• Features
      • Website
      • AI Assistant
      • All features
  • Solutions
  • Pricing
  • Help Center
Sign inStart Now
Legal

Trust & Legal

Security and retention practices, our data processing agreement for providers, rules on external payment links in platform content, and—where applicable—the KVKK addendum for Türkiye.

Trust & Legal

    • 1.1Our Security Philosophy
    • 1.2How We Protect Your Data
      • 1.2.1Infrastructure
      • 1.2.2Encryption
      • 1.2.3Access Control
      • 1.2.4Backups
    • 1.3Data Retention: How Long We Keep Info
    • 1.4Incident Response & Breaches
    • 1.5Deletion and Export
      • 1.5.1Provider Requests
      • 1.5.2Compliance
    • 1.6Where Your Data Lives
    • 1.7Your Security Responsibilities
    • 1.8Subdomains, usernames, and identifiers

    • 2.1The Core Roles (Definitions)
      • 2.1.1Controller
      • 2.1.2Processor
      • 2.1.3Sub-Processor
      • 2.1.4Data Subject
    • 2.2Purpose and Scope of Processing
    • 2.3Types of Data Handled
    • 2.4Provider Obligations (Your Job)
    • 2.5Suitespace Obligations (Our Job)
    • 2.6Approved Sub-Processors
      • 2.6.1AWS (Amazon Web Services)
      • 2.6.2Stripe
      • 2.6.3Amazon SES (AWS)
    • 2.7International Data Transfers
    • 2.8Data Security Measures
    • 2.9Retention and Deletion
      • 2.9.1Booking Data
      • 2.9.2Financial Records
    • 2.10Disputes and Governing Law

    • 3.1Purpose and Scope
    • 3.2Where This Policy Applies
      • 3.2.1Website and branding
      • 3.2.2Service listings
      • 3.2.3Other editable fields
    • 3.3Prohibited External Payment Links
      • 3.3.1Global gateways
      • 3.3.2Regional providers
      • 3.3.3Cryptocurrency and disguised links
    • 3.4Required Payment Method
    • 3.5Enforcement
    • 3.6Limitation of Liability
    • 3.7Related Policies
Security & Data Retention Policy

Security & Data Retention Policy

Last Updated: March 25, 2026

1. Our Security Philosophy

In Plain English

We take the "Fort Knox" approach to your data. We use world-class hosting, heavy encryption, and strict rules about who can see your information.

The purpose of this policy is to outline how Suitespace protects Provider and Customer data, ensuring we meet global standards like GDPR, KVKK, and PIPEDA.

2. How We Protect Your Data

In Plain English

We use the same security tech as top banks. Your data is encrypted whether it's sitting on our servers or traveling across the internet.

Infrastructure

Hosted on Amazon Web Services (AWS) in SOC 1, 2, and 3 certified data centers. This includes 24/7 physical security and network firewalls.

Encryption

All data is encrypted in transit (using TLS 1.2+) and at rest (using AES-256).

Access Control

We follow the "Principle of Least Privilege." Only essential Suitespace personnel can access systems, and they must use Multi-Factor Authentication (MFA).

Backups

We perform daily automated backups. These are stored in geographically redundant locations to ensure your data is safe even in a disaster.

3. Data Retention: How Long We Keep Info

In Plain English

We don't keep your data forever. We keep it as long as your account is active, and then for a specific "buffer" period afterward to satisfy tax laws and help with disputes.

Retention by category:

Data CategoryRetention PeriodReason
Provider Account DataLife of account + 12 monthsOperational continuity
Customer Booking Data12 months after account closureDispute resolution
Financial/Tax Records5 yearsLegal & tax compliance
Technical & Security Logs6 to 12 monthsSecurity auditing
System Backups30-day rolling cycleDisaster recovery

4. Incident Response & Breaches

In Plain English

If something goes wrong, we won't hide it. We will notify you immediately so you can take action.

In the event of a confirmed data breach, Suitespace will notify affected Providers without undue delay. We will provide details on what happened, what data was involved, and what we are doing to fix it. Providers are responsible for notifying their own Customers and local regulators where required by law.

5. Deletion and Export

In Plain English

Your data belongs to you. You can ask us to export it or delete it at any time. For step-by-step removal instructions, see https://suitespace.app/privacy/data-deletion.

Provider Requests

If you delete a Customer's data, it is removed from our active databases immediately. It may remain in our encrypted backups for up to 30 days until the next overwrite cycle.

Compliance

We assist Providers in fulfilling "Right to be Forgotten" requests from their Customers.

6. Where Your Data Lives

In Plain English

Our main "brain" is located in Northern Virginia, USA (AWS us-east-1). By using Suitespace, you agree to this international transfer of data.

To ensure global compliance, we use Standard Contractual Clauses (SCCs) and strict encryption for all cross-border data transfers.

7. Your Security Responsibilities

In Plain English

We provide the lock, but you have to turn the key. Use a strong password and don't share your login.

Security is a partnership. Providers must: Use unique, complex passwords. Enable Two-Factor Authentication (2FA) on their Suitespace and Stripe accounts. Notify us immediately at security@suitespace.app if they suspect an account compromise.

8. Subdomains, usernames, and identifiers

In Plain English

We may restrict or reclaim a subdomain, username, or other identifier if it could confuse users, pose security risks, or conflict with reserved or official-looking names. We can act with or without prior notice when needed to protect the Service and its users.

We reserve the right to restrict, suspend, or reclaim any subdomain, username, or identifier that, in our sole discretion, may cause confusion, impersonation, security risks, system conflicts, or otherwise interfere with the operation or integrity of the Service. This includes names that are reserved, system-related, misleading, or that could reasonably be mistaken for official functionality or personnel. We may take such action with or without prior notice, particularly where necessary to protect users, the platform, or third parties.

Data Processing Agreement

Suitespace Data Processing Agreement (DPA)

Last Updated: March 25, 2026

1. The Core Roles (Definitions)

In Plain English

You (the Provider) are the "Boss" of the data—you decide why it's collected. We (Suitespace) are the "Helper"—we only touch the data to make the app work for you.

Controller

The Provider (You). You determine the purpose of the data.

Processor

Suitespace Inc. We act on your instructions.

Sub-Processor

Third parties we use to help us (like AWS or Stripe).

Data Subject

Your Customer (the end-user booking the service).

2. Purpose and Scope of Processing

In Plain English

We only use your customers' info to run your booking site, send them reminders, and keep your account secure. We don't sell this info or use it for our own marketing.

Suitespace processes Customer data strictly to: Provide the booking and scheduling platform. Manage notifications and automated reminders. Host your provider website and booking pages. Ensure platform security and prevent fraud.

3. Types of Data Handled

In Plain English

We handle names, emails, and phone numbers. We do not handle credit card numbers—that's strictly Stripe's job.

We process: Names, contact details, booking times, and any custom notes you or your customers enter. Financial data is handled externally by Stripe Standard; Suitespace does not store or process raw cardholder data.

4. Provider Obligations (Your Job)

In Plain English

You must make sure it's legal for you to collect this data in the first place. You are responsible for telling your customers how you use their info.

As the Controller, you agree to: Comply with GDPR, KVKK, PIPEDA, or your local laws. Provide a clear Privacy Policy to your Customers. Get valid consent from Customers where required. Respond to your Customers if they ask to see or delete their data.

5. Suitespace Obligations (Our Job)

In Plain English

We only do what you tell us to do with the data. We keep it secret, keep it safe, and tell you immediately if there's a security breach.

As the Processor, Suitespace agrees to: Process data only on your documented instructions. Ensure our team keeps all data confidential. Notify you "without undue delay" if we confirm a data breach. Help you fulfill Customer data requests (Access, Deletion, Export).

6. Approved Sub-Processors

In Plain English

We use a few expert partners to keep the lights on. By using Suitespace, you're giving us the thumbs-up to use them.

We use the following key partners:

AWS (Amazon Web Services)

Cloud hosting and data storage.

Stripe

Payment processing infrastructure.

Amazon SES (AWS)

Email delivery via Amazon SES.

7. International Data Transfers

In Plain English

Our main servers are in the USA. We use "Standard Contractual Clauses" to make sure the data is protected even when it leaves your home country.

Data is processed in AWS us-east-1 (N. Virginia, USA). We implement high-level encryption and strict access controls to ensure these transfers meet global privacy standards.

8. Data Security Measures

In Plain English

We use encryption (TLS and AES-256), firewalls, and 24/7 monitoring to keep hackers out.

We maintain industry-standard technical measures, including: Encryption of data "at rest" and "in transit." Multi-factor authentication (MFA) for our internal systems. Daily backups and disaster recovery protocols.

9. Retention and Deletion

In Plain English

When you leave, we don't hold onto your customers' info forever. We keep it for 12 months in case of disputes, then it's gone.

Upon termination of your account:

Booking Data

Retained for 12 months, then deleted/anonymized.

Financial Records

Retained for 5 years for legal/tax audits.

10. Disputes and Governing Law

In Plain English

This agreement is governed by the laws of Ontario, Canada.

Any legal disputes related to data processing shall be resolved exclusively in the courts of Toronto, Ontario.

Platform Content Policy

Platform Content & External Payment Links Policy

Last Updated: June 5, 2026

1. Purpose and Scope

In Plain English

Suitespace gives you a safe way to take booking payments. You may not paste outside checkout links into your site or service pages to bypass that system.

This policy explains restrictions on external payment and checkout links in content you publish through Suitespace. It applies to all Providers using Launch, Connect, and related suite editing tools. It supplements our Acceptable Use Policy and Provider Terms.

2. Where This Policy Applies

In Plain English

This covers anything you type or paste into Suitespace editors—not just your main website pages.

These rules apply to customer-facing content you create or edit on the platform, including:

Website and branding

Launch and Connect website editors, branding fields, navigation copy, and site descriptions.

Service listings

Service summaries, descriptions, and other bookable-offering text fields.

Other editable fields

Any rich-text or plain-text field where Suitespace allows links or URLs in customer-facing content.

3. Prohibited External Payment Links

In Plain English

No Stripe Payment Links, PayPal.me, iyzico, PayTR, or similar checkout URLs in your content—anywhere in the world.

You may not embed, publish, or solicit payment through third-party checkout, billing, donation, or wallet-collection URLs. Prohibited examples include (but are not limited to):

Global gateways

Stripe, PayPal, Square, Gumroad, Paddle, and similar international checkout providers.

Regional providers

Local virtual POS and link-to-pay services (for example iyzico, PayTR, Param, Sipay, Shopier, Papara, or equivalent providers in your market).

Cryptocurrency and disguised links

Cryptocurrency payment URIs and URL shorteners or redirects used to hide payment destinations.

4. Required Payment Method

In Plain English

Use Suitespace booking and integrated payments for services you sell on the platform.

Payments for services booked through your suite must be collected using Suitespace's native booking flow and integrated payment architecture (including Stripe Connect where enabled for your suite). Configure bookable services inside Suitespace instead of directing customers to external checkout pages in your content.

5. Enforcement

In Plain English

We use automated checks and may block saves, remove content, or suspend accounts.

Suitespace may use automated filters, manual review, and related technical controls to detect external payment links. We may refuse to save or publish non-compliant content, remove violating material, issue warnings, suspend accounts, or terminate access in accordance with our Acceptable Use Policy.

6. Limitation of Liability

In Plain English

If someone pays you through an outside link you posted, that is between you and them—not Suitespace.

Suitespace is not responsible for fraud, chargebacks, disputes, regulatory issues, or financial losses arising from payments completed outside our integrated booking and payment flow. Any transaction facilitated by an external link you publish is solely between you and the payer.

7. Related Policies

In Plain English

This sits alongside our Acceptable Use Policy and Provider Terms—read those too.

This policy should be read together with the Suitespace Acceptable Use Policy (Section 3: Platform Content) and Provider Terms of Service. In the event of a conflict, the more specific restriction on payment integrity applies.

The workspace for your craft

Follow us
Product
  • Website
  • AI Assistant
  • Features
  • Solutions
  • Pricing
Company
  • About
  • Contact
  • Contact sales
Support & Legal
  • Help Center
  • Trust & Legal
  • Privacy & Terms

Stay updated

Subscribe to our newsletter to receive product updates, booking tips, and industry insights.

© 2026 Suitespace Inc. All rights reserved.
US