Privacy policy

PRIVACY POLICY OF SPACE TO GROW SP. Z O.O.

Dear Users,

In the interest of your security and to ensure that your personal data is processed lawfully, fairly, and transparently while using our services, we have adopted this document, referred to as the Privacy Policy.

This document pertains to the processing and protection of personal data of Users in connection with their use of the Website and has been prepared by Space to Grow sp. z o.o.

At Space to Grow, we prioritize the protection of our Users’ personal data and implement appropriate organizational and technical measures to prevent any interference with their privacy. Our actions ensure a level of security compliant with applicable legal regulations, including:

  • The Act of May 10, 2018, on Personal Data Protection;
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR);
  • The Act of July 18, 2002, on the Provision of Electronic Services;
  • The Act of July 16, 2004, Telecommunications Law;
  • The Act of July 12, 2024, on Electronic Communications Law.

The use of the Website is secured by an SSL Protocol, which ensures the protection of data transmission over the Internet.

I. Definitions

  1. User  – an entity that uses the Service, which may be a natural person with full legal capacity, a legal person or an organizational unit that is not a legal person, to which special regulations grant legal capacity;
  2. Space to Grow – Space to Grow limited liability company with its registered office in Warsaw, Żelazna 51/53 00-841 Warsaw, entered into the register of entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register under the KRS No. 0001065446, share capital: 12 500 PLN, NIP: 5273082241, REGON: 52677133900000;
  3. Website – a website operated by Space to Grow at the address URL: www.spacetogrow.io.
  4. Cookies – small data files stored on the User’s device by the Website’s server, which can be retrieved by the server during subsequent visits to enhance the functionality and performance of the Website.
  5. SSL Protocol – a secure data transmission standard that encrypts information exchanged over the Internet, ensuring protection against unauthorized access, in contrast to unencrypted data transmission.
  6. System Log – a record of technical data automatically transmitted by the User’s device to the server upon connection, which may include information such as the IP address, enabling the identification of the source of the connection
  7. IP Address –  a unique numerical identifier assigned to a device connected to the Internet, which may be either static (permanently assigned) or dynamic (temporarily assigned for a specific session).
  8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
  9. Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  10. Processing – any operation performed on personal data, including but not limited to collection, recording, storage, adaptation, modification, retrieval, disclosure, transmission, deletion, or destruction, particularly when carried out using automated systems.

II. Personal Data – Information Clause

Pursuant to Article 13 of Regulation (Eu) 2016/679 of the European Parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), we hereby inform you that:

  1. The controller of your personal data is Space to Grow sp. z o.o., with its registered office in Warsaw (00-841), at ul. Żelazna 51/53 (hereinafter: „Controller”).
  2. You may contact the Controller via email at admin@spacetogrow.io
  3. or by traditional mail at: ul. Żelazna 51/53, 00-841 Warsaw.
  4. You can contact the Data Protection Officer (DPO) at admin@spacetogrow.io.
  5. Your personal data will be processed for the following purposes, based on the respective legal grounds, and for the periods specified below: 
    1. to use the functionalities of the Website, your data will be processed based on the agreement for the provision of electronic services, which is concluded when you access the Website and accept its Terms of Service, pursuant to Article 6(1)(b) GDPR. Your data will be processed for as long as you remain on our Website. Providing personal data is voluntary, but refusal to do so will prevent you from using the Website’s functionalities;
    2. to comply with legal obligations, including those arising from the Act on the Provision of Electronic Services, and to process complaints related to the operation of the Website, your data will be processed pursuant to Article 6(1)(c) and (f) GDPR for the period necessary to handle complaints, and thereafter for the legally required retention period for potential claims. Providing personal data is voluntary, but refusal to do so will prevent you from using the Website’s functionalities;
    3. to schedule and conduct consultations, your data will be processed based on your consent, pursuant to Article 6(1)(a) GDPR, for the period necessary to complete consultation-related activities. Providing personal data is voluntary, but refusal to do so will prevent the consultation from taking place;
    4. to store contact details, your data will be processed based on your consent, pursuant to Article 6(1)(a) GDPR, for the duration of responding to inquiries or maintaining contact. Providing personal data is voluntary, but refusal to do so will prevent us from responding to your inquiry;
    5. to register for and conduct a webinar, your data will be processed pursuant to Article 6(1)(b) GDPR for the duration of the webinar. Providing personal data is voluntary, but refusal to do so will prevent you from participating in the webinar;
    6. to send a newsletter, your data will be processed pursuant to Article 6(1)(a) and (b) GDPR for as long as you remain subscribed. Providing personal data is voluntary, but refusal to do so will prevent you from subscribing to the newsletter.
  1. If you provide separate consent, your personal data may also be processed for the marketing and commercial purposes of the Controller. 
  2. Regarding the processing of your personal data, you have the following rights: the right to access your data, the right to rectification, the right to erasure, the right to restrict processing, the right to object to processing, the right to data portability, and the right to withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
  3. If you believe that the processing of your personal data by the Controller violates GDPR regulations, you have the right to lodge a complaint with the President of the Personal Data Protection Office.
  4. Your personal data will not be subject to automated processing, including profiling
  5. Your personal data may be disclosed only to authorized recipients or categories of recipients in justified cases, based on relevant legal provisions or an agreement concluded by the Controller, including entities providing legal assistance services, entities managing the Controller’s IT systems and websites, entities that jointly with the Controller carry out or cooperate with the Controller in informational and promotional activities related to the Controller’s operations, as well as entities organizing events and conferences, and entities affiliated with the Controller.
  6. As a general rule, your personal data will not be transferred outside the European Economic Area. However, if you use social media platforms where the Controller maintains a profile, your data may be transferred to third countries outside the European Economic Area. For the purpose of such transfers, the providers of these platforms declare compliance with the EU-U.S. Data Privacy Framework and rely on the European Commission’s adequacy decision confirming an appropriate level of data protection for transfers from the EU to the United States or apply standard contractual clauses approved by the European Commission. Detailed information can be found in the privacy policies of the respective social media platform providers. 
  7. When participating in our webinar or subscribing to our newsletter, your personal data will be transferred to the service provider, GetResponse. These data will be processed within the European Economic Area (EEA) and will not be transferred outside this region. Detailed information on the processing of personal data by GetResponse and its privacy policy can be found at: https://www.getresponse.pl/informacje-prawne/polityka-prywatnosci?_gl=1*7mmdgo*_up*MQ..*_gs*MQ..&gclid=CjwKCAiA6t-6BhA3EiwAltRFGCC8fyZTc563LrMEbI3CxaA9LeM9H55c4CpRuWp2AlCYh2eohekZEBoC1DsQAvD_BwE 

III. Cookies

The use of the Website is secured by the SSL Protocol, which ensures the protection of data transmission over the Internet. The Website, in compliance with legal regulations, utilizes Cookies, which are pieces of IT data, particularly text files, stored on the User’s end device. Cookies are used for the following purposes:

  1. Facilitating the User’s navigation and use of the Website.
  2. Recognizing Users upon reconnecting to the Website from a device on which cookies have been previously stored.
  3. Generating statistics to help understand how Users interact with the Website, enabling improvements to its structure and content.
  4. Customizing the content of the Website according to the User’s preferences and optimizing the browsing experience to better suit individual needs.

Cookies typically contain the name of the website they originate from, the duration of their storage on the User’s device, and a unique identifier. The Website utilizes the following types of Cookies:

  • „session” – stored on the User’s device until they log out, leave the website, or close their browser;
  • „persistent” – remain on the User’s device for a predefined period specified in the Cookie settings or until manually deleted;
  • „performance” – collect information on how Users interact with the Website to help improve its functionality and performance;
  • „essential” – required for the proper operation of the Website and enabling access to its services;
  • „functional” – store User preferences and settings to personalize the browsing experience;
  • „first-party” – set directly by the Website;
  • „third-party” – set by external services integrated into the Website;
  • “Linkedin Cookies” – please refer to LinkedIn’s cookie policy for details:  https://pl.linkedin.com/legal/cookie-policy?
  • „Other Google Cookies” – please review Google’s cookie policy for details: https://policies.google.com/technologies/cookies?hl=en-US

 

IV. System Log Mechanism in the Website

User activity on the Website, including their Personal Data, is recorded in System Logs. The information collected in the Logs is primarily processed for purposes related to service provision, including:

  • facilitating communication between Users and Space to Grow, scheduling consultations, and providing access to Space to Grow’s offerings;
  • detecting misuse, identifying threats, and preventing risks to the stability and proper functioning of the Website..

V. Cookies mechanism in the Website

Our Website uses essential Cookies to enhance the user experience and facilitate navigation. Cookies contain useful information and are stored on the User’s device, allowing our server to retrieve them upon the User’s return to the Website. Most web browsers are set by default to allow Cookies to be stored on the User’s device.

Every User of our Website has the option to modify their Cookie settings through their web browser settings:

  • Google Chrome

To modify Cookie settings, navigate to the browser menu (typically located in the upper-right corner), then go to Settings > Show Advanced Settings. In the Privacy section, select Content Settings. Under the Cookies section, you can adjust the following options:

  • Delete Cookies,
  • Block Cookies by default,
  • Allow Cookies by default,
  • Keep Cookies and site data until the browser is closed
  • Set exceptions for Cookies from specific websites or domains
  • Internet Explorer 6.0 and 7.0

From the browser menu (upper-right corner), navigate to Tools > Internet Options > Privacy, then click the Sites button. Use the slider to adjust the privacy level, and confirm the changes by clicking OK..

  • Mozilla Firefox

From the browser menu, go to Tools > Options > Privacy. Enable the Firefox will use custom settings for history option. The handling of Cookies depends on whether the Accept Cookies option is checked or unchecked.

  • Opera

From the browser menu, navigate to Tools > Preferences > Advanced. The handling of Cookies depends on whether the Cookies option is enabled or disabled.

  • Safari

In the Safari drop-down menu, select Preferences and click the Security icon. Here, you can choose the security level for handling Cookies under the Accept Cookies section. 

Disabling Cookies in your browser does not restrict access to the Website’s resources. Most web browsers are set by default to allow Cookies to be stored on the User’s device. However, Users can modify these settings at any time. Web browsers also allow the deletion of Cookies and the option to block them automatically. Detailed information on managing Cookies can be found in the help section or documentation of the browser used.

If the User does not wish to allow Cookies, they can adjust their browser settings accordingly. However, disabling Cookies that are essential for authentication, security, or maintaining User preferences may hinder or, in extreme cases, prevent proper access to and use of the Website.

VI. Integration with Google and Microsoft Calendars

When a User connects their account to Google Calendar or Microsoft Outlook Calendar, the Space to Grow application obtains access to selected calendar data – only with the User’s explicit consent granted in the OAuth authorization process. Access is limited to the scope strictly necessary for the calendar integration feature to function.

  1. Requested OAuth scopes and their justification For the Google Calendar integration, Space to Grow requests the following scopes: https://www.googleapis.com/auth/calendar.events — to create, modify and delete calendar events related to coaching sessions and consultations scheduled in the application; https://www.googleapis.com/auth/calendar.calendarlist.readonly — to display the User’s list of calendars so they can choose which calendar to synchronize with the application; https://www.googleapis.com/auth/calendar.settings.readonly — to read the User’s calendar settings (including time zone) in order to display times correctly and avoid conflicts caused by time-zone differences. For the Microsoft Outlook Calendar integration, Space to Grow requests the following scopes: Calendars.ReadWrite — to create, modify and delete calendar events related to scheduled sessions and consultations; User.Read — to retrieve basic profile information needed to link the Microsoft account with the application account; OnlineMeetings.ReadWrite — to create Microsoft Teams meeting links for scheduled sessions; offline_access — to refresh access tokens in order to maintain continuity of calendar synchronization without requiring re-login on every operation. 
  2. Categories of data accessed Under the above permissions, the application may access in particular: the User’s list of calendars (e.g., names, time zones); calendar events (e.g., title, description, start and end date and time, attendees, busy/free status); calendar settings (e.g., time zone); basic User profile data needed to link the account (e.g., account identifier, email address). 
  3. Purposes of processing Data obtained from Google Calendar and Microsoft Outlook Calendar is processed solely to: synchronize the expert’s / User’s availability with their calendar; detect scheduling conflicts and block busy time slots; create, update and delete calendar events related to delivering the services offered in the application (coaching sessions, consultations); create online meeting links (e.g., Microsoft Teams) for scheduled sessions. 
  4. Limited Use (Google API Services User Data Policy) Space to Grow’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular, User data obtained from Google services (and, on analogous terms, from Microsoft Outlook Calendar): a) is used only to provide or improve user-facing features (the calendar integration) that are prominent in the application’s user interface; b) is not transferred to third parties except: (i) as necessary to provide or improve user-facing features; (ii) for security purposes; (iii) to comply with applicable laws; or (iv) as part of a merger, acquisition or sale of assets, following prior notice to the User and the User’s consent; c) is not used or transferred for serving advertisements, including personalized or targeted advertising; d) is not used to train, develop or improve generalized / general-purpose artificial intelligence or machine-learning models; e) is not read by humans (Space to Grow employees or subcontractors), except where: (i) the User has given affirmative consent for specific data; (ii) it is necessary for security purposes (e.g., investigating abuse); (iii) it is required to comply with applicable law; or (iv) the data has been aggregated and anonymized for internal operations. 
  5. Data sharing (with whom we share the data) Space to Grow does not sell calendar data and does not share it with third parties for their own purposes. Calendar data and OAuth tokens may be processed only by: Space to Grow sp. z o.o. as the data controller; the cloud infrastructure provider – Google Cloud (Google Cloud EMEA Limited / Google Ireland Limited), which hosts the application and stores the data (region europe-central2), acting as a processor under a data processing agreement; the source calendar service providers – Google (Google Ireland Limited) and Microsoft (Microsoft Ireland Operations Limited) – to the extent necessary to perform calendar API calls; public authorities and authorized bodies – only where disclosure is required by mandatory provisions of law. Data processing agreements compliant with Article 28 GDPR are in place with processors acting on behalf of Space to Grow. 
  6. Data protection and security measures Space to Grow applies technical and organizational safeguards appropriate to the nature of the data, in particular: encryption in transit (TLS/SSL); encryption at rest, including storage of OAuth access tokens in encrypted form within Google Cloud infrastructure (region europe-central2, within the EEA); access restriction to calendar data and tokens limited to authorized personnel on a need-to-know basis and with least-privilege access; data minimization – collecting and processing only the data necessary for the integration and within the requested OAuth scopes. Processing is carried out in accordance with applicable law, including the GDPR, and – for data from Google services – with the Google API Services User Data Policy. 
  7. Data retention and deletion Calendar data and OAuth access tokens are stored only for the period necessary to fulfill the integration purposes, i.e. for as long as the connection between the User’s account and the application remains active. The data is deleted: automatically, within 24 hours of the User withdrawing consent (revoking OAuth access) – whether on the Google/Microsoft account side or in the application settings – which includes revoking and permanently deleting the stored access tokens and associated calendar data; automatically, within 24 hours of the User deleting their application account or disconnecting the calendar integration; upon the User’s request sent to admin@spacetogrow.io – within the periods required by the GDPR. After deletion, Space to Grow does not retain copies of calendar data, except for any backups subject to automatic rotation and deletion on a cycle not exceeding 30 days, access to which is strictly restricted. 
  8. Revoking access The User may revoke Space to Grow’s access to their calendar at any time and without giving a reason: on the Google side – in Google account settings, on the app permissions management page: https://myaccount.google.com/permissions; on the Microsoft side – in Microsoft account settings, on the app permissions management page: https://account.microsoft.com/privacy (personal accounts: https://account.live.com/consent/Manage; work/school accounts: https://myapps.microsoft.com); directly in the Space to Grow application settings – by disconnecting the calendar integration. Revoking access results in the automatic invalidation and deletion of tokens and associated calendar data within the period indicated in section 7 above (within 24 hours).
 

VII. Additional information

  1. The Website may contain external links that allow Users to directly access other websites. Additionally, while using the Website, Cookies from third-party providers, such as Google, may be placed on your device to enable the use of Website functionalities integrated with these external services. Each provider defines its own rules regarding the use of Cookies in its privacy policy. For security reasons, we recommend reviewing these privacy policies before accessing such websites.
  2. We reserve the right to modify this Privacy Policy by publishing an updated version on our Website. After any changes, the updated Privacy Policy will be available with a new effective date. 
  3. More detailed information about the terms of service, including the Website’s functionality, procedures for contract formation, access requirements, and usage guidelines, can be found in the Website’s Terms and Conditions.