gospace
PricingDocsAPI ReferenceOpen Platform

Last updated October 1, 2024.

1. Overview & Scope

This Privacy Policy explains how gospace Ltd (“gospace”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you interact with our websites, web and mobile applications, APIs, SDKs, bots, integrations, and related modules (collectively, the “Services”).

gospace provides forecasting, optimisation, simulation, and automation capabilities across multiple sectors (including but not limited to workplace, logistics, transportation, healthcare, manufacturing, energy, government, education, and financial operations). This policy is designed to cover personal data processed in all such environments.

This Privacy Policy applies when we process personal data as a controller (for our own business operations) and as a processor (on behalf of our customers). Where our contractual terms (such as a Data Processing Agreement) conflict with this notice for processing under that contract, the contractual terms will control.

2. Our Role (Controller vs Processor)

gospace operates in two main roles under privacy and data protection laws:

  • Controller. We act as a controller for:
    • data about visitors to our marketing websites and public pages;
    • customer and user account data (for billing, contracts, security, and product operations);
    • support, sales, and communications data we manage directly.
  • Processor. We act as a processor when we process personal data that our customers (organisations) upload or connect to the Services (e.g., workforce rosters, sensor signals, operational data, business records). In that case, the customer remains the controller and determines the purposes and means of processing. We process such data only on their documented instructions and under a Data Processing Agreement.

When in doubt, if your organisation provides data to gospace to be processed inside a “tenant” or workspace, that data is typically treated as Customer Data for which your organisation is the controller and gospace is the processor.

3. Categories of Personal Data

Depending on how the Services are configured and used, we may process the following broad categories of personal data:

  • Account & Profile Data. Name, business email address, authentication identifiers, organisation, role, permissions, language and UI preferences.
  • Workforce & Directory Data (optional). Attributes about people and teams provided by customers, such as job role, department, team or unit, manager, shift group, project or assignment tags, capacity, entitlements, and scheduling constraints.
  • Operational & Attendance Signals. Where configured by customers, this can include shifts, rosters, bookings, attendance events, resource usage, task assignments, queueing or throughput information, and other signals (for example to plan staffing, capacity, or asset usage) across any industry.
  • Spatial & Asset Data. Space labels, floor plans, areas, rooms, zones, capacities, resource identifiers, asset classifications, routing and adjacency information associated with those assets or spaces.
  • Interaction & Bot Data. Commands, questions, prompts, configuration inputs, automation triggers, workflow state, and outputs generated by agents and modules (forecasts, simulations, recommendations, optimised plans). Message bodies and free-text content may be stored or truncated based on compliance mode and retention configuration.
  • Telemetry, Logs & Diagnostics. IP address, device and browser type, timestamps, request metadata, performance metrics, error logs, and auth/audit logs needed to operate and secure the Services.
  • Support & Communication Data. Content of support tickets, emails, call notes, attachments, optional screen recordings, and feedback that you choose to provide.

4. Where We Get Data From

We obtain personal data from three primary sources:

  • Directly from you. For example when you create an account, update profile settings, submit forms, interact with the console, use an agent or bot, or contact us for support.
  • From your organisation. Customer administrators may sync or upload data from their own systems (directory, HR, asset management, IoT platforms, operational systems, etc.) to enable forecasting, optimisation, and automation.
  • Automatically from your use of the Services. This includes telemetry, diagnostics, and product analytics that help us keep the platform stable, secure, and reliable.

5. Purposes of Processing

We use personal data only for legitimate and documented purposes. The main purposes are:

Purpose Examples Role
Provide & operate the Services Running dashboards, forecasts, simulations, automated allocations, recommendations, and workflows across any supported domain. Usually processor for Customer Data.
Secure & maintain integrity Authentication, access control, incident detection, abuse prevention, audit logging, and fraud mitigation. Controller and/or processor, depending on context.
Improve & develop features Analysing aggregated usage trends, performance metrics, and reliability data to refine models and UI. Controller, using minimised and aggregated data where possible.
Support & service communications Responding to tickets, sending status notifications, security alerts, and transactional emails. Controller for communications with you; processor where acting on customer instructions.
Legal, compliance & risk Complying with applicable law, audit, tax, accounting, sanctions, and regulatory obligations. Controller.

gospace does not use Customer Data for data brokerage, advertising networks, or unrelated profiling.

7. Sharing, Sub-processors & Integrations

We do not sell or rent personal data. We share it only in limited and controlled circumstances:

  • Sub-processors. We use vetted service providers for cloud infrastructure, storage, authentication, observability, communication, and security tooling. They act solely on our instructions, are bound by contract, and may not use Customer Data for their own purposes.
  • Customer-authorised integrations. Customers may enable connections with their own tools (for example, communication platforms, directories, workflow tools, operational systems, or sensors). Only the data required for the integration to function is shared, and administrators can revoke access at any time.
  • Corporate transactions. If gospace is involved in a merger, acquisition, restructuring, or asset sale, relevant data may be transferred under appropriate confidentiality and continuity commitments.
  • Legal and safety obligations. We may share data if required by law, regulation, court order, or to protect the rights, property, or safety of users, customers, or the platform.

A current list of sub-processor categories and, where applicable, regions can be made available to customers and updated in accordance with contract terms.

8. Retention & Deletion

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy or as required by law or contract. Retention depends on the data type and customer configuration:

Data Category Typical Retention Notes
Account & billing data Subscription term + limited period May be retained longer where required by law (e.g. tax/audit).
Operational & forecast data 90–365 days or as configured by the customer Customers can choose shorter or longer periods depending on use case.
Bot & agent message bodies 7–30 days (or disabled) Controlled by compliance mode; may be truncated or not stored.
Logs & telemetry 30–180 days For security and reliability; retained longer only where mandated.

On contract termination, Customer Data is deleted or anonymised in accordance with the DPA and applicable law. Customers may request earlier deletion where permitted. Backup copies are removed on a rolling basis following standard retention windows.

9. International Data Transfers

gospace hosts data in regions selected by the customer (for example, EU, UK, US, or APAC). Customer Data is logically contained within the chosen region unless:

  • cross-region features or integrations are explicitly enabled;
  • a support or security investigation requires limited access from another region; or
  • a lawful request requires cross-border disclosure.

When personal data is transferred outside of its originating jurisdiction, we use appropriate safeguards, such as Standard Contractual Clauses (SCCs), the UK Addendum, or other approved mechanisms, and carry out transfer risk assessments where required.

10. Security Measures

We implement technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, or alteration. These include:

  • Encryption in transit and at rest
  • Role-based access control and least-privilege access
  • Network isolation and secret management
  • Audit logs, monitoring, and alerting
  • Backups, redundancy, and disaster recovery
  • Penetration testing and vulnerability management
  • Change management and secure development practices
  • Employee security training and access reviews

11. Automated Decisions & Profiling

The Services generate forecasts, simulations, and optimisation outputs that may be used to support resource planning and operational decisions. Customers control how these outputs are used (for example, as recommendations for humans or as inputs to automated workflows).

gospace itself does not make employment, credit, or legal status decisions about individuals. Where applicable law restricts solely automated decisions that have legal or similarly significant effects, customers are responsible for implementing appropriate review and override mechanisms, and gospace will provide supporting information about model inputs and configuration as reasonably necessary.

12. Cookies & Similar Technologies

We use cookies, local storage, and similar technologies to operate and improve the Services. These typically fall into the following categories:

Category Purpose Examples
Strictly necessary Authentication, security, routing, basic functionality Session cookies, CSRF tokens, load-balancing IDs
Functional Remembering preferences, layouts, language, or view settings Theme, filters, recently used items
Analytics Understanding feature usage, performance, and reliability Aggregated metrics about which pages are used most

Where required by law, we present consent options and allow you to manage preferences. You can also control cookies via your browser settings; doing so may affect some functionality.

13. Marketing & Product Communications

We may send customers and users product updates, invitations to events, and other information about gospace. In jurisdictions where consent is required, we will only send such communications if you have opted in, and you can opt out at any time using the unsubscribe link or by contacting us.

Regardless of marketing preferences, we will continue to send important service, security, or legal notices where they are necessary for the operation of the Services or our contractual relationship with you.

14. Your Rights & How to Exercise Them

Depending on your location, you may have rights over your personal data, which can include:

  • Right of access (to know what data is held about you)
  • Right to rectification (correction of inaccurate data)
  • Right to erasure (deletion) in certain circumstances
  • Right to restrict or object to processing
  • Right to data portability
  • Right not to be subject to certain solely automated decisions
  • Right to withdraw consent where processing is based on it

For Customer Data, requests will usually need to be made to your organisation (the controller), who may then instruct gospace to assist. For data where gospace is the controller (such as website and account data), you can contact us directly at privacy@gospace.ai.

We will verify your identity and respond within the timeframes required by applicable law. Where we cannot fully comply for legal or contractual reasons, we will explain why.

15. US State Privacy Notices

Certain US state laws (such as California’s CCPA/CPRA and similar laws in other states) grant residents additional rights, including rights to know, delete, correct, and opt out of certain data practices.

gospace does not “sell” personal information as that term is commonly understood. To the extent that certain limited disclosures could be interpreted as a “sale” or “sharing” under specific state laws, we honour applicable opt-out rights. We also respect legally recognised browser or device signals where required.

16. Additional Regional Disclosures

  • European Economic Area, UK, and Switzerland. You have the rights set out in the GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority.
  • Brazil. Where the LGPD applies, we process data under one or more legal bases similar to those described above and support data subject rights under that law.
  • Other regions. We align our practices with applicable local privacy laws and, where needed, provide region-specific terms in contracts or addenda.

17. Children’s Data

The Services are designed for professional and enterprise use and are not directed at children under the age of 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal data from children in this context. If you believe that a child’s data has been submitted to the Services, please contact us so that we can investigate and take appropriate action.

18. Incidents & Breach Notification

gospace maintains an incident response process designed to detect, assess, and respond to security events. If we become aware of a personal data breach that affects Customer Data, we will notify impacted customers without undue delay, consistent with our contractual obligations and applicable law, and provide relevant information and cooperation to support any required notifications to individuals or authorities.

19. Complaints & Regulatory Contacts

If you have concerns about how we handle personal data, we encourage you to contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with your local data protection authority or regulator where applicable.

20. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes to our Services, legal requirements, or privacy practices. When we make material changes, we will provide notice through the Services, by email to administrators, or by other appropriate means. The “Last Updated” date at the top of this page indicates when the policy was last revised.

21. How to Contact Us

gospace Ltd is the entity responsible for this Privacy Policy for gospace-branded Services.

Email (privacy): privacy@gospace.ai

Email (security): security@gospace.ai

Our registered office details and governing law are set out in your Subscription Agreement or Order Form.

22. Key Definitions

  • Customer. The organisation that enters into an agreement with gospace to use the Services.
  • Customer Data. Any data (including personal data) that a customer or its users upload to, or generate in, the Services.
  • Personal data. Any information relating to an identified or identifiable natural person, as defined by applicable law.
  • Controller. The entity that determines the purposes and means of processing personal data.
  • Processor. The entity that processes personal data on behalf of the controller.
  • SCCs. Standard Contractual Clauses approved for transferring personal data outside certain jurisdictions.
  • DSR. Data Subject Request, meaning a request by an individual to exercise their privacy rights.