Privacy Policy

Personal Data Processing Information

Last updated: January 10, 2026

🔒 Your privacy matters to us. This policy describes how we collect, use and protect your personal data in compliance with EU Regulation 2016/679 (GDPR).

BETA VERSION
Local Hours is currently in beta phase and is a personal project between private individuals. Many features are not yet fully implemented. Your data can be deleted at any time by deleting your account directly from the platform, or by sending a request to postmaster@localhrs.com.

1. Data Controller

The Data Controller for your personal data is a private individual based in Italy who operates Local Hours as a personal project in beta phase.

Project: Local Hours (personal project)

Email: privacy@localhrs.com

Data Deletion Requests: postmaster@localhrs.com

For any privacy questions, you can contact us at the email addresses above.

2. Personal Data Collected

We collect the following categories of personal data:

2.1 Data you provide directly

Category | Specific Data
Registration data | Name, surname, email, password (encrypted), profile photo
Profile data | Bio, languages spoken, city, interests, date of birth
Local data | ID document (for verification), IBAN, tax address
Experience data | Title, description, photos, location, price, availability
Communications | Messages between Locals and Participants, reviews

2.2 Automatically collected data

Category | Specific Data
Browsing data | IP address, browser, device, operating system
Usage data | Pages visited, time spent, clicks, searches
Geolocation | Approximate location (only with your permission)
Cookies and trackers | Session identifiers, preferences, analytics

2.3 Data from third parties

  • Social login: If you sign in with Google/Facebook, we receive name, email and profile photo
  • Payment providers: Stripe/PayPal sends us payment status (not card details)

3. Processing Purposes

Purpose | Description | Legal Basis
Service delivery | Account management, bookings, payments, communications | Contract
Security | Fraud prevention, Local identity verification, content moderation | Legitimate interest
Service communications | Booking confirmations, reminders, important notices | Contract
Marketing | Newsletter, personalized offers, promotions | Consent
Analytics | Platform usage analysis, service improvement | Legitimate interest
Legal obligations | Invoicing, tax compliance, authority requests | Legal obligation

5. Data Retention

We keep your data only as long as necessary:

Data Type | Retention Period
Account data | Until account deletion + 30 days backup
Transaction/invoice data | 10 years (Italian tax requirement)
Messages and communications | 3 years from account closure
Public reviews | Indefinite (anonymized after deletion)
Navigation logs | 12 months
Analytics cookies | 26 months (Google Analytics)

6. Data Sharing

We do not sell your personal data. We only share it with:

6.1 Other platform users

  • Your public profile (name, photo, bio, reviews) is visible to other users
  • When you book, the Local sees: name, photo, email, special requests
  • When you host, the Participant sees: name, photo, bio, contacts

6.2 Service providers (Data Processors)

Provider | Service | Data Shared
Supabase | Database and authentication | All account data
Stripe / PayPal | Payments | Email, amounts, IBAN (Locals)
Cloudinary | Image storage | Uploaded photos
Aruba SMTP | Email delivery | Email, name
Google Analytics | Analytics | Anonymized browsing data
Vercel / Render | Hosting | Access logs

All providers have signed a GDPR-compliant Data Processing Agreement (DPA).

7. International Transfers

Some of our providers are based outside the EU/EEA (e.g. USA). In these cases, we protect your data through:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • EU-US Data Privacy Framework (for certified providers)
  • Binding Corporate Rules (for large multinationals)

8. Data Security

We implement technical and organizational measures to protect your data:

🔐 Encryption

  • HTTPS/TLS for all connections
  • Passwords hashed with bcrypt
  • Sensitive data encrypted at rest

🛡️ Access Control

  • Secure JWT authentication
  • Rate limiting against brute force
  • Need-to-know data access

🏢 Infrastructure

  • Certified data center servers
  • Automatic daily backups
  • 24/7 monitoring

📋 Procedures

  • Privacy training for team
  • Periodic security audits
  • 72h data breach procedure

9. Your Rights (GDPR Art. 15-22)

Under the GDPR, you have the following rights:

📋 Right of Access (Art. 15)

Request a copy of all data we hold about you.

✏️ Right to Rectification (Art. 16)

Correct inaccurate data or complete incomplete data.

🗑️ Right to Erasure (Art. 17)

Request deletion of your data ("right to be forgotten").

⏸️ Right to Restriction (Art. 18)

Request temporary restriction of processing.

📦 Right to Portability (Art. 20)

Receive your data in a structured format and transfer it elsewhere.

🚫 Right to Object (Art. 21)

Object to processing for marketing or legitimate interest.

🤖 Right Against Automated Decisions (Art. 22)

Request human intervention for automated decisions affecting you.

How to exercise your rights

We will respond within 30 days (extendable to 60 in complex cases).

⚠️ Complaint to Supervisory Authority

If you believe your rights have not been respected, you can file a complaint with the Italian Data Protection Authority (Garante): www.garanteprivacy.it

10. Cookie Policy

We use cookies and similar technologies to improve your experience:

Type | Purpose | Consent
Essential/Technical | Login, session, security, language preferences | Not required
Analytics | Google Analytics, anonymous statistics | Required
Marketing | Retargeting, personalized advertising | Required

How to manage cookies

  • Cookie banner: On first visit you can choose which to accept
  • Change preferences: You can change your preferences at any time
  • Browser settings: You can block all cookies in your browser
  • Analytics opt-out: Google Analytics Opt-out

11. Minors

🚫 Adults Only Service

Local Hours is restricted to users at least 18 years old. We do not knowingly collect data from minors. If we discover that a minor has created an account, we will delete it immediately along with all their data.

If you are a parent and believe your minor child has provided data to Local Hours, contact us at privacy@localhrs.com.

12. Privacy Policy Changes

We may update this Privacy Policy periodically to reflect changes in our services or regulations.

For significant changes:

  • We will publish the new version on this page
  • We will update the "Last updated" date
  • We will send you an email notification
  • If required, we will ask for your consent again

13. Privacy Contacts

For any privacy questions or to exercise your rights:

Privacy Email: privacy@localhrs.com

Data Deletion Requests: postmaster@localhrs.com

Response time: Within 30 business days from request.

Document valid from January 10, 2026

Local Hours - Personal Project (Beta)
