Back to LocalSpotz

Privacy Policy

Last updated: March 2026 · Version 2.0

Data Controller

LocalSpotz B.V. · Herengracht 182 · 1016 BR Amsterdam · Netherlands
hello@localspotz.com · For privacy requests: privacy@localspotz.com

This Privacy Policy explains how LocalSpotz (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our platform. We comply with the General Data Protection Regulation (GDPR / AVG) for users in the European Economic Area, and relevant US state privacy laws (including CCPA for California residents).

1. What data we collect

CategoryDataLegal basis (GDPR)
Account dataName, email address, password (hashed)Contract (Art. 6(1)(b))
Profile dataBio, photo, languages, location, expertiseLegitimate interest / Consent
Booking & paymentTransaction details, Stripe customer IDContract + Legal obligation
MessagesChat messages between usersContract (Art. 6(1)(b))
Trip dataTrip entries, memories, photos you uploadContract (Art. 6(1)(b))
Usage analyticsPage views, feature usage (anonymised)Legitimate interest (Art. 6(1)(f))
CookiesSession, language preferenceConsent / Legitimate interest

2. How we use your data

  • To provide and operate the LocalSpotz platform
  • To connect travelers with locals and process payments
  • To send transactional notifications (booking confirmations, messages)
  • To improve platform safety, detect fraud and abuse
  • To comply with our legal and tax obligations
  • We never sell your personal data to third parties.

3. Data retention

  • Account data: retained until you delete your account
  • Financial records (bookings, payments): retained for 7 years as required by EU tax law (Art. 52 VAT Directive)
  • Messages: retained until account deletion
  • Inactive accounts: we may anonymise accounts inactive for more than 3 years

4. Third-party processors

5. Your rights (GDPR / AVG)

As a user in the European Economic Area, you have the following rights:

🔍 Right of access (Art. 15)

Request a copy of all data we hold about you

✏️ Right to rectification (Art. 16)

Correct inaccurate personal data

🗑️ Right to erasure (Art. 17)

Request deletion of your account and all personal data

📦 Right to portability (Art. 20)

Download all your data in a machine-readable format

⏸️ Right to restriction (Art. 18)

Limit how we process your data in certain cases

🚫 Right to object (Art. 21)

Object to processing based on legitimate interest

To exercise any of these rights, go to Settings → Privacy or email us at privacy@localspotz.com. We respond within 30 days as required by GDPR.

6. California residents (CCPA)

California residents have additional rights under the CCPA, including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a CCPA request, email privacy@localspotz.com.

7. Cookies

We use the following cookies:

  • next-auth.session-token: Essential. Keeps you logged in. HttpOnly, Secure, SameSite=Lax.
  • localspotz_language_preference: Essential. Remembers your language choice.
  • localspotz_cookie_consent: Essential. Stores your cookie consent choice.

We do not use advertising or third-party tracking cookies.

8. Security

  • All data in transit is encrypted via TLS 1.2+ (HTTPS enforced)
  • Passwords are hashed using bcrypt (cost factor 12)
  • Authentication cookies are HttpOnly, Secure, and SameSite=Lax
  • API endpoints are rate-limited to prevent brute-force attacks
  • HTTP security headers are set on all responses (CSP, HSTS, X-Frame-Options)
  • Payment data is handled exclusively by Stripe — we never store card numbers

9. Contact & complaints

Data Controller: LocalSpotz B.V.
Address: Herengracht 182 · 1016 BR Amsterdam · Netherlands
Privacy contact: privacy@localspotz.com

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your national supervisory authority. In the Netherlands: Autoriteit Persoonsgegevens (AP).