Privacy Policy
Last updated: March 2026
This Privacy Policy explains how Locpats ("we", "us", "our"), the operator of the Local mobile application ("Local", "the App"), collects, uses, stores, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679), the EU AI Act (Regulation 2024/1689), and applicable national data-protection laws.
1. Data Controller
The data controller is Locpats. For any data-protection enquiries, you can reach our Data Protection contact at locpats@gmail.com.
2. Personal Data We Collect
We collect the following categories of personal data:
- Account data: full name, email address, phone number, date of birth, username, and encrypted password.
- Profile data: profile photo, bio, origin countries, living city and country, university, industry, hobbies, user status (local / expat / just arrived / planning to move), and meeting preferences.
- User-generated content: messages, forum posts, comments, photos you upload, and event participation.
- Connection data: your connections with other users, block lists, and reports you file.
- Technical data: device type, operating system, app version, IP address, push-notification tokens, and crash/diagnostic logs.
- Usage data: timestamps of logins, features accessed, and in-app interactions, collected in aggregate form.
3. Legal Bases for Processing (Art. 6 GDPR)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): to create and manage your account, enable connections, messaging, event participation, and all core App features.
- Legitimate interests (Art. 6(1)(f)): to maintain platform security, prevent fraud and abuse, improve the App, and send service-related communications. Our legitimate interest is balanced against your rights; you can object at any time.
- Consent (Art. 6(1)(a)): for optional processing such as marketing communications and non-essential analytics. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)): where we are required by EU or national law to retain certain data.
4. How We Use Your Data
We use your data to:
- Provide and operate the App's core features (profiles, connections, messaging, events, forum).
- Personalise your experience (e.g., suggesting connections based on shared city, interests, or origin).
- Send transactional notifications (password resets, email verification codes, connection requests).
- Ensure platform safety by processing reports, enforcing blocks, and moderating content.
- Improve performance and fix bugs through anonymised analytics and crash reporting.
- Comply with legal obligations.
5. AI and Automated Processing
In compliance with the EU AI Act (Regulation 2024/1689):
- Local does not currently deploy any high-risk AI systems as defined by Art. 6 of the AI Act.
- We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).
- If we introduce AI-assisted features in the future (e.g., content recommendations, matching suggestions), we will: (a) clearly disclose when AI is used, (b) ensure human oversight, (c) give you the right to contest automated decisions, and (d) update this policy accordingly.
- Any future AI features will be classified under the appropriate risk category per the AI Act and documented transparently.
6. Data Sharing and Recipients
We do not sell your personal data. We may share data with:
- Other users: your profile information (name, photo, bio, origin, city, interests) is visible to other App users. Messages are shared only with conversation participants.
- Service providers: we use third-party processors for hosting (cloud infrastructure), email delivery, push notifications, and crash analytics. All processors are bound by Data Processing Agreements (DPAs) and process data only on our instructions.
- Legal authorities: when required by applicable law, court order, or regulatory request.
We do not transfer personal data outside the European Economic Area (EEA) unless adequate safeguards are in place (e.g., EU Standard Contractual Clauses or an adequacy decision per Art. 45 GDPR).
7. Data Retention
We retain your personal data for as long as your account is active and for as long as is necessary to fulfil the purposes described above.
- Account deletion: when you delete your account, all your personal data is permanently erased within 30 days, except where retention is required by law (e.g., financial records, fraud prevention).
- Password reset codes: expire and are deleted after 15 minutes.
- Email verification codes: expire and are deleted after 15 minutes.
- Reports: retained for up to 12 months for moderation and legal compliance, then anonymised or deleted.
8. Data Security
We implement appropriate technical and organisational measures to protect your data (Art. 32 GDPR), including:
- Passwords hashed with bcrypt.
- Authentication tokens stored in device-level secure storage (Keychain on iOS, encrypted SharedPreferences on Android).
- HTTPS/TLS encryption for all data in transit.
- Rate limiting on authentication endpoints.
- CORS restrictions on API access.
- Regular security reviews and access controls for production systems.
9. Your Rights Under GDPR
Under the GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): correct inaccurate data via your profile settings, or contact us.
- Right to erasure (Art. 17): delete your account and all data through Settings > Delete Account, or contact us.
- Right to restriction (Art. 18): request that we limit processing of your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format. Contact us to request an export.
- Right to object (Art. 21): object to processing based on legitimate interests, including for direct marketing.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw at any time.
- Right to lodge a complaint: you have the right to file a complaint with your national Data Protection Authority (e.g., the Hellenic Data Protection Authority — HDPA — if you are in Greece).
To exercise any of these rights, contact us at locpats@gmail.com. We will respond within 30 days as required by Art. 12 GDPR.
10. Children's Privacy
Local is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.
11. Cookies and Tracking
The Local mobile app does not use cookies. We may use anonymised analytics for crash reporting and performance monitoring, which does not constitute tracking under ePrivacy rules.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes through the App or via email. Continued use of the App after changes constitutes acceptance. We recommend reviewing this policy periodically.
13. Contact
If you have any questions about this Privacy Policy or wish to exercise your data-protection rights, contact us at:
Email: locpats@gmail.com
Data Protection Contact: locpats@gmail.com