SpaceCare

Privacy Policy

Last updated 21 May 2026

This policy explains how EmotiPal LTD (trading as SpaceCare) collects, uses, stores, and protects personal data when you use the SpaceCare platform. It is written to comply with the UK GDPR and the Data Protection Act 2018.

1. Who we are

SpaceCare is a trading name of EmotiPal LTD, a company incorporated in England and Wales with its registered office in London, United Kingdom. EmotiPal LTD is the “controller” of personal data processed through the SpaceCare platform, as defined in the UK General Data Protection Regulation (“UK GDPR”).

For any privacy-related question or to exercise your rights, write to us at privacy@space.care.

2. Who this policy covers

SpaceCare is a course-building platform used by independent practitioners (“Creators”) to package and sell educational content. This policy applies to two groups of people:

  • Creators — people who sign up for a SpaceCare account to build, publish, and sell courses.
  • Visitors and learners — people who visit a course page hosted on SpaceCare, leave their details on a lead form, or purchase a course from a Creator.

When a learner buys or enrols in a Creator’s course, the Creator is the controller of that learner’s data for the purposes of the Creator’s own business (CRM, follow-ups, marketing). EmotiPal LTD acts as a processoron the Creator’s behalf for that data, and as a controller for the platform-level data we collect about the same learner (security logs, fraud signals, aggregated usage).

3. What personal data we collect

From Creators

  • Account data: name, email address, password (hashed), profile picture, language preference.
  • Business data: brand name, course content, pricing, public hub settings.
  • Billing data: Stripe customer identifier, subscription status, and the metadata Stripe shares with us. We do not see or store your full card number — that stays with Stripe.
  • Stripe Connect data: for Creators who accept payments, the connected-account identifier and the onboarding status Stripe reports back to us.
  • Usage data: pages visited, actions taken inside the dashboard, AI generations consumed, IP address, device and browser information.
  • Support communications: anything you send us by email or in-app.

From visitors and learners

  • Contact details submitted to a Creator’s lead form (typically name + email, or name + WhatsApp number).
  • Purchase details when buying a paid course (handled by Stripe; we receive the transaction reference, amount, and the email used at checkout).
  • Course progress: which modules have been opened or completed.
  • Technical data: IP address, user agent, referrer, and basic analytics events.

We do not knowingly process special category data (health, religion, biometrics, etc.). SpaceCare is positioned as a wellbeing and educational platform, not a healthcare or therapy service — Creators are contractually required not to upload clinical records or other special category data through the platform.

4. Why we process your data and our lawful basis

  • To provide the service (contract, UK GDPR Art. 6(1)(b)) — creating and authenticating your account, hosting your courses, processing payments, sending transactional emails.
  • To run our business (legitimate interests, Art. 6(1)(f)) — securing the platform, preventing fraud and abuse, measuring usage so we can improve the product, and recovering debts.
  • To comply with the law (Art. 6(1)(c)) — keeping tax and accounting records, responding to lawful requests from authorities, complying with anti-money-laundering and consumer-protection obligations.
  • With your consent (Art. 6(1)(a)) — for optional marketing emails and any non-essential cookies. You can withdraw consent at any time.

5. AI features

SpaceCare uses third-party large-language-model providers to power features such as course generation and audio transcription. When you use an AI feature, the prompt you submit (which may include text you have typed, or the contents of a course module you are editing) is sent to the provider for processing.

We have data-processing agreements with our AI providers that prohibit them from using your prompts to train their general-purpose models. We log AI usage at an aggregated level (counts, model used, token totals) for billing and abuse prevention; we do not retain the full prompt content beyond what is needed to return the result.

6. Who we share data with

We share personal data only with the processors that help us run the platform, and only to the extent needed. Current categories of processor include:

  • Payments: Stripe Payments Europe, Ltd. and Stripe Payments UK, Ltd. for card processing, Stripe Connect onboarding, and payouts to Creators.
  • Cloud hosting: Amazon Web Services (typically the eu-west-1 / eu-west-2 regions) for application hosting, database, and file storage.
  • Email: our transactional email provider, for account, billing, and notification emails.
  • AI providers: the third-party LLM and transcription APIs that power AI features inside the editor.
  • Authentication: identity providers (e.g. Google) when you choose to sign in with them.
  • Professional advisers: our accountants and lawyers, on a confidential basis.
  • Authorities: regulators, courts, or law-enforcement agencies where we are legally required to disclose.

We do not sell your personal data and we do not share it with advertising networks.

7. International transfers

Our infrastructure is primarily located in the United Kingdom and the European Economic Area. Some processors (notably AI providers) are based in the United States or other jurisdictions outside the UK. When personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate technical and organisational measures.

8. How long we keep data

  • Creator accounts: for as long as your account is active, and for up to 6 years afterwards to satisfy UK tax and company-law record-keeping requirements.
  • Course content and learner lists:kept for as long as the Creator’s account is active. Deleted within 30 days of account closure, except where retention is required by law.
  • Payment records: 6 years from the end of the relevant tax year (HMRC requirement).
  • Server and security logs: typically 90 days, longer where an active investigation is in progress.
  • Marketing-consent records: until you withdraw consent or 24 months of inactivity, whichever comes first.

9. Your rights under the UK GDPR

You have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have data erased where one of the legal grounds for erasure applies;
  • restrict or object to our processing in certain situations;
  • receive your data in a portable, machine-readable format and have it transmitted to another controller;
  • withdraw consent at any time where we are relying on consent; and
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

To exercise any of these rights, email privacy@space.care. We will respond within one month, in line with UK GDPR timelines.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (the “ICO”) at ico.org.uk/make-a-complaint. We would, however, appreciate the chance to address your concerns before you approach the ICO.

10. Cookies and similar technologies

We use a small number of cookies and similar technologies, namely:

  • Strictly necessary cookies — to keep you signed in, remember your language choice, and protect against cross-site-request-forgery attacks. These cannot be disabled.
  • Analytics — to understand how the dashboard is used in aggregate. We keep analytics minimal and do not use cross-site advertising trackers.

Where local law (including the Privacy and Electronic Communications Regulations) requires consent for non-essential cookies, we ask for it before setting them.

11. Security

We use industry-standard measures to protect personal data: TLS for data in transit, encryption at rest for our database and object storage, role-based access controls, and routine backups. No system is ever completely secure; if a personal-data breach happens that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, the affected individuals.

12. Children

SpaceCare is not directed at children under 13, and Creator accounts are intended for adults running a professional practice or business. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact privacy@space.care and we will delete it.

13. Changes to this policy

We may update this policy from time to time. When we make material changes we will notify Creators by email and update the “Last updated” date at the top of this page. Continued use of the platform after the changes take effect constitutes acceptance of the revised policy.

14. Contacting us

EmotiPal LTD (trading as SpaceCare)
London, United Kingdom
Email: privacy@space.care