Privacy Policy

The privacy policy of Spacepad.


1. Data Controller

Spacepad is operated by:

Waterway Studios
Sweelinckplein 90
5216ED 's-Hertogenbosch
The Netherlands
KvK: 88397971

Email: support@spacepad.io

Waterway Studios is the data controller for the personal data processed through the Spacepad cloud service. This Privacy Policy applies to the Spacepad web application, tablet app, and all related services.

2. What Data We Collect

Account data
When you register, we collect your name, email address, and (if applicable) company name. This is necessary to provide you with access to the service.

Calendar data
Spacepad connects to your calendar system (Microsoft 365, Google Workspace, or a CalDAV server) to read room resource availability. We access only the minimum data needed to display room status: booking status, start/end times, and optionally the meeting title and organizer. We never access personal calendars or email content.

Usage data
We collect technical logs (IP address, timestamps, browser/device type) for security monitoring and service improvement. This data is pseudonymised where possible.

Cookies and similar technologies
We use strictly functional cookies required for authentication and session management. We do not use advertising cookies or sell data to advertisers.

On this marketing site we use Google Analytics (loaded via Google Tag Manager) to measure aggregate page views, traffic sources, and general usage patterns. Google Analytics may set cookies and sends data to Google servers. This processing is based on our legitimate interest in understanding how visitors use the site (Art. 6(1)(f) GDPR). Google may transfer this data to servers in the United States; such transfers are covered by Google's Standard Contractual Clauses.

Self-hosted mode
When running a self-hosted instance of Spacepad, we collect your email address solely to verify license compliance. This data is not used for marketing and is not shared with third parties.

We process personal data on the following grounds under the GDPR:

| Processing activity | Data collected | Legal basis |
|---|---|---|
| Account registration and service delivery | Name, email, company name | Performance of a contract (Art. 6(1)(b)) |
| Calendar data access | Room availability, meeting times, titles | Performance of a contract (Art. 6(1)(b)) |
| Security logging and fraud prevention | IP address, timestamps, request logs | Legitimate interest (Art. 6(1)(f)) |
| Service improvement | Aggregated usage patterns | Legitimate interest (Art. 6(1)(f)) |
| License compliance (self-hosted) | Email address | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails (invoices, service notices) | Email address, name | Performance of a contract (Art. 6(1)(b)) |
| Marketing emails | Email address | Consent (Art. 6(1)(a)); you may unsubscribe at any time |

4. How We Use Your Data

We use collected data to:

  • Provide, maintain, and improve the Spacepad service
  • Authenticate users and manage accounts
  • Display room availability on connected tablets
  • Send transactional emails (account confirmations, invoices, support responses)
  • Detect and prevent unauthorized access or abuse
  • Comply with legal obligations

We do not sell, rent, or trade your personal data to third parties.

Spacepad's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Data Storage and Hosting

The Spacepad cloud service is hosted within the European Union. Your data is processed and stored in the EU and does not leave the EU under normal operations.

Where we use third-party sub-processors (see section 6), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V.

6. Sub-processors

We use the following sub-processors to deliver our service. All listed sub-processors process data within the EU or under appropriate GDPR safeguards:

| Sub-processor | Role | Purpose | Location |
|---|---|---|---|
| TransIP B.V. | Infrastructure | Cloud server hosting and data storage | Netherlands (EU) |
| Cloudflare, Inc. | Infrastructure | DNS, DDoS protection, CDN | EU edge nodes (SCCs) |
| Brevo (Sendinblue SAS) | Communications | Transactional email delivery | France (EU) |
| LemonSqueezy | Billing | Subscription payment processing | EU region (SCCs) |
| Google LLC | Analytics | Website analytics via Google Tag Manager and Google Analytics | United States (SCCs) |

We will notify customers of any intended changes to this list (additions or replacements) with at least 14 days' advance notice via email or in-app notification, giving customers the opportunity to object.

7. Data Retention

| Data type | Retention period |
|---|---|
| Account data | Duration of the subscription; deleted within 30 days of account closure |
| Calendar data | Processed in real-time; not stored persistently |
| Usage/log data | Up to 90 days |
| Billing records | 7 years (Dutch legal obligation under Article 2:10 BW) |
| Self-hosted license emails | Until license is terminated |

8. Your Rights Under the GDPR

As a data subject, you have the following rights. All rights can be exercised by emailing support@spacepad.io. We will respond within 30 days.

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data. You can also delete your account directly from the account settings page in the Spacepad dashboard. Deletion is permanent and cascades to all associated data (calendar tokens, device assignments, configuration).
  • Right to restriction (Art. 18): Request that we limit processing in certain circumstances.
  • Right to data portability (Art. 20): Request your account data in a structured, machine-readable format (JSON or CSV) by emailing support@spacepad.io.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent: Where processing is based on consent (e.g. marketing emails), you may withdraw at any time via the unsubscribe link or by contacting us.

You have the right to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag
autoriteitpersoonsgegevens.nl

9. Data Breach Notification

In the event of a personal data breach, we will notify affected customers without undue delay and at the latest within 72 hours of becoming aware, in accordance with GDPR Article 33. We will also notify the Autoriteit Persoonsgegevens where required. If a breach poses a high risk to individuals, we will notify affected users directly.

10. Data Processing Agreement (DPA)

When Spacepad processes personal data on behalf of your organization (for example, calendar data of your employees), Waterway Studios acts as a data processor under GDPR Article 28, and your organization acts as the data controller.

Our Data Processing Agreement (DPA / Verwerkersovereenkomst), which governs how we process your organization's data, is available at spacepad.io/dpa. By using Spacepad, customers agree to the terms of the DPA.

11. Security

We implement appropriate technical and organizational measures to protect personal data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256
  • Access to production systems is restricted to authorized personnel with multi-factor authentication
  • Automated daily backups with 30-day retention, stored within the EU
  • Regular dependency audits and security patching

12. International Data Transfers

All personal data is processed and stored within the European Union. Where sub-processors are based outside the EEA (e.g. Cloudflare, LemonSqueezy), transfers are covered by Standard Contractual Clauses (SCCs) as per GDPR Article 46.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the date at the bottom of this page. Material changes will be communicated to customers via email.

14. Contact

For any questions about this Privacy Policy or to exercise your rights, contact:

Waterway Studios
support@spacepad.io

Last updated: May 2026