Skip to main content
Locale.

Legal

Privacy Policy

Last updated: 12 March 2026

1. Information We Collect

Account information

When you create an account, we collect your name, email address, and hashed password. If you sign up through a third-party provider (Google, GitHub), we receive your name, email, and profile picture from that provider.

Usage data

We automatically collect information about how you interact with Locale, including features used, timestamps, and performance metrics. This helps us improve the product and debug issues.

Payment information

Payment processing is handled by our third-party PCI-DSS-compliant payment provider. We never store your full credit card number, CVV, or bank details. We retain only the last four digits of your card and billing address for receipt purposes.

Device & log data

We collect IP addresses, browser type, operating system, referral URLs, and device identifiers. Server logs are retained for 90 days and then permanently deleted.

2. How We Use Your Information

Service delivery

We use your data to provide, maintain, and improve Locale — including managing your account and delivering support.

Communication

We may send transactional emails (password resets, billing receipts) and, with your consent, product updates. You can unsubscribe from marketing emails at any time.

Analytics & improvement

Aggregated, anonymized usage data helps us understand feature adoption, fix bugs, and prioritize our roadmap. We do not sell individual usage data to third parties.

Legal compliance

We may process your data to comply with applicable laws, respond to legal requests, or protect our rights and safety.

3. Data Sharing & Third Parties

Service providers

We share data with trusted providers who help us operate — including our payment processor, our cloud hosting provider, and our transactional email service. Each provider is bound by data processing agreements.

No selling of data

We do not sell, rent, or trade your personal information to advertisers or data brokers.

Business transfers

If the company is acquired or merged, your information may be transferred. We will notify you via email and provide options before any such transfer.

4. Security & Data Storage

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database backups are encrypted and stored in geographically separate regions.

Infrastructure

Our infrastructure is built around continuous control monitoring and audit-ready evidence collection. We conduct regular penetration tests and maintain a responsible disclosure program.

Data residency

By default, data is stored within our cloud hosting provider's European and North American regions, primarily Frankfurt and N. Virginia. Enterprise customers can choose alternative data residency for compliance with local regulations.

5. Your Rights & Choices (UK & EU GDPR)

Right of access

You may request a copy of the personal data we hold about you. Email privacy@localeapp.io and we will respond within one calendar month.

Right to rectification

You may correct inaccurate or incomplete personal data we hold.

Right to erasure ("right to be forgotten")

You may request deletion of your personal data where we no longer need it for the purpose collected, you withdraw consent, or you object to processing without overriding legitimate grounds.

Right to restrict processing

You may ask us to suspend processing of your data while we verify a request or evaluate an objection.

Right to data portability

You may receive the personal data you have provided to us in a structured, machine-readable format and ask us to transmit it to another controller.

Right to object

You may object to processing based on legitimate interests, including direct marketing and profiling. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights.

Right to lodge a complaint

You may complain to a supervisory authority — in the UK, the Information Commissioner's Office at ico.org.uk; in the EU, your local DPA.

Right not to be subject to automated decision-making (Art. 22)

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you, unless it is necessary for a contract, authorised by law, or based on your explicit consent. We use automated processing for fraud and chargeback screening on guest payments and for spam filtering in the guest inbox; neither produces a legal or similarly significant effect without human review.

Cookies

We use essential cookies for authentication and preferences. Optional analytics, marketing, and functional cookies are only set with your consent (see our cookie banner). You can withdraw consent at any time.

6. Your Rights — California & US State Privacy Laws

Right to know

California (CCPA/CPRA), Colorado, Connecticut, Texas, Virginia, and other US states with comprehensive privacy laws give residents the right to know what personal information we collect, the categories of sources, and the categories of third parties with whom we share it.

Right to delete

You may request deletion of personal information we have collected from you, subject to limited exceptions (e.g. transactions in progress, legal compliance).

Right to correct

You may request correction of inaccurate personal information.

Right to opt out of sale or sharing

If we sell or share your personal information for cross-context behavioural advertising, you may opt out via our "Do Not Sell or Share My Personal Information" page (linked in the footer when applicable). We honour the Global Privacy Control browser signal as a universal opt-out.

Right to limit use of sensitive PI

You may direct us to limit use of sensitive personal information to only what is necessary to provide the goods or services you requested.

Non-discrimination

We will not discriminate against you for exercising any privacy right (denial of service, different prices, lower quality).

Verification

Verifiable consumer requests may require us to confirm your identity before we action the request. CPRA gives us up to 45 days (extendable to 90).

7. Do Not Track Signals (CalOPPA)

Our response

Some browsers transmit "Do Not Track" (DNT) signals. There is no industry consensus on how DNT should be honoured. We treat DNT as a request to disable analytics and behavioural-advertising cookies; functional and essential cookies continue to operate.

Global Privacy Control

We do honour the Global Privacy Control (GPC) signal as a universal opt-out from sale or sharing of personal information, as required by California, Colorado, Connecticut, and other states.

Questions about your privacy?

Contact our privacy team at privacy@localeapp.io

DemoUI kit preview — content is fictional.