CoWork
G
Privacy
How we handle your data
cowork exists so people in London can show up and work alongside each other in real life. To do that we hold a small amount of information about you. This page tells you exactly what, why, and how to take it back if you change your mind.
Who runs this
cowork is operated by Mya Indigo in the United Kingdom. Under UK GDPR, Robert de Souza is the data controller for everything on joincowork.org. If you want to talk to a real person about your data, the email below reaches him directly:
coworkjoin@gmail.com
What we collect
The short version: as little as we can get away with. The longer version:
Email address. Required so we can sign you in and send confirmations.
Profile bits. Name, handle, avatar colour, optional bio. Optional except for the handle, which we need so other members can find you.
Borough preference. Optional. Helps us surface sessions near you.
RSVPs. Which sessions you joined, who hosted them, whether the host approved you.
Session messages. Anything you write inside a session chat is stored against your account.
Technical metadata. IP address, browser, timestamps. Held by Supabase and Vercel in their standard request logs. We use this for security, debugging, and spotting abuse. We do not run analytics cookies, we do not run ad tracking, and we do not sell any of it.
Why we hold it
Sign you in and keep your seat across visits.
Show your handle and colour to hosts and other attendees.
Send confirmation and reminder emails for sessions you RSVP to.
Spot spam, abuse, and crashes before they hurt anyone.
Legal basis under GDPR: contract (we cannot run the service without your email + handle), legitimate interest (security logs, abuse prevention), and consent for anything optional you give us, such as bio or borough.
Who else touches it
We use two outside companies to run the site. They each hold their own data-processing agreements with us:
Supabase stores the database and handles sign-in. Our project sits on EU servers (eu-central-1). See supabase.com/privacy.
Vercel hosts the website and serves pages from edge locations around the world. See vercel.com/legal/privacy-policy.
Resend is on the roadmap for transactional emails. We will update this page before we switch it on. Resend sends via Amazon SES from US infrastructure.
We share with no one else. Your data is not sold, rented, or traded to advertisers, brokers, or partners.
Who can see what
When you RSVP to a session, the host sees:
Your handle, name, avatar initial, and colour.
Anything you have made public on your profile (bio, borough).
Your RSVP timestamp.
Other attendees see the same. They do not see your email address. The venue address is visible on every open session so people can plan their journey. If a session is cancelled, the address is hidden again.
Cookies
We use one cookie. It keeps you signed in and tells the database which posts and RSVPs belong to you. That is it. No analytics cookie, no advertising pixel, no third-party tracker. If we ever add analytics we will update this page first and ask before turning it on.
Your rights under GDPR
You can ask us to do any of the following. We will respond within 30 days, usually much sooner.
Access. Get a copy of everything we hold about you.
Rectification. Fix anything wrong or out of date.
Erasure. Delete your account. That wipes your profile, RSVPs, and messages.
Portability. Take your data elsewhere in a machine-readable form.
Restriction or objection. Pause processing or push back on a specific use.
Email coworkjoin@gmail.com with the subject "data request". If you think we have messed up your rights, you can complain to the UK Information Commissioner's Office at ico.org.uk.
How long we keep it
Profile, RSVPs, and messages stay while your account is open.
When you delete your account, everything is soft-deleted for 30 days. That gives you a recovery window if you change your mind. After 30 days it is wiped from the live database.
Audit logs, things like sign-in events and admin actions, are held for 12 months for security and then dropped.
Backups roll on a 30-day cycle. After that any deleted record is gone from backups too.
Where the data sits
The Supabase database is on EU servers. Vercel serves pages from its global edge network, which means a static page might render from a server outside the EU, but the underlying personal data still lives in Supabase EU. Where personal data crosses borders (Vercel logs in the US, Resend in the future), we rely on the Standard Contractual Clauses approved by the European Commission.
Under 16s
cowork is for adults and older teens. You need to be 16 or over to sign up. If you find out an under-16 has an account, email us and we will close it.
When this page changes
We will tell you by email and put a banner on the site at least 14 days before any material change. Small fixes like typos go in quietly with the date below bumped.
Get in touch
Questions, corrections, complaints, anything at all: coworkjoin@gmail.com.
Last updated 2026-05-27.
CoWork
Made in London. London co-working sessions, hosted weekly.
Home
Sign in
Privacy
Terms
Contact