Privacy Policy
Effective May 25, 2025
1. Data Controller
Nano Spaces is operated by Nano Tech Productions (“we,” “our,” or “us”). We are the data controller for personal data processed through the Nano Spaces platform. For privacy inquiries, contact us at privacy@nanospaces.app.
2. Data We Collect
We collect only the data necessary to operate the Service:
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, work email, role, organization | Identity & access control |
| Authentication data | Hashed password, 2FA config, session tokens | Security & account protection |
| Booking data | Reservations, check-ins, cancellations | Core service functionality |
| Usage & audit data | Activity logs, IP address, browser type | Security, fraud prevention, compliance |
| Preferences | Timezone, notification settings | Personalized experience |
| Billing data | Subscription plan, payment status | Billing & invoicing (via PayPal) |
| OAuth profile data | Name, profile photo from Google / LinkedIn / Slack | Account creation via social login |
We do not collect: government IDs, sensitive health data, financial account numbers, or precise geolocation. Passwords are hashed and are never stored in recoverable form.
3. Lawful Basis for Processing
Where the GDPR or similar regulations apply, we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Nano Spaces service under your organization’s subscription agreement.
- Legitimate interests: Security monitoring, fraud prevention, audit logging, and improving the Service — where these interests are not overridden by your rights.
- Legal obligation: Retention of billing records and compliance with applicable law.
- Consent: Marketing emails and push notifications, where you have explicitly opted in. You may withdraw consent at any time.
4. How We Use Your Data
- Provision and operation of the Nano Spaces platform.
- Authentication, two-factor verification, and session management.
- Transactional notifications: booking confirmations, reminders, security alerts.
- Billing, invoicing, and subscription management via PayPal.
- Security monitoring, account lockout enforcement, and abuse prevention.
- Aggregate, anonymized analytics to improve the Service.
- Legal compliance: responding to lawful requests from public authorities, courts, or regulators.
We do not use your data to train AI or machine-learning models. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Sub-processors & Third Parties
The following sub-processors handle personal data on our behalf under data processing agreements that include standard contractual clauses where applicable:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage, real-time | United States |
| Vercel | Application hosting, edge compute, CDN | Global (primary: US) |
| Resend | Transactional email delivery | United States |
| PayPal | Subscription billing and payment processing | United States |
| Upstash | Rate limiting (ephemeral, no PII stored) | United States |
| Cloudflare Turnstile | Bot protection on login forms | Global CDN |
| Sentry | Error monitoring (email and full name stripped before transmission) | United States |
| Google / LinkedIn / Slack | OAuth identity verification (optional; only when you choose social login) | Global |
6. Multi-Tenancy & Data Isolation
Every record in Nano Spaces is scoped to an organization. Row-Level Security (RLS) policies are enforced at the Postgres database layer — not just in application code — ensuring that no user, query, or API call can access another organization’s data. Supabase anon-key clients operate under RLS at all times; only our service-role key bypasses RLS, and it is never exposed to the browser or end-user.
7. Security Measures
- Encryption in transit: All connections use TLS 1.2 or higher.
- Encryption at rest: Database and storage volumes are encrypted by Supabase.
- Mandatory 2FA: All users must enroll in two-factor authentication (TOTP or email OTP) before accessing the Service.
- Password protection: Passwords are hashed with bcrypt and checked against the HaveIBeenPwned breach database at signup and reset.
- Account lockout: Progressive lockout after failed login attempts.
- Audit chain: All admin actions are logged with a tamper-evident SHA-256 hash chain.
- Strict CSP: A per-request Content Security Policy nonce prevents cross-site scripting.
We will notify affected users and, where legally required, relevant regulators within 72 hours of discovering a confirmed personal data breach.
9. Data Retention
- Active accounts: Personal data is retained for as long as your account is active.
- Deleted accounts: Personal data is removed within 30 days of deletion, except where retention is required by law.
- Billing records: Retained for 7 years for tax and legal compliance.
- Audit logs: Retained for 2 years for security and compliance purposes.
- Breach / security incident records: Retained for 5 years.
10. Your Rights
Depending on your jurisdiction, you may have the following rights. To exercise any of them, contact privacy@nanospaces.app.
| Right | How to exercise |
|---|---|
| Access & portability | Export your data (CSV/ZIP) from Settings → Account |
| Correction | Update your profile in Settings at any time |
| Erasure | Request deletion from Settings → Account, or email us |
| Restrict / object to processing | Email privacy@nanospaces.app |
| Withdraw consent | Unsubscribe from emails in Settings → Notifications, or email us |
| Lodge a complaint | Contact your local data protection authority (EU/UK users) |
We will respond to all rights requests within 30 days. In complex cases, we may extend this by a further 60 days with notice.
11. California Residents (CCPA / CPRA)
California residents have additional rights under the CCPA and CPRA. We do not sell or share personal information as defined under California law. You have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any sale (there is none). To exercise these rights, contact privacy@nanospaces.app. We will not discriminate against you for exercising any of these rights.
12. International Data Transfers
Nano Tech Productions is based in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States and other countries. We rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms approved by relevant data protection authorities to provide appropriate safeguards for these transfers.
13. Children’s Privacy
Nano Spaces is a B2B workplace platform and is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently received personal data from a child, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email and an in-app notification at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect when the most recent revision was made.
15. Contact Us
For privacy questions, rights requests, or to report a concern, contact Nano Tech Productions at:
Nano Tech Productions
Privacy inquiries: privacy@nanospaces.app
General support: support@nanospaces.app