Your privacy is important to us. It is SpacetoCo’s policy to respect your privacy regarding any information we may collect from you across our website, spacetoco.com, and other sites we own and operate.
Updated: 3 June, 2025.
The aim of this Privacy Policy is to set out how SpacetoCo collects, uses and protects your personal data through your use of our website and our services.
Neither our website nor our services are intended for children and we do not knowingly collect data relating to children.
The SpacetoCo Group
The SpacetoCo Group is made up of different legal entities across the world, and you can find out more about us here: https://www.spacetoco.com/about
This Privacy Policy therefore is issued on behalf of the SpacetoCo Group, and so when we refer to “SpacetoCo”, “we”, “us”, or “our” throughout this Privacy Policy, we are referring to the SpacetoCo company that is responsible for collecting and using Your Data.
For the purposes of the United Kingdom (“UK”) and European Union (“EU”) privacy laws:
- SpacetoCo Pty Ltd (ACN 610 588 424), based in Australia, is the controller and is responsible for our website and any other sites or platforms that we own and operate.
- The SpacetoCo company which you work with under a client contract, or which you receive services from, will either be the controller or processor of any personal data you provide to us in connection with that contract, or those services, and that client contract (or our Standard Terms and Conditions) will confirm whether we will be acting as controller or processor.
The Privacy Laws that Apply to you
The privacy laws that apply to Your Data will depend on where you (or we) are based. If you are based:
- in the UK, Your Data will be collected and used in accordance with the privacy laws of the UK, including: (i) the Data Protection Act 2018 (“DPA”); (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”); and (iii) the UK GDPR, as defined by section 3(10) of the DPA.
- in the EU, Your Data will be collected and used in accordance with the privacy laws of the EU, including: (i) the General Data Protection Regulation ((EU) 2016/679); and (ii) the PECR.
- In Australia, Your Data will be collected and used in accordance with the privacy laws of Australia, which may include: (i) the Privacy Act 1988 (Cth); and (ii) the Australian Privacy Principles. To confirm, SpacetoCo are not subject to the Australian Privacy Principles, however we do hold ourselves accountable to these best-practice guidelines to keep data safe.
- In New Zealand, Your Data will be collected and used in accordance with the privacy laws of New Zealand, including: (i) the New Zealand Privacy Act 2020; and (ii) Unsolicited Electronic Messages Act 2007 ("UEMA").
Please note, the reach of the UK and EU privacy laws means that if you are a client of:
- a UK or EU based SpacetoCo company, but you are based outside of the UK or the European Economic Area (“EEA”), your personal data will be governed by, and used in accordance with the privacy laws of the UK and/or Europe, regardless of your location.
- an Australian or New Zealand based SpacetoCo company, but you are based in the UK or the EEA your personal data will be governed by, and used in accordance with the privacy laws of the UK and/or Europe, regardless of the company's location.
Overview of this Privacy Policy
We have included more detail throughout this Privacy Policy, however as an overview we want to confirm:
- We only ask for personal information when we truly need it to provide a service to you. We collect it by fair and lawful means and will let you know why we’re collecting it and how it will be used.
- We only retain collected information for as long as necessary to provide you with your requested service unless we are required by law to keep this information for longer.
- What data we store, we’ll protect within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use, or modification.
- We don’t share any personally identifying information publicly or with third-parties, except when required to by law or for the successful operation of the website.
- Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and practices of these sites, and cannot accept responsibility or liability for their respective privacy policies.
- Host Requirements: SpacetoCo works with a number of local governments as a part of supplying 'the services'. Local Government entities have specific rules around data that they (and therefore we) must adhere to at all times. Hosts are able to access booking data at the time of booking and for a reasonable period after the booking is completed. Local Government entities may store your data for up to seven (7) years, but that data is from a point in time (at the time of booking). Should you choose to update Your Data, a Host is not entitled to your updated information as it is no longer required to facilitate the booking.
- You are free to refuse our request for your personal information, with the understanding that in some cases, that may mean that we are unable to provide you with some of your desired services.
- SpacetoCo is an internet application that facilitates the connection of Hosts (People with Spaces) and Customers (People who wish to find and hire out Spaces). In this capacity, we will need to collect some data from you along the way to ensure that we can successfully facilitate the process of connection.
If you have any questions about how we handle user data and personal information, feel free to contact us.
We keep this Privacy Policy under regular review; this version was updated on, and is effective as of, the date stated at the beginning of it.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if Your Data changes during your relationship with us.
Our website and the portal may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
If you have any questions about this Privacy Policy or our privacy practices, you can contact us using the details that we have set out at the end of this Privacy Policy.
Definitions
In order to make this Privacy Policy as simple and easy to read as possible, we have defined some terms which we have set out below:
“Your Data” means data that is capable of being associated with you, whether or not it includes an explicit identifier such as your name or user ID. In particular, it encompasses all data that SpacetoCo is capable of correlating with you, using such means as server-logs and cookie-contents.
“Your Data” does not refer to data that can no longer be associated with you. This includes aggregated data that does not and cannot identify the individuals whose data are included in the aggregation.
“Consent” means your concurrence with an action to be taken by SpacetoCo. The rules for consent are different depending on the privacy laws that apply to you. In Australia, consent may be express or implicit, but in either case must be informed and freely-given. In the UK and EU, consent must be explicit, informed and freely-given.
“User” means any person or persons who create a profile on the website or application for the purposes of exploring its contents or connecting with the purpose of transacting within the SpacetoCo online environment.
“Your Profile” means the data entered into the Profile section of the website in order to provide more detail about yourself to other Users to promote trust. Required data to fill in “Your Profile” may change from time to time.
“Website” means the website spacetoco.com and blog.spacetoco.com and any links within the website and any applications downloaded to your device in which users can access SpacetoCo services.
“Hosts” means individuals who register a profile and list space as available for hire.
“Customers” means any individuals who register a profile for the purpose of hiring a space.
“Space” means any listing of a property in the SpacetoCo online environment made available for hire to other members of the site.
What Do We Collect?
We collect all of the information when you sign up to the service. To create an account, you require a name and an email address. You may choose to enter your phone number, date of birth, gender, profile image, personal address and your short bio statement about yourself as well as your intention to be a Host or a Customer to make your profile more complete for other members of the online community.
If you wish to list a Space, it is optional to advise your social networking profiles (Facebook, Twitter, LinkedIn and Instagram). It is not required.
Additionally, the website systems such as Stripe, GoCardless, Hubspot, Slack, Jira, Confluence, Google, Mailgun and any other software or services that we use to provide you with an exemplary experience will automatically log details about your time on site. For example your mac and/or IP address, messages content and other date and time stamp information.
We may also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data could be obtained from your personal data but is not considered personal data in law as it will not directly or indirectly reveal your identity. For example, we may aggregate some of your Technical and Usage Data to calculate the percentage of users accessing a specific website or portal feature.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How Do We Collect Your Data?
We ask you to fill in the form in the profile section of the website and the website backend systems and other website integrations (such as Segment and Hubspot) are always logging info about user activity as you use the site.
In addition to the form that we ask you to complete in the profile section of the website, you may also give us Your Data (including names, contact details, username and passwords, billing information, information about your interests or preferences, feedback and survey responses, and details about services you are interested in or have purchased) by filling in forms or by corresponding with us by post, phone, email, through contact forms on our website or otherwise. This includes personal data you provide when you (i) enquire about or purchase our services, (ii) subscribe to our marketing, (iii) contact us, (iv) give us feedback, (v) use our services through our website or portal.
As you interact with our website, we will automatically collect information (including information about how you use our website or portal, internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website) about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have, or are trying to enter into, with you (for example, to provide you with our services). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
From time to time, we may also collect or receive Your Data from various third parties including:
- technological or usage information from analytics providers, such as Google (who are based outside the UK and EEA); and
- contact and identity information from publicly available sources, such as Companies House and the Electoral Register, (who are based inside the UK and EEA).
Purpose of Collecting and Using Your Data
We will only collect and use Your Data where the law allows us to. This will vary depending on the privacy laws that apply to you, however, most commonly (and in particular in respect of the privacy laws of the UK, Europe and New Zealand) we will rely on one or more of the following legal bases (or lawful purposes) when we collect and use Your Data:
- Where we need to perform the contract that we are about to enter, or have entered, into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
- In some cases, we will obtain your consent. However, generally, we do not rely on consent as a legal basis (or lawful purpose) and as such, this is only relied on where we have obtained your active agreement to use your personal data for a specified purpose. You have the right to withdraw consent to marketing at any time by contacting us.
By way of examples, we generally collect and use Your Data to:
- facilitate a successful connection between Customers and Hosts. The more information in your profile, the higher level of trust is built between you and the person with whom you may decide to transact.
- register you as a new user and deliver our services to you including (i) onboarding and registration as a Customer or a Host, and (ii) dealing with payment and invoice recovery.
- Manage our relationship with you including (i) notifying you about any changes to our terms or our services and asking you to complete testimonials, reviews, surveys, and (ii) dealing with your requests and queries.
- improve the user experience including (i) improving our website and services, (ii) using data analytics to provide you with a better experience, (iii) delivering relevant content, and (iv) making suggestions and recommendations about services that may be of interest to you. This information may assist us to make the website better in the future or resolve disputes systematically and expediently.
- deter and identify potential fraud, spam or suspicious behaviour, we reserve the right to monitor conversations from time to time.
We will only use Your Data for the reasons we collected it, unless we reasonably need to use it for another reason and that reason is compatible with the original purpose. If we need to use Your Data for an unrelated purpose, we will notify you and we will explain the legal basis (or lawful purpose) which allows us to do so.
Marketing
We aim to ensure that you have choices when it comes to marketing and advertising, and so we have in place the following internal practices to help you get the most out of our services:
- We may use Your Data to get an idea of what services we think you may want or need and what may be of interest to you. We then use this to provide you with offers and inform you about services that are available.
- You will receive marketing in respect of the above relevant services and offers if you have requested information about our services or have purchased any services through our website, and you have not opted out of receiving that information.
- We will always get your explicit consent before we share Your Data with third-parties for marketing purposes.
- You can ask us or third parties to stop sending you marketing messages at any time by contacting us at any time. When you opt-out of receiving marketing messages, this will not apply to Your Data that we use and collect for reasons outside of marketing purposes.
To Whom Do We Disclose Your Data?
We use Your Data to facilitate successful connections of Customers to Hosts. For example, this may involve other Customers looking at your Listed Space and Profile as a Host; or your Profile and previous booking rating as a Customer to consider you as a potential hirer of their Space.
We won’t be selling Your Data for spam purposes to anyone. We don’t like that when it happens to us, so we won’t be doing it to you.
We require all third parties to respect the security of Your Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process Your Data for specified purposes and in accordance with our instructions.
We may also share Your Data with some other third parties where it is necessary to provide you with services or where we are required to for legal purposes, this includes:
- Internally throughout the SpacetoCo Group, we may share Your Data in order to provide our services, or store Your Data. Other companies in the SpacetoCo Group may also provide services that our supplementary such as IT, system, financial and other administrative services. The SpacetoCo Group is based in Australia, New Zealand, and the UK.
- Service providers who deal with hosting websites and services, who will act as processors in respect of Your Data.
- Hosts who, as a Customer, you book with and request to receive services from may receive Your Data so that they can provide you with the service that you have requested from them through our website.
- Professional advisers acting as processors including lawyers, bankers, auditors, and insurers based in Australia, New Zealand, and the UK, who provide consultancy, banking, legal, insurance and accounting services.
- Tax authorities, regulators and other authorities acting as processors based in Australia, New Zealand, and the UK, who require reporting of processing activities in certain circumstances.
International Transfers
We share Your Data within the SpacetoCo Group. This will (depending on where you are based) involve transferring your data to (or within) Australia, New Zealand, and the UK.
Some of our external third parties service providers are also based worldwide so their use of Your Data may involve a transfer of data outside of where you are based, or where it originates. We have set this information out above when detailing the third parties that we may transfer Your Data to.
The UK and EU have strict rules about when transfers of Your Data outside of the UK and/or EEA can take place, and have a variety of safeguards that companies must put in place when transferring Your Data internationally.
As such, whenever we transfer Your Data out of the UK and EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- Where the country is not deemed to have an adequate level of protection, we (i) will use specific contracts approved for use in the UK and EEA (called Standard Contractual Terms and/or International Data Transfer Agreements) which give personal data the same protection it has in the UK and EEA, and (ii) undertake a data transfer risk assessment to ensure the protection of Your Data.
Please note that New Zealand, UK and Europe are all deemed to afford individuals with a similar degree of protection as one another, but Australia currently is not (as at the date of this privacy policy) deemed to have a similar degree of protection.
You can find out which countries are considered to afford individuals with a similar degree of protection to:
- the European privacy laws here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
- the UK privacy laws here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
Please contact us if you want further information on the specific mechanism used by us when transferring Your Data out of the UK and EEA.
Data Security
We have put in place appropriate security measures to prevent Your Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to Your Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Your Data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Retention of your Data?
Retention of data refers to the length of time that data is kept. Your data is securely encrypted and stored within secure, offsite, cloud services.
We will only retain Your Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain Your Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To decide the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process Your Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law we have to keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they cease being clients for tax purposes.
In some circumstances you can ask us to delete Your Data, which we have explained in more detail below.
Generally speaking, in order to comply with these rules and regulations, SpacetoCo retains your user data for a period of 7 years after your last interaction after which time it may be deleted.
Your Legal Rights - in Australia
Under the privacy laws of Australia:
-
Can I look at it? You can view your profile at any time. You can also request to view Your Data formally by contacting us.
-
Deleting Your Data or Account. If you would like SpacetoCo to permanently delete your account and associated data please see this article.
- Correcting Your Data. You will also have the right to correct any personal information that we hold if it is inaccurate, out of date, incomplete, irrelevant or misleading.
We try to respond to all legitimate requests within a reasonable time period (in most circumstances this will be within 30 days).
Your Legal Rights - in New Zealand
Under the privacy laws of New Zealand, you can request Your Data via email, letter, phone, in person, or via the New Zealand Privacy Commissioner website.
We try to respond to all legitimate requests within 20 working days. Occasionally, in some circumstances, it could take us longer than this. In this case, we will notify you and confirm why within 20 working days, and will keep you updated.
If, at any time, you discover that information held about you is incorrect, you may contact us to have the information corrected.
Your Legal Rights - in the UK
Under the UK and European privacy laws, and in certain circumstances, you have rights under data protection laws in relation to Your Data, including the right to:
- request access to Your Data (commonly known as a "data subject access request"). This enables you to receive a copy of Your Data and to check that we are lawfully processing it.
- request correction of Your Data. This enables you to correct Your Data where it is incomplete or inaccurate, though we may need to verify the accuracy of the new data you provide to us.
- request deletion of Your Data. This enables you to ask us to delete or remove Your Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove Your Data where you have successfully exercised your right to object to processing (see below), where we may have used Your Data unlawfully or where we are required to erase Your Data to comply with local laws. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- object to the use of Your Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to our use of Your Data on this ground, as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are using Your Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- request restriction of the use of Your Data. This enables you to ask us to suspend our use of Your Data in the following scenarios: (i) if you want us to establish the data's accuracy; (ii) where our use of Your Data is unlawful but you do not want us to erase it; (iii) where you need us to hold Your Data even if we no longer require it as you need it to establish, exercise or defend legal claims; (iv) you have objected to our use of Your Data but we need to verify whether we have overriding legitimate grounds to use it.
- request to transfer Your Data to you or to a third party. We will provide to you, or a third party you have chosen, Your Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- withdraw consent where we are relying on consent to process Your Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Contact Us: If you wish to exercise any of the rights set out above, please contact us using the contact details relevant to you as set out below.
Fees: You will generally not have to pay a fee to access Your Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Identity Checks: We may need to request specific information from you to help us confirm your identity and ensure your right to access Your Data (or to exercise any of your other rights). This is a security measure to ensure that Your Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Deadlines: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
How to Get in Touch
If you have any questions about this Privacy Policy or our privacy practices, or would like to exercise any of your rights in respect of Your Data, please contact us in the following ways:
United Kingdom:
Full name of legal entity: SpacetoCo UK Ltd
Email Address: privacy@spacetoco.com
Postal Address: 10 John Street, London, United Kingdom, WC1N 2EB
Complaints: If you are based in the UK, or are working with our entity based in the UK, you have the right to make a complaint at any time to a relevant Data Protection Authority based within the UK. The UK regulator for data protection issues is the Information Commissioner's Office (ICO) (www.ico.org.uk).
Australia/New Zealand:
Full name of legal entity: SpacetoCo Pty Ltd
Email Address: privacy@spacetoco.com
Postal Address: 525 Falls Road, Hovea WA 6070
Complaints: You have the right to make a complaint at any time to a relevant Data Protection Authority based in Australia. The Australian regulator for data protection issues is the Office of the Australian Information Commissioner (OAIC) (https://www.oaic.gov.au/).
Other Complaints:
New Zealand: If you are based in New Zealand, you have the right to make a complaint at any time to a relevant Data Protection Authority based in New Zealand. The regulator for data protection issues in New Zealand is the Office of the Privacy Commissioner (www.privacy.org.nz/).
EU: If you are based in Europe (and/or the EEA), you have the right to make a complaint at any time to a relevant Data Protection Authority based within Europe. You can find the relevant European Data Protection Authority through the European Data Protection Board or the European Data Protection Supervisor (https://edpb.europa.eu/about-edpb/about-edpb/members_en).