Privacy Policy
Last updated: 4 June 2026 · Version 2.0
This Privacy Policy (the "Policy") describes how Finikos S.r.l. ("Finikos", "we", "us" or "our") collects, uses, discloses, transfers, retains and otherwise processes personal data in connection with the mobile application Space Context (the "App") and the related websites, interfaces and services that link to this Policy (together with the App, the "Service"). It also explains the rights available to you under the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and applicable Italian data-protection law (Legislative Decree No. 196/2003, as amended, the "Privacy Code").
This Policy forms part of, and should be read together with, our Terms of Service. Capitalised terms not defined here have the meaning given to them in the Terms of Service. By installing, accessing or using the Service you acknowledge that you have read and understood this Policy. Where we rely on your consent, separate consent will be requested in the App.
1. Data controller and contact details
The controller of your personal data is:
Finikos S.r.l.
Registered office: Via Francesco Ostermann 6/7, 33033 Codroipo (UD), Italy
VAT / Tax code: IT03189520301
Privacy contact: privacy@finikos.it
We have not appointed a Data Protection Officer where one is not mandatory under Article 37 GDPR. You may contact us in relation to any matter described in this Policy using the address above.
2. Definitions
- "Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing" has the meaning given in Article 4(2) GDPR and includes collection, storage, use, disclosure and deletion.
- "Content" means the videos of physical spaces that you record or upload, the audio you capture, and the frames, transcripts, inventories, condition assessments, reports, structured data and question-and-answer outputs generated from them.
- "Sub-processor" means a third party engaged by us to process personal data on our behalf and on our instructions.
3. Categories of personal data we process
We practise data minimisation and collect only the data we need to operate the Service. The categories below depend on how you use the Service.
| Category | Examples | Collected |
|---|---|---|
| Account and authentication data | Email address; display name, where provided by your identity provider; provider identifier (Apple, Google); one-time codes sent by email | On sign-up and sign-in |
| Content | Videos of spaces you record, extracted frames, audio track and its transcript, generated inventories, condition assessments, reports and Q&A answers | When you use the capture and analysis features |
| Profile data | Avatar image, where you choose to upload one | Optional |
| Transaction and subscription data | Purchase and subscription status, plan, credit balance, renewal status. Payment-card data is processed by Apple and is not accessible to us | On purchase and renewal |
| Usage and product data | Number of scans and questions performed, features used, in-App events necessary to deliver and maintain the Service | While using the Service |
| Device and technical data | Device type and model, operating-system version, App version, language and region settings, and diagnostic data essential to operation, stability and security | While using the Service |
| Communications | The content of, and metadata relating to, messages you send to support | When you contact us |
We do not intentionally collect special categories of personal data (Article 9 GDPR). You are responsible for ensuring that the Content you capture does not contain such data unless you have a valid legal basis for it. See Section 7.
4. Sources of personal data
We obtain personal data: (a) directly from you, when you create an account, capture or upload Content, configure the App, make a purchase or contact us; (b) automatically, when you use the Service, through your device and the App; and (c) from third parties, namely the identity providers you choose to authenticate with (Apple, Google) and Apple in relation to your purchases.
5. Purposes of processing and legal bases
We process personal data only where a lawful basis under Article 6 GDPR applies. The table below sets out each purpose, the categories involved and the corresponding legal basis.
| Purpose | Categories | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Create and administer your account; authenticate sign-in | Account and authentication data | (b) performance of a contract |
| Provide the Service: capture, AI analysis, generation of inventories, assessments, transcripts and reports, storage, synchronisation and export | Content, profile, usage, technical | (b) performance of a contract |
| Process purchases, manage credits and subscriptions, and meet tax and accounting obligations | Transaction and subscription, account | (b) performance of a contract and (c) compliance with a legal obligation |
| Provide customer support and handle your requests and complaints | Account, usage, communications | (b) performance of a contract and (f) our legitimate interest in assisting users |
| Maintain security, prevent and detect fraud, abuse and misuse, ensure stability, and debug | Technical, usage | (f) our legitimate interest in protecting the Service and its users |
| Comply with legal obligations and respond to lawful requests of competent authorities | As required | (c) compliance with a legal obligation |
| Establish, exercise or defend legal claims | As relevant | (f) our legitimate interest in protecting our rights |
Where we rely on legitimate interests, we have carried out a balancing assessment to ensure that those interests are not overridden by your rights and freedoms, and you may object as described in Section 12. We do not process your personal data for advertising, profiling or marketing purposes, and we do not sell your personal data.
6. How we process your Content and the role of artificial intelligence
The videos, frames and audio you capture are processed, including through third-party artificial-intelligence services, solely to produce the outputs you request, namely inventories, condition assessments, transcripts, structured data and reports. This processing is necessary to perform the contract under which you obtain the Service.
The Service does not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. The outputs generated by the Service are informational tools intended to assist you, may contain inaccuracies, and are subject to your independent review and judgement.
7. Content depicting third parties; your responsibilities and warranties
The Content you capture may depict premises, objects and, potentially, individuals other than you, including their images, voices or personal effects. With respect to such third-party personal data, you act as an independent data controller (or, where applicable, you are responsible for the lawfulness of the recording under other legislation), and Finikos and its sub-processors act solely as processors that process such data on your instructions for the purpose of delivering the outputs you request.
You represent, warrant and undertake that, before capturing or uploading Content, you hold all rights, permissions, consents and lawful bases required to record the relevant premises and any persons or property appearing in the Content, and to have that Content processed as described in this Policy, and that the capture and processing of such Content do not infringe any third party's privacy, image, property, confidentiality or other rights. You are solely responsible for providing any notices and obtaining any consents required by applicable law. As set out in the Terms of Service, you agree to indemnify us in respect of claims arising from a breach of these warranties.
8. Recipients and sub-processors
We disclose personal data only to the recipients necessary to operate the Service. These recipients act as our processors under written data-processing agreements that meet the requirements of Article 28 GDPR, or as independent controllers where they determine the purposes and means of processing in their own right (for example, the identity and payment providers in respect of authentication and payment).
To operate the Service we rely on a limited number of trusted providers. We use Apple for Sign in with Apple and for processing purchases and subscriptions through the App Store and StoreKit, and, where you choose it, Google for Sign in with Google; in respect of authentication and payment these providers also act as independent controllers. To deliver the core functionality we additionally rely on infrastructure and processing providers, namely a cloud hosting and storage provider, with storage and the database located in the European Union and encrypted at rest, a provider that performs the artificial-intelligence analysis used to generate inventories, assessments and transcripts, and a transactional email provider used to deliver sign-in verification codes. Some of these providers process data outside the European Economic Area, as described in Section 9. Content submitted to the artificial-intelligence provider through its interface is not used to train its models and is retained only transiently, for up to 30 days, for abuse and safety monitoring before deletion.
We may also disclose personal data: (a) to professional advisers (such as lawyers and accountants) under duties of confidentiality; (b) to public authorities, courts or regulators where required by law or to protect our rights; and (c) to a successor entity in the context of a merger, acquisition, reorganisation or sale of assets, subject to this Policy continuing to apply. We disclose recipients by category in this Policy; a current list of the specific providers we engage within each category is available on request at privacy@finikos.it, and that list may be updated from time to time as described in Section 16.
9. International transfers
Some of the providers described above process personal data outside the European Economic Area. Where this occurs, we ensure that an appropriate transfer mechanism under Chapter V GDPR is in place, namely the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), supplemented where appropriate by additional technical and organisational measures, or, where the recipient is certified, the EU-U.S. Data Privacy Framework. You may request a copy of the relevant safeguards using the contact details in Section 1.
10. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, after which it is deleted or irreversibly anonymised.
| Data | Retention period |
|---|---|
| Account and Content (including videos, frames, transcripts, inventories and reports) | For as long as your account or the related project remains active. Some pending items may also be stored locally on your device. You may delete individual items in the App at any time |
| Data following account deletion | Upon deletion of your account (Settings, then Delete account) the associated data is permanently deleted from our database and storage (this is not a soft delete), except data we are required to retain by law |
| Transaction, tax and accounting records | For the period required by applicable tax and accounting law, generally up to 10 years |
| Support communications | Generally up to 24 months after the matter is resolved |
| Security and diagnostic logs | Generally up to 12 months, unless a longer period is required to investigate an incident or to establish, exercise or defend a legal claim |
11. Security
We implement technical and organisational measures appropriate to the risk, in accordance with Article 32 GDPR. These include encryption of data in transit and at rest, storage of authentication tokens in the device Keychain, access controls and the principle of least privilege, segregation of environments, and contractual security commitments from our sub-processors. No method of transmission or storage is completely secure, and while we work to protect your personal data we cannot guarantee absolute security.
12. Your rights
Subject to the conditions and exceptions in the GDPR, you have the right to: (a) access your personal data and obtain a copy of it; (b) rectify inaccurate or incomplete data; (c) erase data ("right to be forgotten"); (d) restrict processing; (e) object to processing based on legitimate interests; (f) data portability, in a structured, commonly used and machine-readable format; and (g) where processing is based on consent, withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
You may exercise these rights by: deleting your account directly in the App (Settings, then Delete account); or contacting us at privacy@finikos.it. We will respond without undue delay and in any event within one month of receipt, a period that may be extended by two further months where necessary, taking into account the complexity and number of requests, in which case we will inform you. We may need to verify your identity before acting on a request, and we may decline or charge a reasonable fee for requests that are manifestly unfounded or excessive. You also have the right to lodge a complaint with a supervisory authority, in Italy the Garante per la protezione dei dati personali (www.garanteprivacy.it), or with the authority of your habitual residence or place of work.
13. Cookies, local storage and analytics
The App stores limited data locally on your device, including authentication tokens and items pending processing, in order to function. Our public website uses only strictly necessary technical cookies and local storage required to deliver the pages you request and does not employ profiling cookies, advertising trackers or third-party analytics that require consent. Where any non-essential technologies are introduced in future, we will request your consent in accordance with applicable law before they are used.
14. Children
The Service is not directed to, and is not intended for, children under the age of 13 (or any higher age of digital consent under applicable national law), and we do not knowingly collect their personal data. If you believe that a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.
15. Third-party services and links
The Service relies on, and may contain links to, third-party services and content (including those of the recipients listed in Section 8). Those third parties process data under their own privacy policies, over which we have no control and for which we are not responsible. We encourage you to review their policies.
16. Changes to this Policy
We may update this Policy from time to time, for example to reflect changes to the Service, to our sub-processors, or to legal requirements. We will update the "Last updated" date above and, where the changes are material, provide additional notice within the App or by other appropriate means. Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy, to the extent permitted by law.
17. How to contact us
For any question or request concerning this Policy or your personal data, contact us at privacy@finikos.it or by post at the registered office indicated in Section 1.