Privacy Policy

Version 4.0 Effective date: 13 March 2026

In accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and Estonian law on personal data protection

Article 1 – Preamble and Commitment

Spixes OÜ (hereinafter "Spixes", "we", "the Company") attaches paramount importance to the protection of its users' personal data.

This Privacy Policy aims to inform you about how we collect, use, share and protect your personal data in the context of using the Spixes platform (hereinafter "the Platform").

This policy applies to all users of the Platform, regardless of the feature used:

  • Volunteering Service: matching between Establishments (hostels, hotels, associations) and Volunteers (Backpackers)
  • Job Offers Service: matching between Companies and Candidates for paid job opportunities

Article 2 – Data Controller Identification

Data controller

SPIXES OÜ

Legal form: Osaühing (private limited liability company under Estonian law)

Registration number: 17445798

Registered office: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145 Tallinn, Estonia

Data protection contact email: [email protected]

Legal representatives: Nicolas Michaud, Jules Seyeux, Guillaume Sallé

Data Protection Officer (DPO)

DPO: Nicolas Michaud

Email: [email protected]

Article 3 – Personal Data Collected

3.1 Data Collected Upon Registration

When registering on the Platform, we collect the following data:

For all users:

  • First and last name (or company name for legal entities)
  • Email address
  • Password (encrypted)
  • Date of birth (to verify legal age)
  • Nationality
  • Country of residence
  • Preferred language

For Backpackers / Candidates (Volunteering and Job Offers):

  • Profile photo (optional)
  • Biography / personal presentation
  • Interests and skills
  • Spoken languages
  • Past experience (volunteering or employment) – optional
  • CV and cover letter (Job Offers only) – optional
  • Social media or portfolio links (optional)

For Establishments / Companies:

  • Establishment or company name
  • Type of structure (hostel, hotel, association, company, etc.)
  • Full address
  • Phone number
  • Website (optional)
  • Business registration number or local equivalent
  • Logo and photos (optional)
  • Description of the job or mission offered

3.2 Data Collected During Platform Use

  • Navigation data: IP address, browser type, operating system, pages consulted, visit duration, timestamp
  • Geolocation data: if you enable this feature (with your explicit consent)
  • Communication data: content of messages exchanged via integrated messaging
  • Matching data: application history, acceptances and refusals
  • Transaction data: for Premium Backpackers: payment information (processed by our provider Stripe), subscription history and invoices
  • Social Space data: groups created or joined, events organized or participated in, publications and comments published, interactions with other Backpackers (likes, shares)

3.3 Identity Verification Data

To fight fraud and ensure security, we may ask you to provide:

  • A copy of your identity document (identity card, passport)
  • An additional photo for facial verification
  • Proof of address (for Establishments / Companies)

3.4 Cookies and Similar Technologies

We use cookies and tracking technologies. Consult our Cookie Policy for more information.

Article 4 – Processing Purposes and Legal Bases

We process your personal data for the following purposes, on the indicated legal bases:

Purpose Legal basis (GDPR)
Creation and management of your user account Contract performance (art. 6.1.b)
Provision of connection services Contract performance
Payment processing (Premium Subscription) Contract performance
Identity verification and fraud prevention Legitimate interest (art. 6.1.f) + Legal obligation (art. 6.1.c)
Platform improvement and new feature development Legitimate interest
User experience personalization (recommendations, matching) Legitimate interest
Sending transactional communications (confirmations, notifications) Contract performance
Sending newsletters and marketing communications Consent (art. 6.1.a) – with opt-in
Compliance with legal and regulatory obligations Legal obligation
Response to competent authority requests Legal obligation
Dispute and complaint management Legitimate interest
Statistical analyses and market studies (anonymized data) Legitimate interest
Platform security and cyberattack prevention Legitimate interest
Social Space functioning (groups, events, interactions) Contract performance
Moderation of content published in Social Space Legitimate interest

Article 5 – Personal Data Recipients

Your personal data may be communicated to the following categories of recipients:

5.1 Within Spixes

Authorized Spixes personnel (developers, customer service, moderation team, management)

5.2 Other Platform Users

  • Public profile: certain information (name, first name, photo, biography, skills) is visible to other users
  • Messaging: your message content is accessible to your interlocutors

5.3 Service Providers (Processors)

  • Hosting: Railway – servers located within the EU
  • Payment: Stripe Payments Europe Ltd. (Ireland) – PCI-DSS certified
  • Emailing (SMTP): SendGrid – notifications and newsletters
  • Audience analytics: not yet determined
  • Customer support: not yet determined
  • Identity verification: not yet determined
Note: All our processors are contractually bound to respect GDPR and guarantee your data security.

5.4 Legal Authorities

In case of legal obligation or request from a competent judicial or administrative authority.

5.5 Third Parties in Case of Transfer

In case of merger, acquisition, asset sale or restructuring, your data may be transferred to the acquiring third party.

Article 6 – Data Transfers Outside EU/EEA

6.1 Principle

Your personal data is hosted on servers located within the European Union / European Economic Area (EU/EEA).

6.2 Exceptions

Some of our processors may be located in third countries (outside EU/EEA).

In this case, we ensure that the transfer is framed by one of the following guarantees:

  • European Commission adequacy decision (art. 45 GDPR)
  • Standard contractual clauses (SCC) approved by the European Commission (art. 46 GDPR)
  • Binding corporate rules (BCR) approved by a supervisory authority
  • The EU–US Data Privacy Framework (DPF), adopted in July 2023, for certified US sub-processors

You can obtain a copy of appropriate guarantees by contacting us at: [email protected].

Article 7 – Data Retention Period

We retain your personal data only for the duration necessary for the purposes for which it was collected, in compliance with legal obligations.

Data category Retention period
Active account data Duration of Platform use + 3 years after last activity
Deleted account data (by user) Immediate deletion, except legal obligations
Job Offers applications (unsuccessful) 2 years from date of application
Billing and payment data 10 years (accounting and tax obligation)
Identity verification data 5 years after end of contractual relationship
Connection logs and technical data 12 months (legal security obligation)
Cookies In accordance with Cookie Policy (13 months maximum)
Litigation data Duration of procedure + applicable limitation periods
Social Space data (groups, events, posts) Duration of group/event existence + 1 year after deletion or closure
Anonymized data: anonymized statistical data may be retained indefinitely for analysis purposes.

Article 8 – Your Rights Regarding Your Personal Data

In accordance with GDPR, you have the following rights:

8.1 Right of Access (art. 15 GDPR)

You have the right to obtain confirmation that your data is being processed and to access this data.

8.2 Right to Rectification (art. 16 GDPR)

You may request correction of inaccurate or incomplete data.

8.3 Right to Erasure / "Right to be Forgotten" (art. 17 GDPR)

You may request deletion of your data in the following cases:

  • Data is no longer necessary
  • You withdraw your consent
  • You object to processing
  • Data has been processed unlawfully
  • A legal obligation requires it
⚠️ Exceptions: this right does not apply if retention is necessary to comply with a legal obligation or for establishment, exercise or defense of legal claims.

8.3 bis – Right to Erasure of Social Space Content

You may delete directly from the interface: your posts, comments, group participation, or events you created.

Upon full account deletion: all Social Space content is deleted, except where legal obligations apply. Comments on other users' posts will be anonymised (displayed as 'Deleted User').

8.4 Right to Restriction of Processing (art. 18 GDPR)

You may request temporary suspension of your data processing in certain cases (contesting accuracy, unlawful processing, etc.).

8.5 Right to Data Portability (art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format, and to transmit it to another data controller.

8.6 Right to Object (art. 21 GDPR)

You may object at any time to processing of your data based on legitimate interest, particularly for commercial prospection purposes.

8.7 Right to Withdraw Consent (art. 7.3 GDPR)

If processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.

8.8 Right to Define Post-Mortem Directives

You may define directives concerning the fate of your data after your death, in accordance with Article 85 of GDPR and applicable Estonian law (Personal Data Protection Act).

8.9 Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority:

🇪🇪 Estonia (data controller's country)

Data Protection Inspectorate (Andmekaitse Inspektsioon)

Address: Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: [email protected]
Website: https://www.aki.ee

🇫🇷 France (if you reside in France)

CNIL (Commission Nationale de l'Informatique et des Libertés)

Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Phone: +33 1 53 73 22 22
Website: https://www.cnil.fr

8.10 Exercising Your Rights

To exercise your rights, you may:

  • Send an email to: [email protected]
  • Send postal mail to: Spixes OÜ, Tornimäe tn 5, 10145 Tallinn, Estonia
  • Use the dedicated form in your personal space on the Platform

We undertake to respond within one (1) month from receipt of your request. This period may be extended by two months in case of complexity or multiplicity of requests.

Supporting document: for security reasons, we may ask you to prove your identity (copy of identity document).

Article 9 – Personal Data Security

9.1 Technical and Organizational Measures

Spixes implements all appropriate technical and organizational measures to guarantee a level of security adapted to the risk, including:

  • Encryption: encryption of sensitive data (passwords, banking data) with robust algorithms (AES-256, TLS 1.3)
  • Pseudonymization and anonymization: when possible
  • Access control: access limited to authorized persons only, with strong authentication
  • Monitoring and detection: intrusion detection systems, access logging
  • Regular backups: daily backup copies, stored securely
  • Security testing: regular audits, penetration testing
  • Staff training: awareness of data protection and security
  • Security policy: strict internal procedures

9.2 Personal Data Breach

In case of personal data breach likely to pose a high risk to your rights and freedoms, we undertake to:

  • Notify the competent supervisory authority within 72 hours (art. 33 GDPR)
  • Inform you as soon as possible (art. 34 GDPR)
  • Implement all necessary measures to limit consequences

Article 10 – Minors' Data

The Platform is strictly reserved for persons of legal age (18 years old).

Spixes does not knowingly collect personal data concerning minors.

If you are aware that a minor has provided personal data on the Platform, please contact us immediately at: [email protected].

We will proceed with immediate deletion of this data.

Article 11 – Cookies and Similar Technologies

Use of cookies and tracking technologies is detailed in our Cookie Policy.

You can manage your cookie preferences at any time via the cookie management banner or your browser settings.

Article 12 – Modifications to Privacy Policy

Spixes reserves the right to modify this Privacy Policy at any time, particularly to comply with any legal, regulatory or technical evolution.

Any substantial modification will be notified to you by:

  • Email to the address associated with your account
  • Notification on the Platform
  • Update of the "last update" date at the top of this document

Modifications will take effect thirty (30) days after their notification.

Continued use of the Platform after modifications take effect constitutes acceptance of the new policy.

Article 13 – Contact and Data Protection Officer

For any question regarding protection of your personal data or to exercise your rights, you may contact:

Data Protection Service

Email: [email protected]

Mail: Spixes OÜ – DPO Department, Tornimäe tn 5, 10145 Tallinn, Estonia

Data Protection Officer (DPO)

DPO: Nicolas Michaud

Email: [email protected]

Article 14 – Applicable Legislation

This Privacy Policy is governed by Regulation (EU) 2016/679 (GDPR) and Estonian legislation on personal data protection (Personal Data Protection Act).

END OF PRIVACY POLICY

Document established in accordance with GDPR and European Data Protection Board (EDPB) guidelines.
Last update: 13 March 2026