Spacebring Logotype
Book a demo

Spacebring data processing addendum

Last Modified: February 1, 2026

This Data Processing Agreement (“DPA”) is entered into between the customer entity that has entered into the Agreement (“Controller”) and Spacebring Sp. z o.o. with a place of business at ul. Polanki 76, Gdańsk 80-302, Poland, KRS: 0000772992, NIP: PL5842781756, REGON: 38263506000000 (“Processor”).

Controller and Processor are referred to individually as “Party” and collectively as “Parties”. 

I. Background and Objective

By entering into the Agreement (including by creating an account, starting a Trial Subscription, placing an Order through our checkout, clicking to accept the Terms, paying an invoice, or otherwise accessing or using the Services), the Parties have entered into a contractual relationship to which this DPA is supplemental. Within the scope of its assignment, Processor will/may gain access to and process personal data for which Controller is the data controller. This means that Processor is a data processor for Controller, or another company affiliated with Controller, in accordance with the applicable data protection legislation (“Data Protection Legislation”).

The objective of the DPA is to comply with the requirements in the Data Protection Legislation for a written agreement between Controller and Processor. 

II. Definitions

The terms used in the DPA shall have the same meaning as assigned to them below and in the Data Protection Legislation, which inter alia imply that:

“Personal data” means any information that, directly or indirectly, can identify a living natural person;

“Processing” means any operation or set of operations performed with regard to personal data, whether or not performed by automated means, for example collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction;

“Data controller” means anyone who alone or jointly with others determines the purposes and means of the processing of personal data; 

“Data processor” means anyone who processes personal data on behalf of the data controller;

“Sub-processor” means a sub-contractor that is engaged by Processor. The sub-processor processes personal data on behalf of Controller in accordance with the sub-processor’s obligation to provide its services to Processor;

“Standard Contractual Clauses” means the standard contractual clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 (as may be amended, replaced, or superseded), and where applicable the UK Addendum / UK IDTA and Swiss addendum for transfers subject to UK or Swiss law.

Data Protection Legislation” means applicable data protection legislation. As from 25 May 2018, Regulation (EU) 2016/679 of the European Parliament of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; the “GDPR”) and such national legislation implementing the GDPR is the applicable data protection legislation.

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

III. Undertaking and Instruction

Processor undertakes to process the personal data that it has access to under the Agreement on behalf of Controller, for the purpose of fulfilling the Agreement and during the term of the Agreement. Processor further undertakes:

  1. To process the personal data in accordance with the Data Protection Legislation and the Agreement. Processor may, however, process information required by laws of the European Union or national legislation in a member state to which Processor is subject, but shall inform Controller of such requirement prior to processing, provided that Processor is not prohibited to give such information with reference to important grounds of public interest; and
  2. Not to use or utilize personal data transferred to or transferred by Processor, collected to or collected by Processor, produced to or produced by Processor or any other way processed personal data under this DPA in its business, other than in cases permitted by this DPA; and
  3. To keep the personal data confidential and not to disclose the personal data to any third parties other than in cases permitted by this DPA, or in any other way use the personal data in contradiction with the Agreement and the DPA. Processor shall also ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
  4. To assist Controller, taking into account the nature of the processing, by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to and to fulfil requests from data subjects exercising their rights laid down in Chapter III of the GDPR; and
  5. To assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (implement security measures, manage personal data breaches, conduct data privacy impact assessments and participate in prior consultations with the supervisory authority) taking into account the nature of the processing and the information available to Processor.

Through mechanisms defined in Agreement, Controller may grant Processor temporary access to personal data for the sole purpose of fulfilling its obligations under Agreement.

IV. Consent for Collecting Personal Data

Controller stipulates that all relations between Controller and its end users resulting from the performance of the Agreement are regulated by a lease contract or by other similar documents between Controller and its end users, that inter alia regulates collection and processing of all required consents for processing personal data.

V. Processing Activities

Controller may submit personal data to the Services, the extent of which is determined and controlled by Controller and which may include, but is not limited to, personal data relating to the following categories of data subject:

  • Authorized Users;
  • employees of Controller;
  • consultants of Controller;
  • contractors of Controller;
  • agents of Controller; and/or
  • third parties with which Controller conducts business.

The personal data transferred concern the following categories of data: 

  • full names;
  • contact information (including, but not limited to email addresses, phone numbers);
  • information about software and hardware used to access Services;
  • other personal data, which data subjects may choose to submit through Services, the extent of which is determined and controlled by Controller in compliance with applicable Data Protection Law.

The Services are not intended for processing Special Categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). Controller will not provide such data to Processor unless the Parties have expressly agreed in writing and Processor has implemented appropriate safeguards.

The personal data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities:

  • storage and other processing necessary to provide, maintain, and update the Services provided to Controller;
  • to provide customer and technical support to Controller;
  • in aggregate and anonymized form for improvement of Services; and
  • disclosures in accordance with the Agreement, as compelled by law.

VI. Information Security

Processor implements all appropriate technical and organisational measures necessary in order to ensure a level of security, as required pursuant to Article 32 GDPR and other applicable Data Protection Legislation necessary in order for Processor to comply with the security requirements set out in the Agreement.

Processor may update its technical and organizational measures from time to time, provided that such updates will not materially diminish the overall security of the Services. Processor will provide notice where a change materially reduces security (if any), or where required by applicable law.

In the event of data breach or any potential violation of information security, Processor shall notify Controller without delay after becoming aware of the infringement of information security of personal data or any other violation of Data Protection Legislation or this DPA. As a part of the notification, Processor must inform Controller without delay and in writing all the necessary information about the disturbance and the related measures, especially:

  1. A description of the nature of the infringement of information security, including the information of registered groups and estimated amount of registered persons affected by the infringement along with the information required by Data Protection Legislation;
  2. Necessary information regarding the statutory obligations and fulfillment of the contractual obligations of Controller. These obligations shall be based on, inter alia, Data Protection Legislation, agreements made with third parties and/or a request, a guidance and/or a ruling made by the supervisory authority or a tribunal;
  3. Necessary information for preventing similar infringements of the information security and information required for the notifications made for the registered persons and possible third parties.

VII. Audit 

  1. Upon written request, Processor will provide Controller with information reasonably necessary to demonstrate Processor’s compliance with this DPA. Where available, Processor may satisfy this obligation by providing summaries of its security program and/or relevant third-party audit reports (e.g., PCI DSS) or similar documentation.

  2. Controller may conduct an audit of Processor’s compliance with this DPA no more than once per twelve (12) months (Planned audit), unless (a) required by a competent supervisory authority, or (b) following a reasonable suspicion of Personal Data Breach affecting Personal Data that Processor has access to under the Agreement on behalf of Controller, (c) in the event of any material changes to the Processor's data security measures, systems, or processes that could reasonably impact the security of the Controller's personal data (Ad hoc or incidental audit).

  3. Planned audit must be: (i) scheduled at least thirty (30) days in advance; (ii) conducted during normal business hours; (iii) subject to confidentiality obligations; and (iv) performed in a manner that does not unreasonably interfere with Processor’s business operations, security, or other customers. Ad hoc or incidental audits may be conducted with reasonable prior notice appropriate to the circumstances (but no less than seventy-two (72) hours), subject to the other conditions in this clause.

  4. Controller will bear all costs of any audit and will reimburse Processor for reasonable time and expenses incurred in supporting the audit, except where the audit identifies material non-compliance by Processor.

  5. Processor may object to any auditor that is not independent or is a direct competitor of Processor, and the Parties will work in good faith to select an alternative auditor.

VIII. Engaging Sub-processors

Controller acknowledges and agrees that Processor may engage third-party Sub-processors for the performance of Processor's processing of personal data under the DPA. Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the work of each Sub-processor directly under the terms of this DPA. Processor will notify Controller of any new Subprocessors to the extent required under the Agreement. A current list of third-party providers (Sub-processors), including the identities of those Sub-processors, the purpose of their involvement and information shared is accessible via Privacy Policy (accessible at https://www.spacebring.com/privacy or a successor URL.) Controller may reasonably object to Processor’s use of a new Sub-processor by notifying Processor promptly in writing within fourteen (14) business days after receipt of Processor’s notice. To the extent Processor or its Sub-processors process or transfer Personal Data outside the EEA, the UK, or Switzerland, Processor will ensure that such transfers are subject to appropriate safeguards under applicable Data Protection Legislation (such as the Standard Contractual Clauses and, where applicable, the UK Addendum/UK IDTA and Swiss addendum) and will provide information about such safeguards upon request.

IX. Order of Validity of Contract Documents

This DPA forms part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA will control solely with respect to the Parties’ rights and obligations relating to the processing and protection of Personal Data. For all other matters, the Agreement will control.

X. Term

This DPA is effective as of the date the Agreement becomes effective and remains in force for as long as Processor processes personal data on Controller’s behalf.

Upon termination or expiration of Controller’s subscription to Processor’s Services (including expiration of Trial Subscriptions without conversion to paid subscription), the Controller should decide whether to delete or return any personal data for which Controller is the data controller provided to the Processor under this agreement. If Controller does not provide Processor with instructions to return or delete Customer Data, the following default data retention and deletion procedure applies automatically:

(a) Day 0 – Initial notification: On the date of termination or expiration of Controller’s subscription, we send an automated notification to the Controller’s registered email address informing that all data associated with their Account, including all Users’ personal data, will be permanently and irrevocably deleted within 60 (sixty) calendar days from the date of termination. This notification includes: 

  • The exact date by which data will be deleted, 

  • Information about the possibility of recovering data during the 60-day period, 

  • Instructions on how to export data from the Services, 

  • Contact information for our support team (support@spacebring.com) for data recovery requests. 

(b) Day 30 – Reminder notification: 30 (thirty) calendar days after termination of Controller’s subscription, we send a second automated reminder to the Controller’s registered email address informing that data will be permanently deleted in 30 (thirty) days. This reminder includes the same information as the initial notification and emphasizes the approaching deadline for data recovery.

(c) Day 60 – Automatic data deletion: 60 (sixty) calendar days after termination of Controller’s subscription, all data associated with the Controller’s Account is automatically and permanently deleted from our systems. This deletion is irreversible and includes: 

  • All Users’ personal data (names, email addresses, phone numbers, profile information, etc.), 

  • All business data (invoices issued by Controller to their clients, booking records, membership plans, room/desk/office details, payment information, etc.), 

  • All usage data and logs, 

  • Customer Data will be deleted from production systems and scheduled for deletion/overwriting from backups in accordance with Processor’s backup retention cycle.

After the 60-day period expires, Processor will have no obligation to restore Customer Data and may be unable to do so.

(d) Data recovery during the 60-day period: During the 60-day post-termination period, Controller may recover their data by: 

  • Contacting our support team at support@spacebring.com with a data recovery request. Our support team will provide instructions on how to export data or restore access to the Account. 

  • Re-subscribing to our Services. Upon re-subscription (and provided the data has not been deleted pursuant to Controller’s instructions), access to the Account and Customer Data is restored.

(e) Controller’s obligations: Controller is responsible for: 

  • Ensuring that they have exported all necessary data from the Services before the expiration of the 60-day post-termination period.

 - Informing their Users about the termination of subscription and the upcoming deletion of data, in accordance with Controller’s own privacy policy and applicable data protection laws. 

  • Ensuring that they have an alternative means of storing and processing Users’ data after termination of Spacebring Services.

Spacebring is not responsible for any loss of data or business disruption resulting from Controller’s failure to export data before the expiration of the 60-day period. 

For avoidance of doubt, this procedure applies to Personal Data for which Controller is the data controller provided to the Processor under this agreement, except to the extent Processor is required to retain certain information under applicable law (e.g., tax, accounting, fraud prevention, or security obligations). Any such retained data will be protected and access-restricted. Residual copies in backups will be deleted or overwritten in accordance with Processor’s backup retention cycle.

XI. Governing Law and Dispute Resolution

The DPA shall be governed by and construed in accordance with laws of the Republic of Poland. Disputes regarding interpretation and application of the DPA shall be settled in accordance with the provisions in the Agreement regarding dispute resolution.