Privacybeleid
Laatst bijgewerkt: March 2026 · Version 2.0
Data Controller
LocalSpotz B.V. · Herengracht 182 · 1016 BR Amsterdam · Netherlands
hello@localspotz.com · For privacy requests: privacy@localspotz.com
This Privacy Policy explains how LocalSpotz (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our platform. We comply with the General Data Protection Regulation (GDPR / AVG) for users in the European Economic Area, and relevant US state privacy laws (including CCPA for California residents).
1. What data we collect
| Category | Data | Legal basis (GDPR) |
|---|---|---|
| Account data | Name, email address, password (hashed) | Contract (Art. 6(1)(b)) |
| Profile data | Bio, photo, languages, location, expertise | Legitimate interest / Consent |
| Booking & payment | Transaction details, Stripe customer ID | Contract + Legal obligation |
| Messages | Chat messages between users | Contract (Art. 6(1)(b)) |
| Trip data | Trip entries, memories, photos you upload | Contract (Art. 6(1)(b)) |
| Usage analytics | Page views, feature usage (anonymised) | Legitimate interest (Art. 6(1)(f)) |
| Cookies | Session, language preference | Consent / Legitimate interest |
2. How we use your data
- To provide and operate the LocalSpotz platform
- To connect travelers with locals and process payments
- To send transactional notifications (booking confirmations, messages)
- To improve platform safety, detect fraud and abuse
- To comply with our legal and tax obligations
- We never sell your personal data to third parties.
3. Data retention
- Account data: retained until you delete your account
- Financial records (bookings, payments): retained for 7 years as required by EU tax law (Art. 52 VAT Directive)
- Messages: retained until account deletion
- Inactive accounts: we may anonymise accounts inactive for more than 3 years
4. Third-party processors
- Stripe: Payment processing — PCI DSS Level 1 certified. Stripe Privacy Policy
- Google: OAuth sign-in, optional Google Maps — Google Privacy Policy
- AWS S3: File and image storage — encrypted at rest (AES-256), stored in EU (eu-central-1)
- Vercel: Application hosting and deployment (edge network). Vercel Privacy Policy
- Neon: PostgreSQL database hosting — data stored in EU region. Neon Privacy Policy
- UploadThing: File upload infrastructure — encrypted transit and storage. UploadThing Privacy Policy
5. Your rights (GDPR / AVG)
As a user in the European Economic Area, you have the following rights:
🔍 Right of access (Art. 15)
Request a copy of all data we hold about you
✏️ Right to rectification (Art. 16)
Correct inaccurate personal data
🗑️ Right to erasure (Art. 17)
Request deletion of your account and all personal data
📦 Right to portability (Art. 20)
Download all your data in a machine-readable format
⏸️ Right to restriction (Art. 18)
Limit how we process your data in certain cases
🚫 Right to object (Art. 21)
Object to processing based on legitimate interest
To exercise any of these rights, go to Settings → Privacy or email us at privacy@localspotz.com. We respond within 30 days as required by GDPR.
6. California residents (CCPA)
California residents have additional rights under the CCPA, including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a CCPA request, email privacy@localspotz.com.
7. Cookies
We use the following cookies:
- next-auth.session-token: Essential. Keeps you logged in. HttpOnly, Secure, SameSite=Lax.
- localspotz_language_preference: Essential. Remembers your language choice.
- localspotz_cookie_consent: Essential. Stores your cookie consent choice.
We do not use advertising or third-party tracking cookies.
8. Security
- All data in transit is encrypted via TLS 1.2+ (HTTPS enforced)
- Passwords are hashed using bcrypt (cost factor 12)
- Authentication cookies are HttpOnly, Secure, and SameSite=Lax
- API endpoints are rate-limited to prevent brute-force attacks
- HTTP security headers are set on all responses (CSP, HSTS, X-Frame-Options)
- Payment data is handled exclusively by Stripe — we never store card numbers
9. Contact & complaints
Data Controller: LocalSpotz B.V.
Address: Herengracht 182 · 1016 BR Amsterdam · Netherlands
Privacy contact: privacy@localspotz.com
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your national supervisory authority. In the Netherlands: Autoriteit Persoonsgegevens (AP).