1. Introduction
Spatiko (the "Platform") is a cloud-based software-as-a-service platform designed for real estate media businesses. The Platform is provided by Spatiko ("Company," "we," "us," or "our").
This Privacy Policy applies to information collected through the Platform and our website. It does not apply to information collected through other channels, such as over the phone, in person, or through third-party websites or services not operated by us.
This Privacy Policy describes how we collect, use, disclose, store, and protect personal information when you access or use the Platform, visit our website, or otherwise interact with our services. This Policy applies to all users of the Platform, including Subscribers, Clients, Authorized Users, and Visitors (each as defined below).
By creating an account, using the Platform, or submitting information to us, you acknowledge that you have read and understood this Privacy Policy. If you are a Subscriber accepting this Policy on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity.
This Privacy Policy is incorporated by reference into our Terms of Service.
2. Definitions
- "Authorized User" means any individual authorized by a Subscriber to access and use the Platform under the Subscriber's account, including employees, contractors, and team members.
- "Client" means any third-party customer of a Subscriber who interacts with the Platform by placing Orders, making payments, receiving Deliverables, accessing delivery pages, or using Order Forms.
- "Content" means any data, text, images, photographs, videos, virtual tours, floor plans, graphics, logos, audio, documents, and other materials uploaded to, generated by, or transmitted through the Platform.
- "Deliverables" means photographs, videos, virtual tours, floor plans, drone footage, 3D tours, and any other real estate media content that a Subscriber delivers to a Client through the Platform.
- "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable natural person or household.
- "Subscriber" means a business or individual who registers for an account on the Platform to manage orders, deliver media, process payments, and use the Platform's business tools.
- "Visitor" means any individual who visits the Company's website or public-facing pages without creating an account or placing an Order.
3. Data We Collect
3.1 Information You Provide Directly
Subscriber Account Information: When you create a Subscriber account, we collect your name, email address, phone number, business name, business address, and login credentials. If you register using a third-party authentication provider (such as Google or Apple), we receive your name, email address, and profile identifier from that provider.
Billing and Payment Information: Payment information is collected and processed by our payment processor, Stripe, Inc. We do not store your full credit card number or bank account number. We may receive limited payment details from Stripe (last four digits, card brand, expiration date, billing address) for displaying payment history.
Client Information: When a Client places an Order through a Subscriber's Order Form, the Client provides information such as name, email address, phone number, property address, service selections, scheduling preferences, and payment information. This information is collected on behalf of the Subscriber and processed by the Company to facilitate the Order.
Client Accounts: Clients may create accounts on the Platform to access a client portal, view order history, download Deliverables, and manage their information. If a Client works with multiple Subscribers on the Platform, the Client's account may allow them to view orders and Deliverables across all Subscribers they have worked with. In this case, the Company acts as a data controller for the Client's unified account and cross-business order history, while each Subscriber remains the controller for the data they collected from that Client through their own Order Forms and services.
CRM and Contact Data: Subscribers may store client contact information, communication history, notes, and other relationship management data on the Platform.
Media and Content: Subscribers upload photographs, videos, virtual tours, floor plans, and other media files to the Platform. These files may contain metadata (such as EXIF data, geolocation tags, timestamps, and camera settings) and may incidentally capture personal items or identifying features of property occupants.
Communications: When you contact us for support or provide feedback, we collect the content of those communications along with associated metadata.
3.2 Information Collected Automatically
When you access the Platform, we automatically collect device and browser information (device type, operating system, browser type, screen resolution, IP address), usage data (pages viewed, features used, actions taken, timestamps, referring URLs), and log data (access times, pages viewed). We may infer your approximate location from your IP address. We also use cookies and similar tracking technologies as described in Section 5.
3.3 Information from Third Parties
We may receive information from authentication providers (name, email, profile identifier when you use social login), from Stripe (transaction status, limited payment method details, fraud risk assessments), and from advertising platforms (interaction data from Meta, Google, or LinkedIn ads).
4. How We Use Your Data
We use Personal Information for the following purposes:
- Providing the Platform: To create and manage accounts, process Orders, facilitate payments through Stripe Connect, deliver media, host Property Websites and Order Forms, and send transactional notifications.
- Communications: To send transactional emails, service announcements, and, with your express consent where required, marketing communications.
- Analytics and Improvement: To analyze usage patterns, monitor performance, diagnose technical issues, and improve the Platform.
- AI-Powered Features: To provide AI and machine learning features such as automated tagging, smart suggestions, and content analysis. See Section 10 for details.
- Security: To protect the Platform from unauthorized access, fraud, and abuse.
- Advertising: To measure advertising campaign effectiveness and retarget visitors on third-party platforms. We do not sell your Personal Information to advertisers.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
5. Cookies & Tracking Technologies
We use cookies and similar technologies to collect information about your browsing activity. A cookie is a small text file stored on your device by your web browser.
| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Essential for the Platform to function. Cannot be disabled. | Session cookies, CSRF tokens, Cloudflare security |
| Analytics | Help us understand how users interact with the Platform. | Analytics tools (may include session recordings) |
| Functional | Remember your preferences and settings. | Language preferences, HubSpot |
| Marketing | Track visitors across websites for relevant advertising. | Advertising pixels and tags |
Session Recordings: We use behavior analytics tools that may record user sessions (mouse movements, clicks, scrolling). These tools automatically suppress sensitive fields such as passwords and payment inputs. You can manage your preferences through the cookie consent banner or your browser settings.
Managing Cookies: We present a cookie consent banner on your first visit, allowing you to accept, reject, or customize preferences. You can change preferences at any time via the "Cookie Settings" link in the footer, or through your browser settings.
6. How We Share Data
We do not sell your Personal Information. We share your information only in the following circumstances:
6.1 With Subscribers (for Client Data)
When a Client places an Order or interacts with a Subscriber's Order Form or delivery page, we share the Client's information with the relevant Subscriber to fulfill the Order. The Subscriber is independently responsible for their own use and protection of Client data.
Cross-Business Visibility: If a Client creates an account on the Platform and works with multiple Subscribers, the Client may be able to view their own order history and Deliverables across all Subscribers they have worked with through a unified client portal. In this context, each Subscriber can only see their own Client data — Subscribers cannot see a Client's orders or data from other Subscribers. The cross-business view is available only to the Client themselves.
6.2 Service Providers
We share Personal Information with third-party service providers who perform services on our behalf. These providers are contractually obligated to use your information only to provide services to us.
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, payment details, transaction amounts | Link |
In addition to Stripe, we use the following categories of service providers, each of which is contractually bound to protect your data:
- Cloud hosting and database providers: Store and process all Platform data, encrypted at rest and in transit.
- Content delivery and security providers: Cache and serve content, protect against attacks, and store media files.
- Analytics and behavior tracking providers: Collect anonymized usage data, including session recordings with sensitive fields suppressed.
- Marketing and CRM providers: Manage marketing communications and customer relationship data.
- Error monitoring providers: Collect device info and error context to diagnose technical issues.
- Mapping and geocoding providers: Process property addresses for location-based features.
- Email delivery providers: Deliver transactional and marketing emails on our behalf.
- AI service providers: Process data for AI-powered features as described in Section 10.
A complete list of specific sub-processors is available upon request by contacting support@spatiko.com.
6.3 Advertising Partners
We share limited data with advertising platforms to measure campaign effectiveness and deliver relevant advertisements. These platforms may receive hashed identifiers, page visit data, and conversion events. You can opt out through each platform's privacy settings, through the Digital Advertising Alliance, or by enabling Global Privacy Control in your browser.
Under certain privacy laws (such as the CCPA), sharing data with advertising partners for targeted advertising may be considered a "sale" or "sharing" of Personal Information. See Section 13 for opt-out information.
6.4 Other Circumstances
We may also share Personal Information when required by law, regulation, or legal process; to protect the rights, property, or safety of the Company, our users, or the public; in connection with a merger, acquisition, reorganization, or asset sale (with prior notice); or with your express consent.
7. User-Initiated Integrations
The Platform allows Subscribers to connect third-party services through integrations. These may include email, calendar, cloud storage, project management, accounting, and other business tools. Integrations require your explicit authorization (typically through an OAuth consent flow) and are initiated by you. When you connect an integration, you authorize the Platform to access and exchange data with that service as described in the authorization prompt. The Platform will only access the data and permissions you specifically authorize. You can disconnect any integration at any time through your account settings, which will revoke the Platform's access to that service. Data exchanged through integrations is subject to both this Privacy Policy and the third-party service's own privacy policy.
7.1 Google Services
The Platform integrates with Google services, including Google Sign-In (authentication), Google Calendar, Gmail, and Google Drive. When you authorize a Google integration, we access only the specific Google user data required for the feature you are using:
- Google Sign-In: We receive your name, email address, and profile identifier to authenticate your account. We do not receive your Google password.
- Google Calendar: We read and write calendar events to sync scheduling and appointment data between the Platform and your Google Calendar.
- Gmail: We send transactional emails (booking confirmations, delivery notifications, invoices) on your behalf from your connected Gmail address. We do not read your email.
- Google Drive: We create and manage only the folders and files our app generates for your orders; we do not access your other Drive files.
- YouTube: We receive your YouTube channel identifier and the permission to upload videos to your channel. We use this only to publish videos that you create or upload through the Platform. We do not access your viewing history, search history, subscriptions, comments, or any other YouTube account data beyond what is necessary for video upload and status reporting.
How we use Google user data: We use data received from Google APIs solely to provide and improve the Platform features you have authorized. We do not use Google user data for advertising, market research, or any purpose unrelated to the Platform's functionality.
How we store and protect Google user data: Google user data is stored on our infrastructure using the same encryption and security measures described in Section 12. We retain Google user data only for as long as necessary to provide the authorized features. When you disconnect a Google integration, we stop accessing new data from that service. Previously synced data may be retained as part of your Platform records (such as calendar events that were imported) unless you request its deletion.
How we share Google user data: We do not share, transfer, or disclose Google user data to third parties except as described in Section 6 of this Privacy Policy (service providers who process data on our behalf, legal obligations, and business transfers). We do not share Google user data with advertising platforms.
Limited Use Disclosure: Spatiko's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
YouTube — additional disclosures: The YouTube integration is subject to the YouTube Terms of Service and the Google Privacy Policy. You may revoke the Company's access to your YouTube data at any time through the Google security settings page. Public Property Website visitors who watch embedded YouTube videos are subject to YouTube's own data collection (cookies, IP, viewing data) under the Google Privacy Policy. Where applicable, Subscribers are responsible for disclosing such third-party data collection in their Property Website notices and cookie disclosures.
8. Media Content & Storage
The Platform stores and delivers media files (photographs, videos, virtual tours, floor plans) on behalf of Subscribers. With respect to media Content, the Company acts as a data processor — we store, process, and transmit media files at the direction of the Subscriber, who is the data controller for their Client relationships.
We use media files solely for providing the Platform's services: storing, hosting, processing for delivery (transcoding, compression, thumbnails, watermarking), delivering to Clients, displaying on Property Websites, and CDN caching. We do not use Subscriber media files for our own marketing, advertising, AI model training, or any purpose other than providing the Platform's services.
When a Subscriber creates a delivery page, gallery, or Property Website, the media on those pages becomes accessible to anyone with the link or publicly, depending on the Subscriber's configuration. The decision to make media publicly accessible is made by the Subscriber, not by the Company. Media files may contain embedded metadata (EXIF data, geolocation, timestamps); Subscribers should remove sensitive metadata before uploading if they do not wish it stored.
Media files are retained for a period determined by the Subscriber's plan and account settings. We may implement automatic deletion after a defined retention period, with advance notice to the Subscriber. See Section 11 for post-termination retention.
9. CRM Data
The Platform provides CRM features allowing Subscribers to store client contact details, communication history, order history, notes, and other relationship data. With respect to CRM data, the Company acts as a data processor on behalf of the Subscriber, who determines what Client data to collect and how to use it.
CRM data belongs to the Subscriber. Subscribers may request an export of their CRM data at any time by contacting the Company at support@spatiko.com. If a Subscriber's account is terminated, CRM data remains available for export for thirty (30) days following termination, after which it is permanently deleted. See Section 11 for details.
If a Client contacts us directly with a privacy request regarding data held in a Subscriber's CRM, we will direct the Client to the relevant Subscriber where possible. If the Subscriber is unreachable or their account has been terminated, we will handle the request directly in accordance with applicable law.
10. AI & Automated Processing
The Platform uses artificial intelligence and machine learning to power features such as automated image tagging, content suggestions, smart scheduling, text generation, workflow automation, and other AI-assisted tools. These features are provided through third-party AI service providers and may process media metadata, order and scheduling information, text content (such as property descriptions, communications, or notes), and usage patterns.
Third-Party AI Providers: When your data is processed by AI features, it may be sent to third-party AI service providers for processing. These may include both proprietary closed-API providers (such as commercial large language model APIs) and open-source models (such as Meta Llama) hosted by third-party inference providers. While we select providers that offer data processing agreements and represent that API inputs are not used for model training, we cannot guarantee how third-party AI providers process, store, or retain data once it is transmitted to their systems. Each provider's handling of data is governed by their own terms and privacy policies. We will identify our AI service providers in the sub-processor table in Section 6.2 as they are finalized.
What we commit to: We will clearly indicate within the Platform when a feature is AI-powered. We do not use AI or automated processing to make decisions that produce legal or similarly significant effects on you without human oversight. We do not intentionally provide your media files to AI providers for purposes unrelated to the Platform's features. We do not use your data to train our own AI models.
What we cannot guarantee: Third-party AI providers may process, cache, or temporarily retain data transmitted through their APIs in accordance with their own policies. While we take commercially reasonable steps to select providers with strong data handling practices, we cannot control and do not warrant the data practices of these third-party providers. If you do not wish your data to be processed by AI features, you may disable AI-powered features in your account settings where available.
11. Data Retention
We retain Personal Information only for as long as reasonably necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.
While your account is active: We retain all data associated with your account, including account information, order history, media files, CRM data, and usage data, for as long as your account remains active and as needed to provide you with the Platform's services.
After account termination: When a Subscriber's account is terminated, we will retain account data for thirty (30) days following termination to allow for data export and potential account reactivation, after which it will be permanently deleted from our active systems. Media files will be retained for a period determined by the Subscriber's plan and account settings, after which they will be permanently deleted from our storage infrastructure. Deletion from all backup systems may take additional time following deletion from active systems. We will provide advance notice before any scheduled deletion of media files or account data.
Billing and transaction records: We retain billing records, transaction history, and invoices for the period required by applicable tax and accounting laws (generally up to seven years), regardless of account status.
Aggregated and anonymized data: Data that has been aggregated and anonymized (such that it cannot identify any individual) may be retained indefinitely for analytics and Platform improvement purposes.
Client data: Client data associated with a terminated Subscriber is handled on a similar schedule. Clients with independent portal accounts will be notified and given an opportunity to download their Deliverables before deletion.
We may retain Personal Information beyond the periods described above if required by applicable law, regulation, or legal proceeding, or if necessary to establish, exercise, or defend legal claims. As we develop more specific retention schedules, we will update this Policy accordingly.
12. Data Security
We implement commercially reasonable technical, administrative, and organizational measures to protect Personal Information, including encryption of data in transit (TLS/SSL) and at rest, access controls, regular security assessments, and incident response procedures.
NO METHOD OF TRANSMISSION OVER THE INTERNET OR ELECTRONIC STORAGE IS COMPLETELY SECURE. WHILE WE USE COMMERCIALLY REASONABLE MEANS TO PROTECT YOUR PERSONAL INFORMATION, WE CANNOT GUARANTEE ABSOLUTE SECURITY.
If we become aware of a security breach affecting your Personal Information, we will notify you and applicable regulatory authorities in accordance with applicable law.
13. Your Privacy Rights — Canada
The Company is based in Toronto, Ontario, Canada, and is subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) together with applicable provincial privacy legislation, including Quebec's Act respecting the protection of personal information in the private sector (Law 25), Alberta's Personal Information Protection Act, and British Columbia's Personal Information Protection Act.
Your rights. You have the right to access the Personal Information we hold about you, to request correction of inaccuracies, to withdraw consent (subject to legal or contractual restrictions), and, where applicable, to data portability and information about any automated decision-making. To exercise these rights, contact our Privacy Officer at support@spatiko.com; we will respond within thirty (30) days.
Privacy Officer (PIPEDA accountability). In accordance with PIPEDA's accountability principle, we have designated a Privacy Officer responsible for our compliance with PIPEDA. Questions, access requests, and complaints should be directed to the Privacy Officer at support@spatiko.com with the subject line "Privacy Request."
Complaints. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with your provincial privacy regulator (for example, the Commission d'accès à l'information du Québec, the Office of the Information and Privacy Commissioner of Alberta, or the Office of the Information and Privacy Commissioner for British Columbia).
CASL: We will not send commercial electronic messages without your express or implied consent, as required by Canada's Anti-Spam Legislation. Every commercial electronic message will identify the Company, include our mailing address, and provide a clear unsubscribe mechanism. You may unsubscribe at any time via the link in any marketing email; we will process your request within ten (10) days.
Quebec residents: You have additional rights under Law 25, including the right to data portability, the right to be informed of any automated decision-making with significant effect, and enhanced transparency rights. If a French-language version of this Policy is made available, it shall prevail in the event of any conflict with the English-language version, to the extent required by the Charter of the French Language.
14. Your Privacy Rights — United States
14.1 California (CCPA/CPRA)
If you are a California resident, you have the right to: know what Personal Information we collect and how we use it; request deletion of your Personal Information; request correction of inaccurate information; opt out of the "sale" or "sharing" of your Personal Information; and not be discriminated against for exercising these rights.
We do not sell Personal Information for monetary consideration. However, our use of advertising pixels (Meta Pixel, Google Ads, LinkedIn Insight Tag) may constitute "sharing" under the CCPA. You may opt out by clicking "Do Not Sell or Share My Personal Information" in the footer of our website, by enabling Global Privacy Control in your browser, or by contacting us at support@spatiko.com.
To exercise your rights, contact us at support@spatiko.com. We will verify your identity and respond within forty-five (45) days. You may designate an authorized agent to make requests on your behalf.
14.2 Other US States
If you are a resident of a state with comprehensive consumer privacy legislation (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana), you may have similar rights. Contact us at support@spatiko.com to exercise your rights under applicable state law.
15. Your Privacy Rights — Other Jurisdictions
The Platform is not offered to individuals or businesses located in, resident in, or accessing the Platform from the European Economic Area, the United Kingdom, or Switzerland (see Section 1.1 of our Terms of Service). The Company does not knowingly process Personal Information of subscribers, clients, or account holders in those jurisdictions.
European Economic Area, United Kingdom, and Switzerland: Notwithstanding the restriction above, certain limited processing of Personal Information of individuals in these jurisdictions may still occur — for example, when an EEA, UK, or Swiss resident visits the public marketing site, when access from these jurisdictions occurs before geographic restrictions take effect, or in cases of inadvertent access. To the extent that the EU General Data Protection Regulation, the UK GDPR and Data Protection Act 2018, or the Swiss Federal Act on Data Protection applies to such limited processing, you have, only in respect of that processing, the rights of access, rectification, erasure, restriction, portability, and objection; where we rely on consent, the right to withdraw consent at any time; and the right to lodge a complaint with your local supervisory authority, including the UK Information Commissioner's Office (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC). Our legal bases for any such limited processing include legitimate interests, consent, and legal obligation. To exercise these rights, contact us at support@spatiko.com.
Australia: If you are an Australian resident, the Privacy Act 1988 and Australian Privacy Principles apply. You have the right to access and correct your Personal Information. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
All Other Jurisdictions: We will comply with mandatory data protection laws applicable in your jurisdiction. Contact us at support@spatiko.com to exercise any available rights.
16. International Data Transfers
The Company is based in Toronto, Ontario, Canada. Your Personal Information may be stored and processed on servers operated by our cloud service providers, which may be located outside Canada (including in the United States and the European Union). Where Personal Information is transferred outside Canada, it may become subject to foreign laws, including lawful-access and disclosure requirements imposed on local service providers by their domestic authorities.
In accordance with PIPEDA Principle 4.1.3 and Quebec Law 25, we disclose cross-border processing so that you can make an informed decision about using the Platform. We implement contractual safeguards (data processing agreements, Standard Contractual Clauses for EEA/UK transfers, and confidentiality obligations binding each sub-processor) designed to provide a comparable level of protection regardless of where the data is stored.
If you have questions about our cross-border transfer practices or wish to request more information about a specific sub-processor, contact our Privacy Officer at support@spatiko.com.
17. Do Not Track & Global Privacy Control
We do not respond to "Do Not Track" (DNT) browser signals due to the absence of an industry standard. We do honor Global Privacy Control (GPC) signals, treating them as a valid opt-out of the sale or sharing of your Personal Information as required by the CCPA/CPRA. For more information, visit globalprivacycontrol.org.
18. Children's Privacy
The Platform is not intended for individuals under eighteen (18). We do not knowingly collect Personal Information from children. If we learn we have collected such information, we will promptly delete it. Contact us at support@spatiko.com if you believe a child has provided us with Personal Information.
19. Third-Party Links
The Platform may contain links to third-party websites or services not operated by us. We have no control over and assume no responsibility for their content or privacy practices. We encourage you to review the privacy policy of every website you visit.
20. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice by email and/or a prominent banner within the Platform. For non-material changes, we will update the "Last Updated" date at the top. Your continued use after the effective date of any update constitutes acceptance.
21. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Spatiko
Attn: Privacy Officer
2967 Dundas St. W. #239D
Toronto, Ontario M6P 1Z2, Canada
Email: support@spatiko.com
For privacy rights requests, email support@spatiko.com with the subject line "Privacy Request."