profiles, and to connect the Users, the Merchants and the SF Managers in the social environment of the Profiles. Thus, processing the User data for this purpose is necessary in order to perform a contract with you.

For this purpose, your data will be stored until the Account is deactivated.

2. Improvement of the App and SF Managers’ experience

In addition to the purpose described above, we, Spaceflow, may use the User data (which are for these purposes used in anonymized form and therefore not considered to be personal data under the GDPR) based on the basis of our legitimate interest in further development of the App, more specifically:
to improve, test, and monitor the effectiveness of the App with respect to the current functionalities in the Profiles (e.g. workload of hardware if certain amount traffic is reached, modify user experience in order to provide more comfort and intuitive use of the App, change of the App’s configuration if any);
to develop and test new features (including their improvement, e.g. future internal market, different method of sharing economy implemented within the building profile, incentivize a cooperation of building users,) of the App;
to monitor metrics such as total number of visitors, traffic (e.g. how much users sign into the App during day, what are the main activities they do in the app, the workload of the App during the day);
to diagnose or fix problems with the use of the App (e.g. if the App does not work properly with a specific device operating system, if it crashes due to noncompliance with other technical parameters of the device);
to automatically update the App on your device (if Spaceflow comes with any new functionality of feature we do so through the App update);
We, Spaceflow, process the Experience data in order to provide effective onboarding process for new App-users, to facilitate early adoption of new App features, to enable better user – experience through App-user feedback/surveys, campaigns and Users’ self-service support, as a result to make experience with the App deeper. Social content posted within the Profile stays in the Profile communication history until it is outdated (in case of created events) or deleted by you (if you are an author). All other data (communication) will be stored for the purposes above for the life of the Profile.

3. Operation of payment mechanism

The App enables an online payment mechanism for amenities and services. Spaceflow uses Stripe Technology Europe, Limited ("Stripe") as our payment processing partner.

Processing: Spaceflow processes Payment data based on the performance of a contract.

Security: Spaceflow does not have access to full cardholder data (PAN) or CVC codes. These are securely processed directly by Stripe. We only retain the last 4 digits, expiry date, and cardholder name for user identification purposes.

Fraud Detection: To prevent fraud and manage risk, we share specific data with Stripe (including device identifiers, location data, and transaction history). In this capacity, Stripe may act as a Data Controller to detect and block fraudulent transactions using their global network insights.

Recurring Billing: If you subscribe to a recurring service, Stripe will securely store a payment token to authorize future charges in accordance with your subscription terms.

Retention: Payment transaction records are retained by Stripe for 10 years to comply with legal and tax obligations in Ireland and other applicable jurisdictions.

4. Facebook SDK login and integration

We process SDK data to allow you to log to the App via Facebook, based on the legitimate interest under point 2 above.

Based on this information we may use this SDK data to create a list of Custom Audiences to promote our core product, the App, to search for potential customers and users with shared qualities (Lookalike Audience).  We do so on the basis of your granted consent.

5. Recipients

Spaceflow uses the following processors:

  • Google Ireland Limited (Cloud Service Provider, providing “platform as a service” services e.g. environment, computing capabilities, for more information see: here), the App runs on the Google Cloud Platform;
  • Bird Global / MessageBird (formerly SparkPost), (email service – sending emails from the App). For more information see: Bird Privacy Policy. The App uses the API to process: 1) Message content, 2) Recipient email address, and 3) Metadata. Bird participates in the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection for data transferred to the US.
  • Stripe Technology Europe, Limited, Ireland , (payment processing payment transactions), for more information see: here, the App uses Stripe services to operate on-line payment mechanism;
  • Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, (link the App with various social media services, mainly login). Further information about Facebook SDK within iOS can be found here. For Android, please here.
  • Functional Software, Inc. d/b/a Sentry, (error reporting and monitoring), for more information see Privacy policy.
  • Pendo.io, Inc. (data analytics, guides, CSAT), for more information see Privacy policy.
  • Luzmo NV (analytics), for more information see Privacy policy.
  • Usercentrics A/S (Cookiebot, cookie management), for more information see Privacy policy.

Furthermore, your data may be disclosed to the following recipients:

  • In case privacy mode is off: App-User joined in same Profile as the User, application portfolio manager, building managers;
  • Courts, Legal representatives and Notaries.

6. International Data Transfers

Some of our external service providers (processors) are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

Adequacy Decisions: The recipient is located in a country deemed to provide an adequate level of protection by the European Commission (e.g., the EU-U.S. Data Privacy Framework); or

Standard Contractual Clauses: We use specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data the same protection it has in Europe.

What the SF manager does with the Minimal viewed data, the Optional data, the history of purchased Services and the Social content

1. Purpose, legal basis and duration of processing

If you are connected to the particular Profile the SF Manager is a controller of the Personal data in your Profile, namely your Minimal viewed data, the Optional data and the Social content (see above). Your profile can be viewed by the SF Manager through the web admin page of the App. SF Manager is entitled to observe and manage the Profile environment to the extent you see. Through the web admin page the SF Manager is entitled to see your Minimal viewed data. SF Manager uses the web admin page to:

  • regulate access control and management of users of the Profile for a particular building;
  • react to various requests/demands and feelings from You;
  • communicate with You directly through various communication activities (questionnaires, posts and notifications regarding functionalities, facilities, etc.);
  • improve the service of buildings operated by the SF Manager; and
  • provide a social place for You to meet and to make the building life more vibrant; and monitor the movement of the other persons inside the building to maintain the security of people and property in the building (in case of the Visitor System).

Processing your Minimal viewed data, the Optional data and the Social content as just described is necessary for the purpose of the legitimate interest of the SF Manager to provide better services in the building to which the building profile in the App is connected, to create a closer connection between the operator of the real-estate project and You (the User/Merchant), to provide unique and vivid experience when your work or use the particular building any other way and make the particular building attractive for current and prospective tenants. Minimal viewed data may be used by the SF Manager in other systems the SF Manager engages in relation with the operation of the building.

Processing your history of purchased Services is necessary for the purpose of the legitimate interest of the SF Manager (or the Merchant) for the establishment, exercise or defense of legal claims and to fulfillment of their duties with respect to tax legislation.

For these purposes, your data is stored until it is outdated (in case of events, history of purchased Services) or deleted by you (if you are an author).

Communication between you and your SF Manager is stored for the life of the Profile.

2. Recipients

SF Manager uses the following processors:

  • IT-Service provider Spaceflow s.r.o. (for the purpose of ensuring the technical functionality and for providing all users of the App their connection with their Account and to join the Profiles);
  • Property-manager (in case they are admins of the particular Profile, if the SF manager provides access to the Profile of the facility/asset);
  • Other services providers (e.g. visitor access systems or other systems facilitating building operation). The App may provide integration with other systems engaged (and contracted) by the SF Manager (the “Integrated third systems”) and reads personal data from Integrated third systems which govern personal data privacy policy independently of the App.

Furthermore, your data may be disclosed to the following recipients:

  • Company’s affiliates (for the purpose of internal audits);
  • In case privacy mode is off: Users joined in the same Profile as you, application portfolio manager, building managers, service providers, admin of Spaceflow (the latter only in case You load data about the building);
  • Courts, Legal Representatives and Notaries.

What are the security measures in place?

The App and the web admin page are used in communication with all users of the App a Transport Layer Security (TLS) encryption technology to encrypt personal information (including geolocation) and maintain by-design security.

If you make a reservation within a particular Profile in the App for a certain service, you will decide whether the App will have access to your calendar application in order to record such reservation.

Spaceflow implements industry-standard technical and organizational measures to protect information in the App against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. Data logs from the App are saved for the purposes of security events and are erased from the App after 90 days.

The Experience data is secured by highest level encryption i) in external traffic in transit (HTTPS/TLS) and ii) at rest (using AES-256 and an automated key rotation system).

The Experience data is retained for the lifetime of the relevant Profile, or until the data is anonymized for statistical purposes.

The Optional data regarding the Visitor system shall be accessible for the SF manager and the User for a 60-day period following the day of the visit.

The Payment data is retained by the payment processor for 10 years, this requires Irish law under which the payment processor operates.

Personal data received from Integrated third systems are retained in the App for the retention periods set by Integrated third systems providers.

If there is a serious suspicion that the particular user breached the Terms of use or committed a fraud and other illegal activity, such log can be accessed, processed and retained for an extended time period when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of the Terms of Use, or otherwise to prevent harm.

Spaceflow, the SF Manager and the Merchant can access the App through web admin page. We do not use any plugins of third parties in our web admin page and the App web admin environment. Spaceflow uses its own analytics tools to monitor metrics and usage trends in the App and such tools collect information sent by your device but are anonymized. Spaceflow works within the App only with anonymized logs of such statistics and then provides results to the SF Manager in the web admin page.

If Information is anonymized (e.g. used anonymized for statistics) so it is no longer reasonably associated with an identified or identifiable natural person, Spaceflow and the SF Manager may use it for any business purpose.

What are your rights and your obligations?

The GDPR grants you a number of rights we will honor:

  • to request access to your Personal data;
  • to request rectification or erasure your Personal data;
  • to request restriction of the processing of your Personal data;
  • to object to the processing of your Personal data;
  • to receive your Personal data, as it was provided by you (data portability).

In case you granted your consent to processing your Personal data, you have to a right to withdraw that consent at any time.

If you wish to exercise any of the rights set out above, please contact the respective controller (see above). You can find the contact details of all controllers at the bottom of this document.

Although Spaceflow and the SF Manager go to great lengths to ensure your data’s confidentiality and integrity, differences in opinion might nevertheless occur from time to time. If you feel that Spaceflow or the SF Manager is not handling your data in line with applicable laws, please do not hesitate to contact us. Alternatively, you are entitled to file a claim with the data protection authority in your country.

Personal Data deletion requests

Your request for deletion (via email: gdpr-request@spaceflow.io) of your personal data shall be executed by Spaceflow without delay (in case e.g. there is no legal title to use your personal data), unless Spaceflow is unable to execute your request in accordance with the applicable regulations.

Changes of Privacy Terms

Spaceflow may modify or update this privacy policy from time to time. Spaceflow may provide you through the App and via e-mail with additional forms of notice of modifications or updates as appropriate under the circumstances.

How can you reach us?

1. Spaceflow

Spaceflow s.r.o.
With its registered office at Americká 415/36, Vinohrady, 120 00 Praha 2,
ID: 05184142
Registered in the Commercial Register kept by the Municipal Court in Prague, Section C, File 259630
Account No.: 275103930/0300
Represented by Lukáš Balík, Executive Director
The representative of Spaceflow: support@spaceflow.io
Data Protection Officer: dpo@spaceflow.io

2. SF Manager

You can also reach the SF Manager in the App help desk for a particular Profile.

Last updated 16 December, 2025