Privacy Policy
Privacy Policy
Last updated:

1. Introduction

SpaceCloud (hereinafter referred to as the "Company") operates the SpaceCloud service (hereinafter referred to as the "Service").

  • For UK Residents: This policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The data controller is SpaceCloud UK.
  • For Ireland and EU Residents: This policy is governed by the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018. The data controller is SpaceCloud UK.

The Company is committed to protecting users’ personal data in an effective and transparent manner.

2. Definitions

The following key terms are defined as used in this Privacy Policy.

Terms not specifically defined herein shall have the meanings given to them in the Terms and Conditions of Service.

  • Personal Data: “Personal Data” refers to any information relating to an identified or identifiable individual (“data subject”) as defined under the UK GDPR and EU GDPR. This may include, but is not limited to, name, email address, phone number, IP address, and location data.
  • Service: “Service” refers to all features and systems provided by the “Company” via its website, mobile application, and other online platforms that enable users to list and book spaces. The Service includes additional functions such as space search, booking, payment, reviews, messaging, and customer support.
  • User: “User” refers to any person who accesses or uses the Service provided by the “Company”, including both registered and unregistered users.
  • Member: “Member” means any individual or organisation that has registered to use the Service by following the “Company”’s designated procedures and agreeing to the applicable terms. Members are categorised as follows:
    • Guest Member: A “Guest Member” is an individual or entity who completes registration and agrees to the terms to search for, book, and use spaces via the Service.
    • Host Member: A “Host Member” is a Guest Member who, upon agreeing to the host terms through the “Company”’s designated procedures, registers a space and uses the Service to offer it for rental. Host Members retain all Guest Member rights but also bear additional responsibilities such as providing operational details, registering settlement accounts, and complying with applicable policies.
  • Visitor: A “Visitor” refers to a person who uses certain features of the Service (e.g. browsing available spaces) without registering as a Member.
  • Third Party: A “Third Party” refers to any individual, company, or organisation that receives personal data but is neither the Company nor the data subject.

3. Collecting Personal Information

The Company collects and manages users’ personal information in accordance with the following principles. We adhere to the principle of data minimization, collecting only the data that is necessary for the stated purposes. The Company complies with the specific requirements of both UK and Irish data protection laws regarding the collection of sensitive information.

3-1. Information That You Give Us

For Guests:

  • Account Information: Name, date of birth(for age verification; information will be deleted once the purpose has been fulfilled), email address, phone number (including country code), etc.
  • Booking Information: The name, email address, and contact information of the booker designated by the guest member, as well as the reservation date and time, number of attendees, purpose of use, payment method, and amount, etc.
  • Communication Records: Inbox messages, email inquiries, and related communication records.
  • Payment Information: Credit/Debit card number, card issuer, expiry date, etc., are collected directly by payment processors such as Stripe. The Company does not access this information. Payment-related information is managed in accordance with Stripe’s Privacy Policy.

For Hosts:

  • Verification and Payout Information: Personal and business verification details required for Stripe Connect integration, including name, date of birth, address, business information, and bank account details, are collected and managed directly by Stripe. The Company either does not access or has limited access to this information. Stripe’s policy is outlined in its Privacy Policy.
  • Tax and Regulatory Reporting Information (UK Platform Reporting Rules/DAC7): In accordance with UK (Model Reporting Rules for Digital Platforms) and EU (DAC7) tax regulations, the Company is required to collect and report certain information to tax authorities (HMRC in the UK, Revenue Commissioners in Ireland). This includes, but is not limited to:
    • For Individual Hosts: Full name, primary address, Date of Birth, and Tax Identification Number (TIN) (e.g., National Insurance Number in the UK, PPSN in Ireland) with country of Issuance
    • For Business Hosts: Registered business name, business address, Tax Identification Number (TIN) / VAT registration number, and Business Registration Number.
  • Contact Information: Email address, phone number.
  • Space Information: Address and detailed information, and high-resolution images of the registered space.
  • Booking Information: Date and time of bookings and contact details (name, email, phone number) provided at the time of booking.

3-2. Information That You Choose to Give Us

This refers to any additional information that you voluntarily provide while using the service.

  • Additional information provided during sign-up:
    • Gender, profile image, etc.
  • Additional details entered during booking:
    • Specific requests or requirements related to the space.
  • Activities during service use:
    • Reviews and feedback
    • Survey responses
    • Prize delivery information for event participation
  • Activities during space registration:
    • Additional information about the space provided by the host

3-3. Information That We Automatically Collect from Your Use of Our Platform

The company automatically collects certain information when you use our website, mobile app, or interact with our emails. This information is used to operate, maintain, and improve our services. It includes:

  • Information necessary for service operation:
    • IP address
    • Cookies
    • Date and time of access
    • Records of misuse or unauthorised activity
    • Device information (e.g. PC, mobile device, browser type)
  • Precise Location Data: With your explicit consent (e.g., via mobile device settings), we may collect precise location data through GPS, Wi-Fi, or Bluetooth to provide location-based services, such as suggesting nearby spaces or providing directions. You may enable or disable this collection at any time through your device or app settings.
  • Transaction and Financial Records (for Tax & Payout):

    The following information is automatically generated and recorded through your use of the Service:

    • Booking & Payment History: Reservation numbers, payment amounts, and payment methods.
    • Host Revenue Data (UK Platform Reporting Rules/DAC7): Total consideration paid to the host, fees or taxes withheld by the platform, and quarterly earnings statistics required for mandatory reporting to tax authorities (HMRC in the UK and Revenue Commissioners in Ireland).

3-4. Information That We Collect from Third Parties

The company may collect personal information about you from third-party platforms and partners. This includes the following:

  • Third-party Account Linking

    If you choose to sign in or use our services through third-party accounts such as Google, Apple, or Facebook, we may collect information that those platforms provide (e.g. your name, email address, profile picture, etc.). This collection is based on your explicit consent or the act of linking your account. You may unlink your account at any time through your account settings.

  • Social Media Platforms

    If you share content or use integration features via social media platforms such as Facebook, Instagram, or X (formerly Twitter), we may receive certain information from these platforms. The information we receive is subject to the privacy policies of the respective services and is processed only to the extent necessary.

    We do not control how social media platforms collect or use your data. You are encouraged to review their privacy policies individually.

  • Online Advertising Platforms

    We may use online advertising networks, such as Google Ads or Meta Ads, to run search keyword ads, remarketing, or targeted campaigns. Advertising partners may collect or process non-identifiable data, such as website visits, behavioural patterns, or browser information, to deliver interest-based advertisements.

    The collection and processing of this data are governed by the privacy policies of the respective advertising platforms. You can manage personalised advertising preferences via your browser settings or the advertising platform's settings.

4. Legal Basis for Processing Personal Data

The company processes personal data based on the following legal grounds, providing this information in accordance with Article 6 of the UK GDPR and EU GDPR:

  • Contractual necessity: Processing is required to fulfil the contract with the user, including bookings, payments, and provision of spaces.
  • Legal obligation: We process data to comply with statutory obligations under laws such as tax, accounting, and auditing regulations applicable in the United Kingdom and Ireland.
  • Consent: Where explicit consent is given—for example, for marketing purposes—we will process personal data accordingly. Users may withdraw consent at any time, although this may limit access to certain services.
  • Legitimate interests: We process data to pursue legitimate interests such as fraud prevention, service improvement, and enhanced security, provided these interests do not override the user’s rights and freedoms.
  • Public interest: Data may be processed to cooperate with public authorities or for compliance with legal obligations in the public interest (e.g., tax investigations or law enforcement requests).
  • Vital interests: In emergency situations, data may be processed to protect someone’s life or physical safety.

5. Purposes for Which Personal Data Is Used

The company collects and processes only the minimum amount of personal data necessary for the following purposes, based on one or more of the legal grounds listed above:

  • Provision of services and fulfilment of contractual obligations
  • Customer support and dispute resolution
  • Compliance with legal and regulatory obligations
  • Delivery of marketing communications, promotions, and newsletters
  • Service improvement and data analytics to enhance user experience

6. Retention Period for Personal Data

The Company retains personal data only for as long as necessary to fulfil the purposes for which it was collected. Once these purposes have been achieved, data is securely deleted or anonymised without undue delay. However, data may be retained for a longer period under the following circumstances:

  • Data required to be retained under applicable laws:
    • Data will be kept for the period specified by relevant laws and regulations, such as the UK E-commerce Regulations, the Irish Statute of Limitations, and applicable tax/accounting laws in both the United Kingdom and Ireland.
  • Data retained for dispute resolution, fraud prevention, or service usage records:
    • Contract, payment, and billing-related records: Up to 7 years (to comply with statutory limitation periods and tax audit requirements in the UK and Ireland).
    • Login and access records: Up to 6 months (unless required longer for security investigations).
    • Communication records (inquiries, disputes): Up to 5 years from the date of resolution.
  • Anonymised data:
    • Once the original purpose is achieved, certain data may be anonymised (so it is no longer identifiable) and retained for statistical analysis, research, or service improvement.
    • Anonymised data may be kept without a specific retention limit.
    • The Company regularly reviews the necessity of retaining personal data and securely disposes of any data deemed no longer necessary or for which the legal retention period has expired.

7. Disclosure of Personal Information & Use of Third-Party Services

The Company works with reliable third-party service providers to deliver its services, and personal data may be shared in accordance with applicable laws and contractual obligations.

  • Minimum Disclosure: Personal data is disclosed to third parties only to the minimum extent necessary for service delivery. All vendors and partners are contractually obligated to implement adequate technical and organisational data protection safeguards.
  • Processing of External SDKs and Advertising Identifiers: To optimise app analysis and marketing, the Company utilises external analytical tools, including the Meta (Facebook) SDK. In this process, direct personal identifiers such as names or contact details are not shared. However, data that may identify a device—such as online identifiers (ADID/IDFA), IP addresses, and in-app activity records—may be transmitted. Users may manage these settings through their device settings or cookie banners.
  • Third-Party Responsibility: For services such as payments via Stripe, their own privacy policies and terms of service will apply. Specifically, for users in Ireland and the EU, payment services are provided by Stripe Payments Europe, Ltd. The Company’s Privacy Policy does not apply to any third-party websites, applications, or services linked from the Service that are not operated by the Company. Users are responsible for reviewing these third-party policies, and the Company is not liable for how such platforms process data within their own systems.
  • Notification of Changes: When significant changes are made to third-party service providers, the Company will provide advance notice and update this Privacy Policy accordingly.
Service ProviderService EntrustedData Items ProvidedPeriod of Retention and Use
Google WorkspaceProvision of hosting and email delivery servicesEmail address, service usage records5 years (or until the purpose is achieved)
Google MapsProvision of map services and location information displayLocation data, IP addressUntil termination of host's use or contract
StripePayment processing, settlement, and fraud preventionPayment method information, transaction amount, email addressFor the duration of service use and in accordance with Stripe's policy
TwilioSMS authentication and notification deliveryMobile phone numberUntil the purpose of authentication and notification is achieved
Meta (Facebook)Optimisation of ad targeting and performance measurementDevice identifiers (ADID/IDFA), app visit and activity data, IP addressIn accordance with Meta's Privacy Policy
Google (GA4)Service usage analysis and statistics (via SDK)Cookie ID, device information, page navigation pathsIn accordance with Google's policy and configured retention periods

8. Disclosure of Personal Data and In-Platform Information Sharing

  • Publicly Visible Information: Information voluntarily disclosed by users (e.g. reviews, ratings, and profile details) may be made publicly available through the platform and may also be indexed by external search engines. Such information may remain visible for a certain period even after account deletion or a removal request. However, the Company will honor deletion requests within a reasonable scope upon user request (Contact: office@spacecloud.city).
  • Caution on Voluntary Disclosure: Users are advised to exercise caution when disclosing personal information in publicly visible areas and must be aware that such information may be accessible to an unspecified number of individuals.
  • Prior Consent & Legal Exceptions: The Company does not share personal data externally without prior user consent, except where required by law or in response to legitimate requests by public authorities (e.g., courts, investigative authorities, or administrative orders).
  • Optional Information Visibility: For convenience and improved user experience, optional information provided by users (such as profile details or preferences) may be made visible within the service. Users are encouraged to verify and manage any such disclosure through their account settings beforehand.
  • In-Platform Information Sharing: Due to the nature of the Service, certain personal data is shared between the parties involved in a transaction at the time of booking to ensure smooth service delivery.

Management of third-party data sharing and processing

Examples of Third-Party DisclosuresUser Information Disclosed Within the Service
Requests from courts, investigative authorities, or through administrative ordersReviews and ratings submitted by guests with their consent- Space information provided by the host

Management of Information Exchanged Between Users

RecipientInformation ProvidedPurpose of DisclosureRetention Period
SpaceCloud HostBooker’s name, contact details, email address, and partial payment informationBooking guidance, entry instructions, refund processing, and dispute resolution (e.g. damage claims)14 days after completion of use or 1 day after cancellation
SpaceCloud GuestHost’s name, contact details, space address, and email addressUsing the space, receiving instructions, and post-use inquiries (e.g. lost and found)7 days after completion of use or 1 day after cancellation
  • Limitation of Liability for Member Misconduct: If a “Guest Member” or “Host Member” discloses or misuses another “Member”’s personal data in violation of relevant laws or this Policy, despite the Company having exercised due care and implemented reasonable technical and organisational measures, the Company shall not be held liable for such breach to the maximum extent permitted by law.

9. International Data Transfers

SpaceCloud is headquartered in South Korea and operates services globally, including in the United Kingdom and Ireland. Your personal data may be transferred to, accessed from, or processed in countries outside your country of residence—specifically to our servers in South Korea and to third-party service providers in other jurisdictions—in order to deliver our services.

  • Data Safeguards: The Company takes all necessary measures to ensure an adequate level of data protection in accordance with Articles 44 to 50 of both the UK GDPR and the EU GDPR. All vendors and partners are contractually obligated to implement adequate technical and organisational data protection safeguards to prevent unauthorised access, loss, or misuse of your information.
  • Transfer Mechanisms: For transfers between the UK, Ireland (EEA), and other jurisdictions, SpaceCloud ensures a level of protection equivalent to that of the UK/EU GDPR through the following mechanisms:
    • Adequacy Decisions: We rely on official adequacy decisions where the UK and EU have recognised certain countries—including South Korea—as providing a level of data protection essentially equivalent to their own.
    • Standard Contractual Clauses (SCCs) & UK Addendum: For transfers to countries or organisations without an adequacy decision, the Company implements the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (or IDTA) to protect your rights and personal data.
  • Legal Compliance: Although the legal frameworks of some countries may differ from your own, SpaceCloud implements these appropriate safeguards to ensure your data receives a level of protection equivalent to that within the UK/EEA.

10. Google Maps

The Company uses Google Maps API to provide location-related services (such as space search and address verification). By using these features, you acknowledge that your information (including IP address and location data) may be transmitted to and processed by Google. Please note that Google’s own Terms of Service and Privacy Policy apply to the use of these services.

11. Protecting Your Personal Information

The Company implements a range of appropriate technical and organisational measures to prevent unauthorised access, data leakage, loss, or damage to your personal information in accordance with Article 32 of the UK/EU GDPR. However, please be aware that no method of data transmission over the internet or electronic storage is 100% secure, and users should take appropriate precautions (e.g., managing their passwords).

  • Organisational safeguards: Internal data protection policies, regular staff training, and a designated data protection officer (DPO) or team.
  • Technical safeguards: Access control systems for personal data, encryption of data in transit and at rest (SSL/TLS), and the use of advanced security software.
  • Physical safeguards: Use of secure cloud infrastructure (e.g. AWS, Google Cloud) and restricted access to physical server locations or sensitive information.
  • Data Breach Notification: In the event of a significant personal data breach that is likely to result in a high risk to your rights and freedoms, the Company will notify you and the relevant supervisory authority (ICO/DPC) without undue delay in accordance with applicable laws.

12. Your Rights

You have several rights regarding your personal data under the UK GDPR and EU GDPR. You may exercise these rights by submitting a request via the Company’s official email (office@spacecloud.city). All requests will be handled within the timeframe required by applicable law (typically within one month).

  • Right of Access: You have the right to request a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Right to Rectification: You can request the correction of inaccurate or incomplete personal data that we hold about you.
  • Right to Erasure (Right to be Forgotten): You may ask us to delete or remove personal data where there is no good reason for us to continue processing it.
  • Right to Object: You have the right to object to the processing of your personal data where we are relying on a legitimate interest or using it for direct marketing purposes.
  • Right to Restrict Processing: You can request that we suspend the processing of your personal data in certain scenarios, such as wanting us to establish its accuracy.
  • Right to Data Portability: You may request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.
  • Right to Withdraw Consent: Where our processing is based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
  • Right to Lodge a Complaint: You have the right to make a complaint at any time to the relevant supervisory authority:
    • In the United Kingdom: The Information Commissioner’s Office (ICO) (www.ico.org.uk).
    • In Ireland and the EU: The Data Protection Commission (DPC) of Ireland (www.dataprotection.ie) or your local data protection authority.
    • EU Representative: Where required under Article 27 of the EU GDPR, the Company shall appoint an EU Representative to act as contact point for EU-based members and supervisory authorities.

13. Third Party Websites

The SpaceCloud platform may contain links to third-party websites, plug-ins, or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. The Company does not control these third-party websites and is not responsible for their privacy statements or practices. When you leave our Service, we encourage you to read the privacy policy of every website you visit.

14. Cookies and Similar Technologies

The Company uses cookies and similar tracking technologies (such as web beacons and pixels) to improve website functionality, provide personalised content, and analyse advertising effectiveness.

  • Legal Compliance: For users in the United Kingdom, we comply with the Privacy and Electronic Communications Regulations (PECR). For users in Ireland and the EU, we comply with the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.
  • Cookie Consent: We will obtain your explicit consent for the use of non-essential cookies (such as marketing or analytics cookies) where required by law.
  • Managing Cookies: You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this Service may become inaccessible or not function properly.

15. Children’s Privacy

This Service is intended for users aged 18 and over. The Company does not knowingly collect or process personal data from children under the age of 18. If we learn that we have inadvertently collected personal data from a child without verifiable parental consent, we will take steps to delete that information from our records as soon as possible. If you believe that we might have any information from or about a child, please contact us at office@spacecloud.city.

16. Regulatory Registration

  • United Kingdom: Registered with the ICO (Registration Number: ZB961924).
  • Ireland: We comply with the registration and notification requirements of the Irish Data Protection Commission where applicable.

17. Amendments

This Privacy Policy is effective from 11 March 2026. Any changes to this policy will be made in accordance with the notification procedures set forth in the Service Terms and Conditions.

  • Notice Period: Any material changes will be notified at least 7 days in advance.
  • Significant Changes: For amendments that significantly change the purpose of data processing or involve third-party sharing that may affect your rights, we may provide a longer notice period (e.g., 30 days) and will seek your explicit consent where required by law.
  • Acceptance: Your continued use of the Service following the notification period constitutes your acknowledgment of the updated Privacy Policy.

18. Contact

UK, Ireland/EU Data Protection Team Email: office@spacecloud.city

Last updated: 11 March 2026