The short version
We collect only what we need to run the marketplace: your account details, your bookings, and the messages you send us. We never sell your data, and we show no ads. The only analytics we use is cookieless and counts anonymous page views — no cross-site tracking, no profile of you. You can ask us to delete everything at any time.
1. Who we are
Spot a group is operated by Sistemas Técnicos Avanzados de Galicia (CIF B32281453), C/ Valle Inclán 22, 4 B, 32004 Ourense, Spain (“spot a group”, “we”, “us”). We are the data controller for the personal data described in this policy. For anything privacy-related, reach us through the contact page.
2. What we collect
- Account data. Your name, email address and password (stored only in hashed form by our authentication provider). If you sign in with Google, we receive your name and email from your Google profile instead.
- Activity data. The groups and events you book, attend or host on the platform. We do not link the pages you browse to your identity or build a browsing profile of you.
- Analytics data. We measure anonymous, aggregated page views (which pages are visited, and roughly from where) using a cookieless analytics service. It sets nothing on your device and cannot identify you — see section 5 and our cookie policy.
- Messages. When you use the contact form we receive the name, email, topic and message you send.
- Payment data. Payments are processed by Stripe, and your card details live only with Stripe — we never see or store them. We keep only the booking and billing records we need (what you booked, when, and for how much).
- Host verification data. If you apply to host, the credentials and licence information you provide so we can verify you.
- Technical data. IP address, browser and device information, and server logs — used to keep the platform secure and running.
3. Why we use it
Under the GDPR, each use of your data rests on a legal basis:
- To provide the service — creating your account, processing bookings, connecting you with hosts (performance of a contract).
- To answer you — replying to messages you send us (legitimate interest, or steps prior to a contract).
- To keep the platform safe — preventing fraud and abuse, securing accounts (legitimate interest).
- To understand our traffic — measuring anonymous, aggregated page views so we can improve the site (legitimate interest). This uses no cookies and builds no profile of you.
- To meet legal obligations — tax, accounting and consumer-law records.
- Anything else — only with your consent, which you can withdraw at any time.
4. A note on sensitive topics
Many groups on spot a group relate to mental health and personal wellbeing. The simple fact that you join one can reveal information about your health, which the GDPR treats as a special category of data. We take that seriously:
- We use this information only to provide the service — showing you your bookings and letting your host know you are attending.
- It is never used for advertising and never sold or shared beyond the host of the group you joined.
- Live sessions run on our built-in video, powered by Stream. Video and audio are transmitted only to run the call and are never stored — not by us and not by Stream. When a session ends, the call is deleted; nothing is recorded or kept. What happens in a group stays in the group.
5. Who we share it with
We never sell personal data and we run no third-party advertising. To operate the platform we rely on a small number of service providers who process data on our behalf:
- Supabase — database and authentication.
- Vercel — website hosting and cookieless, anonymous traffic analytics.
- Stripe — payment processing.
- Stream — live video for group sessions.
- Resend — email delivery (e.g. contact form messages).
- Google — only if you choose to sign in with Google.
Hosts see the names of members who book their group, so they know who is attending. We may also disclose data where the law requires it.
6. International transfers
Some of our providers may process data outside the European Economic Area (for example, in the United States). Where that happens, transfers are protected by safeguards recognised under the GDPR, such as the EU Standard Contractual Clauses or the EU–US Data Privacy Framework.
7. How long we keep it
What we store is deliberately minimal: your basic registration data (name, email), your bookings, and the records described above. Live session video and audio are never stored at all — calls are deleted as soon as they are completed.
We keep your data while your account is active. If you delete your account, we delete or anonymise your personal data, except what we must keep to meet legal obligations (for example, billing records required by Spanish tax law). Contact-form messages are kept only as long as needed to handle your request.
8. Your rights
You can ask us at any time to access, correct, delete or export your data, to restrict or object to how we use it, or to withdraw a consent you previously gave. Just write to us through the contact page — a human answers within one business day.
If you believe we have not handled your data properly, you have the right to lodge a complaint with the Spanish Data Protection Agency (aepd.es) or your local supervisory authority.
9. Security
Data is encrypted in transit, passwords are stored only as hashes, and access to personal data inside our team is limited to what each person needs. No system is perfectly secure, but we design ours so that the least possible data is exposed if something goes wrong.
10. Under 18s
Spot a group is for adults. You must be at least 18 to create an account, and we do not knowingly collect data from anyone younger. If you believe a minor has created an account, please tell us and we will remove it.
11. Changes to this policy
If we change this policy, we will update the date at the top of this page. For material changes we will let you know by email or with a notice on the platform before they take effect.