Last Updated: 17 Aug 2018

SPCE Privacy Policy

This privacy policy (“the Policy”) applies to your use (in any capacity) of the SPCE Website and App (together “SPCE”)

SPCE is operated by SPCE Ltd (company registration number: 10341227), whose registered office is: 4th Floor Market Chambers, 5-7 St Mary Street, Cardiff, Wales, CF10 1AT (“we”/”us”/”our”).

For the purposes of processing the personal data described in this Policy, we are the data controller (as defined in the Data Protection Act 1998 (the “DP Law”).

Our registration number with the Information Commissioner’s Office is: ZA279411.

Thank you for using SPCE!

At SPCE, we take the issue of your Privacy very seriously, which is why we work hard to ensure we have policies and procedures in place to not only help you, but to do so in a way which is respectful to your rights. The following privacy policy explains what personal data we collect from you (or that you provide to us), how we process it and what we do to keep it safe.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new regulation which replaced the Data Protection Regulation (Directive 95/46/EC) on the 25th May 2018. The Regulation aims to harmonise data protection legislation across EU member states, enhancing privacy rights for individuals and providing a strict framework within which commercial organisations can legally operate.

We provide a Website and App which allows students, landlords (private and institutional) and agencies to connect directly with one another, thereby streamlining the house hunting process:


SPCE allows students to tailor their letting requirements, agree rent and finalise the rental terms for their property of choice, whilst having the option to utilise a guarantor to assist in finalising the tenancy agreement. Once any given tenancy has begun, the app-based efficiency of SPCE’s revolutionary solution enables real-time management and communication between students and their landlords, as well as guarantors, finally bringing modern tech-enabled convenience to student lettings.

Private Landlords

For private landlords, the App and Website allow properties to be listed on a room by room basis and enable rental transactions to take place at a cost. Here, we take a commission (as per the rental value detailed in the tenancy agreement) as payment, so it works on a “no win no fee” basis.

Institutional landlords and agents

We allow institutional landlords and agents (who typically have in-house rent collection and tenancy systems in place) to advertise their properties on SPCE for a fee, determined by the number of properties and/or rooms they wish to advertise.

We ask that you read this Policy carefully as it contains important information about what to expect when we collect your personal data and how we use your personal data. Your use of the SPCE is also governed by our Terms of Use. Please ensure you read the Terms of Use as well as this Policy. By registering with the SPCE, you agree to us collecting and utilizing your data in accordance with this policy. If you do not agree with this policy, please do not use SPCE. Where we require your consent to comply with DP Law, for example, for the transfer of data outside the EEA will ask for this separately.

1. What personal data do we collect and why?

1.1 Information you give to us

We ask for and collect the following personal information about you when you use the SPCE platform. This information is necessary for the adequate performance of the contract between you and us and to allow us to comply with our legal obligations. Without it, we may not be able to provide you with all the requested services.

Determined by your use of SPCE (i.e. the personal information you upload to our App or Website) and whether you sign into SPCE using your social media profile (i.e. Facebook, or any other social media platform that may be available from time to time) and the corresponding log in details, we may collect and process the following information about you:

Where you are a student and you register with SPCE:

  • your name, age, gender;
  • your contact details including telephone number, mobile number, email address and postal address, and any proof of address you may provide;
  • your location, GPS co-ordinates;
  • your image, where this is included on your Facebook profile or other social media platform;
  • your university name and university id and any other id you may provide;
  • your payment information such as bank account details;
  • the name of your guarantor and their details such as name, address;
  • information about your computer or mobile device, including where available, your IP address, operating system and browser type;
  • information in relation to your living habits, search specifications; and
  • any other information that you may provide to us through the SPCE Website and/or App.

Where you are a guarantor and you are guaranteeing a student’s account:

  • your name, age, gender;
  • relationship to student;
  • your contact details including telephone number, mobile number, email address and postal address;
  • a valid proof of identity, proof of address and any proof of income you may provide;
  • other financial information such as bank account details, sort codes;
  • information about your computer, including where available your IP address, operating system and browser type; and
  • any other information that you may provide to us through the SPCE Website and/or App.

Where you are a landlord (private or institutional), agent or university and you register and/or work with SPCE:

  • your name or employee and/or agents name and address;
  • your photo or employee and/or agents photo;
  • where applicable, your company, agent or university name, address, legal address, director name and address;
  • financial information, such as bank account details, sort codes;
  • details of your property(ies) such as address, house type, rooms, features, amenities, amount of rent;
  • photos of the property(ies);
  • details of other tenants located at property(ies);
  • tenant requirements;
  • information about your computer or mobile device, including where available your IP address, operating system and browser type.; and
  • any other information that you may provide to us through the SPCE Website and/or App.

1.2 Information you may choose to give to us

You may choose to provide us with additional personal information in order to obtain a better user experience when using SPCE Platform. This additional information will be processed based on your consent.

  • Additional Profile Information: You may choose to provide additional information as part of your SPCE profile (such as gender, preferred language(s), city, and a personal description). Some of this information as indicated in your account settings is part of your public profile page, and will be publicly visible to others.
  • Address Book Contact Information: You may choose to import your address book contacts or enter your contacts’ information manually to access certain features of the SPCE Platform, like inviting them to use SPCE.
  • Other Information: You may otherwise choose to provide us information when you fill in a form, conduct a search, update or add information to your SPCE Account, respond to surveys, post to community forums, participate in promotions, or use other features of the SPCE Platform.

1.3 Information we automatically collect from your use of the SPCE platform

When you use the SPCE Platform and the Payment Services, we automatically collect information, including personal information, about the services you use and how you use them. This information is necessary for the adequate performance of the contract between you and us, to enable us to comply with legal obligations and given our legitimate interest in being able to provide and improve the functionalities of the SPCE Platform and Payment Services.

  • Geo-location Information: When you use certain features of the SPCE Platform, we may collect information about your precise or approximate location as determined through data such as your IP address or mobile device’s GPS to offer you an improved user experience. Most mobile devices allow you to control or disable the use of location services for applications in the device’s settings menu. SPCE may also collect this information even when you are not using the App  if this connection is enabled through your settings or device permissions.
  • Usage Information: We collect information about your interactions with the SPCE Platform such as the pages or content you view, your searches for Listings, bookings you have made, and other actions on the SPCE Platform.
  • Log Data and Device Information: We automatically collect log data and device information when you access and use the SPCE Platform, even if you have not created an SPCE Account or logged in. That information includes, among other things: details about how you’ve used the SPCE Platform (including if you clicked on links to third party applications), IP address, access dates and times, hardware and software information, device information, device event information, unique identifiers, crash data, cookie data, and the pages you’ve viewed or engaged with before or after using the SPCE Platform.
  • Cookies and Similar Technologies: We use cookies and other similar technologies, such as web beacons, pixels, and mobile identifiers. We may also allow our business partners to use these tracking technologies on the SPCE Platform, or engage others to track your behaviour on our behalf. While you may disable the usage of cookies through your browser settings, the SPCE Platform currently does not respond to a “Do Not Track” signal in the HTTP header from your browser or mobile application due to lack of standardization regarding how that signal should be interpreted. For more information on our use of these technologies, see our Cookie Policy.
  • Payment Transaction Information: SPCE Payments collects information related to your payment transactions through the SPCE Platform, including the payment instrument used, date and time, payment amount, payment instrument expiration date and billing postcode, PayPal email address, IBAN information, your address and other related transaction details. This information is necessary for the adequate performance of the contract between you and SPCE Payments and to allow the provision of the Payment Services.

1.4 Information we collect from third parties

SPCE may collect information, including personal information, that others provide about you when they use the SPCE platform or obtain information from other sources and combine that with information we collect through the SPCE platform. We do not control, supervise or respond for how the third parties providing your information process your personal data, and any information request regarding the disclosure of your personal information to us should be directed to such third parties.

  • Third Party Services: If you link, connect, or login to your SPCE Account with a third party service (e.g. Google, Facebook, WeChat), the third party service may send us information such as your registration and profile information from that service. This information varies and is controlled by that service or as authorized by you via your privacy settings at that service.
  • Your References: If someone has written a reference for you, it will be published on your SPCE public profile page with your consent. To learn more, see our Help Centre article about References.
  • Background Information: To the extent permitted by applicable laws, SPCE may obtain reports from public records of criminal convictions or sex offender registrations. For Members outside of the United Kingdom, to the extent permitted by applicable laws and with your consent where required, SPCE may obtain the local version of police, background or registered sex offender checks. We may use your information, including your full name and date of birth, to obtain such reports.
  • Other Sources: To the extent permitted by applicable law, we may receive additional information about you, such as demographic data or fraud detection information, from third party service providers and/or partners, and combine it with information we have about you. For example, we may receive background check results (with your consent where required) or fraud warnings from service providers like identity verification services for our fraud prevention and risk assessment efforts. We may receive information about you and your activities on and off the SPCE platform through partnerships, or about your experiences and interactions from our partner ad networks.

2. How do we use your information?

We may use the personal data described above for the following purposes:


  • to maintain and improve the functionality of the SPCE Website;
  • to perform any contract we may have in place with you;
  • to communicate with you including sending you notifications about your account;
  • to allow us to manage your account you hold with us;
  • to improve your user experience and to prevent abuse;
  • for tax, risk management and other internal record keeping purposes;
  • to respond to any questions or other matters raised by you in relation to us, the SPCE Website or any of our products and services;
  • to understand your use of the SPCE Website, or keep a record of your product or service preferences;
  • to provide you with information regarding our products and services, where you have consented to be contacted for such purposes or it is otherwise lawful for us to do so;
  • for compliance with legal, regulatory and other good governance obligations; and
  • for any other purposes related to the management of your legal relationship with us.

Where you are a student:

  • in order for us to process and complete your property searches;
  • in order for us to assist you in managing your SPCE including the management of fees; and
  • to allow us to contact third parties such as guarantors to verify information about you.

Where you are a guarantor:

  • to allow you to guarantee someone’s application for accommodation, which will include us contacting you to verify the student’s information;
  • to allow you to place a cap on the student’s rental price limit; and
  • to allow us to contact third parties such as banks and credit agencies to verify financial information.

Where you are a landlord, agent or university:

  • to allow us to facilitate contact with prospective tenants including agreeing the terms of your SPCE and liaising via direct chat on the platform; and
  • in order for us to process and complete your property listings that you have placed with us.


Please note that when we obtain a photo from your mobile or computer i.e. photos of your property or your profile photo, a copy is stored on our database which is associated with SPCE. A copy may also exist in our archived systems. We may also store the details you enter on the SPCE Website in a database. This database, along with one or more backup copies is stored on computers based in the European Union. Please note that all information captured via the Website shall be sent to cloud storage where an internet connection is available.

We may store and process your information on our own technology systems or on systems owned by third parties that may store and process your information on our behalf.

3. Aggregated information

We may also convert your personal data into anonymous data and use it (normally on an aggregated statistical basis) for research and analysis to improve the SPCE Website and/or our products and services.

Anonymised aggregated personal information does not personally identify you or any other user of the SPCE Website and is therefore not personal data.

4. On what legal basis do we process your personal data?

Our legal basis for the processing of personal data is our legitimate business interests, described in more detail below, although we will also rely on contract, legal obligation and consent for specific uses of data.

We will rely on contract if we are negotiating or have entered into a tenancy agreement with you or your organisation or any other contract to provide services to you or receive services from you or your organisation.

We will rely on legal obligation if we are legally required to hold information on to you to fulfil our legal obligations.

We will in some circumstances rely on consent for particular uses of your data and you will be asked for your express consent, if legally required. Examples of when consent may be the lawful basis for processing include permission to share your details with landlords or prospective tenants when you have given it.

4.1 Our Legitimate Business Interests

We have a number of lawful reasons that mean we can use your personal information, including your consent, where you give it. One lawful reason is something called ‘legitimate interests’. In general terms, “Legitimate Interests” means we can process your personal information if:

  • We have a genuine and legitimate reason; and
  • We are not harming any of your rights and interests.

5. Consent

Should we want or need to rely on consent to lawfully process your data we will request your consent orally, by email or by an online process for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time.

6. Do we share your personal data with any third parties?

In order to process your personal data for the purposes described in this Policy, your personal data may need to be disclosed to (or otherwise processed by) third parties acting on behalf of us. Such third parties could include employees or agents who are employed to administer and provide support for your account with SPCE.

We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data, in order to comply with any legal regulations or good governance obligations, or in order to enforce or to protect our rights, property, or safety, or that of our customers or other persons with whom we have a business relationship, or to purchasers or prospective purchasers in relation to a disposal of our business or assets.

We will share your data for the purpose of carrying out analytics. For analytics data, we use Google Analytics, MailChimp, Mandril and HotJar. If you would like to review their respective privacy policies, please refer to the following links:

  • Google Analytics: For further information on Google Analytics please see our Cookie Policy - www.liveinspce.com/cookie-policy
  • Mailchimp/Mandrill: Mailchimp, our email campaign service provider, to keep you up to date with our news. Mailchimp has certified its agreement to the EU/US Privacy Shield. See further here – link mailchimp.com/legal/privacy

Hotjat: Hotjar is a way for us to understand how visitors to SPCE interact with our App and Website. See further here - www.hotjar.com/privacy

With your consent, we may also permit selected third parties to use your data, to provide you with information about goods and services which may be of interest to you and they may contact you about these by email, post or telephone (further details below).

We may also permit selected third parties to use your data, to help provide you the best service we can, you can see a full list of our partner here: www.liveinSPCE.com/partners

In relation to digital marketing if you have visited our Website or interacted with us through social media then we may share information with our marketing partners (listed below) to create and run marketing campaigns, including, marketing and retargeting:

  • The Tab
  • BAM Marketing
  • Cup the Market
  • Kiss FM
  • The University Paper
  • Save the Student
  • National Association of Student Money (NASMA)
  • National Landlord Association (NLA)
  • Social Chain
  • Studio Graphene
  • Hello Consultants
  • Various Universities and/or higher education bodies

In addition, we work with Experian, a third-party credit reference agency, which may use your personal data as part of its Rental Exchange service. This information will be used to allow tenants to improve their credit score without having to take on additional debt.  Prospective payment data will be shared with the Rental Exchange and may be made available to other organisations. For more information, please refer to the following link: www.experian.co.uk/rental-exchange

You may at any time log into your account and delete your details from our system if you are no longer interested in receiving our service. However where you have entered into a tenancy, whether as a landlord or student you will be bound by our Terms of Service. If you would like to review our Terms of Service, please refer to the following link: www.liveinSPCE.com/terms

Where you are a student:

In order to provide you with the service, we will share your personal data with prospective landlords who have property vacancies to fill. Landlords will have access to your information, such as your name and details. Landlords will be able to contact you where you have shown interest in their SPCE. Landlords will also be able to start live chats with you, where you permit this or initiate this. We will also share your information with your named guarantor in order to verify your information.

Where you have added other students to the same SPCE, we will share your information with these additional students (subject to you initiating this request).

As part of your use of SPCE we will share your information with the landlord, your guarantor and a third-party payment provider (where a tenancy is successful) - Stripe. If you would like to review Stripe’s privacy policy, please refer to the following link:stripe.com/gb/privacy

Where you are a guarantor:

In order to provide you with the service, we will verify the financial information you submit, with a third-party credit reference agency such as Experian or Homelet. These third parties will have access to your information, such as your name and details.

Where you provide a guarantee for a student, we will share your financial information with a third-party payment provider - Stripe. If you would like to review Stripe’s privacy policy, please refer to the following link: stripe.com/gb/privacy

In order to provide you with the service, we will have to obtain all necessary financial information from you such as debit or credit card numbers.

Where you are a landlord or agency:

As part of the service, we will share your personal data with prospective tenants who are interested in your property listing(s). They will receive details of your property and your name. You will be able to liaise with tenants over direct chat and tenants will be able to contact you to raise queries and inform you where i.e. a repair is required in your SPCE.

7. Where do we store your data and what safeguards are in place to protect it?

The data that we collect from you is stored on Amazon Web Services (AWS) servers within the European Economic Area (”EEA”). We take appropriate steps with a view to protecting the security of your personal information. We will treat all your information in strict confidence and we will endeavour to take all reasonable steps to keep your information secure once it has been transferred to our systems. We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information.

All information you provide to us is stored on these secure servers and any payment transactions are encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Please note that the transmission of information via the internet is not completely secure. We cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

8. How do we conduct direct marketing?

We would like to provide you with information about new products, services, promotions and offers from us and or our third party partners (as listed on the SPCE Website), which may be of interest to you. This communication may occur by post, e-mail. SMS or telephone. From time to time we may also wish to share your contact details with these third parties so that they can contact you directly about their own products, services, promotions and offers.

Where we need consent for this we will ask for it separately (outside of this Policy). Where we need to give you an opt-out opportunity before we send you our own marketing we will do so.  Any direct marketing that you receive from us in electronic form will also provide a simple means for you to opt-out of receiving further marketing communications.  For example, in e-mails we may provide you with an “unsubscribe” link, or an e-mail address to which you can send an opt-out request. We will take steps to stop any marketing to which you object or in respect of which you withdraw your consent within a reasonable period, but please allow sufficient time for the change to be administered.

Please note, we are not responsible for any direct marketing sent to you by any third party in respect of which you have given your consent. In such instances, you should refer to the privacy policy of that third party. If you wish to unsubscribe you will need to contact them directly.

9. Transfers to other countries

Your personal data may be transferred by us as data controller to countries and territories outside the UK and the European Economic Area which do not have the same level of protections for personal data as apply in the UK.  We are required by the DP Law to ensure that there are adequate protections for it in those other countries and territories.

10. How you can change your details

You can manage your information and amend your details within SPCE by accessing your account. If you are a guarantor, you will not have a separate SPCE account, please contact us instead using the details contained in section 14.

If you stop using SPCE, your information will be retained on our servers and affiliated database for a period of time after which it shall be deleted. All data retention shall be in accordance with DP Law and applicable law and regulatory requirements.

11. What are your rights in relation to your personal data?

The GDPR provides you with the following rights. To:

  • Request correction

of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

  • Request erasure

of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

  • Object to processing

of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

  • Request the restriction of processing

of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

  • Request the transfer

of your personal information to another party in certain formats, if practicable.

  • Make a complaint

to a supervisory body which in the United Kingdom is the Information Commissioner’s Office. The ICO can be contacted through this link: ico.org.uk/concerns/

  • Access to information

You have the right to request access to or receive copies of the personal data that we hold about you. If you would like to exercise this right, please contact us at info@liveinspce.com.

If you believe that any information we have about you is incorrect or incomplete and you are unable to change it yourself via your account, please contact us using the details provided above us as soon as possible.  We will take steps to seek to correct or update any information if we are satisfied that the information we hold is inaccurate.

12. How do we use cookie on our Website?

Our Website uses cookies to distinguish you from other users of our Website. This helps us to provide you with a good experience when you browse our Website and also allows us to improve our site and app. For detailed information on the cookies we use and the purposes for which we use them see our Cookie notice – www.liveinspce.com/cookie-policy

13. What should I do if I suspect a data breach?

Under the GDPR, SPCE has a responsibility to keep the personal data it holds safe, and as part of this we must have appropriate safeguards in place to ensure that we act appropriately in the event of a data breach. If you suspect that there has been a data breach in relation to personal data that SPCE has under its control then please notify us immediately. Once we have been notified then we, SPCE, will act in accordance with of our Data Breach Policy, and the response team members (all of which have received the appropriate training) will ensure they respond in an adequate manner.

14. Changes to the Policy

We may change this Policy from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We will update the date at the top of the Policy accordingly. We encourage you to check this Policy for changes when you revisit the SPCE Website.


15. Contacting us

We hope that we have shared with you all the information you need, but in the event that we haven’t, or if you have any questions then please contact us at info@liveinspce.com.

Last Updated: 17 Aug 2018

SPCE Cookie Policy

This website uses cookies to help analyse how users use the site and to help us improve our service. Below you will find out all the information about how we use cookies.

If you want to find out more about how we deal with your personal date, then please see our Privacy Policy.

We are committed to protecting your right to privacy and respecting your rights, and if you think we ever fall short of this then please do get in touch and let us know and we will be happy to deal with your enquiries.

What is a cookie?

A cookie is a text file that is stored on your computer or mobile device by a website’s server, if you agree.  Only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain anonymous information such as a unique identifier and the site name.

Further information on cookies should be available in the help pages of your browser, and most browsers will recognise when a cookie is offered and allow users to control how and when they are accepted. However, you should be aware that if you choose to decline cookies, you may not be able to fully experience all of the features of the SPCE website, and other websites that you choose to visit.

How does SPCE use cookies?

SPCE uses cookies that are strictly necessary to enable you to move around the site or to provide certain basic features. We use cookies to provide better functionality of the website by storing your preferences, for example. We also use cookies to help us to improve the performance of our website to provide you with a better user experience.

The information we collect using cookies is anonymous. We will never (and will not allow any third party to) use the statistical analytics tool to track or to collect any personally identifiable information of visitors to our site or associate your IP address with any other data held about you. We will not associate any data gathered from this site with any personally identifiable information from any source, unless you explicitly submit that information via a fill-in form on our website.

We use the following types of cookies on our website:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
  • Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  • Targeting cookies. These cookies record a user's visit to a website, the individual pages visited and the links followed. If the cookie is set by a third party (for example, an advertising network) which also monitors traffic on other websites, this type of cookies may also be used to track a user's movements across different website and to create profiles of their general online behaviour. Information collected by tracking cookies is commonly used to serve users with targeted online advertising.

What are the specific cookies that SPCE uses?

Our website uses Google Analytics, which allows us to recognise and count the number of visitors to our site and to see how visitors move around the site when they are using it. The information generated by the cookie about your use of the website, including IP address, is transmitted to Google. This information is then used to evaluate your use of the website and to compile statistical reports on website activity for SPCE. Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.

If you would like to know exactly what cookies are being used by Google Analytics and how they operate, or if you would like to find out more about the EU Cookie Law, you can do so via the links below.

* ICO Cookie Regulations and the EU Cookie Law

* Cookies and Google Analytics

* The website also uses the following additional cookies

What if I don’t want cookies?

You can restrict or block web browser cookies which are set on your device through your browser settings.  You can be notified when cookies are sent to your browser, or you can refuse cookies completely. You can also delete existing cookies. The Help function of your browser will tell you how to do this.

You can visit www.aboutcookies.org for further information about disabling cookies.

For further information about cookies, visit the Interactive Advertising Bureau (www.iab.net), an industry body that develops standards and guidelines to support online business processes. It has produced a series of web pages that explain how cookies work and how they can be managed.

What if I have any questions?

SPCE works hard to make sure that we keep your data safe and respect your legal rights and your privacy. So if you have any questions or ever feel that we fall short in our attempts then please do get in touch and let us know.  SPCE has a dedicated Data Protection Officer who will be happy to deal with any questions you may have and you can contact him here at  info@liveinspce.com.

Last Updated: 6 Nov 2017

SPCE Data Breach Policy

SPCE is required under the Data Protection Act 2018 and under the General Data Protection Regulation 2018 to ensure the security and confidentiality of all the personal and sensitive personal data it processes including that processed by third parties acting on its behalf.  SPCE takes this very seriously and for this reason we have implemented a Data Breach Policy.

Extreme care should be taken by staff to protect the personal data they work with and to avoid the unauthorised disclosure or loss of personal data.  

Responsibilities within SPCE

1. Within SPCE the appropriate person who has overall responsible for any breaches is the CEO Leon Ifayemi and any breach should be notified to him at datasecurity@liveinspce.com  

Legislative framework

2. There are eight Data Protection Principles contained in the Data Protection Act which must be complied with when processing personal data. Failure to comply with any of these Principles is a breach of the Data Protection Act.  

3. Furthermore this framework seeks to both work to UK standard but also in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), enacted May 25, 2016, replaces the EU Data Protection Directive (Directive 95/46/EC) (EU Directive).

The Seventh Data Protection Principle

4. This policy is concerned with the Seventh Data Protection Principle: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

5. Examples of a breach of this Principle would include:

On an individual basis:

  • personal data accidentally being sent to someone inside or outside of the SPCE (either internally or externally) who does not have a legitimate need to see it;
  • databases containing personal data being compromised, for example being illegally accessed by individuals outside the SPCE;
  • Unauthorised access to the Student, Landlord, Agent and University information or records;
  • loss or care file, theft of laptops, mobile devices, or paper records containing personal data;
  • staff accessing or disclosing personal data outside the requirements or authorisation of their job;
  • being deceived by a third party into improperly releasing the personal data of another person; and
  • the loss of personal data due to unforeseen circumstances such as a fire or flood.

On a system wide level:

  • Data breach as a result of a hack/ security breach
  • Theft or access given to central user database
  • Abuse of access to account leading to prolonged access

The difference between a security breach and a data breach and the notification process to follow

6. A data breach relates to the loss of personal data and should be notified following the procedure described. A security breach relates to the loss of equipment containing personal data. Where a security breach has been notified that also involves personal data staff must also follow the data breach policy.

Action to be taken in the event of a data breach

7. On discovery of a data breach the following high-level actions should be taken: -

  • Containment and recovery:  how can the exposure be mitigated. Is the breach ongoing, if so how can it be stopped?
  • Assessing the risk: what type of data has been lost? What is the risk to the individuals?
  • Notification of breach: To the Information Commissioners Office and Notification of any affected residents and user.
  • Evaluation and response: review of the breach.

Who is responsible for action?

8. The individual committing the breach, management within SPCE or the owner of personal data such as a Student, University, Landlord or Agent.

SPCE together with any affected customers/owners of personal data will discuss who is the most appropriate person to take such action, this will involve determining the identity of the controller for the breach.

To determine the identity of the data controller for the purpose of the data security breach. The data controller is the party that determines the purpose for, and manner in which personal data is processed. Which party or parties this applies to may not always be obvious.

There may be more than one data controller, particularly where, for example, shared services are involved. This is also common in relation to pensions data, for both the public body employer, HRMC and the pension trustees to be data controllers for the same personal data.

Where there is more than one data controller, both parties may be liable for breach of the Security Principle.

In the event that one or more SPCE customers are affected then SPCE will inform the customers and a communication will be agreed between parties to send to those affected.  If the information relates to students from a particular University then we will consider if it is appropriate to notify the University and work with them to manage the breach and PR/communications regarding this.

To assist in deciding then you can ask the following questions:

  • Did the breach occur in relation to the SPCE database or through access to their software?
  • Did the breach occur at SPCE offices?
  • Or did the breach occur due to the actions of one of partners or suppliers?
  • Who is the best person to take the lead on the response and how can the exposure be minimised?

Action to be taken

9. The immediate priority is to contain the breach and limit its scope and impact, and mitigate any breach. Below are some suggested actions in terms of specific breaches.

10. When a breach is noticed then the following information should be collected and if it affects a particular client then they should be notified as soon as practically possible and provided the relevant information which should include:

· date and time of the breach;

· date and time breach detected;

· who committed the breach;

· details of the breach and what personal data is involved;

· number of data subjects involved; and

· details of actions already taken in relation to the containment and recovery.

Under GDPR you have 72 hours to notify the ICO of a breach, as such it is imperative that you respond in a timely manner.

Specifics steps to be taken in particular scenarios

Below is some guidance to be taken in relation to particular forms of data/ security breach.

Unauthorised distribution of personal data

11. Where personal data has been sent to someone not authorised to see it, or contractor has accidentally taken confidential personal data offsite, staff should:

  • tell the recipient not to pass it on or discuss it with anyone else;
  • tell the recipient to return it where possible, or if sent out by email to destroy or delete the personal data they have received and get them to confirm in writing that they have done so;
  • warn the recipient of any implications if they further disclose the data; and
  • inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.

Compromised Systems

12. Where personal data is store on compromised systems or where intruders may have accessed or the potential to access personal data. Staff should:

·Make sure that no-one can access or alter compromised systems.

  • Isolate compromised systems from your network and unplug any network cables – without turning the systems off.
  • If using a wireless network, change the SSID (Service Set Identifier) on the wireless access point and other systems that may be using this wireless network (but not on any of the systems believed to be compromised).
  • Preserve all logs and similar electronic evidence, e.g. logs from your firewall, anti-virus tool, access control system, web server, application server, database, etc.
  • Perform a back-up of your systems to preserve their current state – this will also facilitate any subsequent investigations.
  • Keep a record of all actions you take.
  • Stay alert for further indications of compromise or suspicious activity in your environment, or that of your third parties.
  • Seek advice before you process any further payment card transactions.
  • If you can, gather details of all compromised or potentially compromised payment card numbers (the ‘accounts at risk’).

Loss of Equipment

  • The theft or loss of an asset, such as a PC, laptop or mobile device, must be reported immediately to a member of the management team and local law enforcement. This includes losses/thefts outside of business hours and at weekends.
  • If the device that is lost or stolen contained sensitive or payment card data, and the device is not encrypted, SPCE will complete an analysis of the sensitivity, type and volume of data stolen, including any potentially exposed payment card numbers.
  • Where possible, the respondents will use available technology/software to lock down/disable lost or stolen mobile devices (e.g. smart phones, tablets, laptops, etc.) and initiate a remote wipe. Evidence should be captured to confirm this was successfully completed.

Malware (or Malicious Code)

  • Disconnect devices identified with malware from the network immediately.
  • Examine the malware to identify the type (e.g. rootkit, ransomware, etc.) and establish how it infected the device. This will help you to understand how to remove it from the device.
  • Once the malware has been removed a full system scan must be performed using the most up-to-date signatures available, to verify it has been removed from the device.
  • If the malware cannot be removed from the device (as is often the case with rootkits) it should be rebuilt using original installation media or images. Prior to restoration from back-up media/images you must verify that the back-up media/images are not infected by the malware.
  • Protect the system(s) to prevent further infection by implementing fixes and/or patches to prevent further attack.

Assessing a breach

13. Questions to ask yourself in relation to reducing the risk/exposure:

  • Who is affected and who needs to be informed regarding the breach asap?
  • Can any access rights be revoked to reduce the exposure?
  • Is it possible to contain the breach by shutting of the affected systems or closing down access?
  • Would contacting the student, landlord, university or agency assist in reducing the risk/ exposure?
  • For example, are there risks to physical safety, reputation or financial loss?
  • What could happen if the personal data is used inappropriately or illegally?
  • For personal data that has been lost or stolen, are there any protections in place such as encryption?
  • Are there reputational risks from a loss of public confidence in the service the SPCE provides?

Notifying the Information Commissioner

Who is responsible for action?

14. Under the GDPR all breaches should be notified to the relevant authority. This may in some circumstances be a different person from the one above who has to respond to the breach.  As such SPCE together with any third parties involved will assess whether a breach has occurred and if so who is the relevant authority to be notified i.e. whether this is the ICO. And if so who is responsible for notifying the ICO.

15. In terms of the third parties such, assessment should be made as to who has been affected, the nature of the data and the amount of data involved.

16. Responsibility for notifying the ICO in the event of a data breach by SPCE rests with our CEO Leon Ifayemi who will complete a breach notification form and manage the process.

Breach Review and Improvement

17. Once the breach has been dealt with the cause of the breach needs to be considered. There may be a need to update policies and procedures, or to conduct additional training or a review surrounding the circumstances of the breach.

Last Updated: 6 Nov 2017

SPCE Terms Of Use: Website And App


The Website and App provided by SPCE, (together the “SPCE Website or App”), is operated by SPCE, The Shard, 32 London Bridge Street, London, UK, SE1 9SG  (company registration number 10341227) (“we”/”us”/”our”).

If you proceed to use the SPCE Website or App, we will take this to mean that you agree to these Terms of Use of use. They will govern your use of the SPCE Website or App.

These Terms of Use are effective from 6 November 2017. We may change these Terms of Use from time to time by updating this page.  Every time you wish to use the Website or App, please revisit this page to re-read these Terms of Use and to ensure you are aware of any changes. Your use of the SPCE Website or App after a change has been made constitutes your acceptance of the amended Terms of Use.  We may also make changes to the Website or App from time to time.

How to Contact Us

If you have any queries regarding the SPCE Website or App or any of the information or materials contained on or in it, or about any part of these Terms of Use, please use the contact details below.

E-mail address: info@liveinspce.com

Using the SPCE Website or App

These Terms of Use set out the basic rules that govern your use of the SPCE Website or App to access information regarding the services we offer and for all other purposes including, for example administration of your online account with us.  If you wish to use our service, our Terms and Conditions of Services will apply – www.liveinspce.com/terms   ​

Please note that the SPCE Website and App is intended for use by users globally.

Terms of Use

1. Intellectual Property​​

1.1 Either we or third parties that are our licensors, are the owner or the licensee of all copyright, design rights, database rights, trademarks and other intellectual property rights in the SPCE Website or App, and in the material published on it. Your use of the SPCE Website or App grants no rights to you in relation to our intellectual property rights or the intellectual property rights of third parties.  All such rights not expressly granted are reserved.

1.2 If you are using the SPCE Website or App and have access to a printer then you are permitted to electronically copy and to print in hard copy portions of the content of the SPCE Website or App for the sole purpose of your own personal use of this as an information resource for our Products, provided any copy which you make retains all copyright and other proprietary notices. Any other use of materials on the SPCE Website or App, including reproduction for purposes other than the above, modification, distribution or republication without our prior written consent is prohibited.

1.3 If you print off, copy or download any part of the content on the SPCE Website or App in breach of these Terms of Use, we reserve the right to suspend or terminate your use of the SPCE Website or App immediately and you must, at our option, return or destroy any copies of the materials you have made.

1.4 If you do not comply with the requirements of these terms, or if you misuse the Website or App we, and any service or technology providers affected, may take  appropriate legal action against you.

​1.5When you upload or post content to the Website or App, you grant us the following rights to use that content for various purposes including to:

1.5.1 verify your identify;

1.5.2  carry out credit checks;

1.5.3 marketing purposes;

1.5.4 form legally binding tenancy agreements;

1.5.5 storing data; and

1.5.6​​ analytics.

1.6 We are not responsible for viruses and you agree not to introduce them.

2. Links to Third Party Websites and Restrictions

2.1 The use of third party websites is entirely at your own risk.  Links contained in the SPCE Website or App are provided for information only and will lead to other websites not under our control, and we do not make any representation as to the accuracy, completeness, timeliness or suitability of information on those other websites and we accept no liability for the content of any linked site or any link contained in a linked site.  Links provided on the SPCE Website or App are provided to you only as a convenience and the inclusion of any link does not imply reliability and endorsement by us of the content of any third party’s website.

2.2 These Terms of Use do not apply to any third party linked to on the SPCE Website or App.  You should read the terms and conditions of use on those other websites before using them and direct any questions or comments about the content of those other websites to the relevant website provider.

2.3 You are not entitled (nor will you assist others) to set up links from any other websites to the SPCE Website or App (whether by hypertext linking, deep-linking, framing, toggling or otherwise) without our prior written consent, which we may grant or withhold at our absolute discretion.

3. Relying on the Website or App

​3.1 The content of the Website or App is provided for general information only. While we have taken reasonable steps to ensure the accuracy and completeness of the information on the SPCE Website or App, all such information is provided on an “as is” basis and, except where prohibited by law, we give no warranty and make no representation regarding the accuracy or completeness of its content.  

3.2 Some of the information contained on the SPCE Website or App may have been prepared or provided by third parties. Except where prohibited by law, no warranty is given that this SPCE Website or App will be available on an uninterrupted basis and no liability can be accepted in respect of losses or damages arising out of such unavailability.

3.3 All express warranties, representations, conditions of any kind or other terms implied by statute or common law with respect to the SPCE Website or App or the information, content, materials or products included on the SPCE Website or App are hereby expressly excluded to the fullest extent permitted by law.

4. Our responsibility to you for loss or damage

If you are a consumer or business user

​4.1 We do not exclude liability or limit our liability to you in any way in connection with:

4.1.1 any death or personal injury caused by us, our employees’, or our agents’ negligence,;

4.1.2 or fraud or fraudulent misrepresentation;

4.1.3 breach of our statutory obligations which apply in connection with the supply of services to you which cannot be limited or  excluded by law; or

4.1.4 or for any other liability that may not be limited or excluded by law.

For the avoidance of doubt, the terms of our Terms of Service will apply in connection with any services you purchase from us.

If you are a business user

4.2 Except where prohibited by law, we shall not be liable in any circumstances for any direct or indirect, special or consequential loss or damage (whether for profit or loss or otherwise) costs, claims, expenses or other claims for compensation whatsoever, whether caused by our acts, omissions or negligence or the acts, omissions or negligence of our employees or agents, which arise out of or in connection with the use of the Website or App or the information, content materials or products included on the SPCE Website or App,

4.3 In addition, except where prohibited by law, we are not liable to you for any of the following (whether or not we were advised of, or knew of, the possibility of such losses) whether arising from any claim arising out of or in connection with the use of the SPCE Website or App, including without limitation, under any tort, including negligence, for breach of contract, for misrepresentation (other than fraudulent misrepresentation), intellectual property infringement or under any statute or otherwise:

4.3.1 any losses or damages arising out of changes made to the content of the SPCE Website or App by unauthorised third parties;

4.3.2 any loss of business, data, profits, revenue, goodwill, use or anticipated savings;

4.3.3 loss or damage to your, or any third party’s, data or records;

4.3.4 any delay in, or failure of, performance of our obligations under these Terms of Use arising from any cause beyond our reasonable control including any of the following: act of God, governmental act, war, fire, flood, explosion or civil commotion, failure in information technology or telecommunications services, failure of a third party (including failure to supply data) and industrial action;

4.3.5 except as expressly provided in these Terms of Use, we exclude all representations, conditions and warranties whether express or implied (by statute or otherwise) to the fullest extent permitted by law.

If you are a consumer

4.4 We only provide our site for your private use.  You agree not to use the [Website or App] for commercial or business purposes.  We have no liability to you for any business losses, which may include loss of profit, loss of business, business interruption or loss of business opportunity.

4.5 If defective digital content that we have supplied, damages a device or digital content belonging to you and this is caused by our failure to use reasonable care and skill, we will either repair the damage or pay you compensation.  However, we will not be responsible to you for any damage that you could have avoided by following our advice to apply any update offered or by taking other steps to avoid any damage.

5. Security​

5.1 Please remember that the Internet is not a secure medium. Communications over the Internet such as e-mails are not secure unless they have been encrypted.  We seek to keep secure all confidential information and personal information submitted to us through the SPCE Website or App, in accordance with our obligations under applicable laws and regulations.  However, in common with all SPCE Website or App operators, we cannot guarantee the security of any data transmitted through the SPCE Website or App (except where the same is encrypted).  Please do not communicate with us through the SPCE Website or App, or otherwise use the SPCE Website or App, unless you accept the security implications of dealing online.  Information you send through the SPCE Website or App is sent at your own risk.  

6. Statement of Misuse​

We reserve the right to prevent your use of the SPCE Website or App if you misuse its content in any manner. Examples of misuse would include use of copyright materials on the SPCE Website or App not in accordance with these Terms of Use. We are the final arbiter as to what shall constitute misuse and our decision will be final.

7. Miscellaneous

7.1 In these Terms of Use the words “include”, “including”, “includes”, “such as”, “in particular” and any similar expression are to be construed as if they were immediately followed by the words “without limitation”.​

7.2 These Terms of Use and any non-contractual obligations arising out of or in connection with them, are governed by English law. In the event of any dispute or claim relating to the SPCE Website or App, these Terms of Use or any non-contractual obligations arising out of or in connection with them, then all SPCE Website or App users to whom these Terms of Use relate agree to the resolution of such claim or dispute exclusively in the English courts, in accordance with English law, unless you are a consumer who is a resident in Scotland, then you may bring proceedings in Scotland, and if you are a resident of Northern Ireland, you may bring proceedings in Northern Ireland.

7.3 If any provision of these Terms of Use is found to be invalid or unenforceable by a court, including without limitation the liability limitations or exclusions, it will be severed from the rest of these Terms of Use which shall remain unaffected.

7.4 No delay or failure by us to exercise any powers, rights or remedies under these Terms of Use will operate as a waiver of them, nor will any single or partial exercise of any such powers, rights or remedies preclude any other or further exercise of them.

7.5 We may, at any time, assign any or all of our rights or obligations under these Terms of Use to any person.  This includes without limitation any person who takes on responsibility for operating the SPCE Website or App (whether inside or outside our group of companies). This includes assignments where necessary as part of any restructuring relating to our companies, business or assets, or as part of a sale of SPCE Limited or its business or assets.​

7.6 Rights such as may be granted to any and all SPCE Website or App users, and obligations as may be incurred by any such person, in each case pursuant to these Terms of Use,  relate only to those persons, and they may not be transferred to any third party whatsoever.

8. Online Accounts

8.1 The following terms only apply to the extent that you open an online account with us via the SPCE Website or App (an “Account”).

8.2 You agree to comply with the following security procedures governing your use of your Account, for all purposes whatsoever,:

8.2.1 You will keep secret and secure at all times your username and password for your Account and you will never disclose them to any other person or allow any other person to use them.

8.2.2 You will destroy any notice from us concerning your username and password as soon as you have read and understood it.

8.2.3 If you know, or suspect, any other person has seen your username and password you will contact us immediately using the contact details referred to at the top of these Terms of Use.  You will never leave your computer, mobile, tablet or other device unattended whilst you are logged in to your Account or let anyone else use the computer, mobile, tablet or such other device until you have logged out of your account.

​8.2.4 You will use particular caution if you log in to your Account from a public or shared computer to ensure that others are not able to see seen your username and password.

​8.2.5 You will tell us immediately of any unauthorised access to your Account that you know about or suspect.

​8.2.6 You agree that we may terminate your registration to use your Account if you fail to comply with these security procedures or any other part of these Terms of Use.

8.3 Termination of your Account

8.3.1 We may cancel your account at any time for any reason and without notice, including without limitation, if: we discover or have reason to suspect that the information or details you have provided to us about yourself is false, misleading, inaccurate or incomplete;

​ you have made any use whatsoever of your  account or the SPCE Website or App, otherwise than in accordance with these Terms of Use;

​ you are using the services available through your account or the SPCE Website or App for an illegal purpose, or if we have reason to believe that your use would in our opinion jeopardise the security of the SPCE Website or App or your account, or would cause us to be in breach of any contractual duty we owe, or would be contrary, or would be in risk of being contrary, in our opinion, to any applicable laws or regulations; or

​ you have committed any other breach of these Terms of Use.

we discover or have reason to suspect that the information or details you have provided to us about yourself is false, misleading, inaccurate or incomplete;

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.