Privacy Policy

Last updated: 29 October 2025

1. Introduction

Arete Workspace Ltd ("Arete Workspace," "we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our website, workspace booking platform, and related services (the "Services"). It also outlines your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

By using our Services, you agree to this Privacy Policy.

2. Who We Are

Data Controller: Arete Workspace Ltd

Registered Office: The Mount, 72 Paris Street, Exeter, EX1 2JY, United Kingdom

Email: privacy@areteworkspace.co.uk

We have not appointed a Data Protection Officer, as we are not required to do so. For any privacy-related questions, please contact our privacy team using the email above.

3. Information We Collect

We collect and process the following personal data:

3.1 Account & Identity Information

  • Full name, email address, password (securely hashed)
  • Phone number (optional, used for verification or SMS notifications)
  • Profile details such as bio or profile photo (optional)

3.2 Workspace Provider Information

  • Company name, contact details, VAT number (if applicable)
  • Workspace descriptions, pricing, amenities, and photos
  • Business verification or compliance documents

3.3 Booking & Transaction Data

  • Booking details (dates, times, workspace selections)
  • Messages and enquiries between users and workspace providers
  • Transaction records (we do not store full payment card details)

3.4 Technical & Usage Data

  • IP address, browser type, device information
  • Pages visited, time spent, navigation patterns
  • Cookie identifiers and similar tracking technologies

3.5 Data from Third Parties

  • Data from workspace providers to complete bookings or handle disputes
  • Fraud prevention or authentication partners
  • Publicly available business information (e.g. Companies House)

We do not intentionally collect sensitive data (e.g. health, ethnicity, religious beliefs). Please avoid submitting such information through our Services.

4. How We Use Your Information

We use personal data to:

  • Provide and manage your account and bookings
  • Facilitate payments and send confirmations
  • Enable communication between users and workspace providers
  • Improve, personalise, and maintain our Services
  • Detect, prevent, and respond to fraud or security issues
  • Send marketing communications (only with consent)
  • Comply with our legal obligations

We do not use automated decision-making that has legal or significant effects on users.

5. Legal Bases for Processing

We process data under the following lawful bases:

Purpose:
Account creation, bookings, and payments
Legal Basis:
Contractual necessity (Article 6(1)(b))
Purpose:
Fraud prevention, analytics, service improvement
Legal Basis:
Legitimate interests (Article 6(1)(f))
Purpose:
Marketing communications and cookies
Legal Basis:
Consent (Article 6(1)(a))
Purpose:
Record-keeping and tax compliance
Legal Basis:
Legal obligation (Article 6(1)(c))

You can withdraw consent at any time by updating your preferences or contacting us.

6. Cookies & Tracking

We use cookies and similar technologies to provide and enhance our Services. Cookies help us remember preferences, secure accounts, and analyse traffic.

We only use non-essential cookies (analytics or marketing) with your consent. You can change or withdraw consent via our cookie banner or your browser settings. For more details, see our Cookie Policy.

7. Sharing Your Information

We do not sell or rent your personal data. We only share it when necessary:

7.1 Workspace Providers

When you make a booking or enquiry, we share your name, contact details, and booking information with the relevant provider to fulfil your request. Providers act as independent data controllers for their own business activities.

7.2 Service Providers

We use trusted partners who process data on our behalf:

  • Supabase – database hosting and authentication
  • Vercel – web hosting and content delivery
  • Resend – email delivery
  • Twilio – SMS notifications (when enabled)
  • Payment Processors – secure payments (we never store card numbers)

All processors are contractually required to protect your data and use it only as instructed.

7.3 Legal and Business Transfers

We may disclose data to:

  • Authorities or regulators if required by law
  • Prevent or respond to fraud, security, or legal issues
  • Successors in case of merger, acquisition, or asset transfer (with notice provided)

8. International Data Transfers

Some service providers operate outside the UK. Where data is transferred internationally, we use legally approved safeguards, such as:

  • UK Adequacy Regulations
  • International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
  • The UK-US Data Bridge (for US providers certified under the Data Privacy Framework)

9. Data Security

We apply strong technical and organisational safeguards, including:

  • Encryption of data at rest and in transit
  • Multi-factor authentication for admin access
  • Regular security updates and audits
  • Restricted access based on job role
  • Secure hosting on Supabase and Vercel

Although no system is 100% secure, we follow industry standards to minimise risk.

10. Data Retention

We keep data only as long as needed:

  • Account data: while your account is active + 24 months
  • Bookings & transactions: 7 years (for tax and legal purposes)
  • Support enquiries: 24 months
  • Marketing preferences: until you withdraw consent
  • Security logs: 6–12 months

After these periods, data is securely deleted or anonymised.

11. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (in certain cases)
  • Restrict or object to processing
  • Data portability (transfer to another service)
  • Withdraw consent

To exercise your rights, email privacy@areteworkspace.co.uk. We'll respond within one month.

12. Marketing Communications

We send marketing emails or SMS messages only with your consent or under the soft opt-in rule (for similar services). You can opt out anytime using the unsubscribe link or by emailing us.

Transactional messages (like booking confirmations) are not marketing and cannot be opted out of.

13. Children's Data

Our Services are not designed for children under 13. We do not knowingly collect data from children. If you believe we have done so, contact us and we'll delete it promptly.

14. Updates to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on our website with a new "Last updated" date. Significant updates may also be sent via email or in-app notification.

15. Contact

Arete Workspace Ltd
The Mount, 72 Paris Street, Exeter, EX1 2JY, United Kingdom
Email: privacy@areteworkspace.co.uk
Website: areteworkspace.co.uk

© 2025 Arete Workspace Ltd. All rights reserved.