Privacy policy
Last updated: 2026-06-01
This Privacy Policy describes how Spotwee (published by OBVEON GROUP) collects, uses, retains and protects the personal data of platform users, in accordance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and applicable national legislation (France, Luxembourg, Germany).
Data collected
Spotwee only collects data strictly necessary to deliver its services. The following categories may be collected:
Identification data
- Email address
- Password (hashed, never stored in plain text)
- First and last name (optional at MVP stage, required for venue listing)
Profile data
- Profile picture (optional)
- Declared location (city or region)
- Preferences (language, notification settings)
Technical browsing data
- IP address
- Browser type and operating system
- Pages visited and session duration
- Cookies and trackers (see Cookie Policy)
Marketplace-related data
- Venues added to favorites
- Booking requests sent
- Messages exchanged via the platform
- For hosts: information about listed venues (description, photos, capacity, etc.)
Payment data (planned service, upcoming)
Payment is not active at the current stage of the platform. Upon launch, payment processing will be delegated to Stripe (PCI-DSS Level 1 certified). Spotwee will never directly store users' banking data; only technical transaction identifiers will be retained.
Processing purposes
Your personal data is processed by Spotwee for the following purposes:
- Creation and management of your user account
- Connecting venue owners and users looking to rent
- Sending transactional communications (account confirmation, booking requests, service notifications)
- Sending marketing communications (newsletter, offers) — only with your consent
- Continuous product improvement and statistical analysis — subject to your consent to analytics cookies
- Platform security and fraud prevention
- Compliance with legal obligations (accounting, taxation, responses to requests from competent authorities)
- Mediation and amicable resolution of disputes
Legal bases for processing
Personal data processing operations carried out by Spotwee are based on the following legal bases provided for by Article 6 of the GDPR:
Performance of contract (Art. 6.1.b)
Account creation and management, connection between users, sending transactional communications.
Consent (Art. 6.1.a)
Non-essential cookies (analytics, marketing), newsletter, promotional communications. You may withdraw your consent at any time.
Legal obligation (Art. 6.1.c)
Retention of accounting data (10 years, French Commercial Code), response to legitimate requests from competent authorities.
Legitimate interest (Art. 6.1.f)
Platform security, fraud prevention, defence of Spotwee's rights in case of dispute. You may object to these processing operations via contact@spotwee.com.
Sub-processors
Spotwee uses third-party sub-processors to provide certain technical services. All our sub-processors are bound by a data processing agreement (DPA) compliant with Article 28 of the GDPR.
| Sub-processor | Service | Data location | Safeguards |
|---|---|---|---|
| Supabase | Database hosting + authentication | Hosting region eu-west-1 (Ireland, European Union) | DPA available, Standard Contractual Clauses (SCC) if transfer outside EU |
| Vercel Inc. | Application hosting (frontend) | United States + global edge network | DPA available, SCC for transfers outside EU |
| Resend | Transactional email delivery | EU / United States | DPA available, SCC for transfers |
| Stripe (planned service, upcoming) | Payment processing — not active at current stage | EU / United States | DPA available, PCI-DSS Level 1 certified, SCC |
Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17), known as the right to be forgotten — request deletion of your data in cases provided by law.
- Right to restriction of processing (Art. 18) — temporarily freeze the processing of your data.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest, or for direct marketing purposes.
- Right to withdraw consent (Art. 7) — withdraw at any time your consent to processing that depends on it.
- Right to define post-mortem directives (French Data Protection Act, Art. 84-85) — applicable to users residing in France.
How to exercise your rights
To exercise your rights, contact us at contact@spotwee.com. If we have reasonable doubt about your identity, we may request additional information necessary to verify it.
Response time
We undertake to respond within one month of receipt of your request, extendable to three months in case of justified complexity (Art. 12.3 GDPR).
Complaint to a supervisory authority
If you believe your rights are not being respected, you may lodge a complaint with the competent supervisory authority:
- France — Commission Nationale de l'Informatique et des Libertés (CNIL) — https://www.cnil.fr
- Luxembourg — Commission Nationale pour la Protection des Données (CNPD) — https://cnpd.public.lu
- Germany — Data protection authority of the federal state of residence (Landesdatenschutzbehörde)
Retention periods
Your personal data is retained only for the time necessary for the purposes for which it was collected, in accordance with the following periods:
| Category | Retention period | Reference |
|---|---|---|
| Active user account | Duration of the account | — |
| Deleted account | 30 days reversible, then definitive deletion | Internal policy |
| Accounting data and invoices | 10 years | French Commercial Code, Art. L123-22 |
| Security logs | Up to 12 months, except where longer retention is required in case of incident, dispute or legal obligation | CNIL recommendation |
| Cookies and trackers | Lifespan up to 13 months depending on purpose; audience measurement data retained up to 25 months maximum | CNIL recommendation |
| Commercial prospecting data | 3 years after last contact or end of commercial relationship | CNIL recommendation |
| Booking requests and messages | 3 years after last interaction | Internal policy |
Beyond these periods, data is permanently deleted or irreversibly anonymized.
Messaging
The internal messaging system allows requesters and owners to communicate following an inquiry relating to a venue. These exchanges are subject to the personal data processing described below.
Purposes
- Connection between requester and owner following an inquiry about a venue
- Preparation of the booking and performance of pre-contractual measures
- Logistical coordination of the event and user support
- Prevention of fraud, abuse and circumvention of the Platform
- Detection, handling and evidence of reported content
- Monitoring of the advertised response time: automated processing of communication metadata to detect a request left unanswered, remind the owner and, failing that, allow the Platform to reply to the requester under a clearly identified identity
- Service security and defense of the Platform's rights
Legal basis
The exchanges necessary for the preparation of a booking and its follow-up are based on the performance of pre-contractual measures taken at your request and, where applicable, on the performance of the contract. Processing related to security, logging, abuse prevention, moderation and evidence preservation is based on the Platform's legitimate interest in securing its service and protecting its users.
Categories of data
- Participants' account identity
- Content of messages and, where applicable, attachments
- Communication metadata (date, time, conversation and message identifier, sending, receipt, read or report status)
- Technical and logging data necessary for security and incident handling
- Information related to a report, a moderation decision or a dispute
Recipients
Messaging data is accessible to the two participants in the exchange and, strictly on a need-to-know basis, to authorised staff members (support, security, moderation, fraud prevention, dispute handling) as well as technical service providers (hosting, infrastructure, maintenance, security). Automated processing operated by the Platform accesses communication metadata only (timestamps, sender, request status), excluding message content, for the purpose of monitoring the advertised response time. It may be disclosed to competent authorities where required by law or for the establishment, exercise or defense of a legal claim.
Retention periods
Conversations are stored in the active database for 3 years from the last interaction, then deleted. Logging data is retained for a period appropriate to its security purpose. In the event of a report, dispute, suspicion of fraud or legal obligation, the strictly necessary elements may be kept in restricted-access interim archives for the period required to handle the file or defend rights.
Contact details masking
Before acceptance of the request, certain direct contact details (email addresses, telephone numbers) may be automatically masked in the content of messages in order to limit abuse, secure the connection and prevent premature disintermediation. After acceptance, this masking may be lifted according to the service settings.
Your rights over conversations
You may exercise your rights of access, rectification, erasure, restriction and, where applicable, objection. Given the bilateral nature of conversations, a request for erasure may be assessed in light of the rights of others, legal obligations and the need to retain evidence or defend legal claims: depending on the case, it may result in deletion, de-referencing in the interface, anonymisation or partial masking rather than immediate full deletion.