Localo

Privacy Policy

Last updated: 26 May 2025

1. Who we are

Localo (“we”, “us”, “our”) operates the website at localo.work. Localo is the data controller for personal data processed through this service. You can contact us at info@localo.work.

2. What data we collect and why

Account data

When you sign in we store your email address, your name and avatar provided by your OAuth provider (Google), and — if you set them — a username and display name. Legal basis: performance of a contract (your account).

OAuth tokens

To authenticate you via Google we store OAuth provider tokens (access token, refresh token, expiry). These are used only for authentication and are deleted when you delete your account. Legal basis: performance of a contract.

User-generated content

Reviews, saved spots, and spot suggestions you submit are stored in our database linked to your account. Legal basis: performance of a contract / legitimate interest (maintaining accurate community data).

Affiliate click tracking

When you click a booking or affiliate link on a spot page we record the spot ID, your user ID (if signed in), a SHA-256 hash of your IP address, and a timestamp. We use this to measure referral performance. The IP hash is derived data — it cannot be reversed to your original IP, but under GDPR it is still considered personal data. Legal basis: legitimate interest (fraud prevention and referral attribution).

Analytics

With your consent we use Vercel Analytics to collect anonymised page view and interaction data. No personally identifiable information is sent to Vercel Analytics. Legal basis: consent (GDPR Art. 6(1)(a)). You can withdraw consent at any time via the cookie preferences link in the footer.

3. Cookies

Cookie | Purpose | Consent required
--- | --- | ---
next-auth.session-token | Keeps you signed in (HTTP-only, JWT) | No — strictly necessary
next-auth.csrf-token | Prevents cross-site request forgery | No — strictly necessary
_vercel_* | Vercel Analytics page-view data | Yes — requires consent

You can change your analytics cookie preference at any time using the banner that appears on your first visit, or by clearing your browser’s local storage for this site.

4. Third-party processors

We share data with the following processors to operate the service:

  • Vercel — hosting, edge network, and analytics.
  • Neon — managed PostgreSQL database hosting.
  • Google — OAuth sign-in; server-side Places API (place data is fetched server-side and is never sent to Google on your behalf from your browser).
  • Resend — transactional email (sign-in magic links and spot suggestion notifications). Your email address is transmitted to Resend only to deliver these messages.
  • Mapbox — map tile rendering in your browser. Mapbox may process your IP address to serve map tiles.

We do not sell your personal data to any third party, and we do not use your data for advertising.

5. Data retention

Your account data is retained for as long as your account is active. Session and verification tokens expire automatically (typically within 24 hours).

Affiliate click records are retained indefinitely at present. We plan to introduce automatic deletion of records older than 90 days.

When you delete your account all personal data linked to it (reviews, saved spots, suggestions, OAuth tokens, and sessions) is permanently deleted. Spots you submitted remain visible but are attributed to “Anonymous”.

6. Your rights

Under GDPR you have the right to:

  • Access — download a copy of your data from Account settings.
  • Erasure (“right to be forgotten”) — delete your account and all associated personal data from Account settings.
  • Rectification — update your display name in Account settings.
  • Portability — the data export includes your data in machine-readable JSON format.
  • Objection / withdrawal of consent — withdraw analytics consent via the cookie preference banner.

To exercise any right not covered by the self-service tools above, email us at info@localo.work. We will respond within 30 days.

7. International data transfers

Our infrastructure is hosted by Vercel and Neon. Data may be processed in the United States or other countries outside the EEA. Where required, transfers are covered by Standard Contractual Clauses (SCCs) or equivalent safeguards. Contact us for more information.

8. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page will reflect any changes. Continued use of Localo after a change constitutes acceptance of the updated policy.
