Privacy Policy

Last updated: 5 March 2026

We designed SPOTS to be a tool your team can trust. We collect only what is necessary to provide the service, we never sell your data, and you remain in control at all times.

1. Who We Are

Spots App ("Spots", "we", "us") is a B2B SaaS platform for resource booking and workplace management, operated by an independent professional (autónoma) based in Costa Brava, Spain.

Data Controller: Spots App
Email: hello@thespotsapp.com
Address: Costa Brava, Girona, Spain
Website: https://thespotsapp.com

For the purposes of the General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD), we act as the data controller for information collected through our website and platform.

2. Data We Collect

Account & Identity

  • Full name and email address
  • Password (stored only as a hash, never in plain text)
  • Authentication method (email/password or Google OAuth)

Company Data

  • Company name and size
  • Billing address and VAT number
  • Subscription plan and payment status

Booking & Usage Data

  • Resources created (desks, meeting rooms, parking spots, and any other resource types you configure)
  • Booking records including dates, times, and resource details
  • User activity within the platform (logins, actions taken)

Payment Data

  • Payment processing is handled entirely by Stripe — we never store card numbers or sensitive payment details
  • We retain transaction identifiers, plan details, and invoice records

We do not use cookies for tracking or analytics. No third-party analytics tools are installed on our platform.

3. How We Use Your Data

  • Service delivery — account management, enabling bookings, managing team members and roles
  • Billing — processing subscription payments, generating invoices, managing plan changes and cancellations
  • Communications — account confirmations, password resets, booking notifications, and important service updates
  • Security — detecting and preventing fraud, unauthorised access, and abuse
  • Legal compliance — meeting our obligations under Spanish tax and accounting law

The legal bases for processing are contract performance (delivering the service you signed up for), legal obligation (tax and accounting records), and legitimate interests (security and service integrity).

4. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following trusted sub-processors:

  • Supabase — database and authentication infrastructure (EU region)
  • Stripe — payment processing and subscription management
  • Google Firebase — frontend hosting
  • Google App Engine — backend hosting
  • Resend — transactional email delivery

All providers are bound by Data Processing Agreements and comply with GDPR. We may also disclose data if required by law or to protect the safety of our users.

5. Data Retention

  • Account data is retained while your account is active, plus 30 days after cancellation
  • Booking records are retained for 12 months from the booking date
  • Billing and invoice records are retained for 5 years as required by Spanish tax law

You may request deletion of your account and personal data at any time — see Your Rights below.

6. Your Rights (GDPR)

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your personal data
  • Restriction — request that we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, email hello@thespotsapp.com. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.

7. Security

  • All data is transmitted over TLS-encrypted HTTPS connections
  • Passwords are hashed with an industry-standard algorithm and never stored in plain text
  • Row-level security policies enforced on our database
  • Access controls and authentication requirements on all services

No system is completely secure. If you believe your account has been compromised, contact us immediately at hello@thespotsapp.com.

8. International Data Transfers

Your data is primarily stored and processed within the European Union. Some sub-processors (such as Stripe) may process data in the United States under Standard Contractual Clauses (SCCs) approved by the European Commission, providing an equivalent level of data protection.

9. Children's Privacy

Spots is a B2B platform intended for use by professionals and organisations. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

10. Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes we will notify you by email or by posting a prominent notice on our website. The "last updated" date at the top of this page always reflects the current version.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please get in touch:

Email: hello@thespotsapp.com
Response time: Within 30 days
Supervisory authority: AEPD — www.aepd.es
