Privacy Policy

SPACE PENGUIN PROPRIETARY LIMITED
ABN 82 682 613 065 / ACN 682 613 065

Last Updated: 19 June 2026

This Privacy Policy describes how SPACE PENGUIN PROPRIETARY LIMITED (“Space Penguin”, “we”, “us”, “our”) collects, uses, discloses, and protects personal information when you visit our website, use our Virtual Address, Workspace Booking Marketplace, or other services (collectively, the “Services”), or otherwise interact with us.

We are an Australian company. This Policy is written to meet our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — because we have, and expect to continue to have, visitors and customers from the European Union, United Kingdom, and elsewhere — to meet our obligations under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR, where they apply to our processing of your personal information.

By using the Services, you agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree, please do not use the Services.

1. Who We Are

Space Penguin Pty Ltd is the controller (under GDPR) and the entity responsible (under the Privacy Act) for the personal information described in this Policy.

Registered office: Suite 1208/530 Little Collins St, Melbourne VIC 3000
Sydney office: 87–90 Jones Street, Ultimo, Sydney NSW
Contact: hello@spacepenguin.io

2. Changes to This Policy

We may update this Policy from time to time to reflect changes to our practices or for legal or operational reasons. We will post the revised Policy on this page and update the “Last Updated” date above. Material changes affecting how we handle your personal information will, where required by law, be communicated to you directly (e.g. by email) before they take effect.

3. What Personal Information We Collect

3.1 Information you give us directly

  • Account and signup information: name, email address, password.
  • Payment information: processed directly by our payment processor, Stripe — we do not store full card details ourselves. We receive limited information from Stripe such as payment confirmation, last 4 digits of a card, and billing name.
  • Virtual Address subscription information: business name, authorised person name(s) (maximum two per subscription), contact details, and the address to which you’d like mail forwarded (if requested).
  • Marketplace information: if you list a Space as a Host, your business/listing details and payout information; if you book a Space, your name and contact details, shared with the Host as needed to fulfil the booking.
  • Customer support information: anything you tell us via email, WhatsApp, or other support channels.
  • Mail and parcel content: when you use our Virtual Address service, the contents of mail and parcels addressed to you — including any personal information about you or third parties contained within that mail (e.g. a sender’s name, an account number, or other details on a letter) — are incidentally collected and scanned as part of providing the Service.

We do not currently collect government-issued ID or other identity-verification documents as part of signup. If this changes (for example, if required by future anti-money-laundering or know-your-customer obligations), we will update this Policy and obtain any consents required by law.

3.2 Information we collect automatically (Cookies and similar technology)

When you visit our website, we and our advertising and analytics partners automatically collect Usage Data via cookies, pixels, and similar technologies, including device and browser information, IP address, pages viewed, and how you interact with the Services. See Section 7 (Cookies) for detail, including how this differs for EU/UK visitors.

3.3 Information we receive from third parties

  • Stripe (payment processing) — payment confirmation and limited billing data.
  • Google Workspace / Gmail — we use Google Workspace for our business email; if you email us, that correspondence is held in our Google Workspace environment.
  • Zoho CRM — we use Zoho CRM to manage customer records, including, in most cases, storing or linking to scanned copies of your mail for Virtual Address purposes.
  • Advertising platforms (Meta, Google, TikTok, and other platforms we may use from time to time) — see Section 6.2 below.

4. How We Use Your Personal Information

  • Providing the Services: to create and manage your account, process payments via Stripe, provide your Virtual Address (including scanning, storing, and — where requested — forwarding mail), facilitate Marketplace bookings between Hosts and Bookers, and provide customer support.
  • Marketing and advertising (see Section 6.2): to send you marketing communications and to advertise our Services to you and to similar audiences on third-party advertising platforms.
  • Security and fraud prevention: to detect, investigate, and act on suspected fraudulent, illegal, or harmful activity, including suspected misuse of a Virtual Address.
  • Communicating with you: to respond to enquiries and provide support.
  • Legal compliance: to comply with our legal obligations (including tax and corporate record-keeping obligations), enforce our Terms of Service, and protect our rights and the rights of our users.

5. Legal Bases for Processing (GDPR)

Where GDPR or UK GDPR applies to our processing of your personal information, we rely on the following legal bases:

PurposeLegal basis
Providing the Virtual Address, Marketplace, and other Services you’ve signed up forPerformance of a contract with you (Art. 6(1)(b))
Processing payments via StripePerformance of a contract with you (Art. 6(1)(b))
Security, fraud prevention, and enforcing our TermsLegitimate interests (Art. 6(1)(f))
Complying with tax, corporate, and other legal obligationsLegal obligation (Art. 6(1)(c))
Sending you marketing communications and advertising to you on third-party platformsConsent (Art. 6(1)(a)), or legitimate interests where permitted, withdrawable at any time
Use of non-essential cookies (analytics, advertising) for EU/UK visitorsConsent (Art. 6(1)(a)), obtained via our cookie banner

6. Marketing and Advertising

6.1 Direct marketing

We may send you marketing communications about our Services by email or other channels. You can opt out at any time using the unsubscribe link in any marketing email, or by contacting us directly. Opting out of marketing does not affect non-promotional communications (such as account or subscription notices).

6.2 Advertising on third-party platforms

We use your personal information (such as your email address, in hashed form where supported) to advertise and market our Services on third-party advertising platforms, including Meta (Facebook/Instagram), Google (including Google Ads), TikTok, and any other advertising or marketing platform we may use from time to time. This includes:

  • building custom or lookalike audiences from our customer or website-visitor data;
  • using pixels or tags (such as the Meta Pixel, Google Ads tag, or TikTok Pixel) on our website to track conversions and re-target visitors with ads; and
  • measuring and optimising the performance of our advertising campaigns.

Each advertising platform processes the information we share with it as an independent controller (or, in some cases, jointly with us) under its own privacy policy and terms — we encourage you to review Meta’s, Google’s, and TikTok’s respective privacy policies. You can manage or opt out of personalised advertising directly through each platform’s ad preference settings, and you can opt out of our use of your information for advertising purposes by contacting us or (for EU/UK visitors) withdrawing cookie consent as described in Section 7.

This clause applies to any advertising or marketing platform we use now or add in future, whether or not specifically named above.

7. Cookies

We use cookies, pixels, and similar technologies to operate our website, understand how it’s used, and serve advertising as described in Section 6.2.

If you are visiting from the EU, UK, or another jurisdiction requiring opt-in consent: non-essential cookies (analytics and advertising cookies, including the Meta Pixel, Google Ads tag, and TikTok Pixel) will only be set with your prior, informed consent via a cookie consent banner. You can withdraw or change your consent at any time using the cookie preference tool on our website.

For all other visitors: cookies operate on an opt-out basis — most browsers accept cookies by default, and you can remove or block them through your browser settings, though this may affect site functionality.

We honour the Global Privacy Control (GPC) signal where required by applicable law, treating it as a request to opt out of the sale/sharing of information or targeted advertising for that browser/device.

8. How We Disclose Personal Information

We disclose personal information to:

  • Stripe, to process your payments.
  • Google Workspace / Gmail, in connection with our business email correspondence with you.
  • Zoho CRM, where your customer records (including, for Virtual Address customers, scanned mail in most cases) are stored and managed.
  • Our employees and contractors based in Sydney and Melbourne, who are granted access only as needed to provide the Services (currently, access to Virtual Address and mail-related records is limited to Rohan, Alisha, and Sydney/Melbourne-based employees and contractors).
  • Meta, Google, TikTok, and other advertising platforms, as described in Section 6.2.
  • Hosts and Bookers on the Marketplace, to the extent necessary to facilitate a booking (e.g. a Booker’s name and contact details may be shared with a Host, and vice versa).
  • Professional advisers, regulators, and authorities, where required by law, to enforce our Terms of Service, or to protect our rights or the rights of others.
  • A successor entity, in connection with a merger, acquisition, or sale of all or part of our business.

We do not sell your personal information for money. We do not use or disclose sensitive personal information to infer characteristics about you.

9. International Data Transfers

We are an Australian business and primarily store data on servers in Australia. However, your personal information may be transferred to, and processed in, other countries — including the United States and India (e.g. via Stripe, Google, Meta, and TikTok) — in connection with the Services described above.

For personal information originating in the EU/UK: where we or our service providers transfer your personal information outside the EEA or UK to a country that has not been recognised as providing an adequate level of data protection (including Australia and the United States), we rely on appropriate safeguards recognised under GDPR/UK GDPR — including the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum — with the relevant recipient.

10. Your Rights and Choices

Depending on where you live, you may have some or all of the following rights. These are not absolute and may be subject to exceptions permitted by law.

  • Access — request access to the personal information we hold about you.
  • Correction / Rectification — request that we correct inaccurate or incomplete information.
  • Deletion / Erasure — request that we delete your personal information, subject to legal retention obligations (e.g. tax/corporate records).
  • Portability — request a copy of your information in a portable format, or that we transfer it to a third party, in certain circumstances.
  • Restriction of Processing — ask us to pause our processing of your information while a request or dispute is resolved.
  • Object — object to our processing of your information where we rely on legitimate interests, including for direct marketing, at any time and without needing to give a reason.
  • Withdraw Consent — where we rely on your consent (e.g. cookie consent, marketing consent), withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
  • Automated Decision-Making — we do not currently make any decisions about you based solely on automated processing (including profiling) that produce legal or similarly significant effects on you.
  • Lodge a Complaint — see Section 12 below.

You can exercise these rights by contacting us at hello@spacepenguin.io. We may need to verify your identity before actioning a request, and we will respond within the timeframes required by applicable law (including the one-month default response period under GDPR).

11. Australian Privacy Act and Notifiable Data Breaches

We handle personal information in accordance with the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), including in relation to the cross-border disclosure of personal information (APP 8) as described in Section 9.

If we experience a data breach that is likely to result in serious harm to affected individuals (an “eligible data breach” under the Notifiable Data Breaches scheme), we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, in accordance with the Privacy Act. Where GDPR also applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, and affected individuals where required.

12. Complaints

If you have a complaint about how we handle your personal information, please contact us first at hello@spacepenguin.io — all privacy complaints are handled centrally from our Melbourne, Victoria office, regardless of where you or the relevant service are based.

If you’re not satisfied with our response:

  • Australian residents may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
  • EU/UK residents may lodge a complaint with their local data protection supervisory authority (for example, the Information Commissioner’s Office (ICO) in the UK, or the relevant authority in your EU member state).

13. EU and UK Representatives

In accordance with Article 27 of the GDPR and UK GDPR, we intend to appoint a representative in the European Union and a representative in the United Kingdom for data protection matters, given we have visitors and customers based in those regions. Their contact details will be added here once appointed.

14. Security and Retention

We take reasonable technical and organisational measures to protect your personal information, but no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

We retain personal information for as long as needed to provide the Services, plus any additional period required to comply with our legal obligations (for example, Australian tax and corporate record-keeping laws typically require financial records to be kept for at least 7 years), resolve disputes, and enforce our agreements. Mail and parcel handling and retention follow the timeframes set out in our Terms of Service (Virtual Address — Mail and Parcel Handling). Marketing data is retained until you withdraw consent or opt out.

15. Children’s Data

The Services are not intended for use by children, and we do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, contact us to request its deletion.

16. User-Generated Content

If you post a review or other content in a public area of the Services, that content is publicly accessible, and we are not responsible for how others use information you choose to make public.

17. Third-Party Websites and Links

Our Services may link to third-party websites not controlled by us. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before providing them with information.

18. Contact Us

For any questions about this Privacy Policy, or to exercise any of your rights, contact us at:

SPACE PENGUIN PROPRIETARY LIMITED
hello@spacepenguin.io
Suite 1208/530 Little Collins St, Melbourne VIC 3000