Spacia.AI Chat

Spacia B.V.

Last updated: February 2026

Effective date: February 2026

Version: 1.0

Summary

This Privacy Policy explains how Spacia B.V. ("Spacia," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use our AI-powered website building platform ("Service"). We are committed to transparency and protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the Dutch GDPR Implementation Act (UAVG), and other applicable data protection laws.

Key points:

We process your data to provide our AI website building service.
We use third-party AI providers (Anthropic, OpenAI) to generate code from your descriptions.
We transfer data to the United States with appropriate safeguards.
You have rights to access, correct, delete, and port your data.
We retain data only as long as necessary for the purposes described.

For questions, contact us at contact@spacia.ai.

Who We Are
Scope of This Policy
Personal Data We Collect
How and Why We Process Your Data
Legal Bases for Processing
AI Processing and Automated Decision-Making
Data Sharing and Third-Party Processors
International Data Transfers
Data Retention
Your Rights
Cookies and Tracking Technologies
Data Security
Data Breach Notification
Children's Privacy
Changes to This Policy
Contact Us and Supervisory Authority

1. Who We Are

1.1 Data Controller

Spacia B.V. is the data controller responsible for your personal data.

Registered Office:
De Nieuwe Erven 3, Unit 14124
5431 NV Cuijk
Netherlands

Chamber of Commerce (KvK): 98795198
VAT ID: NL868646507B01

1.2 Contact Details

General inquiries: contact@spacia.ai
Privacy inquiries: contact@spacia.ai (subject: "Privacy")
Data protection requests: contact@spacia.ai (subject: "Data Request")

Response time: We respond to all inquiries within 5 business days and to data protection requests within one month as required by GDPR.

1.3 Data Protection Officer

Based on our current scale of operations, we are not required to appoint a Data Protection Officer under Article 37 GDPR. For all data protection matters, please contact us at contact@spacia.ai.

2. Scope of This Policy

2.1 What This Policy Covers

This Privacy Policy applies to:

Our website at spacia.ai and all subdomains.
Our web application and platform.
Our mobile applications (if any).
All services we provide through these channels.
Communications between you and Spacia.

2.2 What This Policy Does Not Cover

This Privacy Policy does not apply to:

Websites you create and deploy using our Service (you are the data controller for those).
Third-party websites linked from our Service.
Services provided by our integration partners (Vercel, GitHub, etc.) under their own terms.

2.3 Your Responsibilities

When you use our Service to create websites that collect personal data from your own users, you become a data controller for that data. You are responsible for:

Creating your own privacy policy for your websites.
Obtaining appropriate consents from your users.
Complying with applicable data protection laws.

3. Personal Data We Collect

We collect personal data in three ways: directly from you, automatically when you use our Service, and from third parties.

3.1 Data You Provide Directly

Category	Data Elements	Purpose
Account Data	Name, email address, password (hashed), profile information	Account creation and management
Payment Data	Billing name, billing address, payment method details (processed by Stripe)	Subscription billing
Workspace Content	Prompts, descriptions, instructions you enter	AI code generation
Project Data	Code you write or modify, uploaded assets (images, files), project configurations	Service provision
Communication Data	Support requests, feedback, emails you send us	Customer support

3.2 Data Collected Automatically

Category	Data Elements	Purpose
Usage Data	Features used, actions taken, session duration, click patterns	Service improvement
Device Data	Device type, operating system, browser type and version	Technical compatibility
Network Data	IP address, approximate location (country/region), ISP	Security, fraud prevention
Log Data	Access times, pages viewed, error logs, referring URLs	Debugging, security

3.3 Data from Third Parties

Source	Data Elements	When Collected
OAuth Providers (Google, GitHub)	Email, name, profile picture, OAuth tokens	When you sign in via OAuth
Payment Processor (Stripe)	Payment status, transaction confirmations	When you make payments
Deployment Providers (Vercel)	Deployment status, domain information	When you deploy projects

3.4 Data You Choose Not to Provide

Some data is required to use our Service:

Email address: Required for account creation and essential communications.
Payment information: Required for paid subscriptions.

If you do not provide required data, we cannot provide the associated services. Optional data (such as profile information) enhances your experience but is not mandatory.

4. How and Why We Process Your Data

4.1 Core Service Provision

Processing Activity	Data Used	Why Necessary
Account creation and authentication	Account data, OAuth data	Cannot provide service without user accounts
AI code generation	Prompts, project context	Core service functionality
Project storage and management	Project data, workspace content	Enable ongoing project work
Website deployment	Project data, deployment configurations	Core service functionality
Subscription management	Account data, payment data	Service access control

4.2 Service Improvement and Security

Processing Activity	Data Used	Why We Do This
Debugging and error resolution	Log data, usage data	Maintain service reliability
Security monitoring	Network data, log data, usage patterns	Protect against threats
Fraud prevention	Payment data, network data, usage patterns	Prevent abuse
Performance optimization	Usage data, device data	Improve service speed and reliability

4.3 Communications

Communication Type	Data Used	Frequency
Service notifications	Email address	As needed for service operation
Security alerts	Email address	When security events occur
Support responses	Email address, communication data	In response to your inquiries
Product updates	Email address	With your consent only
Marketing communications	Email address	With your explicit consent only

4.4 Legal Compliance

We process data as required by Dutch and EU law, including:

Tax and accounting records (7-year retention under Dutch AWR).
Responding to lawful requests from authorities.
Establishing, exercising, or defending legal claims.

5. Legal Bases for Processing

Under Article 6 GDPR, we must have a valid legal basis for each processing activity. We rely on the following bases:

5.1 Contract Performance (Article 6(1)(b))

We process data necessary to perform our contract with you:

Processing Activity	Why Contract Performance Applies
Account management	Essential for providing the service you requested
AI code generation from your prompts	Core contracted service
Project storage and retrieval	Essential service functionality
Payment processing	Necessary to fulfill subscription agreement
Deployment to hosting providers	Core contracted service
Customer support	Necessary to maintain service

5.2 Legitimate Interests (Article 6(1)(f))

We process some data based on legitimate interests, where we have balanced our interests against your rights:

Processing Activity	Our Legitimate Interest	Balancing Considerations	Safeguards
Service improvement	Improving service quality and user experience	Users benefit from improvements; minimal privacy impact	Aggregated/anonymized where possible
Security monitoring	Protecting our service and users from threats	Users benefit from security; essential for trust	Automated detection, limited human review
Fraud prevention	Preventing financial loss and abuse	Protects both us and legitimate users	Proportionate measures, false-positive review
Debugging	Maintaining service reliability	Users benefit from stable service	Access controls, automatic deletion
Analytics (aggregated)	Understanding service usage patterns	Used for business decisions; anonymized	No individual profiling

Your right to object: You have the right to object to processing based on legitimate interests. See Section 10 for how to exercise this right.

5.3 Legal Obligation (Article 6(1)(c))

We process data as required by law:

Legal Obligation	Applicable Law	Data Processed
Tax record retention	Dutch General Tax Act (AWR)	Financial/billing records
Response to lawful authority requests	Dutch law, EU law	As specified in requests
Data breach notification	GDPR Article 33	Breach-related information

5.4 Consent (Article 6(1)(a))

We obtain your explicit consent for:

Processing Activity	How We Obtain Consent
Marketing emails	Opt-in checkbox at registration or in settings
Non-essential cookies	Cookie consent banner
Optional analytics	Cookie consent banner

Withdrawing consent: You may withdraw consent at any time by:

Clicking "unsubscribe" in marketing emails.
Adjusting cookie preferences via our cookie settings.
Contacting us at contact@spacia.ai.

Withdrawal does not affect the lawfulness of processing before withdrawal.

6. AI Processing and Automated Decision-Making

6.1 How Our AI Processing Works

Spacia uses artificial intelligence to generate website code from your natural language descriptions. When you enter a prompt or description:

Your input is sent to our servers.
We transmit your input to third-party AI model providers (Anthropic and/or OpenAI, routed via OpenRouter or Requesty).
The AI model processes your input and generates code.
We return the generated code to you.
You can review, modify, and use the generated code.

6.2 AI Model Providers

Provider	Models Used	Data Transmitted
Anthropic	Claude models	Your prompts, project context
OpenAI	GPT models	Your prompts, project context

These providers process your data as our processors under data processing agreements with appropriate safeguards.

6.3 What We Do Not Do with AI

We do not use your prompts or generated code to train our own AI models.
We do not permit our AI providers to use your data for their model training (per our data processing agreements).
We do not store your raw prompts or AI responses beyond what is necessary for service provision.
We do not profile you based on your prompts or generated content.

6.4 Article 22 GDPR Analysis (Automated Decision-Making)

Our assessment: The AI code generation feature does not constitute automated decision-making under Article 22 GDPR because:

No decision about you: The AI generates code output for you, not decisions about you.
No legal effects: Code generation does not affect your legal rights, status, or contractual position.
No similarly significant effects: The processing does not significantly affect your circumstances, behavior, or choices—you receive a service output that you can accept, modify, or reject.

The AI does not evaluate, score, or profile you as an individual. It transforms your text descriptions into code output.

6.5 Transparency Safeguards

Even though Article 22 does not apply, we provide the following transparency:

Clear disclosure: You are informed that you are interacting with AI systems.
Human support: You can contact our support team for human assistance.
Output control: You have full control over whether to use, modify, or discard generated code.
Feedback mechanism: You can report concerns about AI outputs to contact@spacia.ai.

6.6 EU AI Act Compliance

The EU AI Act (Regulation 2024/1689) requires disclosure when users interact with AI systems. By using Spacia, you acknowledge that you are interacting with AI systems when using code generation features. Full Article 50 compliance will be implemented by August 2, 2026.

7. Data Sharing and Third-Party Processors

7.1 Categories of Recipients

We share personal data with the following categories of recipients:

Category	Purpose	Examples
AI model providers	Code generation	Anthropic, OpenAI
Infrastructure providers	Hosting, database, authentication	Supabase
Payment processors	Billing and payments	Stripe
Deployment providers	Website hosting	Vercel
Analytics providers	Service analytics	Google Analytics, PostHog
Authentication providers	OAuth sign-in	Google, GitHub

7.2 Processor List

The following third parties process personal data on our behalf:

Processor	Location	Purpose	Transfer Mechanism	DPA Status
Anthropic, PBC	USA	AI model provider	Standard Contractual Clauses (2021)	✓ Executed
OpenAI, Inc.	USA	AI model provider	Standard Contractual Clauses (2021)	✓ Executed
OpenRouter	USA	AI model routing	Standard Contractual Clauses (2021)	✓ Executed
Requesty	EU	AI model routing	EU processing	✓ Executed
Supabase, Inc.	USA (EU region)	Authentication, database, storage	Standard Contractual Clauses (2021)	✓ Executed
Stripe, Inc.	USA	Payment processing	EU-US Data Privacy Framework	✓ Incorporated
Vercel Inc.	USA	Deployment hosting	EU-US Data Privacy Framework	✓ Incorporated
Google LLC	USA	Analytics (with consent)	EU-US Data Privacy Framework	✓ Incorporated
GitHub, Inc.	USA	OAuth authentication, repository integration	EU-US Data Privacy Framework	✓ Incorporated

7.3 Sub-Processor Changes

We may engage new sub-processors to provide parts of our Service. We will:

Update this processor list when changes occur.
Notify users of material changes via email at least 30 days in advance.
Allow users to object to new sub-processors (objection may result in account termination if the processor is essential).

Current list last updated: February 2026

7.4 When We Disclose Data Without Your Consent

We may disclose personal data without your consent only when required or permitted by law:

Circumstance	Legal Basis
Valid legal process (court order, subpoena)	Legal obligation
Law enforcement requests compliant with applicable law	Legal obligation
Protection of vital interests	Article 6(1)(d) GDPR
Establishment, exercise, or defense of legal claims	Article 9(2)(f) GDPR

We will notify you of such disclosures unless prohibited by law.

7.5 Business Transfers

If Spacia B.V. is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you via email and/or prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy.

8. International Data Transfers

8.1 Transfers Outside the EEA

We transfer personal data from the European Economic Area (EEA) to the United States to provide our Service. We ensure appropriate safeguards are in place for all transfers.

8.2 Transfer Mechanisms

We use the following legal mechanisms for international transfers:

Mechanism	Description	Applicable Processors
EU-US Data Privacy Framework (DPF)	Adequacy decision by European Commission (July 2023)	Stripe, Vercel, Google, GitHub
Standard Contractual Clauses (2021)	Commission Decision (EU) 2021/914	Anthropic, OpenAI, OpenRouter, Supabase

8.3 Transfer Safeguards by Processor

Anthropic (AI models):

Transfer mechanism: Standard Contractual Clauses (Module 2: Controller to Processor).
Supplementary measures: Encryption in transit, access controls, contractual prohibition on data use for training.
Data transferred: Your prompts and generated outputs.

OpenAI (AI models):

Transfer mechanism: Standard Contractual Clauses (Module 2).
Supplementary measures: Zero data retention option enabled, encryption in transit.
Data transferred: Your prompts and generated outputs.

Supabase (infrastructure):

Transfer mechanism: Standard Contractual Clauses (Module 2).
Data residency: EU region (Frankfurt) configured where available.
Data transferred: Account data, authentication data, project metadata.

Stripe (payments):

Transfer mechanism: EU-US Data Privacy Framework (certified).
Verification: dataprivacyframework.gov.
Data transferred: Payment and billing information.

Vercel (deployment):

Transfer mechanism: EU-US Data Privacy Framework (certified).
Supplementary measures: EU function regions available.
Data transferred: Deployed website content, deployment metadata.

Google Analytics:

Transfer mechanism: EU-US Data Privacy Framework (certified).
Supplementary measures: IP anonymization enabled, data retention limited to 14 months.
Data transferred: Usage data, device data (with your consent only).

PostHog:

Transfer mechanism: EU-US Data Privacy Framework (certified).
Supplementary measures: Minimal data collection, no third-party sharing.
Data transferred: Usage data, feature interaction data (with your consent only).

8.4 Transfer Impact Assessment

We have conducted transfer impact assessments for transfers to the United States, considering:

The legal framework in the destination country.
Supplementary measures implemented.
The nature and sensitivity of data transferred.
Risks to data subjects.

We have concluded that our transfer mechanisms and supplementary measures provide adequate protection for your personal data.

8.5 Obtaining Copies of Safeguards

You have the right to obtain a copy of the safeguards used for international transfers. To request copies of Standard Contractual Clauses or other transfer documentation, contact us at contact@spacia.ai.

9. Data Retention

9.1 Retention Principles

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.

9.2 Retention Periods by Data Category

Data Category	Retention Period	Reason
Account data	Duration of account + 2 years	Service provision + limitation period for claims
Project data	Duration of account + 30 days	Service provision + export period
Payment/billing records	7 years from transaction	Dutch tax law (Algemene wet inzake rijksbelastingen)
AI processing logs	90 days	Debugging, abuse prevention
Customer support communications	3 years from resolution	Quality assurance, legal claims
Usage analytics	14 months	Service improvement (Google Analytics)
Security logs	12 months	Security monitoring, incident investigation
Marketing consent records	Duration of consent + 3 years	Demonstrate consent validity

9.3 Retention After Account Termination

When you terminate your account:

We delete or anonymize most personal data within 30 days.
We retain financial records for 7 years as required by Dutch tax law.
We retain data necessary to establish, exercise, or defend legal claims.
We may retain aggregated, anonymized data indefinitely.

9.4 Criteria for Determining Retention

Where specific periods are not stated, we determine retention based on:

The purpose for which data was collected.
Legal requirements (tax, accounting, regulatory).
Statute of limitations for potential claims.
Industry standards and best practices.
Data subject expectations.

10. Your Rights

10.1 Summary of Your Rights

Right	Description
Access	Obtain confirmation of processing and a copy of your data
Rectification	Correct inaccurate or incomplete data
Erasure	Request deletion of your data ("right to be forgotten")
Restriction	Limit how we process your data
Portability	Receive your data in a structured, machine-readable format
Object	Object to processing based on legitimate interests
Withdraw consent	Withdraw consent for consent-based processing
Complaint	Lodge a complaint with a supervisory authority

10.2 Right of Access (Article 15)

You have the right to:

Confirm whether we process your personal data.
Obtain a copy of your personal data.
Receive information about how we process your data.

What we provide: A copy of your personal data in a commonly used electronic format, along with information about processing purposes, categories of data, recipients, retention periods, and your rights.

10.3 Right to Rectification (Article 16)

You have the right to correct inaccurate personal data and complete incomplete data.

How to exercise: Update information directly in your account settings, or contact us for data you cannot modify directly.

10.4 Right to Erasure (Article 17)

You have the right to request deletion of your personal data when:

Data is no longer necessary for the purpose collected.
You withdraw consent (for consent-based processing).
You object to processing and no overriding legitimate grounds exist.
Data was unlawfully processed.
Erasure is required by law.

Exceptions: We may retain data when necessary for:

Compliance with legal obligations (e.g., tax records).
Establishment, exercise, or defense of legal claims.
Archiving in the public interest (where applicable).

10.5 Right to Restriction (Article 18)

You have the right to restrict processing when:

You contest data accuracy (during verification).
Processing is unlawful but you prefer restriction over erasure.
We no longer need the data but you need it for legal claims.
You have objected to processing (pending verification).

Effect of restriction: We will store the data but not process it further except with your consent, for legal claims, to protect others' rights, or for important public interest.

10.6 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Applies to: Data you provided to us, processed by automated means, based on consent or contract performance.

Formats available: JSON, CSV

How to exercise: Use the export feature in your account settings or contact us at contact@spacia.ai.

10.7 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests at any time.

To object, contact us at contact@spacia.ai with subject "Objection to Processing." Explain which processing you object to and your grounds.

Upon receiving your objection, we will:

Stop the relevant processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Respond within one month explaining our decision.

Direct marketing: You have an absolute right to object to processing for direct marketing purposes. We will stop such processing immediately upon objection.

10.8 How to Exercise Your Rights

Online: Through your account settings at spacia.ai/settings/privacy

Email: contact@spacia.ai with subject "Data Request - [Right Name]"

Required information: Your name, email address associated with your account, the specific right you wish to exercise, and any additional details to help us process your request.

10.9 Identity Verification

To protect your data, we verify your identity before processing requests. Typically, we verify via:

Confirmation from your registered email address.
Logged-in request from your account.

We only request additional identification (such as ID documents) when we have genuine doubts about your identity or for sensitive data requests, in accordance with the data minimization principle.

10.10 Response Timeframes

Standard response: Within one month of receiving your request.
Complex requests: Up to two additional months if necessary (we will inform you within one month and explain the delay).
If we cannot comply: We will explain reasons within one month, inform you of your right to complain to a supervisory authority, and your right to seek judicial remedy.

10.11 Fees

We provide the first copy of your data free of charge. For additional copies or manifestly unfounded/ excessive requests, we may charge a reasonable fee based on administrative costs or refuse to act.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. We also use similar technologies such as pixels, local storage, and session storage.

11.2 Cookie Categories

We use the following categories of cookies:

Category	Purpose	Consent Required?
Strictly Necessary	Essential for website function (authentication, security, preferences)	No
Functional	Remember your preferences and enhance usability	Yes
Analytics	Measure usage to improve service	Yes
Marketing	Track effectiveness of marketing campaigns	Yes

11.3 Strictly Necessary Cookies

These cookies are essential and cannot be disabled:

Cookie	Purpose	Duration
`sb-auth-token`	Supabase authentication	Session
`__stripe_mid`	Stripe fraud prevention	1 year
`__stripe_sid`	Stripe session	30 minutes
Session cookies	Maintain your logged-in state	Session
CSRF tokens	Security protection	Session

11.4 Analytics Cookies (Consent Required)

With your consent, we use:

Cookie	Provider	Purpose	Duration
`_ga`	Google Analytics	Distinguish users	2 years
`_ga_*`	Google Analytics	Session state	2 years
`_gid`	Google Analytics	Distinguish users	24 hours

Google Analytics configuration:

IP anonymization enabled.
Data sharing with Google disabled.
Data retention set to 14 months.
Advertising features disabled.

11.5 Cookie Consent

Before placing non-essential cookies, we obtain your consent through our cookie banner.

In accordance with Dutch DPA requirements:

Our cookie banner displays "Accept All" and "Reject All" buttons with equal prominence.
Rejecting cookies requires the same number of clicks as accepting.
No cookies (except strictly necessary) are placed before you make a choice.
You can change your preferences at any time.

11.6 Managing Cookie Preferences

On our website: Click "Cookie Settings" in the footer to update your preferences at any time.

In your browser: You can also control cookies through your browser settings. Note that blocking all cookies may affect website functionality.

11.7 Do Not Track

Our website does not currently respond to "Do Not Track" browser signals because there is no industry standard for compliance. However, you can control tracking through our cookie consent mechanism.

12. Data Security

12.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Technical measures include:

Encryption of data in transit (TLS 1.2+).
Encryption of data at rest.
Secure authentication mechanisms.
Access controls and least-privilege principles.
Regular security assessments and updates.
Automated threat detection and monitoring.

Organizational measures include:

Security awareness and training.
Access limited to personnel who need it.
Vendor security assessments.
Incident response procedures.
Regular policy reviews.

12.2 Your Security Responsibilities

You are responsible for:

Maintaining the confidentiality of your account credentials.
Using a strong, unique password.
Notifying us immediately of any unauthorized access.
Keeping your contact information current.

12.3 Limitations

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. We continuously improve our safeguards based on evolving threats and best practices.

13. Data Breach Notification

13.1 Our Breach Response

We maintain procedures for detecting, investigating, and responding to personal data breaches.

13.2 Notification to Supervisory Authority

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR.

13.3 Notification to You

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 GDPR.

Notification will include:

Description of the breach.
Contact point for more information.
Likely consequences.
Measures taken or proposed to address the breach.

Exceptions: We may not notify you individually if:

We have implemented measures that render data unintelligible (e.g., encryption).
Subsequent measures ensure high risk is no longer likely.
Individual notification would involve disproportionate effort (in which case we will make a public communication).

14. Children's Privacy

14.1 Age Restriction

Our Service is not directed at children under 16 years of age. In accordance with Article 8 GDPR and the Dutch GDPR Implementation Act (UAVG), we do not knowingly collect personal data from children under 16 without parental consent.

14.2 Registration Requirement

By creating an account, you represent that you are at least 16 years old or have obtained parental/guardian consent.

14.3 If We Learn of Child Data

If we learn that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data as soon as possible. If you believe we have inadvertently collected such data, please contact us at contact@spacia.ai.

15. Changes to This Policy

15.1 How We Update This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

15.2 Notification of Changes

Material changes: We will notify you by email at least 30 days before material changes take effect. Material changes include new categories of data collection, new purposes for processing, new third-party sharing, or changes to your rights.

Non-material changes: We will update the "Last updated" date at the top of this policy. Minor changes (corrections, clarifications, formatting) do not require advance notice.

15.3 Your Options

If you disagree with changes, you may:

Stop using the Service before changes take effect.
Delete your account.
Contact us with concerns.

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15.4 Version History

We maintain a version history of this policy. Previous versions are available upon request by contacting contact@spacia.ai.

16. Contact Us and Supervisory Authority

16.1 Contact Spacia

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Spacia B.V.
De Nieuwe Erven 3, Unit 14124
5431 NV Cuijk
Netherlands

Email: contact@spacia.ai
Subject line for privacy matters: "Privacy Inquiry"
Subject line for data requests: "Data Request"

Response time: We aim to respond within 5 business days for general inquiries and within one month for formal data subject requests.

16.2 Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. For Spacia B.V., the lead supervisory authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Bezuidenhoutseweg 30
2594 AV The Hague
Netherlands

Website: https://autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500

If you reside in another EU/EEA member state, you may also lodge a complaint with your local supervisory authority.

16.3 EU Online Dispute Resolution

For EU consumers, you may also use the European Commission's Online Dispute Resolution platform:

https://ec.europa.eu/consumers/odr

Appendix A: Legal Basis Summary Table

Processing Activity	Legal Basis	GDPR Article
Account creation and management	Contract performance	6(1)(b)
AI code generation	Contract performance	6(1)(b)
Project storage	Contract performance	6(1)(b)
Payment processing	Contract performance	6(1)(b)
Deployment services	Contract performance	6(1)(b)
Customer support	Contract performance	6(1)(b)
Service debugging	Legitimate interest	6(1)(f)
Security monitoring	Legitimate interest	6(1)(f)
Fraud prevention	Legitimate interest	6(1)(f)
Service improvement	Legitimate interest	6(1)(f)
Analytics (aggregated)	Legitimate interest	6(1)(f)
Tax record retention	Legal obligation	6(1)(c)
Law enforcement response	Legal obligation	6(1)(c)
Marketing communications	Consent	6(1)(a)
Non-essential cookies	Consent	6(1)(a)
Google Analytics	Consent	6(1)(a)
PostHog analytics	Consent	6(1)(a)

Appendix B: International Transfer Summary

Processor	Country	Mechanism	Verification
Anthropic	USA	SCCs (2021)	DPA executed
OpenAI	USA	SCCs (2021)	DPA executed
OpenRouter	USA	SCCs (2021)	DPA executed
Requesty	EU	N/A (EU)	DPA executed
Supabase	USA (EU region)	SCCs (2021)	DPA executed
Stripe	USA	DPF	dataprivacyframework.gov
Vercel	USA	DPF	dataprivacyframework.gov
Google	USA	DPF	dataprivacyframework.gov
GitHub	USA	DPF	dataprivacyframework.gov

Appendix C: Data Retention Summary

Data Type	Retention Period	Legal Basis
Account data	Account duration + 2 years	Contract + limitation period
Project data	Account duration + 30 days	Contract + export period
Financial records	7 years	Dutch AWR (tax law)
AI processing logs	90 days	Legitimate interest
Support communications	3 years	Legitimate interest
Analytics data	14 months	Consent
Security logs	12 months	Legitimate interest
Consent records	Consent duration + 3 years	Legal obligation

This Privacy Policy was last updated in February 2026.

Spacia B.V.
KvK 98795198 | VAT NL868646507B01

Privacy Policy