Privacy Policy

[Company Name] ("aboutspace") is the data controller for the personal data we process about hosts and guests using the platform.

Registered office: [Address]. Identifiers: [KvK / VAT number]. Contact: [Contact email].

Account data: name, email address, hashed password, two-factor secret (if enabled), language preference, IP address and user-agent at sign-in.

Listing data: building and space details you publish, photos, availability rules, pricing.

Booking data: reservation requests, confirmations, cancellations, and the conversation thread between host and guest.

Billing data: identifiers and metadata returned by Stripe (subscription state, invoices).

Usage data: timestamps, status changes, error logs, and basic in-app navigation events used for debugging and product improvement.

To deliver the service you've signed up for (contract performance, Art. 6(1)(b) GDPR).

To bill you and meet our tax obligations (legal obligation, Art. 6(1)(c)).

To prevent abuse, fraud, and to keep the service secure (legitimate interests, Art. 6(1)(f)).

To send transactional emails (booking notifications, password resets, billing receipts). We do not send marketing email without your prior opt-in.

We use the following sub-processors. Each has its own privacy commitments and is bound by a Data Processing Agreement with us:

Stripe (Ireland / United States) — payments and tax handling. AWS (Ireland / EU) — application hosting and media storage. Mail provider — transactional email delivery. MongoDB Atlas (EU region) — primary database.

We rely on EU Standard Contractual Clauses for transfers outside the EEA where applicable.

Account data: kept while your account is active and for up to 60 days after closure, then deleted (except where law requires longer retention, e.g. invoices kept for 7 years under Dutch tax law).

Listing and booking data: kept until you delete the listing or close the account; permanently deleted within 60 days of closure, subject to legal retention.

Logs: 30 days for security/debugging logs, longer where law requires.

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interests. You can exercise most of these directly in your account; for anything else, contact us.

You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we have not handled your data correctly. Contact us first if you can: [Contact email].

See our Cookie Policy for the specific cookies we set. We do not use advertising or cross-site tracking cookies.

If we make material changes we will email account owners and update the "last updated" date below.