Data Protection Policy
Last updated: 2026-05-13
SpaceHub Ltd (“SpaceHub”, “we”) is the data controller for personal data processed via the platform at spacehub.mu. This policy explains what we collect, why we collect it, and how we comply with the Mauritius Data Protection Act 2017.
1. Personal data we process
- Identity & contact: first and last name, email, phone, company name, profile photo.
- Account & authentication: hashed password (or OAuth provider ID), role (Client / Owner), language preference, theme preference.
- Bookings: spaces booked, dates and times, attendee counts, payment status, invoices.
- Owner KYC: for Owner accounts only — national ID/passport scan, business registration, address proof (held until verification, then deleted within 30 days unless required for compliance).
- Listings: photos, descriptions, location, pricing and availability you publish.
- Communications: messages between Client and Owner, support emails, dispute records.
- Technical: IP address (truncated for analytics), browser user-agent, device type, timezone, pages viewed, errors encountered.
- Payment metadata: last 4 digits of card, payment method, transaction reference. We never store full card numbers — payment processors (see §5) handle that.
2. Why we process it (lawful basis)
- Contract (Art. 28(b) DPA 2017): running the platform — creating your account, processing bookings, handling payments and refunds, dispute resolution.
- Consent (Art. 28(a)): optional marketing emails, optional analytics/marketing cookies, location features. Withdrawable at any time from your settings or the cookie banner.
- Legal obligation (Art. 28(c)): retention of financial records, response to lawful requests from authorities, KYC for Owner verification.
- Legitimate interest (Art. 28(f)): security monitoring, fraud prevention, aggregated platform analytics, abuse investigation. We balance these against your rights and have a process for objections.
3. How we use your data
- Match Clients and Owners and fulfil bookings.
- Communicate transactional information (booking confirmations, reminders, dispute updates).
- Display Owner profile information to Clients viewing their listings, and Client identity (name + email) to the Owner of a booked space.
- Detect and prevent abuse, fraud, and policy violations.
- Improve the platform via aggregated, anonymised analytics — no individual profiling.
- Comply with tax, anti-money-laundering, and other regulatory obligations.
4. Who we share it with
We do not sell or rent personal data. We disclose data only as follows:
- The other party to a booking — necessary identity and contact details so a Client and Owner can complete a booking.
- Service providers acting on our written instructions: hosting and serverless compute (Vercel, Inc., USA), database and authentication (Supabase, Inc., USA — Postgres data hosted in the EU region), transactional email (Resend, Inc., USA), image and asset CDN, and our AI assistant provider when you use the in-app assistant.
- Public authorities when required by Mauritian law, court order, or a binding request from the Data Protection Office.
- Successors in the event of a corporate transaction (merger, acquisition, restructuring). Your data follows the platform; we will inform you in advance and your rights remain unchanged.
5. International transfers
Some of our service providers are located outside Mauritius. Where data leaves Mauritius we rely on standard contractual clauses, the recipient’s certifications, or your explicit consent. We assess each provider’s safeguards before engaging them and document the transfer in our processing register.
6. Data retention
- Bookings & invoices: 7 years (tax and accounting law).
- Messages between users: 2 years from the last message, then deleted.
- Dispute records: 3 years from resolution.
- Owner KYC documents: destroyed within 30 days of verification unless we are legally required to keep them longer.
- Account profile: retained while your account is active. Deleted within 30 days of account closure, except records we are required by law to retain.
- Server logs: 90 days.
- Backups: rolling 35 days; entries removed from production are removed from backups within that window.
7. Your rights under the Data Protection Act 2017
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectify — correct inaccurate or incomplete data (most fields are self-editable in your settings).
- Erase — delete your account and associated personal data, subject to records we must legally keep.
- Object — to processing based on legitimate interest, including profiling.
- Restrict — pause processing while we resolve a dispute over your data.
- Portability — receive your data in a machine-readable format (JSON export).
- Withdraw consent — for any processing based on consent. Withdrawal does not affect prior processing.
- Lodge a complaint with the Mauritius Data Protection Office (dataprotection.govmu.org) if you believe your rights have been breached.
To exercise any of these rights, email our Data Protection Officer at dpo@spacehub.mu. We respond within 30 days (extendable once by a further 60 days for complex requests, with notice).
8. Security
We protect personal data using industry-standard measures: TLS 1.2+ in transit, AES-256 at rest where the underlying storage supports it, role-based access control with least-privilege defaults, audit logging of all administrative actions, multi-factor authentication for staff accounts, regular dependency scanning and security review of third-party components, and a documented incident response plan. We test these controls regularly and disclose material incidents to affected users and the Data Protection Office within 72 hours of detection where required by law.
9. Children
SpaceHub is not directed to children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, contact our DPO and we will delete it.
10. Cookies and similar technologies
We use a small number of strictly necessary cookies — primarily an authentication cookie that keeps you signed in, a CSRF token, and a preference cookie for language / theme. These do not require consent under the DPA 2017 because they are essential to operating the service.
Optional cookies (analytics, marketing, A/B testing) are set only with your explicit consent via the cookie banner. You can change your choices at any time from the banner’s “Preferences” link or by clearing your cookies.
11. Automated decision-making
We do not make decisions about you that have legal or similarly significant effects using solely automated processing. Automated systems we operate (e.g. fraud-detection heuristics, pricing-rule evaluation, the AI assistant) all surface decisions for human review before any action that would materially affect a user.
12. Changes to this policy
We may update this policy to reflect changes in our practices or in the law. Material changes are announced in-platform and by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact
Data Protection Officer — SpaceHub Ltd, Port Louis, Republic of Mauritius. Email: dpo@spacehub.mu. General queries: support@spacehub.mu.