Privacy Policy
Spechio · spechio.com
Effective date: June 23, 2026 · Last updated: June 23, 2026
This Privacy Policy explains how Spechio LLC (“Spechio,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with the Spechio platform at spechio.com and related services (the “Service”). It applies to our customers (organizations), their administrators and members, and to non-users such as guests listed on bookings and members of the public who submit rental inquiries through public share pages.
1. Our Roles: Controller and Processor
Processor / service provider. For personal information that a customer organization (the “Customer”) and its users submit to or generate within the Customer’s workspace — including account, organization, room, booking, and rental-inquiry data — the Customer is the controller (or “business”), and Spechio acts as the processor (or “service provider”) that processes such information only on the Customer’s documented instructions. If you are a user, guest, or inquiry submitter and have questions about how your information is handled, please contact the relevant Customer; we will support the Customer in responding.
Controller. For a limited set of activities — such as managing our own customer relationships and billing, operating and securing the Service and our website, sending our own service and (where permitted) marketing communications, and complying with law — Spechio acts as a controller. This Policy describes both roles.
2. Information We Collect
Identity and account information. Full name, email address, a hashed password, and, when you use single sign-on, identifiers from your Google or Microsoft account.
Organization information. Workspace name, optional team email domain, roles, and team membership.
Room and space information. Names, locations, capacity, amenities, operating hours, and user-uploaded 360° photographs of physical premises. These photographs may incidentally depict people or property.
Booking information. Event titles, booking times, the booking user’s name and email, and attendee email addresses.
Rental inquiries (from non-users). Name, email, message, desired dates, and submission metadata such as IP address, submitted through public share pages.
Payment information. Payments are processed by Stripe. We receive limited billing details, subscription status, and a Stripe customer identifier. We do not store full payment-card numbers.
Technical and usage information. IP address, browser and device information, server logs, and product analytics collected via Vercel Analytics.
Cookies and similar technologies. Authentication session cookies and similar technologies necessary to operate the Service. See Section 6.
3. Sources of Information
We collect information directly from you when you create an account, configure a workspace, make a booking, or submit an inquiry; automatically through your use of the Service (technical and usage data, cookies); from Customers and their administrators (for example, when an Admin invites you or adds your email as an attendee); and from third-party providers such as Google or Microsoft (when you use single sign-on) and Stripe (billing status).
4. How We Use Information
We use personal information to:
- provide, operate, maintain, and secure the Service, including authentication, multi-tenant isolation, bookings, and public share pages;
- send transactional communications such as booking confirmations and cancellations and rental-inquiry notifications (delivered via Resend);
- process payments and manage subscriptions (via Stripe);
- provide customer support, onboarding, and administrative dashboards and analytics;
- monitor, troubleshoot, prevent fraud and abuse, and improve the Service;
- send service-related notices and, where permitted and to opted-in contacts, marketing emails (which you can opt out of at any time); and
- comply with legal obligations and enforce our terms.
5. Legal Bases (EEA/UK Users)
Where the EU or UK General Data Protection Regulation applies and we act as a controller, we rely on the following legal bases: performance of a contract (to provide the Service and process payments); our legitimate interests (to secure, operate, and improve the Service and, where permitted, to send marketing), balanced against your rights; consent (where required, for example certain cookies or marketing, which you may withdraw); and compliance with legal obligations. Where we act as a processor, the relevant Customer is responsible for establishing the legal basis for processing.
6. Cookies and Tracking
We use cookies and similar technologies that are strictly necessary to operate the Service, such as authentication session cookies, and we use Vercel Analytics for privacy-oriented, aggregate product analytics. We do not use cookies to sell personal information or for cross-context behavioral advertising. If and when we serve users in the EEA or UK, or use any non-essential cookies, we will present a cookie consent banner and honor consent choices as required by the ePrivacy Directive and GDPR. You can also control cookies through your browser settings; disabling necessary cookies may prevent the Service from functioning.
7. How We Share Information; Sub-Processors
We do not sell personal information, and we do not share it for cross-context behavioral advertising. We disclose personal information only as follows: to the Customer and its authorized administrators (for data within that workspace); to service providers and sub-processors that help us operate the Service, under contracts that restrict their use of the information; to comply with law, legal process, or lawful requests, and to protect rights, safety, and the security of the Service; and in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy. Our current sub-processors are:
| Sub-processor | Purpose | Location / notes |
|---|---|---|
| Supabase | Authentication, PostgreSQL database, file storage | United States. 360° images stored privately; access via short-lived signed URLs. |
| Stripe | Payment processing and subscription billing | United States. Stores billing/payment details; we do not store full card numbers. |
| Resend | Transactional email (confirmations, cancellations, inquiry notices); marketing email to opted-in contacts | United States. |
| Vercel | Application hosting, content delivery network, and analytics | United States. |
| Google | Optional single sign-on identity provider | United States (where SSO is used). |
| Microsoft | Optional single sign-on identity provider | United States (where SSO is used). |
We maintain an up-to-date sub-processor list and will provide advance notice of new sub-processors to Customers as described in Section 9 and our DPA.
8. Data Retention and Deletion
We retain personal information for as long as needed to provide the Service and for the purposes described in this Policy, and as required to comply with legal, accounting, or reporting obligations. As general defaults (to be confirmed operationally):
- Account, organization, room, and booking data: retained while the workspace is active and for a limited wind-down period after account termination.
- Rental inquiries: retained within the Customer’s workspace until the Customer deletes them or the account is closed.
- Billing records: retained as required for tax and accounting purposes (commonly several years).
- Consent records for automatic renewal: retained at least three years, or one year after the contract ends, whichever is longer, as required by California law.
- Server logs and analytics: retained for a limited period for security and operational purposes.
On account termination, the Customer may request export of its data for a limited period (we intend to provide at least 30 days unless prohibited by law or the account was terminated for cause). After that, we delete or anonymize personal information in the ordinary course. Residual copies may persist in encrypted backups for a limited period before being overwritten, and we may retain information where required by law or to resolve disputes and enforce agreements.
9. Sub-Processor Change Notice
We will maintain a current list of sub-processors and, where we act as processor, provide Customers with advance notice of any intended addition or replacement of a sub-processor (for example, by email or through the Service), giving Customers an opportunity to object on reasonable data-protection grounds, as further described in our DPA.
10. International Data Transfers
We host and process personal information primarily in the United States. If we transfer personal information from the EEA, the UK, or Switzerland to the United States or another country, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum), and we take supplementary measures where required. You may request information about these safeguards using the contact details below.
11. Security
We apply administrative, technical, and organizational measures designed to protect personal information, including tenant isolation at the database level using row-level security, encryption of data in transit (HTTPS/HSTS), password hashing by our authentication provider, private storage of 360° images with access via short-lived signed URLs, and access controls. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
12. Data Breach Notification
We maintain procedures to detect, investigate, and respond to security incidents. Where we act as a processor and become aware of a personal-data breach affecting Customer Data, we will notify the affected Customer without undue delay and provide information reasonably necessary for the Customer to meet its own notification obligations; the Customer, as controller, is generally responsible for notifying affected individuals and regulators. Where we act as a controller, we will notify affected individuals and regulators as required by applicable law, including the GDPR’s 72-hour regulator-notification requirement and applicable U.S. state breach-notification laws.
13. Your U.S. State Privacy Rights (California and Others)
No sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and similar state laws.
Service-provider status. When we process personal information on behalf of a Customer, we do so as a “service provider” under the CCPA/CPRA and comparable laws, using the information only to perform the Service and not for our own purposes.
Subject to applicable law, you may have rights to know or access the personal information we hold about you, to request correction, to request deletion, to opt out of sale/sharing or targeted advertising (not applicable here, as we do not engage in these), to limit use of sensitive personal information, and to be free from discrimination for exercising your rights. To exercise rights regarding data within a Customer’s workspace, please contact the relevant Customer; we will assist them. For information we control, contact us using the details below. We will verify your request and respond within the timeframes required by law. You may use an authorized agent where permitted.
14. Your Rights (EEA/UK Users)
If the GDPR or UK GDPR applies, you may have rights to access, rectify, erase, restrict, or object to processing of your personal information, to data portability, and to withdraw consent where processing is based on consent. You may also lodge a complaint with your supervisory authority. Where we act as a processor, we will refer requests to the relevant Customer (controller) and support their response. We do not engage in solely automated decision-making that produces legal or similarly significant effects.
15. Education and Children
Intended for adults. The Service is intended for organizations and adults and is not directed to children. We do not knowingly collect personal information from children under 13. Where a Customer is a school, the Service is used by authorized adult staff, not students.
FERPA. To the extent any data constitutes “education records” under FERPA, we act as a “school official” with a legitimate educational interest under the school’s direct control, use such records only to provide the Service, and do not re-disclose them except as authorized or required by law.
Student-data-privacy laws. Where applicable, we handle student personal information consistent with laws such as California’s SOPIPA and New York Education Law § 2-d: we do not use student personal information for targeted advertising, do not sell it, and do not build non-educational profiles. Schools may require a separate data privacy agreement or addendum, which we will honor where signed.
COPPA. Because the Service is not directed to children under 13, we do not knowingly collect their information. If a school directs limited use involving such information, the school is responsible for any required parental or school consent, and we act only on the school’s instructions. If we learn we have collected information from a child under 13 without proper authorization, we will delete it.
16. Notice to Public Inquiry Submitters
If you submit a rental inquiry through a public share page, we collect the information you provide (name, email, message, desired dates) and submission metadata (such as IP address) and deliver it to the relevant organization’s administrators, storing it within their workspace. That organization is the controller of your inquiry and determines how it is used and how long it is kept. Please direct questions or requests about your inquiry to that organization; we will assist as a processor. Do not submit sensitive personal information through inquiry forms.
17. Marketing Communications
Where permitted, we may send marketing emails to contacts who have opted in. Every marketing email includes an unsubscribe link, and you can opt out at any time. Opting out of marketing does not stop transactional or service messages necessary to operate your account.
18. Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, provide additional notice (such as email or in-product notice) where required. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
19. Contact Us
Spechio LLC
Attn: Privacy
Privacy and general inquiries: hello@spechio.com