1. Data Controller
The controller of your personal data is:
- Daniele Pratesi
- Address: Turin, Italy — [full address — TO BE COMPLETED]
- VAT Number: [TO BE COMPLETED]
- Certified Email (PEC): [TO BE COMPLETED]
- Email: daniele@l0calize.com
This Privacy Policy is issued pursuant to EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code), as amended by Legislative Decree 101/2018.
2. Personal Data Collected
2.1 User Data
- Registration: full name, email address, password (stored in encrypted form).
- Consents: acceptance of Terms and Privacy Policy, with consent timestamp.
- Gift Cards: codes of purchased or received gift cards, balances, usage history.
- Optional data: phone number, profile picture.
2.2 Merchant Data
- Onboarding: business name, VAT number, tax code, payout email address.
- Store: name, address, city, postal code, phone, public email, website, opening hours, social links (Instagram, WhatsApp, Google Maps, TripAdvisor), images and logo.
- Operational: sales history, redemptions made.
2.3 Gift Card Recipient Data
- Recipient email address, recipient name, and personal message (provided by the purchaser at the time of purchase).
- These data are used solely to deliver the gift card and, if the recipient registers on the platform with the same email, to link the gift card to their account.
2.4 Payment Data
Payments are processed by Stripe (PCI-DSS Level 1 certified). Localize does not store, collect, or have access to credit/debit card data.
Localize only stores:
- Stripe transaction ID and payment session ID
- Amount, currency, payment status
- Stripe receipt URL
- Refund ID and dispute ID (where applicable)
2.5 Technical Data
- IP address: used exclusively for rate limiting (anti-abuse protection). Not persisted in the database.
- Session cookies: required for authentication to function (Supabase Auth).
- Consent cookie: stores the user’s analytics cookie preference. Duration: 180 days.
2.6 Waitlist Data
If you submitted your information in the pre-launch waitlist: name, email, business name, city, phone, category. This data is retained until you request its deletion.
3. Legal Bases for Processing (Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Account registration and management | Contract performance (Art. 6.1.b) |
| Gift card purchase and management | Contract performance (Art. 6.1.b) |
| Payment processing | Contract performance (Art. 6.1.b) |
| Merchant fiscal data (VAT, tax code) | Legal obligation (Art. 6.1.c) |
| Payment record retention (10 years) | Legal/tax obligation (Art. 6.1.c) |
| Analytics cookies (Vercel Analytics) | Consent (Art. 6.1.a) |
| Platform security, fraud prevention, rate limiting | Legitimate interest (Art. 6.1.f) |
| Transactional emails | Contract performance (Art. 6.1.b) |
4. Data Processors and Transfers
To provide the Service, Localize uses the following third-party providers (“Data Processors” pursuant to Art. 28 GDPR):
| Provider | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, image storage | Frankfurt, EU |
| Stripe | Payment processing | EU / USA (SCC) |
| Resend | Transactional email delivery | USA (SCC) |
| Inngest | Async jobs (post-purchase emails) | USA (SCC) |
| Vercel | Hosting, analytics (with consent only) | Global CDN, EU data |
For transfers to non-EU countries (USA), Localize and the relevant providers rely on Standard Contractual Clauses (SCC) approved by the European Commission as a safeguard under Art. 46 GDPR.
5. Cookies and Tracking Technologies
5.1 Essential technical cookies
Required for the Platform to function; no consent needed under Art. 5(3) of the ePrivacy Directive:
- Session cookies (Supabase Auth): keep the authenticated user’s session active.
- Consent cookie (cookie_consent): stores your analytics cookie preference. Duration: 180 days.
5.2 Analytics cookies (with consent)
Only with your explicit consent, we use Vercel Analytics to collect aggregated, anonymous data about site usage. No personally identifiable data is collected.
You may withdraw consent at any time via the cookie banner on the site.
6. Retention Periods
| Data category | Retention period |
|---|---|
| User account data | Until account deletion + 30 days |
| Merchant account data | Until account deletion + 30 days |
| Payment and fiscal data | 10 years (Italian tax obligations) |
| Gift cards and redemption history | Until gift card expiry + 10 years |
| Gift card recipient data | Until gift card expiry + 30 days |
| Waitlist data | Until deletion request |
| IP logs (rate limiting) | In memory only, not persisted in database |
7. Your Rights (Arts. 15–22 GDPR)
You have the right to:
- Access (Art. 15): obtain confirmation of processing and a copy of your personal data.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Restriction (Art. 18): request restriction of processing in certain cases.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdraw consent: withdraw consent at any time, without affecting the lawfulness of prior processing.
How to exercise your rights: send a request to daniele@l0calize.com. We will respond within 30 days (Art. 12 GDPR).
Supervisory authority complaint: you have the right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) if you believe the processing of your data violates the GDPR.
8. Security Measures
We implement appropriate technical and organizational measures to protect personal data:
- HTTPS/TLS encrypted connections on all endpoints
- Security headers: HSTS, Content Security Policy, X-Frame-Options
- Row-Level Security (RLS) on the database: each user accesses only their own data
- Input validation and sanitization throughout
- Passwords stored as bcrypt hashes (Supabase Auth)
- Rate limiting on all sensitive endpoints
- No credit card data stored by Localize (fully delegated to Stripe PCI-DSS Level 1)
9. Minors
The Platform is intended for users aged 18 or older. We do not knowingly collect personal data from minors. If we become aware that a minor’s data has been inadvertently collected, we will delete it immediately.
10. Changes to this Privacy Policy
This Privacy Policy may be updated from time to time. In case of material changes, registered users will be notified by email and via a notice on the site at least 30 days in advance. The date of the last update is shown at the top of this page.