LocalSpots — Privacy policy
Last updated: 2026-05-12
Status: Draft — pending legal review.
This is the privacy policy for LocalSpots ("the App"), part of the Spots Project ("we", "us"). It explains what data we collect, why, how we store it, and your rights under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
If you also use other Spots Project apps, they have separate privacy policies because each app processes data differently.
1. Who is responsible
The data controller for LocalSpots is the Spots Project, contact email [email protected]. We do not yet have a registered Data Protection Officer; if you're in Cyprus or the EU and want to raise a concern, you can reach us at that address or contact your national supervisory authority directly. In Cyprus, that's the Office of the Commissioner for Personal Data Protection ([email protected]).
2. What we collect
Anonymous browsing. You can use most of LocalSpots without any account at all. We do not collect a name, email, phone, or device identifier when you browse spots, search, filter, or favourite locally.
Account data (if you sign up). To leave reviews or submit new spots, you need an account. We collect:
- Email address (used as your login — we send a magic-link sign-in instead of storing a password).
- Display name (your choice; can be a pseudonym).
- Optional: profile photo, short bio.
Content you create. Reviews, photos, spot submissions, ratings, and reports you send us. These are public once approved.
Technical data, minimised. We collect a small amount of anonymous app telemetry: crash logs, anonymised app version, OS version, screen the crash occurred on. No advertising ID. No precise location is logged on our servers.
Location. Your device may share your location with the app to show nearby spots — that lookup happens on your device. We do not store your live location on our servers. If you save a "home district" preference, we store that.
LocalSpots may collect approximate location of submitted spots (a coordinate of the place you're describing, not a coordinate of you). That spot location is public once approved.
3. Why we collect it (lawful basis)
Under GDPR Article 6, every piece of data has a specific lawful basis:
| Data | Purpose | Lawful basis |
|---|---|---|
| Email + display name | Run your account, authenticate, contact you about account matters | Article 6(1)(b) — contract |
| Reviews, submissions, photos | Make LocalSpots useful for everyone | Article 6(1)(b) — contract (the service you signed up for) |
| Crash logs, anonymous telemetry | Keep the app working, fix bugs | Article 6(1)(f) — legitimate interest |
| Reports of bad content | Moderation and trust & safety | Article 6(1)(f) — legitimate interest |
| Marketing emails | Tell you when new features launch | Article 6(1)(a) — explicit opt-in consent, only if you check the box |
4. Who we share it with (sub-processors)
We do not sell data. We never share data with advertisers. We do not show personalised ads — if and when LocalSpots shows ads in the future, they are non-personalised and not based on you.
We use a small set of EU-based service providers ("sub-processors") to run the service. The current list is at /sub-processors and is updated when changes happen. Each one has signed an EU-standard Data Processing Agreement with us.
5. Where the data lives
All databases, file storage, and backups are in the European Union. Specifically: Hetzner Online (Germany), Cloudflare R2 EU, Postmark EU. No data is stored in the United States or outside the EU/EEA. If we ever need to use a non-EU sub-processor, we'll update this policy and notify accounts before changes take effect.
6. How long we keep it
| Data | Retention |
|---|---|
| Account email + profile | Until you delete your account |
| Reviews and submissions you authored | Until you delete them, OR until your account is deleted (we anonymise them at that point — keeping the review, removing the author) |
| Crash logs | 30 days |
| Email correspondence | 12 months |
| Deleted accounts | Hard-deleted 30 days after deletion request (this 30-day window lets you recover an accidental deletion) |
7. Your rights under GDPR
You have all eight data subject rights guaranteed by EU law:
- Right of access — Request a copy of your data. Email [email protected].
- Right to rectification — Fix anything wrong about you. Most things you can edit yourself in the app.
- Right to erasure ("right to be forgotten") — Delete your account and all linked data. There's a button for this in the app's Settings → Account.
- Right to restriction — Ask us to pause processing while a dispute is resolved.
- Right to data portability — Get your data in a structured machine-readable format (we provide JSON).
- Right to object — Object to processing based on legitimate interest.
- Right not to be subject to automated decision-making — We don't make automated decisions about you.
- Right to withdraw consent — Where we rely on consent (e.g., marketing emails), you can withdraw it anytime.
To exercise any right, email [email protected]. We aim to respond within 30 days as required by GDPR Article 12.
8. Cookies and tracking
The website spotsproject.com uses no cookies as of this writing. We use Plausible Analytics — a privacy-friendly EU service that does not use cookies, does not track you across sites, and does not retain your IP address. Inside the LocalSpots mobile app there is no advertising identifier collected.
9. Children
LocalSpots is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact us and we'll delete the account.
10. Changes to this policy
If we change this policy materially, we'll notify account-holders by email at least 14 days before the change takes effect. The latest version always lives at spotsproject.com/localspots/privacy.
11. Contact
Privacy questions: [email protected]
LocalSpots-specific: [email protected]
You can also lodge a complaint with the Cyprus Office of the Commissioner for Personal Data Protection, or your national supervisory authority if you're elsewhere in the EU.