SpaceCare

Privacy Policy

Last updated 21 May 2026

This policy explains how EmotiPal LTD (trading as SpaceCare) collects, uses, stores, and protects personal data when you use the SpaceCare platform. It is written to comply with the UK GDPR and the Data Protection Act 2018.

1. Who we are

SpaceCare is a trading name of EmotiPal LTD, a company incorporated in England and Wales with its registered office in London, United Kingdom. For most personal data processed through the SpaceCare platform - including Creator account data, billing data, and the platform-level data we collect about visitors and learners (security logs, fraud signals, aggregated usage) - EmotiPal LTD is the “controller” as defined in the UK General Data Protection Regulation (“UK GDPR”). For personal data that a Creator collects about their own learners and clients (such as contact lists, leads, quiz and questionnaire responses, and course progress), the Creator is the controller and EmotiPal LTD acts only as a “processor”. Section 2 explains this split, and the processor terms that govern our role are set out in Schedule 1 (Data Processing Terms) to our Terms of Service.

EmotiPal LTD (company number 16171148, registered in England and Wales), with its registered office at 40 Harcourt Terrace, Flat 5, London, SW10 9JR, United Kingdom. We are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR; privacy questions are handled by our privacy team at privacy@space.care.

For any privacy-related question or to exercise your rights, write to us at privacy@space.care.

2. Who this policy covers

SpaceCare is a course-building platform used by independent practitioners (“Creators”) to package and sell educational content. This policy applies to two groups of people:

  • Creators - people who sign up for a SpaceCare account to build, publish, and sell courses.
  • Visitors and learners - people who visit a course page hosted on SpaceCare, leave their details on a lead form, or purchase a course from a Creator.

When a learner buys or enrols in a Creator’s course, the Creator is the controller of that learner’s data for the purposes of the Creator’s own business (CRM, follow-ups, marketing). EmotiPal LTD acts as a processoron the Creator’s behalf for that data, and as a controller for the platform-level data we collect about the same learner (security logs, fraud signals, aggregated usage).

The binding terms that govern our role as a processor for Creator-controlled learner data - the processing instructions, confidentiality, security, sub-processor, assistance, return and deletion, and audit obligations required by Article 28(3) of the UK GDPR - are set out in Schedule 1 (Data Processing Terms) to our Terms of Service, not in this Privacy Policy. Where a Creator accepts the Terms of Service, the Creator and EmotiPal LTD also enter into those Schedule 1 processor terms, which form a binding contract under Article 28(9) of the UK GDPR.

3. What personal data we collect

From Creators

  • Account data: name, email address, password (hashed), profile picture, language preference.
  • Business data: brand name, course content, pricing, public hub settings.
  • Billing data: Stripe customer identifier, subscription status, and the metadata Stripe shares with us. We do not see or store your full card number - that stays with Stripe.
  • Stripe Connect data: for Creators who accept payments, the connected-account identifier and the onboarding status Stripe reports back to us.
  • Usage data: pages visited, actions taken inside the dashboard, AI generations consumed, IP address, device and browser information.
  • Support communications: anything you send us by email or in-app.
  • Voice add-on data: if you enable the podcast voice add-on, the short voice recording you submit and the resulting voice model created by our text-to-speech provider (ElevenLabs), together with the date you consented to its use.

From visitors and learners

  • Contact details submitted to a Creator’s lead form (typically name and email, and optionally a phone number where the Creator’s gate requests one).
  • Purchase details when buying a paid course (handled by Stripe; we receive the transaction reference, amount, and the email used at checkout).
  • Course progress: the furthest point you have reached in a course (used to let you resume where you left off).
  • Assessment and feedback data: answers you submit to a Creator’s in-course quizzes and questionnaires (including selected options, rating scores, and any free-text comments), together with the email address if the form is email-gated.
  • Technical data: IP address, user agent, referrer, and basic analytics events.

We do not knowingly process special category data about learners (health, religion, biometrics, etc.). SpaceCare is positioned as a wellbeing and educational platform, not a healthcare or therapy service - Creators are contractually required not to upload clinical records or other special category data through the platform. Where a Creator opts into the voice add-on, we process the Creator’s own voice recording solely to narrate that Creator’s content; we do not use it for biometric identification.

4. Why we process your data and our lawful basis

  • To provide the service (contract, UK GDPR Art. 6(1)(b)) - creating and authenticating your account, hosting your courses, processing payments, sending transactional emails.
  • To run our business (legitimate interests, Art. 6(1)(f)) - securing the platform, preventing fraud and abuse, measuring usage so we can improve the product, and recovering debts (our legitimate interest is operating a secure, fraud-resistant platform and improving our product).
  • To operate Creators’ lead capture (legitimate interests, Art. 6(1)(f))- when a visitor submits details to a Creator’s lead form, we store and process that data as a processor on the Creator’s documented instructions; our own lawful basis for operating the lead pipeline is our legitimate interest in providing the platform to Creators.
  • To comply with the law (Art. 6(1)(c)) - keeping tax and accounting records, responding to lawful requests from authorities, complying with anti-money-laundering and consumer-protection obligations.
  • With your consent (Art. 6(1)(a)) - for optional marketing emails and any non-essential cookies. You can withdraw consent at any time.

5. AI features

SpaceCare uses third-party AI providers to power features such as course generation, the in-app assistant, audio transcription, and text-to-speech podcast narration. When you use an AI feature, the prompt you submit (which may include text you have typed, or the contents of a course module you are editing) is sent to the provider for processing.

If you enable the podcast voice add-on, a short voice recording you provide is sent to our text-to-speech provider, ElevenLabs (United States), to create a synthetic voice model that narrates your own content. We process that recording only with your consent and only to generate audio for your content; it is not used for biometric identification. See “What personal data we collect” and “International transfers” for the data involved and the transfer safeguards.

We have data-processing agreements with our AI providers that prohibit them from using your prompts to train their general-purpose models. We log AI usage at an aggregated level (counts, model used, token totals) for billing and abuse prevention; we do not retain the full prompt content beyond what is needed to return the result.

The in-app chat assistant is an exception: it stores your conversation so you can pick a thread back up where you left off. These conversations are kept on a short retention schedule and deleted automatically. See “How long we keep data” below.

6. Who we share data with

We share personal data only with the processors that help us run the platform, and only to the extent needed. Current categories of processor include:

  • Payments: Stripe Payments Europe, Ltd. and Stripe Payments UK, Ltd. for card processing, Stripe Connect onboarding, and payouts to Creators.
  • Cloud infrastructure: Amazon Web Services (eu-west-1 / eu-west-2) for application hosting, database (RDS), file storage (S3), video transcoding (MediaConvert), content delivery (CloudFront), and encryption key management (KMS).
  • Email delivery (AWS SES):transactional emails (account, billing, access links, notifications) and, where a Creator uses the newsletter feature, delivery of the Creator’s newsletters to learners who verified their email and opted in (each newsletter carries a one-click unsubscribe).
  • AI and audio providers:Anthropic (Claude, run via AWS Bedrock in the EU and, in development only, Anthropic’s direct API) for course generation and the in-app assistant; ElevenLabs for audio transcription, text-to-speech podcast narration, and voice cloning (including any voice sample you choose to upload).
  • Error monitoring: Sentry, for application error and performance diagnostics (configured to scrub personal data where we can).
  • Rate limiting: Upstash, where enabled, for abuse protection.
  • Authentication: identity providers (e.g. Google) when you choose to sign in with them.
  • Professional advisers: our accountants and lawyers, on a confidential basis.
  • Authorities: regulators, courts, or law-enforcement agencies where we are legally required to disclose.

We keep a current list of sub-processors available on request at privacy@space.care. Where we act as a processor for a Creator, the general written authorisation, prior-notice, and objection mechanism for changes of sub-processor required by Article 28(4) of the UK GDPR is set out in Schedule 1 (Data Processing Terms) to our Terms of Service.

We do not sell your personal data and we do not share it with advertising networks.

7. International transfers

Our core infrastructure (hosting, database, storage, and production AI inference) is located in the United Kingdom and the European Economic Area. Some processors - notably certain AI and audio-processing providers (for example, text-to-speech and transcription, such as ElevenLabs, and, where applicable, Anthropic and our error-monitoring provider Sentry) and content-delivery edges - process data in the United States. Where we transfer personal data outside the UK, we put in place a valid transfer mechanism - the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses - and carry out a transfer risk assessment, together with appropriate technical and organisational safeguards. You can request a copy of the relevant transfer safeguards by emailing privacy@space.care.

8. How long we keep data

  • Creator accounts: for as long as your account is active, and for up to 6 years afterwards to satisfy UK tax and company-law record-keeping requirements.
  • Course content and learner lists:kept for as long as the Creator’s account is active. Deleted within 30 days of account closure, except where retention is required by law.
  • Order and payment records:order and payment rows, including the buyer’s email and name on each transaction, are retained for up to 6 years from the end of the relevant tax year to meet HMRC requirements. When an account is closed, these are kept as financial records and de-linked from the closed account rather than deleted at the 30-day point.
  • Consent and acceptance records: including the IP address and device information captured when consent is given or withdrawn, retained for the life of the account plus up to 6 years as evidence of consent, then deleted or anonymised; deleted when you close your account.
  • Visitor lead records, quiz and feedback submissions: held for the Creator (as controller) and deleted within 30 days of the Creator’s account closure, or sooner on the Creator’s instruction.
  • Voice add-on samples and consent: the voice recording, the voice model, and the related consent record are deleted when you remove the voice add-on or close your account.
  • Follows, endorsements, and bookmarks: kept while your account is active and deleted on closure.
  • AI assistant conversations: chats with the in-app assistant, and onboarding-wizard chats, are kept for 30 days after your last message and then automatically deleted. You can ask us to delete them sooner, and they are removed immediately if you close your account.
  • Server and security logs: typically 90 days, longer where an active investigation is in progress.
  • Marketing-consent records: until you withdraw consent or 24 months of inactivity, whichever comes first.

9. Your rights under the UK GDPR

You have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have data erased where one of the legal grounds for erasure applies;
  • restrict or object to our processing in certain situations;
  • receive your data in a portable, machine-readable format and have it transmitted to another controller;
  • withdraw consent at any time where we are relying on consent; and
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

To exercise any of these rights, email privacy@space.care. We will respond within one month, in line with UK GDPR timelines.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (the “ICO”) at ico.org.uk/make-a-complaint. We would, however, appreciate the chance to address your concerns before you approach the ICO.

10. Cookies and similar technologies

We use a small number of cookies and similar technologies. The table below describes the cookies we currently set:

CookiePurposeDurationCategory
Session cookieKeeps you signed in to your account.Session / persistent until sign-out or expiryStrictly necessary
CSRF tokenProtects forms and actions against cross-site-request-forgery attacks.SessionStrictly necessary
Locale preferenceRemembers your language choice.Up to 1 yearStrictly necessary
_pl_vA first-party identifier used to count page views on a Creator’s public hub, course, and download pages. It is scoped to a single Creator and is not used for cross-site advertising.1 yearAnalytics (non-essential)

The _pl_v analytics cookie is set on public hub, course, and download pages when those pages are viewed. We keep analytics minimal and do not use cross-site advertising trackers, and we do not sell this data.

Where local law (including the Privacy and Electronic Communications Regulations) requires consent for non-essential cookies, that consent applies to the _pl_v analytics cookie. The strictly necessary cookies above do not require consent and cannot be disabled.

11. Security

We use industry-standard measures to protect personal data: TLS for data in transit, encryption at rest for our database and object storage, role-based access controls, and routine backups. No system is ever completely secure; if a personal-data breach happens that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, the affected individuals.

12. Children

SpaceCare is not directed at children under 13, and Creator accounts are intended for adults running a professional practice or business. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact privacy@space.care and we will delete it.

13. Changes to this policy

We may update this policy from time to time. When we make material changes we will notify Creators by email and update the “Last updated” date at the top of this page. Continued use of the platform after the changes take effect constitutes acceptance of the revised policy.

14. Contacting us

EmotiPal LTD (trading as SpaceCare)
Company number 16171148, registered in England and Wales
Registered office: 40 Harcourt Terrace, Flat 5, London, SW10 9JR, United Kingdom
Email: privacy@space.care