1. Who We Are
Spacehubs Africa's intelligence platform at data.spacehubs.africa, is a directory and analytics platform for the African space ecosystem. The platform is operated through Spacehubs Africa's Estonian legal entity.
As the entity that determines the purposes and means of processing personal data, that operating entity is the data controller under the General Data Protection Regulation (GDPR).
For privacy-related enquiries, contact us at privacy@spacehubs.africa.
Spacehubs Africa OÜ (16002610), Lõõtsa tn 5-11, 11415 Tallinn, Estonia.
2. What Data We Collect
- Account data: email address, full name, country, organisation, role, areas of interest, use cases, and profile picture (optional).
- Authentication data: hashed password, email verification status, account creation timestamp, and terms acceptance timestamp.
- Subscription and payment data: subscription plan, billing interval, subscription status, payment references, and transaction history. We do not store full card numbers.
- Public audience analytics: aggregate public page analytics such as pages visited, referral and campaign metadata, approximate location, and device/browser metadata collected through Plausible without analytics cookies or user profiles.
- Product usage data (with consent): pages visited, landing pages, referral and campaign metadata, feature interactions, filter and navigation behaviour, session-level engagement metrics, approximate location, device/browser metadata, and limited session replay on selected pages collected through PostHog only after you accept analytics cookies. We do not send raw contact message content, payment payloads, or similar sensitive free-text into analytics events.
- Contact form data: name, email, subject, message, and whether you opted in to newsletter or product updates.
- Technical data: IP address used for rate limiting and security, browser type, and session identifiers.
3. Why We Process Your Data (Legal Bases)
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and managing your account | Art. 6(1)(b) - performance of contract |
| Processing payments and subscriptions | Art. 6(1)(b) - performance of contract; Art. 6(1)(c) - legal obligation |
| Sending transactional emails | Art. 6(1)(b) - performance of contract |
| Cookieless public audience analytics | Art. 6(1)(f) - legitimate interest |
| Product analytics and usage tracking | Art. 6(1)(a) - consent |
| Responding to contact form enquiries | Art. 6(1)(f) - legitimate interest |
| Sending newsletter or product updates when you opt in | Art. 6(1)(a) - consent |
| Security, fraud prevention, and rate limiting | Art. 6(1)(f) - legitimate interest |
| Error monitoring and platform reliability | Art. 6(1)(f) - legitimate interest |
| Retaining anonymised transaction records | Art. 6(1)(c) - legal obligation |
4. Data Retention
- Account data: retained until you delete your account.
- Transaction records: anonymised and retained for 7 years where accounting law requires retention.
- Contact messages: retained for up to 2 years, then deleted by scheduled cleanup jobs.
- Newsletter opt-in from the contact form: retained with the related contact message so we can evidence the opt-in unless you withdraw it sooner.
- Analytics data: retained according to our Plausible and PostHog project settings and internal review schedule.
- Security tokens: expired or used verification and deletion tokens are removed by scheduled cleanup jobs.
- Session data: removed on logout or when sessions expire and are cleared from storage.
5. Backups and Deletion Timing
When data is deleted from our live systems, it may remain in secure backup copies until the relevant backup retention window expires. Our internal backup policy is: weekly backups retained for 5 weeks and monthly backups for 6 months. These automated backup copies are stored separately for disaster recovery and are not used to restore deleted accounts or expired contact messages during ordinary operations.
We document this operationally in BACKUPS_AND_DELETION.md.
7. International Data Transfers
Some of our service providers are located outside the EEA, including in the United States. Where required, we rely on recognised transfer mechanisms such as the EU-US Data Privacy Framework or Standard Contractual Clauses.
8. Your Rights Under GDPR
You have the right to access, correct, delete, restrict, object to, and port your personal data, subject to applicable legal limits.
- You can edit profile data from your account settings.
- You can delete your account from your profile page.
- You can download your account data in machine-readable form from your profile page.
- You can withdraw analytics or newsletter consent at any time by clearing your saved cookie choice for this site or by contacting us.
For privacy requests, email privacy@spacehubs.africa.
10. Security
We use technical and organisational measures including HTTPS, hashed passwords, rate limiting, reCAPTCHA, webhook signature verification, and error monitoring. No internet transmission or storage system is completely secure.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Where appropriate, we will notify users of material changes by email or in-product notice.