Effective date: 5 May 2026
This privacy policy explains how Spaciora Technologies Pvt. Ltd. ("Spaciora", "we", "us", or "our") collects, uses, discloses, retains, and protects personal data when you use our integrated workplace management system (the "Service") accessible at https://spaciora.app and related applications. We have written this policy to be read in plain English. If anything is unclear, please contact our Grievance Officer using the details at the end of this policy.
This policy applies to information we collect from prospective customers, paying customers, the authorised users of those customers, visitors logged through our visitor management module, and individuals whose information is processed through our platform on behalf of our customers. Where Spaciora processes personal data on behalf of a customer (for example, visitor records, tenant lease data, helpdesk tickets, or employee badge logs), the customer is the Data Fiduciary or Controller and Spaciora acts as a Data Processor under the terms of a Data Processing Agreement.
Our commitment to the eight DPDPA principles
Spaciora is committed to processing personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA") and observes each of the following principles when handling your information.
- Lawfulness. We process personal data only where we have a lawful basis to do so, such as your consent, the performance of a contract with you, a legitimate interest, or a legal obligation.
- Notice. We provide clear, accessible, and timely notice of the categories of personal data we collect, the purposes of processing, and the rights available to you.
- Purpose. Personal data is collected and used only for specified, explicit, and legitimate purposes that are described to you in advance, and is not further processed in a manner incompatible with those purposes.
- Data minimisation. We collect and retain only the personal data that is necessary to deliver the Service, meet our legal obligations, and operate our business.
- Accuracy. We take reasonable steps to keep personal data accurate and up to date, and we provide tools that allow you and our customers to correct inaccuracies promptly.
- Storage limitation. We keep personal data only for as long as it is necessary for the purposes for which it was collected, after which we delete or anonymise it according to documented retention schedules.
- Reasonable security. We apply appropriate technical and organisational measures to safeguard personal data against unauthorised access, loss, alteration, or disclosure.
- Accountability. We maintain records of processing activities, train our personnel, monitor compliance, respond to grievances, and stand ready to demonstrate adherence to applicable data protection law.
1. Who we are
Spaciora Technologies Pvt. Ltd. is a private limited company incorporated under the Companies Act, 2013, with its registered office in Pune, Maharashtra, India. We are the Data Fiduciary in respect of personal data we collect about our prospects, customer account holders, billing contacts, website visitors, and authorised end users acting on their own behalf. In respect of personal data that our customers upload to or generate within the Service about their own employees, contractors, tenants, visitors, and other Data Principals, our customers are the Data Fiduciary and we act as a Data Processor.
For European Economic Area, United Kingdom, and Swiss customers, references in this policy to the DPDPA should be read alongside the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom Data Protection Act 2018 and the UK GDPR, and the Swiss Federal Act on Data Protection respectively. Where those laws afford additional rights, we honour them.
2. Personal data we collect
We collect the following categories of personal data, depending on how you interact with us and the Service.
- Account data. Name, work email, work phone number, job title, organisation name, password hash, profile photo (optional), preferred language, time zone, and authentication tokens for single sign-on.
- Billing data. Billing contact name, billing email, postal address, GSTIN, PAN, purchase order references, invoice records, payment method tokens (we do not store full card numbers), and bank account details for refunds.
- Visitor PII. Where our customers operate the visitor management module, the personal data collected typically includes visitor name, mobile number, email, organisation, vehicle registration, host employee, photograph, government ID type and last four digits, signature image, time of arrival and exit, and the host's approval record.
- Workplace operations data. Tenant lease records, helpdesk tickets, parking allocations, contractor registrations, energy meter readings tagged to assets, audit trails of user actions, and policy acknowledgements.
- Behavioural data. Pages visited within the Service, features used, search queries within the application, click streams used to improve the user interface, and aggregate usage statistics.
- Device and technical data. Internet protocol address, device type, operating system, browser type and version, referring URL, language preference, and crash diagnostics.
- Cookies and similar technologies. Cookies and equivalent identifiers used to operate the Service, remember your preferences, and measure performance, as described in our cookie policy.
- Marketing data. Information you provide when downloading whitepapers, attending webinars, or subscribing to newsletters, including consent and unsubscribe history.
- Support and communications data. Records of your interactions with our support team, including emails, chat logs, screen recordings you choose to share, and call summaries.
3. How we use personal data
We process personal data for the purposes set out below, relying on the legal bases indicated.
- To provide the Service (contract). We use account, billing, and operations data to make the Service available, authenticate users, process visitor check-ins, generate invoices, and deliver helpdesk workflows that you request.
- To take payment (contract and legal obligation). We use billing data to issue invoices, calculate Goods and Services Tax, and remit payments through our payment processor.
- To improve the Service (legitimate interest). We analyse aggregate behavioural and device data to understand which features are used, fix bugs, prioritise improvements, and prevent abuse.
- To communicate with you (consent and legitimate interest). We send service announcements, security notifications, and changes to terms. We send marketing communications only where we have consent or where permitted by applicable law, and you may unsubscribe at any time.
- To meet legal and regulatory obligations. We retain certain records to comply with tax, accounting, anti-money-laundering, and data protection laws, and to respond to lawful requests from authorities.
- To enforce our terms and protect our users. We use logs, audit trails, and behavioural signals to detect fraud, abuse, and security incidents, and to enforce our acceptable use policy.
Where we rely on consent, you are free to withdraw your consent at any time by contacting us or using in-product controls. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. Sharing and sub-processors
We do not sell personal data. We share personal data only as needed to deliver the Service, to operate our business, or where required by law. Recipients fall into the following categories.
- Cloud hosting and infrastructure providers who host the Service and store data under contractual restrictions.
- Email and notifications providers who deliver transactional and marketing emails on our behalf.
- Analytics providers who help us measure usage of our marketing site and the Service in an aggregated manner.
- Payment processors such as Razorpay and equivalent international processors who handle card and bank payments.
- Customer support tooling providers who power our helpdesk, in-app chat, and ticketing systems.
- Professional advisers such as auditors, lawyers, and tax consultants under duties of confidentiality.
- Authorities and law enforcement where disclosure is required by law, court order, or legal process, and only to the extent necessary.
- Acquirers and successors in the event of a merger, acquisition, or sale of assets, subject to commitments to honour this policy.
A current list of sub-processors used in delivering the Service is maintained at /resources/sub-processors.
5. International transfers
By default, customer data is hosted in our primary region in Mumbai, India. We offer a European Union region for customers subject to GDPR who require data residency within the EEA. Where personal data is transferred outside India or the EEA, we put in place appropriate safeguards, such as the European Commission's Standard Contractual Clauses, the United Kingdom International Data Transfer Addendum, reliance on adequacy decisions where they exist, or other legally recognised mechanisms.
6. Retention
We retain personal data only for as long as we need it for the purposes described in this policy, or for longer where required or permitted by law. Default retention periods within the Service include the following.
- Visitor PII: 90 days after the visit, unless the customer configures a shorter or longer period within applicable legal limits.
- Audit logs and security trails: 7 years, to support compliance, investigations, and dispute resolution.
- Billing and invoice records: 8 years, to comply with Indian tax and corporate record-keeping requirements.
- Helpdesk and support tickets: 3 years from closure, for service quality, training, and dispute resolution.
- Account data: for the duration of your subscription and for a reasonable period afterwards to allow reactivation, followed by deletion or anonymisation.
- Marketing data: until you unsubscribe or withdraw consent, after which we retain only suppression records to honour your choice.
7. Your rights as a Data Principal
Subject to the conditions set out in applicable law, you have the following rights with respect to your personal data.
- Right to access. You may request a summary of the personal data we hold about you and the purposes for which we process it.
- Right to correction and updating. You may ask us to correct inaccurate or incomplete personal data.
- Right to erasure. You may ask us to delete personal data that we no longer need to retain, subject to legal exceptions.
- Right to data portability. Where applicable, you may receive your personal data in a structured, commonly used, and machine-readable format.
- Right to withdraw consent. Where processing is based on consent, you may withdraw that consent at any time.
- Right to nominate. Under the DPDPA, you may nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to grievance redressal. You may raise a grievance with our Grievance Officer using the contact details below.
8. Children's data
The Service is intended for use by businesses and their authorised personnel and is not directed at children. We do not knowingly collect personal data from individuals under the age of 18. Where the Service is used in environments such as schools, customers are responsible for ensuring an appropriate lawful basis and for obtaining any required parental consent.
9. Security
We maintain a layered information security programme designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. Key measures include:
- Encryption of personal data at rest using AES-256 and in transit using TLS 1.3 or higher.
- Multi-factor authentication for all administrative access and as an option for end users.
- Role-based access control, least-privilege provisioning, and quarterly access reviews.
- Immutable audit trails of administrative and security-sensitive actions.
- Continuous vulnerability scanning, annual third-party penetration testing, and a coordinated disclosure programme.
- Documented incident response, business continuity, and disaster recovery plans, exercised regularly.
- Background checks and security training for personnel with access to personal data.
10. Cookies
We use cookies and similar technologies on our marketing site and within the Service. For details on the categories of cookies we use, their purposes, retention periods, and how to manage them, please see our cookie policy.
11. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the effective date at the top of this policy and notify you by email or through an in-product notice before the changes take effect.
12. Grievance Officer (DPDPA)
If you have any questions, concerns, or grievances about this policy or our processing of your personal data, please contact our Grievance Officer:
- Name: DPDPA Grievance Officer
- Email: grievance@spaciora.app
- Postal address: Spaciora Technologies Pvt. Ltd., Pune, Maharashtra, India
13. Data Protection Officer (GDPR / UK GDPR)
For inquiries from individuals or customers in the European Economic Area, the United Kingdom, or Switzerland, our Data Protection Officer can be contacted at dpo@spaciora.app. You also have the right to lodge a complaint with your local data protection supervisory authority.