Last updated: 21 April 2026
1. Who we are
XSpacio is a software platform that enables tutoring centres and similar venues to operate coworking spaces. The platform is operated by XSpacio Pty Ltd (ACN pending), a company registered in New South Wales, Australia ("XSpacio", "we", "us", or "our").
This Privacy Policy explains how we collect, use, store, and disclose personal information when you use our platform — whether you are an operator (a venue that signs up to use XSpacio to run their coworking space) or a member (a person who books a desk or membership at an operator's venue).
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. Information we collect
2.1 Information you give us directly
- Account registration: name, email address, phone number, password (stored as a salted hash).
- Operator onboarding: business name, ABN, venue address, bank account details (via Stripe), Stripe account credentials.
- Member identity verification: government-issued photo ID (processed by our identity verification partner; we store only the verification outcome and a reference identifier — not the raw document images).
- Liability waiver: your full name, date of signing, and IP address, retained as a legal record.
- Payment information: card details are collected and stored by Stripe. We receive only a payment token, last four digits, card type, and expiry — never your full card number.
- Communications: any messages or support requests you send us.
2.2 Information collected automatically
- Access logs: date, time, and outcome of every smart lock check-in event associated with your account.
- Usage data: pages visited within the portal, session duration, browser type, operating system, and IP address.
- Cookies: session cookies required for authentication, and optional analytics cookies (see Section 8).
2.3 Information from third parties
- Stripe: payment status, subscription status, and invoice history.
- Identity verification provider: verified/not verified status and a reference token.
- Smart lock provider (Tuya): lock command logs, including timestamps and success/failure status.
3. How we use your information
We use personal information only for the following purposes:
- Creating and managing your account.
- Processing bookings, credit packs, and membership payments.
- Verifying your identity and eligibility to access a venue.
- Operating smart lock access — generating and revoking PINs linked to valid check-ins.
- Providing operators with the information they need to run their space (see Section 5).
- Sending you transactional emails: booking confirmations, receipts, access PINs, and account alerts.
- Responding to support requests.
- Meeting our legal and regulatory obligations, including fraud prevention and record-keeping.
- Improving the platform, where data is aggregated and de-identified before use.
We do not use your information for targeted advertising. We do not sell, rent, or trade your personal information to any third party.
4. Legal basis for processing
We process personal information on the following grounds:
- Contract performance: to deliver the service you have signed up for.
- Legitimate interests: security logging, fraud prevention, and platform improvement — where these do not override your rights.
- Legal obligation: to comply with Australian law, including tax, financial record-keeping, and identity verification requirements.
- Consent: for optional analytics cookies, where consent is obtained before collection.
5. Information shared with operators
When you use a coworking space powered by XSpacio, the venue operator can see:
- Your name, email, and phone number.
- Your membership status and credit balance.
- Your visit history at their venue.
- Your identity verification status (verified / not verified — not the underlying document).
- Whether you have signed the liability waiver.
Operators cannot see your data from other XSpacio venues. Data is strictly isolated per venue. Operators are bound by confidentiality terms in their agreement with XSpacio and must handle your data in accordance with applicable privacy law.
6. Third-party service providers
We share personal information with the following categories of service providers, solely to the extent necessary to operate the platform:
- Stripe Inc. — payment processing and subscription management (US-based; Privacy Shield / SCCs applicable).
- Supabase Inc. — database hosting (data stored in the Sydney AWS region).
- Vercel Inc. — application hosting and delivery (US-based; data processed in the Sydney edge region where possible).
- Tuya Smart Inc. — smart lock command delivery.
- Identity verification provider — document verification (provider details available on request).
- Resend Inc. — transactional email delivery.
All providers are contractually required to handle data in accordance with applicable privacy law and to use it only for the purpose of providing services to us.
7. International data transfers
Some of our service providers are located outside Australia. Where we transfer personal information overseas, we take steps to ensure recipients are subject to privacy standards comparable to the APPs, including contractual protections and, where applicable, adequacy decisions.
8. Cookies and analytics
We use the following types of cookies:
- Essential cookies: required for authentication and session management. These cannot be disabled without breaking the service.
- Analytics cookies (optional): used to understand how the platform is used in aggregate. We obtain your consent before setting these and you can withdraw consent at any time via your account settings.
We do not use advertising or retargeting cookies.
9. Data retention
- Active accounts: data is retained for as long as your account is active.
- Closed accounts: most personal data is deleted within 90 days of account closure. Exceptions apply where we are required by law to retain records (e.g., financial transaction records — 7 years under the Corporations Act 2001 (Cth)).
- Access logs: retained for 12 months for security and dispute resolution purposes, then deleted.
- Liability waivers: retained for 7 years from the date of signing.
10. Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest for all stored data.
- Row-level security on all database tables — each operator can only query their own data.
- Passwords hashed using bcrypt with unique salts.
- Access to production systems limited to authorised personnel, with audit logging.
- Regular dependency updates and security reviews.
No system is completely secure. If you believe your account has been compromised, contact us immediately at hello@xspacio.au.
11. Your rights
Under the APPs and applicable law, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your account and associated personal data (subject to the retention obligations above).
- Withdraw consent for optional analytics at any time.
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise any of these rights, email hello@xspacio.au. We will respond within 30 days. Identity verification may be required before we can action a request.
12. Children
XSpacio is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information without parental consent, please contact us and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and update the "Last updated" date above. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
14. Contact us
For any privacy-related questions, requests, or complaints:
XSpacio Pty Ltd
Email: hello@xspacio.au
Australia