Legal

Privacy Policy

Last updated: April 9, 2026

1. Who We Are

The Client Space ("we", "us", "our") is a secure file-sharing and client collaboration platform operated by Concepcion Design. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform at theclientspace.com and all associated subdomains.

Data Controller: Concepcion Design
Contact: [email protected]

2. What Data We Collect

Account Data

When you create an account or are invited to the platform, we collect:

Full name
Email address
Password (stored as a bcrypt hash — we never store plaintext passwords)
Multi-factor authentication enrollment status

Client Data

If you are an end-user (client) invited by a provider, they may also store:

Notes about your account
Notification preferences
Files uploaded to your client space
Form responses you submit

Usage Data

We automatically collect:

Access logs (login events, file uploads, downloads, deletions)
IP addresses associated with access events
Browser type and device information (via analytics, if consented)

Affiliate Data

If you register as an affiliate, we collect:

Referral code and referral link activity
Referral tracking (which signups used your link)
Commission records (amounts, status, payout history)

When you visit the platform via a referral link, we store a referral tracking cookie (see Section 11).

Analytics Data (with consent only)

If you accept analytics cookies, Google Analytics collects:

Pages visited and navigation patterns
Approximate geographic location (IP is anonymized)
Browser and device type
Session duration

We do not collect analytics data if you decline cookies. See Section 11 for details.

Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe's privacy policy governs the handling of your payment data.

3. How We Use Your Data

We process your personal data for the following purposes:

Purpose	Legal Basis (GDPR)
Providing the platform (authentication, file storage, collaboration)	Performance of contract (Art. 6(1)(b))
Sending transactional emails (invitations, upload notifications, password resets)	Performance of contract (Art. 6(1)(b))
Security (access logging, rate limiting, fraud prevention)	Legitimate interest (Art. 6(1)(f))
Platform improvement via analytics	Consent (Art. 6(1)(a))
Billing and payment processing	Performance of contract (Art. 6(1)(b))
Affiliate program (referral tracking, commission calculation, payout processing)	Performance of contract (Art. 6(1)(b))
Responding to support requests	Legitimate interest (Art. 6(1)(f))
Complying with legal obligations	Legal obligation (Art. 6(1)(c))

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

Onboarding and product emails

After you sign up as a tenant, we may send a short series of onboarding emails (a four-message drip campaign) to help you get the most out of the platform, as well as occasional product update messages. End-user clients of a tenant may also receive a weekly digest summarising recent activity in their portal. These messages are sent on the basis of legitimate interest (GDPR Art. 6(1)(f)) in keeping users informed about a service they are actively using. Every such email contains an unsubscribe link, and you can opt out at any time without affecting your ability to use the Service or receive transactional messages such as security alerts and billing notifications.

4. Data Storage & Security

We implement the following security measures to protect your data:

Encryption in transit: All data is transmitted over HTTPS/TLS.
Encryption at rest: Database (AES-256 via Supabase/AWS) and file storage (encrypted at rest via Cloudflare R2).
Authentication: Secure password hashing (bcrypt), optional multi-factor authentication (TOTP), session management via secure HTTP-only cookies.
Access control: Role-based access control with row-level security (RLS) enforced at the database level. Tenants cannot access other tenants' data.
File storage: Files are stored in tenant-isolated paths on Cloudflare R2 with presigned URLs that expire after 15 minutes.
Content Security Policy: Strict CSP headers to prevent cross-site scripting (XSS).
CSRF protection: All state-changing requests are protected against cross-site request forgery.
Rate limiting: Authentication and administrative endpoints are rate-limited to prevent brute-force attacks.
File validation: Uploaded files are validated for type, size, and content safety.
Immutable audit logging: File access events (uploads, downloads, deletions) are written to an append-only audit trail for accountability.

5. Sharing and Notification Features

Public share links

Tenants can generate public share links for individual files. A public share link allows anyone with the URL to download the file without signing in, until the link is revoked or expires. Tenants choose when to create a public share link, can revoke any link at any time from the file's options menu, and are responsible for ensuring that they only generate public links for files appropriate for unauthenticated access. Access via public share links is recorded in the audit trail in the same way as authenticated downloads.

Download notifications

Tenants can opt to receive an email notification when a client downloads a file from their portal. These download events are already recorded in the audit trail described in Section 4 — the notification is simply a configurable delivery of that audit event. Notifications can be enabled or disabled per tenant from the workspace settings.

6. AI-Powered Features

The Client Space includes two AI-powered chat features: an in-application support assistant on the Help page, and an embedded chatbot on our marketing website. When you use either feature, your messages — including any context you provide — are transmitted to a third-party AI provider (Anthropic or Google, depending on our current configuration) to generate a response. We use API-level access to these AI services, which operate under data processing agreements that do not permit your data to be used for training AI models.

In-application support assistant. Within the application, your messages may include references to client names, file activity, storage usage, or form submissions based on the questions you ask. Conversation content is not retained on our servers beyond the active session.

Marketing website chatbot. Conversations with the chatbot on theclientspace.com are stored on our servers so that our team can review them to improve the product and follow up on inquiries. Please avoid including sensitive personal information (such as passwords or payment details) in these conversations.

7. Sub-Processors

We use the following third-party services to operate the platform. Each processes data on our behalf under appropriate data processing agreements and/or Standard Contractual Clauses:

Service	Purpose	Data Processed	Location
Supabase	Database, authentication	Account data, files metadata, form responses, access logs	United States (AWS)
Cloudflare R2	File storage	Uploaded files, versioned file copies	United States
Vercel	Application hosting	Request logs, IP addresses	United States (edge network)
Cloudflare Pages	Marketing website hosting	Request logs, IP addresses	United States
Stripe	Payment processing	Provider billing data (name, email, payment method)	United States
Sinch Mailgun	Transactional email	Recipient email addresses, email content	United States
Google Analytics	Usage analytics (consent required)	Anonymized IP, page views, device info	United States
Anthropic	AI processing for support assistant and chatbot	Chat messages, contextual platform data	United States
Google	AI processing for support assistant (when active)	Chat messages, contextual platform data	United States
Sentry	Error tracking and monitoring	Error stack traces, browser and device type (IP addresses and user identifiers are stripped before transmission)	United States

All sub-processors maintain SOC 2 or equivalent certifications. Where data is transferred outside the European Economic Area (EEA) or UK, transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

8. Data Retention

Data Type	Retention Period
Account data	Retained while your account is active; deleted within 30 days of a deletion request
Uploaded files	Retained while your account is active; deleted (including all versions) when a client is removed
File versions	Retained alongside the current file; deleted when the file or client is removed
Form responses	Retained while your account is active; deleted when a client is removed
Access logs	Retained for up to 12 months for security and audit purposes
Analytics data	Retained per Google Analytics settings (currently 2 months)
Billing data	Retained as required by tax and accounting regulations (typically 7 years)
Affiliate records	Retained while the affiliate account is active; deleted within 30 days of a deletion request
Referral records	Retained for 24 months after creation for attribution and analytics
Commission and payout records	Retained for 7 years (financial/tax records)

When an account is deleted, all associated data (files, file versions, form responses, comments, and access logs) is permanently removed from our database and file storage within 30 days.

9. Your Rights

Under the GDPR and UK GDPR, you have the following rights:

Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
Right to data portability (Art. 20) — You can download your data in a machine-readable format (JSON) from your Account Settings page.
Right to rectification (Art. 16) — You can request corrections to inaccurate data. Contact your provider or email us.
Right to erasure (Art. 17) — You can request deletion of your account and all associated data from your Account Settings page. We will fulfil the request within 30 days.
Right to restrict processing (Art. 18) — You can request that we limit how we process your data.
Right to object (Art. 21) — You can object to processing based on legitimate interest.
Right to withdraw consent (Art. 7(3)) — You can withdraw consent for analytics cookies at any time via the cookie preferences on any page or in your Account Settings.

To exercise any of these rights, use the self-service options in your Account Settings or contact us at [email protected]. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority:

UK: Information Commissioner's Office (ico.org.uk)
EU: Your national supervisory authority (edpb.europa.eu/about-edpb/about-edpb/members_en)

10. International Data Transfers

Our platform infrastructure is primarily located in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States.

We ensure that all international data transfers are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with sub-processors
Data Processing Agreements (DPAs) with all sub-processors
EU-US Data Privacy Framework certifications where applicable (Cloudflare, Google, Stripe)

11. Cookies

Essential Cookies (always active)

These are required for the platform to function and cannot be disabled:

Authentication cookies — Keep you signed in across pages
CSRF tokens — Protect against cross-site request forgery
MFA session cookies — Maintain multi-factor authentication state
Referral tracking cookie (tcs_ref) — When you arrive via an affiliate referral link, this cookie stores the referral code for 30 days to attribute your signup to the referring affiliate. It is deleted after you complete registration.

Analytics Cookies (optional, consent required)

These are only set if you accept analytics cookies:

Google Analytics (_ga, _ga_*) — Help us understand how the platform is used. IP addresses are anonymized. No data is shared with third parties for advertising.

You can manage your cookie preferences at any time:

Via the cookie banner shown on your first visit
Via the "Manage cookie preferences" option in your Account Settings
By clearing cookies in your browser settings

If you decline analytics cookies, Google Analytics will not collect any identifying information from your session.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on this page with a revised "Last updated" date
Sending an email notification for significant changes that affect your rights

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights:

Email: [email protected]

For data protection inquiries specifically, please include "GDPR" or "Data Request" in your subject line to ensure prompt handling.