Please enquire by email or through the contact form.

Privacy Notice

Last updated: 24 May 2026

1. Who We Are

This Privacy Notice explains how NATIVESPACE LTD collects, uses, stores, and shares personal data when you use our website, contact us, book meeting rooms, use our coworking or private office services, use our virtual office or postal address services, make payments, use the Native Away desk system, or otherwise interact with us.

The controller of your personal data is:

NATIVESPACE LTD
Company registration number: HE434209
Contact address: 20 Dimotikis Agoras, 6021 Larnaca, Cyprus
Email: info@native.com.cy
Website: https://native.com.cy

2. Personal Data We Collect

Website and Contact Enquiries

  • Name, email address, phone number where provided, message content, and enquiry details
  • Information you choose to include in your message
  • Basic technical and security information such as IP address, request headers, timestamps, spam-prevention data, and rate-limit data
  • Your privacy notice checkbox confirmation where applicable

Meeting Room Bookings

  • Name, email address, phone number, company name where provided, and number of attendees
  • Booking location, date, start time, end time, duration, price, and booking status
  • Notes you add to the booking
  • Private cancellation token and cancellation status
  • Google Calendar event identifiers and calendar status
  • Booking confirmation and admin notification email records

Coworking, Private Office, Waiting List, and Admin Customer Records

  • Name, surname, and email address
  • Service interest, customer type, desk or office allocation, and internal priority/order
  • Booking dates, duration, permanent booking status, and related notes
  • Customer category and monthly contribution information used for internal administration

Virtual Office and Postal Address Services

  • Full name, email address, phone number, company name, company registration number, and tax identification number where required
  • Virtual address, residential address, commencement date, business activity, service tier, plan type, add-ons, and notes
  • Signer name, surname, title, authority, signature, agreement acceptance timestamp, and signed contract records
  • Identity and verification documents such as passport, government ID, proof of address, company documents, directors/shareholders certificates, CVs for individual clients, and related supporting documents
  • Encyro secure document links or document receipt status
  • Onboarding status, invitation token, token expiry/revocation data, admin review notes, archive status, and related audit data

For company customers, we may also process data about directors, authorised representatives, beneficial owners, shareholders, signers, and ownership-chain companies where needed for onboarding, verification, screening, compliance, and service provision.

Screening and Compliance Checks

  • Name, company name, and role, such as director, authorised person, signer, shareholder, UBO, or ownership-chain company
  • Date of birth, country, nationality, or jurisdiction where provided
  • Screening provider, screening date, match score, top match details, datasets, raw response, review status, reviewer notes, and audit events

Payments and Accounting

  • Invoice number, amount due, currency, and payment status
  • Xero invoice ID and payment ID
  • Revolut order ID, checkout URL, payment ID, order status, webhook event data, and error status
  • Bank transfer reference or payment-related correspondence
  • Accounting and invoice records needed to manage our business and comply with legal obligations

Payment card details are processed by Revolut or the relevant payment provider. Native does not intentionally store full card numbers in this website application.

Native Away Desk System

  • Name, email address, desk ID, away date ranges, and notes
  • Booking type, start and end dates, credit amount, amount charged, customer name, and booking status
  • Access request status and admin approval/rejection data
  • Sign-in token/cookie data, IP-based and email-based rate-limit data, and related timestamps

Authentication and Administration

  • Sign-in email address and authentication session data
  • Admin permissions and access checks
  • Admin actions, review notes, preferences, dashboard ordering, and internal operational records

3. How We Collect Personal Data

  • Directly from you when you fill in forms, send messages, book rooms, upload or send documents, sign agreements, make payments, or use our services
  • From your company, representative, director, shareholder, authorised person, or other person acting for your organisation
  • From service providers, including payment, email, calendar, accounting, secure document, hosting, authentication, analytics, and compliance providers
  • From public or compliance databases used for sanctions, PEP, adverse media, or related checks
  • Automatically when you use our website, including through cookies, local storage, log files, and security tools
  • Through in-person interactions at our premises, including CCTV where used

4. Why We Use Personal Data and Our Lawful Bases

We process personal data only where we have a lawful basis under applicable data protection law.

PurposeExamplesLawful basis
Responding to enquiriesContact form, email replies, phone follow-upLegitimate interests; steps before a contract
Providing servicesCoworking, private office, meeting room, postal address, virtual office, Away, and related servicesContract; steps before a contract
Managing meeting room bookingsAvailability checks, booking confirmations, Google Calendar events, cancellation linksContract; legitimate interests
Virtual office and postal address onboardingClient details, documents, signatures, verification, service tier, agreement recordsContract; legal obligation; legitimate interests
Compliance and screeningIdentity checks, address checks, sanctions and related screening, misuse prevention, reporting unlawful use where requiredLegal obligation; legitimate interests; substantial public interest or other applicable lawful basis where required
Payments and accountingXero invoice verification, Revolut checkout, payment status, invoice recordsContract; legal obligation; legitimate interests
Service communicationsBooking emails, onboarding emails, Away emails, payment alerts, operational noticesContract; legitimate interests
Website security and abuse preventionRate limits, IP checks, honeypot fields, session cookies, security logsLegitimate interests; legal obligation where applicable
Analytics and advertisingGoogle Analytics, Google Ads, conversion measurementConsent where required; legitimate interests where permitted
Internal administrationAdmin dashboards, customer lists, waiting lists, revenue/admin reports, service improvementsLegitimate interests; contract
Legal claims and business protectionRecord keeping, disputes, debt recovery, fraud prevention, misuse investigationLegitimate interests; legal obligation
CCTV and premises security, if usedSecurity of people, property, and premisesLegitimate interests; legal obligation where applicable

Where we rely on legitimate interests, we consider whether our interests are overridden by your rights and freedoms. You may object to processing based on legitimate interests as explained in Section 10.

Where we rely on consent, you can withdraw consent at any time. Withdrawal does not affect processing that took place before consent was withdrawn.

5. Who We Share Personal Data With

We may share personal data with:

  • Hosting and infrastructure providers, including Vercel and Supabase
  • Database, storage, authentication, and security providers, including Supabase
  • Email delivery providers, including Postmark
  • Calendar providers, including Google Calendar
  • Analytics and advertising providers, including Google Analytics and Google Ads
  • Payment providers, including Revolut
  • Accounting and invoicing providers, including Xero
  • Secure document providers, including Encyro
  • Compliance and screening providers, including OpenSanctions
  • Professional advisers, including accountants, auditors, lawyers, insurers, and consultants
  • Banks, payment institutions, and financial service providers
  • Public authorities, regulators, courts, law enforcement, tax authorities, company registries, or other bodies where required by law or necessary to protect our rights or prevent misuse of our services
  • Service providers who help us operate our website, communications, IT, security, premises, and business systems

We require service providers to process personal data only for authorised purposes and to protect it appropriately.

6. International Transfers

Some of our service providers may process personal data outside Cyprus, the European Economic Area, or the United Kingdom. Where this happens, we rely on appropriate safeguards where required by law, such as adequacy decisions, the EU Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or other lawful transfer mechanisms.

Please ask us if you want further information about the transfer safeguards relevant to your data.

7. How We Protect Personal Data

  • Access controls and admin-only areas
  • Authentication and session controls
  • Private storage buckets for onboarding documents
  • Signed URLs or secure external links for document access where applicable
  • Rate limiting and abuse-prevention measures
  • Server-side validation of booking, onboarding, payment, and admin requests
  • Role-based administrative access checks
  • Webhook signature checks for payment events
  • Encryption in transit through HTTPS
  • Limiting public database access and using service-role access for sensitive operations

No system is completely secure. If you believe personal data may have been compromised, please contact us immediately at info@native.com.cy.

8. How Long We Keep Personal Data

We keep personal data only for as long as needed for the purposes described in this Privacy Notice, including to provide services, comply with legal obligations, resolve disputes, collect debts, maintain business records, and protect our rights.

Data categoryTypical retention approach
Contact enquiriesFor as long as needed to respond, then for a reasonable period for follow-up and business records, unless the enquiry becomes part of a customer relationship
Meeting room bookingsFor the booking period and then as needed for accounting, customer service, legal claims, and operational records
Waiting list entriesUntil you are removed from the list, become a customer, ask us to delete the entry, or the list is no longer needed
Coworking/private office customer recordsFor the customer relationship and then as needed for accounting, legal claims, and business records
Virtual office and postal address recordsFor the service term and then as required for contracts, accounting, compliance, due diligence, legal claims, and regulatory obligations
Identity, address, and verification documentsFor as long as needed for onboarding, service operation, compliance, legal claims, and any applicable legal retention obligation
Screening results and audit recordsFor as long as needed to evidence compliance decisions and manage legal/regulatory risk
Payment and invoice recordsFor the period required by accounting, tax, audit, and payment rules
Authentication and security logsFor as long as needed for security, abuse prevention, troubleshooting, and legal claims
Cookies and browser storageAccording to the cookie/storage duration or until cleared by you, unless a shorter legal period applies
CCTV, if usedFor a short security retention period unless an incident requires longer retention

If you ask us to delete data, we will delete it unless we need to keep it for legal obligations, contractual administration, legitimate business records, legal claims, security, or another lawful reason.

9. Marketing

We may send you service-related communications, such as booking confirmations, onboarding emails, payment notices, Away desk emails, or important customer updates.

We will send direct marketing emails only where we have a lawful basis to do so. Where marketing consent is required, you can withdraw it at any time. You can also ask us to stop sending marketing by contacting info@native.com.cy.

10. Your Data Protection Rights

Subject to the conditions and limits in applicable law, you may have the right to:

  • Be informed about how we process your personal data
  • Access your personal data
  • Correct inaccurate or incomplete personal data
  • Ask us to erase your personal data
  • Restrict our processing of your personal data
  • Object to processing based on legitimate interests
  • Receive your personal data in a portable format
  • Withdraw consent where processing is based on consent
  • Object to direct marketing
  • Lodge a complaint with a supervisory authority

To exercise your rights, contact us at info@native.com.cy.

We may ask for information to confirm your identity before responding. We normally respond within one month, unless the request is complex or we receive multiple requests, in which case we may extend the response period as permitted by law.

You also have the right to lodge a complaint with the Cyprus Office of the Commissioner for Personal Data Protection:

Office of the Commissioner for Personal Data Protection
Website: https://www.dataprotection.gov.cy
Email: commissioner@dataprotection.gov.cy
Telephone: +357 22 818456

We would appreciate the chance to address your concern first, but you are not required to contact us before contacting the Commissioner.

11. CCTV and Premises Security

If CCTV is used at Native premises, we use it for the safety and security of visitors, members, staff, property, and premises, and for investigating incidents. CCTV data may be shared with law enforcement, insurers, advisers, or other relevant parties where necessary and lawful.

12. Cookies and Browser Storage

Cookies and similar technologies are small files or browser storage entries placed on your device. We use them to make the website work, remember preferences, support authentication, improve services, and measure website and advertising performance.

Strictly Necessary Cookies and Storage

NameTypePurposeTypical duration
native_cookie_consentLocal storageStores whether you accepted or rejected cookie choicesUntil cleared by you
form_submittedHTTP cookieTemporary contact form submission markerAbout 5 minutes
away_memberHTTP cookieKeeps an approved Away member signed inAbout 14 days
native_xero_oauth_stateHTTP cookieProtects Xero OAuth connection flow for adminsAbout 10 minutes
Supabase auth cookies, such as sb-*HTTP/browser storageAuthentication and session managementAccording to Supabase/session settings
native_booking_queue_v1Local storageTemporarily stores pending admin booking changes for offline syncUntil synced or cleared
Away cooldown entriesLocal storageHelps prevent repeated Away sign-in requestsUntil expiry or cleared
Away confirmation entriesSession storagePrevents duplicate confirmation requests in a browser tabUntil tab/session closes

Analytics and Advertising

The website includes Google Analytics and Google Ads tags. These may set cookies such as _ga, _ga_*, _gid, _gat, _gcl_*, and advertising-related cookies, and may process information about your visit, device, browser, approximate location, pages viewed, interactions, and conversion events.

Where legally required, we use non-essential analytics and advertising cookies only with consent. You can withdraw or change consent by using the Cookie Settings link in the website footer, clearing the relevant browser storage/cookies and revisiting the site, or using your browser settings.

Managing Cookies

You can control cookies through your browser settings. Blocking some cookies may affect site functionality, authentication, booking flows, payments, or admin tools.

You can also opt out of Google Analytics across websites using Google's browser add-on: https://tools.google.com/dlpage/gaoptout

13. Third-Party Links

Our website may link to third-party websites and services, including Google Maps, Instagram, Revolut, Encyro, Xero, and other external platforms. Those third parties control their own privacy practices. Please read their privacy notices before using their services.

14. Children

Our services are not directed to children. We do not knowingly collect personal data from children through the website. If you believe a child has provided personal data to us, please contact info@native.com.cy.

15. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. The updated version will be posted on our website with a new "Last updated" date. For material changes, we may take additional steps to notify affected users where appropriate.