Privacy Notice
Last updated: 24 May 2026
1. Who We Are
This Privacy Notice explains how NATIVESPACE LTD collects, uses, stores, and shares personal data when you use our website, contact us, book meeting rooms, use our coworking or private office services, use our virtual office or postal address services, make payments, use the Native Away desk system, or otherwise interact with us.
The controller of your personal data is:
NATIVESPACE LTD
Company registration number: HE434209
Contact address: 20 Dimotikis Agoras, 6021 Larnaca, Cyprus
Email: info@native.com.cy
Website: https://native.com.cy
2. Personal Data We Collect
Website and Contact Enquiries
- Name, email address, phone number where provided, message content, and enquiry details
- Information you choose to include in your message
- Basic technical and security information such as IP address, request headers, timestamps, spam-prevention data, and rate-limit data
- Your privacy notice checkbox confirmation where applicable
Meeting Room Bookings
- Name, email address, phone number, company name where provided, and number of attendees
- Booking location, date, start time, end time, duration, price, and booking status
- Notes you add to the booking
- Private cancellation token and cancellation status
- Google Calendar event identifiers and calendar status
- Booking confirmation and admin notification email records
Coworking, Private Office, Waiting List, and Admin Customer Records
- Name, surname, and email address
- Service interest, customer type, desk or office allocation, and internal priority/order
- Booking dates, duration, permanent booking status, and related notes
- Customer category and monthly contribution information used for internal administration
Virtual Office and Postal Address Services
- Full name, email address, phone number, company name, company registration number, and tax identification number where required
- Virtual address, residential address, commencement date, business activity, service tier, plan type, add-ons, and notes
- Signer name, surname, title, authority, signature, agreement acceptance timestamp, and signed contract records
- Identity and verification documents such as passport, government ID, proof of address, company documents, directors/shareholders certificates, CVs for individual clients, and related supporting documents
- Encyro secure document links or document receipt status
- Onboarding status, invitation token, token expiry/revocation data, admin review notes, archive status, and related audit data
For company customers, we may also process data about directors, authorised representatives, beneficial owners, shareholders, signers, and ownership-chain companies where needed for onboarding, verification, screening, compliance, and service provision.
Screening and Compliance Checks
- Name, company name, and role, such as director, authorised person, signer, shareholder, UBO, or ownership-chain company
- Date of birth, country, nationality, or jurisdiction where provided
- Screening provider, screening date, match score, top match details, datasets, raw response, review status, reviewer notes, and audit events
Payments and Accounting
- Invoice number, amount due, currency, and payment status
- Xero invoice ID and payment ID
- Revolut order ID, checkout URL, payment ID, order status, webhook event data, and error status
- Bank transfer reference or payment-related correspondence
- Accounting and invoice records needed to manage our business and comply with legal obligations
Payment card details are processed by Revolut or the relevant payment provider. Native does not intentionally store full card numbers in this website application.
Native Away Desk System
- Name, email address, desk ID, away date ranges, and notes
- Booking type, start and end dates, credit amount, amount charged, customer name, and booking status
- Access request status and admin approval/rejection data
- Sign-in token/cookie data, IP-based and email-based rate-limit data, and related timestamps
Authentication and Administration
- Sign-in email address and authentication session data
- Admin permissions and access checks
- Admin actions, review notes, preferences, dashboard ordering, and internal operational records
3. How We Collect Personal Data
- Directly from you when you fill in forms, send messages, book rooms, upload or send documents, sign agreements, make payments, or use our services
- From your company, representative, director, shareholder, authorised person, or other person acting for your organisation
- From service providers, including payment, email, calendar, accounting, secure document, hosting, authentication, analytics, and compliance providers
- From public or compliance databases used for sanctions, PEP, adverse media, or related checks
- Automatically when you use our website, including through cookies, local storage, log files, and security tools
- Through in-person interactions at our premises, including CCTV where used
4. Why We Use Personal Data and Our Lawful Bases
We process personal data only where we have a lawful basis under applicable data protection law.
| Purpose | Examples | Lawful basis |
|---|---|---|
| Responding to enquiries | Contact form, email replies, phone follow-up | Legitimate interests; steps before a contract |
| Providing services | Coworking, private office, meeting room, postal address, virtual office, Away, and related services | Contract; steps before a contract |
| Managing meeting room bookings | Availability checks, booking confirmations, Google Calendar events, cancellation links | Contract; legitimate interests |
| Virtual office and postal address onboarding | Client details, documents, signatures, verification, service tier, agreement records | Contract; legal obligation; legitimate interests |
| Compliance and screening | Identity checks, address checks, sanctions and related screening, misuse prevention, reporting unlawful use where required | Legal obligation; legitimate interests; substantial public interest or other applicable lawful basis where required |
| Payments and accounting | Xero invoice verification, Revolut checkout, payment status, invoice records | Contract; legal obligation; legitimate interests |
| Service communications | Booking emails, onboarding emails, Away emails, payment alerts, operational notices | Contract; legitimate interests |
| Website security and abuse prevention | Rate limits, IP checks, honeypot fields, session cookies, security logs | Legitimate interests; legal obligation where applicable |
| Analytics and advertising | Google Analytics, Google Ads, conversion measurement | Consent where required; legitimate interests where permitted |
| Internal administration | Admin dashboards, customer lists, waiting lists, revenue/admin reports, service improvements | Legitimate interests; contract |
| Legal claims and business protection | Record keeping, disputes, debt recovery, fraud prevention, misuse investigation | Legitimate interests; legal obligation |
| CCTV and premises security, if used | Security of people, property, and premises | Legitimate interests; legal obligation where applicable |
Where we rely on legitimate interests, we consider whether our interests are overridden by your rights and freedoms. You may object to processing based on legitimate interests as explained in Section 10.
Where we rely on consent, you can withdraw consent at any time. Withdrawal does not affect processing that took place before consent was withdrawn.
5. Who We Share Personal Data With
We may share personal data with:
- Hosting and infrastructure providers, including Vercel and Supabase
- Database, storage, authentication, and security providers, including Supabase
- Email delivery providers, including Postmark
- Calendar providers, including Google Calendar
- Analytics and advertising providers, including Google Analytics and Google Ads
- Payment providers, including Revolut
- Accounting and invoicing providers, including Xero
- Secure document providers, including Encyro
- Compliance and screening providers, including OpenSanctions
- Professional advisers, including accountants, auditors, lawyers, insurers, and consultants
- Banks, payment institutions, and financial service providers
- Public authorities, regulators, courts, law enforcement, tax authorities, company registries, or other bodies where required by law or necessary to protect our rights or prevent misuse of our services
- Service providers who help us operate our website, communications, IT, security, premises, and business systems
We require service providers to process personal data only for authorised purposes and to protect it appropriately.
6. International Transfers
Some of our service providers may process personal data outside Cyprus, the European Economic Area, or the United Kingdom. Where this happens, we rely on appropriate safeguards where required by law, such as adequacy decisions, the EU Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or other lawful transfer mechanisms.
Please ask us if you want further information about the transfer safeguards relevant to your data.
7. How We Protect Personal Data
- Access controls and admin-only areas
- Authentication and session controls
- Private storage buckets for onboarding documents
- Signed URLs or secure external links for document access where applicable
- Rate limiting and abuse-prevention measures
- Server-side validation of booking, onboarding, payment, and admin requests
- Role-based administrative access checks
- Webhook signature checks for payment events
- Encryption in transit through HTTPS
- Limiting public database access and using service-role access for sensitive operations
No system is completely secure. If you believe personal data may have been compromised, please contact us immediately at info@native.com.cy.
8. How Long We Keep Personal Data
We keep personal data only for as long as needed for the purposes described in this Privacy Notice, including to provide services, comply with legal obligations, resolve disputes, collect debts, maintain business records, and protect our rights.
| Data category | Typical retention approach |
|---|---|
| Contact enquiries | For as long as needed to respond, then for a reasonable period for follow-up and business records, unless the enquiry becomes part of a customer relationship |
| Meeting room bookings | For the booking period and then as needed for accounting, customer service, legal claims, and operational records |
| Waiting list entries | Until you are removed from the list, become a customer, ask us to delete the entry, or the list is no longer needed |
| Coworking/private office customer records | For the customer relationship and then as needed for accounting, legal claims, and business records |
| Virtual office and postal address records | For the service term and then as required for contracts, accounting, compliance, due diligence, legal claims, and regulatory obligations |
| Identity, address, and verification documents | For as long as needed for onboarding, service operation, compliance, legal claims, and any applicable legal retention obligation |
| Screening results and audit records | For as long as needed to evidence compliance decisions and manage legal/regulatory risk |
| Payment and invoice records | For the period required by accounting, tax, audit, and payment rules |
| Authentication and security logs | For as long as needed for security, abuse prevention, troubleshooting, and legal claims |
| Cookies and browser storage | According to the cookie/storage duration or until cleared by you, unless a shorter legal period applies |
| CCTV, if used | For a short security retention period unless an incident requires longer retention |
If you ask us to delete data, we will delete it unless we need to keep it for legal obligations, contractual administration, legitimate business records, legal claims, security, or another lawful reason.
9. Marketing
We may send you service-related communications, such as booking confirmations, onboarding emails, payment notices, Away desk emails, or important customer updates.
We will send direct marketing emails only where we have a lawful basis to do so. Where marketing consent is required, you can withdraw it at any time. You can also ask us to stop sending marketing by contacting info@native.com.cy.
10. Your Data Protection Rights
Subject to the conditions and limits in applicable law, you may have the right to:
- Be informed about how we process your personal data
- Access your personal data
- Correct inaccurate or incomplete personal data
- Ask us to erase your personal data
- Restrict our processing of your personal data
- Object to processing based on legitimate interests
- Receive your personal data in a portable format
- Withdraw consent where processing is based on consent
- Object to direct marketing
- Lodge a complaint with a supervisory authority
To exercise your rights, contact us at info@native.com.cy.
We may ask for information to confirm your identity before responding. We normally respond within one month, unless the request is complex or we receive multiple requests, in which case we may extend the response period as permitted by law.
You also have the right to lodge a complaint with the Cyprus Office of the Commissioner for Personal Data Protection:
Office of the Commissioner for Personal Data Protection
Website: https://www.dataprotection.gov.cy
Email: commissioner@dataprotection.gov.cy
Telephone: +357 22 818456
We would appreciate the chance to address your concern first, but you are not required to contact us before contacting the Commissioner.
11. CCTV and Premises Security
If CCTV is used at Native premises, we use it for the safety and security of visitors, members, staff, property, and premises, and for investigating incidents. CCTV data may be shared with law enforcement, insurers, advisers, or other relevant parties where necessary and lawful.
12. Cookies and Browser Storage
Cookies and similar technologies are small files or browser storage entries placed on your device. We use them to make the website work, remember preferences, support authentication, improve services, and measure website and advertising performance.
Strictly Necessary Cookies and Storage
| Name | Type | Purpose | Typical duration |
|---|---|---|---|
| native_cookie_consent | Local storage | Stores whether you accepted or rejected cookie choices | Until cleared by you |
| form_submitted | HTTP cookie | Temporary contact form submission marker | About 5 minutes |
| away_member | HTTP cookie | Keeps an approved Away member signed in | About 14 days |
| native_xero_oauth_state | HTTP cookie | Protects Xero OAuth connection flow for admins | About 10 minutes |
| Supabase auth cookies, such as sb-* | HTTP/browser storage | Authentication and session management | According to Supabase/session settings |
| native_booking_queue_v1 | Local storage | Temporarily stores pending admin booking changes for offline sync | Until synced or cleared |
| Away cooldown entries | Local storage | Helps prevent repeated Away sign-in requests | Until expiry or cleared |
| Away confirmation entries | Session storage | Prevents duplicate confirmation requests in a browser tab | Until tab/session closes |
Analytics and Advertising
The website includes Google Analytics and Google Ads tags. These may set cookies such as _ga, _ga_*, _gid, _gat, _gcl_*, and advertising-related cookies, and may process information about your visit, device, browser, approximate location, pages viewed, interactions, and conversion events.
Where legally required, we use non-essential analytics and advertising cookies only with consent. You can withdraw or change consent by using the Cookie Settings link in the website footer, clearing the relevant browser storage/cookies and revisiting the site, or using your browser settings.
Managing Cookies
You can control cookies through your browser settings. Blocking some cookies may affect site functionality, authentication, booking flows, payments, or admin tools.
You can also opt out of Google Analytics across websites using Google's browser add-on: https://tools.google.com/dlpage/gaoptout
13. Third-Party Links
Our website may link to third-party websites and services, including Google Maps, Instagram, Revolut, Encyro, Xero, and other external platforms. Those third parties control their own privacy practices. Please read their privacy notices before using their services.
14. Children
Our services are not directed to children. We do not knowingly collect personal data from children through the website. If you believe a child has provided personal data to us, please contact info@native.com.cy.
15. Changes to This Privacy Notice
We may update this Privacy Notice from time to time. The updated version will be posted on our website with a new "Last updated" date. For material changes, we may take additional steps to notify affected users where appropriate.