Spaitz
Login

Legal

Privacy Notice

Last updated: 4 June 2026 · Draft pending legal review

Spaitz operates the Spaitz local-produce marketplace and procurement platform. This notice explains what personal data we process, why, on what legal basis, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Romanian Law no. 190/2018.

Who is responsible for your data

Spaitz is the data controller for the account, workspace, marketplace, and billing data described here. For data that a business workspace (a farm or HoReCa buyer) manages about its own members and customers, that workspace is a controller in its own right and Spaitz acts as its processor under a data processing agreement. You can reach us at privacy@spaitz.com.

What data we collect

  • Identity and contact data — your name, email address, and the account identifier issued by Microsoft Entra External ID when you sign in.
  • Workspace and membership data — the workspaces you own or belong to, your role, and invitations sent to your email.
  • Address and fulfilment data — the pickup and delivery addresses you add to a workspace.
  • Order and list data — the shopping lists, procurement plans, and orders you create, and the supplier confirmations that result.
  • Billing data — for platform subscriptions, a Stripe customer reference and payment-lifecycle records. Card details are handled by Stripe and are not stored by Spaitz.
  • Notification data — the in-app notifications addressed to you and your notification preferences.
  • Technical data — strictly necessary session and language cookies and, only with your consent, any non-essential cookies described in our Cookie Notice.

Why we process your data and our legal basis

We rely on the following legal bases under Article 6 GDPR:

  • Providing your account and workspaces and operating the marketplace, orders, and notifications — performance of a contract (Art. 6(1)(b)).
  • Keeping billing and tax records for platform subscriptions — compliance with a legal obligation (Art. 6(1)(c)).
  • Setting non-essential cookies and sending any optional communications — your consent (Art. 6(1)(a)), which you can withdraw at any time.

Who we share data with

We do not sell your personal data. We share it only with service providers who act on our instructions:

  • Microsoft — Microsoft Entra External ID for sign-in and identity, and Microsoft Azure for hosting and storage.
  • Stripe — payment processing for platform subscriptions.
  • Other workspace members — people in a workspace you join can see your display name and role within that workspace.

International transfers

We host personal data in the European Union. Some providers, such as Microsoft and Stripe, may process data outside the EU; where they do, the transfer is protected by an adequacy decision or by the European Commission's Standard Contractual Clauses. Details are listed in our sub-processor register.

How long we keep your data

We keep personal data only as long as needed for the purpose for which it was collected. Expired or declined invitations, deactivated workspaces, and archived addresses are purged or anonymised on a defined schedule; billing records are retained for the period required by Romanian accounting and tax law. When you delete your account, your personal data is anonymised in the systems you interact with immediately, and any residual copies in our internal processing records are removed within 30 days. Our full retention schedule is available on request.

Your rights

Under the GDPR you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data where it is no longer needed.
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on our legitimate interest.
  • Withdraw consent — at any time, where we rely on consent.

To exercise any of these rights, email privacy@spaitz.com. We respond within one month. You also have the right to lodge a complaint with the Romanian supervisory authority, ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), at www.dataprotection.ro.

Cookies

We use strictly necessary cookies to keep you signed in and to remember your language. Non-essential cookies are set only with your consent. See our Cookie Notice for details and to change your choices.

Read our Cookie Notice

Children

Spaitz is not directed at children. In Romania the digital age of consent is 16; we do not knowingly create accounts for, or allow workspace membership by, anyone under 16.

Changes and contact

We will update this notice as the platform evolves and will revise the date above when we do. If you have any questions, email privacy@spaitz.com.

This notice is a draft pending review by qualified counsel before Spaitz's production launch.

Back to Spaitz