Back to home

Privacy Policy

v4.0Effective: 13 March 2026

This policy explains how Spixes collects, uses, and protects your personal data. We are committed to transparency and GDPR compliance.

Contents

1.Data Controller

2.Data Collected

3.Processing Purposes

4.Data Recipients

5.Data Transfers

6.Retention Periods

7.Your Rights

8.Security

9.Minors

10.Cookies

11.Modifications

12.Contact

In accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and Estonian law on personal data protection

Article 1 – Preamble and Commitment

Spixes OÜ (hereinafter "Spixes", "we", "the Company") attaches paramount importance to the protection of its users' personal data.

This Privacy Policy aims to inform you about how we collect, use, share and protect your personal data in the context of using the Spixes platform (hereinafter "the Platform").

This policy applies to all users of the Platform, regardless of the feature used:

  • Volunteering Service: matching between Establishments (hostels, hotels, associations) and Volunteers (Backpackers)
  • Job Offers Service: matching between Companies and Candidates for paid job opportunities

Article 2 – Data Controller Identification

Data controller

SPIXES OÜ

Legal form: Osaühing (private limited liability company under Estonian law)

Registration number: 17445798

Registered office: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145 Tallinn, Estonia

Data protection contact email: contact@wearespixes.com

Legal representatives: Nicolas Michaud, Jules Seyeux, Guillaume Sallé

Data Protection Officer (DPO)

DPO: Nicolas Michaud

Email: contact@wearespixes.com

Article 3 – Personal Data Collected

3.1 Data Collected Upon Registration

When registering on the Platform, we collect the following data:

For all users:

  • First and last name (or company name for legal entities)
  • Email address
  • Password (encrypted)
  • Date of birth (to verify legal age)
  • Nationality
  • Country of residence
  • Preferred language

For Backpackers / Candidates (Volunteering and Job Offers):

  • Profile photo (optional)
  • Biography / personal presentation
  • Interests and skills
  • Spoken languages
  • Past experience (volunteering or employment) – optional
  • CV and cover letter (Job Offers only) – optional
  • Social media or portfolio links (optional)

For Establishments / Companies:

  • Establishment or company name
  • Type of structure (hostel, hotel, association, company, etc.)
  • Full address
  • Phone number
  • Website (optional)
  • Business registration number or local equivalent
  • Logo and photos (optional)
  • Description of the job or mission offered

3.2 Data Collected During Platform Use

  • Navigation data: IP address, browser type, operating system, pages consulted, visit duration, timestamp
  • Geolocation data: if you enable this feature (with your explicit consent)
  • Communication data: content of messages exchanged via integrated messaging
  • Matching data: application history, acceptances and refusals
  • Transaction data: for Premium Backpackers: payment information (processed by our provider Stripe), subscription history and invoices
  • Social Space data: groups created or joined, events organized or participated in, publications and comments published, interactions with other Backpackers (likes, shares)

3.3 Identity Verification Data

To fight fraud and ensure security, we may ask you to provide:

  • A copy of your identity document (identity card, passport)
  • An additional photo for facial verification
  • Proof of address (for Establishments / Companies)

3.4 Cookies and Similar Technologies

We use cookies and tracking technologies. Consult our Cookie Policy for more information.

Article 4 – Processing Purposes and Legal Bases

We process your personal data for the following purposes, on the indicated legal bases:

  • Creation and management of your user account – Contract performance (art. 6.1.b)
  • Provision of connection services – Contract performance
  • Payment processing (Premium Subscription) – Contract performance
  • Identity verification and fraud prevention – Legitimate interest (art. 6.1.f) + Legal obligation (art. 6.1.c)
  • Platform improvement and new feature development – Legitimate interest
  • User experience personalization (recommendations, matching) – Legitimate interest
  • Sending transactional communications (confirmations, notifications) – Contract performance
  • Sending newsletters and marketing communications – Consent (art. 6.1.a) – with opt-in
  • Compliance with legal and regulatory obligations – Legal obligation
  • Response to competent authority requests – Legal obligation
  • Dispute and complaint management – Legitimate interest
  • Statistical analyses and market studies (anonymized data) – Legitimate interest
  • Platform security and cyberattack prevention – Legitimate interest
  • Social Space functioning (groups, events, interactions) – Contract performance
  • Moderation of content published in Social Space – Legitimate interest

Article 5 – Personal Data Recipients

Your personal data may be communicated to the following categories of recipients:

5.1 Within Spixes

Authorized Spixes personnel (developers, customer service, moderation team, management)

5.2 Other Platform Users

  • Public profile: certain information (name, first name, photo, biography, skills) is visible to other users
  • Messaging: your message content is accessible to your interlocutors

5.3 Service Providers (Processors)

  • Hosting: Railway – servers located within the EU
  • Payment: Stripe Payments Europe Ltd. (Ireland) – PCI-DSS certified
  • Emailing (SMTP): SendGrid – notifications and newsletters
  • Audience analytics: not yet determined
  • Customer support: not yet determined
  • Identity verification: not yet determined

Note: All our processors are contractually bound to respect GDPR and guarantee your data security.

5.4 Legal Authorities

In case of legal obligation or request from a competent judicial or administrative authority.

5.5 Third Parties in Case of Transfer

In case of merger, acquisition, asset sale or restructuring, your data may be transferred to the acquiring third party.

Article 6 – Data Transfers Outside EU/EEA

6.1 Principle

Your personal data is hosted on servers located within the European Union / European Economic Area (EU/EEA).

6.2 Exceptions

Some of our processors may be located in third countries (outside EU/EEA).

In this case, we ensure that the transfer is framed by one of the following guarantees:

  • European Commission adequacy decision (art. 45 GDPR)
  • Standard contractual clauses (SCC) approved by the European Commission (art. 46 GDPR)
  • Binding corporate rules (BCR) approved by a supervisory authority
  • The EU–US Data Privacy Framework (DPF), adopted in July 2023, for certified US sub-processors

You can obtain a copy of appropriate guarantees by contacting us at: contact@wearespixes.com.

Article 7 – Data Retention Period

We retain your personal data only for the duration necessary for the purposes for which it was collected, in compliance with legal obligations.

  • Active account data: Duration of Platform use + 3 years after last activity
  • Deleted account data (by user): Immediate deletion, except legal obligations
  • Job Offers applications (unsuccessful): 2 years from date of application
  • Billing and payment data: 10 years (accounting and tax obligation)
  • Identity verification data: 5 years after end of contractual relationship
  • Connection logs and technical data: 12 months (legal security obligation)
  • Cookies: In accordance with Cookie Policy (13 months maximum)
  • Litigation data: Duration of procedure + applicable limitation periods
  • Social Space data (groups, events, posts): Duration of group/event existence + 1 year after deletion or closure

Anonymized data: anonymized statistical data may be retained indefinitely for analysis purposes.

Article 8 – Your Rights Regarding Your Personal Data

In accordance with GDPR, you have the following rights:

8.1 Right of Access (art. 15 GDPR)

You have the right to obtain confirmation that your data is being processed and to access this data.

8.2 Right to Rectification (art. 16 GDPR)

You may request correction of inaccurate or incomplete data.

8.3 Right to Erasure / "Right to be Forgotten" (art. 17 GDPR)

You may request deletion of your data in the following cases:

  • Data is no longer necessary
  • You withdraw your consent
  • You object to processing
  • Data has been processed unlawfully
  • A legal obligation requires it

Exceptions: this right does not apply if retention is necessary to comply with a legal obligation or for establishment, exercise or defense of legal claims.

8.3 bis – Right to Erasure of Social Space Content

You may delete directly from the interface: your posts, comments, group participation, or events you created.

Upon full account deletion: all Social Space content is deleted, except where legal obligations apply. Comments on other users' posts will be anonymised (displayed as "Deleted User").

8.4 Right to Restriction of Processing (art. 18 GDPR)

You may request temporary suspension of your data processing in certain cases (contesting accuracy, unlawful processing, etc.).

8.5 Right to Data Portability (art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format, and to transmit it to another data controller.

8.6 Right to Object (art. 21 GDPR)

You may object at any time to processing of your data based on legitimate interest, particularly for commercial prospection purposes.

8.7 Right to Withdraw Consent (art. 7.3 GDPR)

If processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.

8.8 Right to Define Post-Mortem Directives

You may define directives concerning the fate of your data after your death, in accordance with Article 85 of GDPR and applicable Estonian law (Personal Data Protection Act).

8.9 Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority:

Estonia (data controller's country)

Data Protection Inspectorate (Andmekaitse Inspektsioon)

Address: Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: https://www.aki.ee

France (if you reside in France)

CNIL (Commission Nationale de l'Informatique et des Libertés)

Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Phone: +33 1 53 73 22 22
Website: https://www.cnil.fr

8.10 Exercising Your Rights

To exercise your rights, you may:

  • Send an email to: contact@wearespixes.com
  • Send postal mail to: Spixes OÜ, Tornimäe tn 5, 10145 Tallinn, Estonia
  • Use the dedicated form in your personal space on the Platform

We undertake to respond within one (1) month from receipt of your request. This period may be extended by two months in case of complexity or multiplicity of requests.

Supporting document: for security reasons, we may ask you to prove your identity (copy of identity document).

Article 9 – Personal Data Security

9.1 Technical and Organizational Measures

Spixes implements all appropriate technical and organizational measures to guarantee a level of security adapted to the risk, including:

  • Encryption: encryption of sensitive data (passwords, banking data) with robust algorithms (AES-256, TLS 1.3)
  • Pseudonymization and anonymization: when possible
  • Access control: access limited to authorized persons only, with strong authentication
  • Monitoring and detection: intrusion detection systems, access logging
  • Regular backups: daily backup copies, stored securely
  • Security testing: regular audits, penetration testing
  • Staff training: awareness of data protection and security
  • Security policy: strict internal procedures

9.2 Personal Data Breach

In case of personal data breach likely to pose a high risk to your rights and freedoms, we undertake to:

  • Notify the competent supervisory authority within 72 hours (art. 33 GDPR)
  • Inform you as soon as possible (art. 34 GDPR)
  • Implement all necessary measures to limit consequences

Article 10 – Minors' Data

The Platform is strictly reserved for persons of legal age (18 years old).

Spixes does not knowingly collect personal data concerning minors.

If you are aware that a minor has provided personal data on the Platform, please contact us immediately at: contact@wearespixes.com.

We will proceed with immediate deletion of this data.

Article 11 – Cookies and Similar Technologies

Use of cookies and tracking technologies is detailed in our Cookie Policy.

You can manage your cookie preferences at any time via the cookie management banner or your browser settings.

Article 12 – Modifications to Privacy Policy

Spixes reserves the right to modify this Privacy Policy at any time, particularly to comply with any legal, regulatory or technical evolution.

Any substantial modification will be notified to you by:

  • Email to the address associated with your account
  • Notification on the Platform
  • Update of the "last update" date at the top of this document

Modifications will take effect thirty (30) days after their notification.

Continued use of the Platform after modifications take effect constitutes acceptance of the new policy.

Article 13 – Contact and Data Protection Officer

For any question regarding protection of your personal data or to exercise your rights, you may contact:

Data Protection Service

Email: contact@wearespixes.com

Mail: Spixes OÜ – DPO Department, Tornimäe tn 5, 10145 Tallinn, Estonia

Data Protection Officer (DPO)

DPO: Nicolas Michaud

Email: contact@wearespixes.com

Article 14 – Applicable Legislation

This Privacy Policy is governed by Regulation (EU) 2016/679 (GDPR) and Estonian legislation on personal data protection (Personal Data Protection Act).

END OF PRIVACY POLICY

Document established in accordance with GDPR and European Data Protection Board (EDPB) guidelines.
Last update: 13 March 2026

Spixes OÜ · Tallinn, Estonia · contact@wearespixes.com

TermsPrivacyCookies