SpaceOS Compliance Summary

Owned by Alex Do (Unlicensed)
Aug 17, 2023
2 min read

This document outlines key data practices within spaceOS. It addresses how spaceOS manages user data, providing insights into processes such as data anonymization, user deactivation and deletion, and payment processing.

Being GDPR compliant is important to our organization and our application is designed to be fully GDPR compliant.

Data Collection for Events

For events, spaceOS collects users' first and last names, and company names. Dietary data or other personal information is not collected, though agreement consent is necessary to join an event.

Event Data Deletion

Event data is not automatically deleted in spaceOS. Instead, a soft-delete mechanism is in place which retains the data in the database after manual deletion. This deleted data is then invisible and inaccessible to users. We can also remove the data about the events on a specific

IP Address and Location Data Collection

IP addresses are stored in several places in the system, including logs, the Analytics module, the Authentication module, and Google Analytics. The most recent IP address is visible in the admin panels for security purposes, such as identifying suspicious logins. However, no location data is stored by spaceOS, and users are free to use VPN connections if they have privacy concerns.

Guests

Guests do not need to register for the app. Instead, they are sent an email invite with either a QR code or a link for their building meeting. Guest names, surnames, and emails are not deleted, allowing for easy re-invitation.

User Counting

Both active and deleted users are included in analytics counts, but there's no in-app analytics breakdown available. We see only the number of users (active and deleted) but we don't see the details about them (name, email, etc.)

Payment Processing

All payments are processed through Stripe. SpaceOS does not handle sensitive payment data and has no access to it.

Marketplace Data Access

Global Admins and Location Admins cannot see data relating to Marketplace transactions between vendors and users unless they sell the items themselves. They can only access a vendor's shop or Stripe account if the vendor shares the credentials with them.

Tenant Level Tools Access

For tenant-level news and events, Global Admins and Location Admins do not have access or control. However, they do have access and data control for tenant inventory and member groups.

Data Provided by External Users

External users booking via the external booking flow need to provide their first and last names, email addresses, and, if a business invoice is needed, company legal name, VAT, and credit card details. These users are not automatically removed from the platform once their booking ends.

User Profile Data Deletion

When off-boarding is enabled, users are soft-deleted from the system after a set number of months, during which time they are deactivated. The users remain in the database and backups, but they are not visible to users or admins. We can delete user data on the user’s request anytime.

Data Storage Duration

Backups are kept for 1 year, logs are accessible for 3 months and archived for 1 year, and User Engagement Analytics data is kept for 3 months.