The Localy platform is operated by HGA Systems SRL, which acts as the data controller for personal data processed in the context of Localy Services. Controller details: Legal name: HGA Systems SRL (limited liability company). Registered office: Bulevardul Tineretului, no. 5, block A11/2, stair B, apt. 19, Râmnicu Vâlcea, Vâlcea, Romania (EU). Email (legal/GDPR): support@localy.fun. Data Protection Officer: Considering the size and nature of processing, HGA Systems SRL is not required to appoint a DPO under Art. 37 GDPR. No DPO is currently appointed. Questions or requests regarding your personal data can be sent to support@localy.fun and we will respond within legal timeframes.
Localy is a venue discovery platform (restaurants, cafés, and other Venues) based on intelligent matching between user intents and each Venue’s specifics. Venue owners can create and manage location profiles through the Dashboard (B2B), benefiting from contextual visibility, intelligent matching, and basic analytics (monthly reports with aggregated impressions/interactions). The platform serves both businesses (B2B) and end users (B2C). At this stage, the platform does not process payments and does not involve direct financial transactions. The platform is available on iOS, Android, and Web.
A. Data provided by venue owners (B2B): Account registration data (contact name, email address, phone number, business name and registered office address) required to create/manage the Admin account and contact the Business; Venue data (address, hours, description, photos, services, and other information you provide) used to publicly display the Venue; Usage and analytics data about the Venue (impressions, interactions, matches) provided to the Admin as aggregated insights. Note: At this stage we do not collect financial data. B. Data collected from end users (B2C): Account data (email and optional profile name); Preferences and interests (provided or inferred from interactions); Searches and interactions (search terms, viewed/favorited locations, feedback); Device location (with explicit consent, necessary for core functionality); Push notifications (with consent). C. Additional data collected automatically (tracking and analytics): Technical device/app parameters, IP address and device identifiers (anonymized/pseudonymized), server logs, cookies and similar technologies (including PostHog). Important: Localy does not sell or disclose end‑user personal data to venue owners; venue owners only see aggregated statistics.
Performance of a contract [GDPR Art.6(1)(b)]: most data is processed to deliver the Services (account creation, Venue profile, recommendations). Legitimate interest [GDPR Art.6(1)(f)]: analytics, security, and platform improvement, while ensuring user rights are not unduly impacted. Consent [GDPR Art.6(1)(a)]: for device location, push notifications, and other non‑essential processing; consent can be withdrawn at any time [GDPR Art.7]. Legal obligation [GDPR Art.6(1)(c)]: in specific cases required by law.
Service delivery and operation: enable account creation, manage Brands/Venues, and provide recommendations to end users. Communication and support: confirmations, important service notices, updates to Terms/policies, and technical support. Platform improvement: analyze aggregated data and feedback to improve matching algorithms and UX. Security and abuse prevention: monitor and prevent unauthorized access, attacks, or misuse. Marketing (limited): we do not send unsolicited marketing; if we intend to send marketing communications, we will request consent where required.
Essential cookies: required for core website functionality. Analytics/performance cookies and mobile SDKs: we use tools like PostHog for usage statistics, in anonymized/pseudonymized form, to improve the service. Third‑party modules: no other tracking modules are used without consent; if introduced, we will update the policy and request consent. For web, users can manage consent for non‑essential cookies through a dedicated mechanism; only essential cookies are active by default. Users can manage cookie settings in their browsers and reset or limit advertising identifiers on mobile devices.
Localy does not sell personal data. Data may be disclosed to: Service providers (processors) necessary for platform operation, such as Supabase (hosting and databases in the EU), PostHog (analytics hosted in the EU), and AI providers (e.g., OpenAI/Azure OpenAI). In certain contexts, HGA Systems SRL acts as a processor for Businesses under a DPA compliant with Art. 28 GDPR. Legal obligations: we may disclose data if required by law. Business transfers: in case of restructuring or transfer, we will ensure compliance with applicable law. We sign data processing agreements with providers and implement appropriate safeguards for transfers outside the EEA (Standard Contractual Clauses) [GDPR Art.46].
Localy may use aggregated and anonymized information for statistical reports, market insights, or presentation materials (without identifying individuals or specific venues), research and development. With explicit Admin consent, we may use the Venue name, logo, and public images for public promotion (e.g., “Venue X joined Localy”), without commercial or sensitive data.
Localy integrates AI features to improve user and venue‑owner experience. We use LLMs to process text from venue descriptions and user queries and to generate suggestions (descriptions, keywords) and better matches. Data sent to AI: text fragments provided by Admins or user queries plus minimal context (venue name/category). Data not sent: identifying personal data, sensitive data, financial information. The AI provider acts as a processor and does not use the data for training, according to its policies. Processing may occur in the EU (Poland) and Switzerland. AI output may be inaccurate; we treat it as suggestions to be reviewed.
Location and retention: personal data is stored in Supabase infrastructure (EU). Redis cache and backend (Render) are hosted in the EU. Data sent to AI is processed in Poland and Switzerland. Account data is retained while your account is active; upon deletion, data is removed/anonymized except where legally required. Venue data is displayed until deleted/edited; backups may persist temporarily. Usage data is aggregated/anonymized periodically; raw logs may be kept 30–90 days. Security measures include encryption in transit (TLS), encryption at rest where applicable, role‑based access control, monitoring and regular updates, internal policies, and contractual confidentiality obligations. In case of a breach, we will notify in accordance with GDPR Arts. 33 and 34.
Right of access [GDPR Art.15], rectification [Art.16], erasure ("right to be forgotten") [Art.17], restriction of processing [Art.18], data portability [Art.20], objection [Art.21], withdrawal of consent [Art.7], and the right to lodge a complaint with the supervisory authority (ANSPDCP in Romania) [Art.77]. You can contact us at support@localy.fun to exercise your rights. We will respond within one month, with a possible extension of up to two months for complex requests, with prior notice.
Venue owners can delete their account via the Dashboard (if available) or by requesting deletion at support@localy.fun. We will deactivate the account and remove/anonymize associated personal data within reasonable timeframes. Some public Venue data may remain visible until deleted/edited or automatic expiration. Data may be temporarily retained in backups/logs before final deletion, and some information may be retained for legal obligations or dispute resolution, with restricted access.
We may update this Policy periodically. If significant changes occur, we will notify users via the Dashboard/app or email, as appropriate. Continued use of the platform after the effective date of the new version constitutes acceptance of the changes.
This Privacy Addendum is an integral part of the Localy Admin Dashboard Terms and Conditions. By accepting the Terms, you acknowledge the information on data processing and provide consent where required. For additional questions, contact support@localy.fun.