Privacy Policy
Last updated: March 2026 — Version 1.0
GDPR / RGPD · UK GDPR · CCPA · COPPA · PIPEDA
1. Who We Are
Gardspace is operated by The Citadel-Épopée SAS, a French company registered under SIREN 999 058 829. The Citadel-Épopée SAS is the Data Controller for all personal data processed through gardspace.com and app.gardspace.com.
For all privacy matters: privacy@gardspace.com
2. What Data We Collect and Why
Data you provide directly
| Category | Who | Purpose & legal basis |
|---|---|---|
| Email address | Nanny · Family | Account creation and communication. Contract performance (Art. 6.1.b GDPR) or consent for Early Access (Art. 6.1.a GDPR). |
| Persona (Nanny / Family) | All users | Service personalisation. Contract performance. |
| Country & language | All users | Localisation and compliance. Legitimate interest. |
Data generated through use
| Category | Who | Purpose & legal basis |
|---|---|---|
| Care session logs (meals, nap, activities) | Child — indirect | Core service. Contract performance + explicit parental consent. |
| Observations and notes | Child · Nanny | Daily Report generation. Contract performance. |
| Medical documents | Child — indirect | Special category — Art. 9 GDPR. Explicit parental consent (Art. 9.2.a). |
| Session photos | Child — indirect | Session documentation. Explicit parental consent. By uploading photos of a child, the parent or legal guardian confirms they have the legal authority to share the image. Auto-deleted 448h after session close. |
| Daily Report content | Child · Nanny · Family | Service output. Contract performance. |
| Nanny Passport and NTR | Nanny | Professional profile. Consent + legitimate interest. |
Data collected automatically
| Category | Purpose & legal basis |
|---|---|
| Anonymous analytics (Plausible) | Product improvement — cookieless, no personal data. Legitimate interest. No consent banner required. |
| Technical logs / IP | Security and fraud prevention. Legitimate interest. Max 30 days. |
3. Children's Data
Gardspace is intended for adults only. No person under 18 may create an account or use the service. Children may not create accounts or interact directly with the platform.
Data concerning children (care records, observations, photos) is collected within a private Care Space. This data belongs to the parents or legal guardians of the child.
By creating a Care Space, the parent or legal guardian confirms they consent to the processing of their child's care data. See Section 11 for COPPA-specific rights.
4. How Long We Keep Your Data
| Data type | Retention | Deletion | Legal basis |
|---|---|---|---|
| Session photos | 48h after session close | Automatic | GDPR Art. 5.1.e · COPPA |
| Medical documents | 5 days | Automatic | GDPR Art. 5.1.e · Art. 9 |
| Session logs & Daily Reports | Duration of active Care Space | On request | GDPR Art. 5.1.e · Contract |
| Nanny Passport & NTR | Duration of active account | On request | Consent · Legit. interest |
| Early Access email | Until unsubscription | On request | Consent |
| Technical logs / IP | 30 days maximum | Automatic | Legitimate interest — security & fraud prevention |
| All data after account deletion | 30 days maximum | Automatic | GDPR Art. 17 |
5. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share data only with the following processors under signed Data Processing Agreements:
| Processor | Role | Location | DPA |
|---|---|---|---|
| Supabase | Database & file storage | EU — Frankfurt | Signed |
| Vercel | Application hosting | EU region | Signed |
| Resend | Transactional emails | EU — verified | Signed |
| Plausible | Cookieless analytics | EU — Germany (Hetzner) | Signed |
6. International Transfers
All personal data is stored and processed within the European Union by default. Where any processor operates outside the EU, we ensure appropriate safeguards: Standard Contractual Clauses (SCC) or the EU-US Data Privacy Framework (DPF).
7. Your Rights — EU & France
- Access — obtain a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Portability — receive your data in a machine-readable format within 30 days (GDPR Art. 20). Nanny Passport and NTR are exportable on request.
- Object — object to processing based on legitimate interest
- Restriction — limit how we process your data
- Withdraw consent — at any time, without affecting prior processing
- Lodge a complaint — with the CNIL (cnil.fr)
To exercise any right: privacy@gardspace.com — we respond within 30 days.
8. Security
- All data encrypted in transit (TLS 1.2+) and at rest, using industry standard security measures
- Row-Level Security (RLS) enforced at database level — no data crosses Care Spaces
- Photos auto-deleted 48 hours after session close — never stored permanently
- Data breach: CNIL notified within 72 hours where legally required · affected users notified without undue delay
- Analytics: Plausible is cookieless — no tracking cookies are set. Technical session cookies (authentication) may be set by the application infrastructure and are strictly necessary for the service to function. No advertising or profiling cookies are used.
9. UK Privacy Rights — UK GDPR
If you are a UK resident, your data is processed in accordance with the UK GDPR and the Data Protection Act 2018. Your rights mirror those described in Section 7. Lodge a complaint with the ICO (ico.org.uk).
Prior to accepting UK-resident users, Gardspace will designate a UK Representative as required under UK GDPR Article 27. Details will be published in this section.
10. California Privacy Rights — CCPA / CPRA
If you are a California resident, you have the right to Know, Delete, Correct, and Opt-Out. Response time: 45 days.
11. Children's Privacy — COPPA (USA)
Gardspace is intended for adults only. No person under 18 may create an account or use the service.
As a parent or legal guardian, you have the right to: review data collected about your child · request its deletion · refuse further collection · withdraw consent at any time.
Contact: privacy@gardspace.com — Subject: COPPA Parental Request
12. Canadian Privacy — PIPEDA & Loi 25
Canadian residents are protected under PIPEDA. Québec residents have additional rights under Loi 25. Complaints may be filed with the Office of the Privacy Commissioner of Canada (priv.gc.ca).
13. Changes to This Policy
Material changes will be communicated by email at least 14 days before they take effect.