Who we are
Setspce is a marketplace connecting hosts of creative production spaces with creators seeking temporary access. References to "we", "us", or "Setspce" in this policy refer to the operator of setspce.com.
For privacy questions, contact us at privacy@setspce.com.
Data we collect
We collect only what is necessary to operate the platform:
- Account data: name, email, password hash, profile picture
- Identity verification: government ID and selfie (for hosts and selected creators)
- Listings: titles, descriptions, photos, location, pricing
- Bookings: dates, times, messages, status
- Payments: handled by Stripe; we receive transaction status and last 4 digits only
- Reviews and ratings
- Technical data: IP address, browser, device, log files, cookies
Why we use your data
- Operate bookings, payments, payouts, and communications
- Verify identity to prevent fraud and protect hosts and creators
- Send transactional emails (booking confirmations, reminders, reviews)
- Provide customer support and resolve disputes
- Comply with legal obligations (tax, anti-money-laundering, court orders)
- Improve the platform (aggregated, non-identifying analytics)
Legal bases (GDPR Art. 6)
- Contract: to deliver the service you signed up for
- Legal obligation: to keep records for tax and consumer-protection law
- Legitimate interest: fraud prevention, platform security, basic analytics
- Consent: optional marketing emails and non-essential cookies — you can withdraw at any time
Who we share data with
We never sell your data. We share only with processors strictly needed to run Setspce:
- Stripe — payment processing and identity verification (Ireland / USA, SCCs in place)
- Supabase — database and authentication hosting (EU region)
- Resend — transactional email delivery
- Cloudflare — web infrastructure and security
- Hosts and creators — only the data needed to complete a booking (name, contact, booking details)
- Law enforcement — only when legally compelled
International transfers
Some processors are located outside the EU/EEA. Where this is the case, transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or by an equivalent safeguard.
How long we keep data
- Account data: until you delete your account
- Bookings, invoices, payments: 7 years (Dutch tax law)
- Identity verification documents: deleted within 30 days after verification or rejection
- Marketing consent records: until you unsubscribe
- Server logs: 90 days
Your rights
Under the GDPR you have the right to:
- Access your data
- Correct inaccurate data
- Delete your data (right to be forgotten)
- Restrict or object to processing
- Data portability (receive your data in a machine-readable format)
- Withdraw consent
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
To exercise any of these rights, email privacy@setspce.com. We respond within 30 days.
Security
We use encryption in transit (TLS), encryption at rest, row-level security on the database, hashed passwords, and access controls. No system is 100% secure — if a breach affects your data, we will notify you and the regulator within 72 hours as required by law.
Changes to this policy
We may update this policy as the platform evolves. Material changes are announced by email or via a notice on the site at least 30 days before they take effect.