Last updated May 25, 2025

Privacy Policy

Effective May 25, 2025

Summary: We collect only what we need to run Nano Spaces. We never sell your data. Your organization’s data is strictly isolated from other tenants. You can export or delete your data at any time.

1. Data Controller

Nano Spaces is operated by Nano Tech Productions (“we,” “our,” or “us”). We are the data controller for personal data processed through the Nano Spaces platform. For privacy inquiries, contact us at privacy@nanospaces.app.

2. Data We Collect

We collect only the data necessary to operate the Service:

CategoryExamplesPurpose
Account dataName, work email, role, organizationIdentity & access control
Authentication dataHashed password, 2FA config, session tokensSecurity & account protection
Booking dataReservations, check-ins, cancellationsCore service functionality
Usage & audit dataActivity logs, IP address, browser typeSecurity, fraud prevention, compliance
PreferencesTimezone, notification settingsPersonalized experience
Billing dataSubscription plan, payment statusBilling & invoicing (via PayPal)
OAuth profile dataName, profile photo from Google / LinkedIn / SlackAccount creation via social login

We do not collect: government IDs, sensitive health data, financial account numbers, or precise geolocation. Passwords are hashed and are never stored in recoverable form.

3. Lawful Basis for Processing

Where the GDPR or similar regulations apply, we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Nano Spaces service under your organization’s subscription agreement.
  • Legitimate interests: Security monitoring, fraud prevention, audit logging, and improving the Service — where these interests are not overridden by your rights.
  • Legal obligation: Retention of billing records and compliance with applicable law.
  • Consent: Marketing emails and push notifications, where you have explicitly opted in. You may withdraw consent at any time.

4. How We Use Your Data

  • Provision and operation of the Nano Spaces platform.
  • Authentication, two-factor verification, and session management.
  • Transactional notifications: booking confirmations, reminders, security alerts.
  • Billing, invoicing, and subscription management via PayPal.
  • Security monitoring, account lockout enforcement, and abuse prevention.
  • Aggregate, anonymized analytics to improve the Service.
  • Legal compliance: responding to lawful requests from public authorities, courts, or regulators.

We do not use your data to train AI or machine-learning models. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

5. Sub-processors & Third Parties

The following sub-processors handle personal data on our behalf under data processing agreements that include standard contractual clauses where applicable:

ProviderPurposeLocation
SupabaseDatabase, authentication, file storage, real-timeUnited States
VercelApplication hosting, edge compute, CDNGlobal (primary: US)
ResendTransactional email deliveryUnited States
PayPalSubscription billing and payment processingUnited States
UpstashRate limiting (ephemeral, no PII stored)United States
Cloudflare TurnstileBot protection on login formsGlobal CDN
SentryError monitoring (email and full name stripped before transmission)United States
Google / LinkedIn / SlackOAuth identity verification (optional; only when you choose social login)Global

6. Multi-Tenancy & Data Isolation

Every record in Nano Spaces is scoped to an organization. Row-Level Security (RLS) policies are enforced at the Postgres database layer — not just in application code — ensuring that no user, query, or API call can access another organization’s data. Supabase anon-key clients operate under RLS at all times; only our service-role key bypasses RLS, and it is never exposed to the browser or end-user.

7. Security Measures

  • Encryption in transit: All connections use TLS 1.2 or higher.
  • Encryption at rest: Database and storage volumes are encrypted by Supabase.
  • Mandatory 2FA: All users must enroll in two-factor authentication (TOTP or email OTP) before accessing the Service.
  • Password protection: Passwords are hashed with bcrypt and checked against the HaveIBeenPwned breach database at signup and reset.
  • Account lockout: Progressive lockout after failed login attempts.
  • Audit chain: All admin actions are logged with a tamper-evident SHA-256 hash chain.
  • Strict CSP: A per-request Content Security Policy nonce prevents cross-site scripting.

We will notify affected users and, where legally required, relevant regulators within 72 hours of discovering a confirmed personal data breach.

8. Cookies

We use a minimal set of cookies — all strictly necessary:

CookiePurposeLifetime
sb-*Supabase authentication sessionSession / 1 hour (refreshed)
ns_2faTwo-factor verification state (HMAC-signed)8 hours

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. Data Retention

  • Active accounts: Personal data is retained for as long as your account is active.
  • Deleted accounts: Personal data is removed within 30 days of deletion, except where retention is required by law.
  • Billing records: Retained for 7 years for tax and legal compliance.
  • Audit logs: Retained for 2 years for security and compliance purposes.
  • Breach / security incident records: Retained for 5 years.

10. Your Rights

Depending on your jurisdiction, you may have the following rights. To exercise any of them, contact privacy@nanospaces.app.

RightHow to exercise
Access & portabilityExport your data (CSV/ZIP) from Settings → Account
CorrectionUpdate your profile in Settings at any time
ErasureRequest deletion from Settings → Account, or email us
Restrict / object to processingEmail privacy@nanospaces.app
Withdraw consentUnsubscribe from emails in Settings → Notifications, or email us
Lodge a complaintContact your local data protection authority (EU/UK users)

We will respond to all rights requests within 30 days. In complex cases, we may extend this by a further 60 days with notice.

11. California Residents (CCPA / CPRA)

California residents have additional rights under the CCPA and CPRA. We do not sell or share personal information as defined under California law. You have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any sale (there is none). To exercise these rights, contact privacy@nanospaces.app. We will not discriminate against you for exercising any of these rights.

12. International Data Transfers

Nano Tech Productions is based in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States and other countries. We rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms approved by relevant data protection authorities to provide appropriate safeguards for these transfers.

13. Children’s Privacy

Nano Spaces is a B2B workplace platform and is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently received personal data from a child, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email and an in-app notification at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect when the most recent revision was made.

15. Contact Us

For privacy questions, rights requests, or to report a concern, contact Nano Tech Productions at:

Nano Tech Productions

Privacy inquiries: privacy@nanospaces.app

General support: support@nanospaces.app

© 2026 Nano Tech Productions