Privacy Policy
1. Introduction
Locabee ("Locabee," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website, applications, and services (collectively, the "Service").
This Privacy Policy applies to all users of the Service, including:
- Clients — Individuals searching for and using services listed on the Platform
- Providers — Businesses and professionals listing their services on the Platform
- Visitors — Individuals browsing the Platform without creating an account
1.1 Data Controller
The Data Controller for personal data processed through the Platform is:
[COMPANY LEGAL NAME]
Registration number: [INSERT]
Registered office: [INSERT ADDRESS], Budapest, Hungary
Email: [INSERT EMAIL]
Data Protection Officer: [INSERT DPO EMAIL]
1.2 Legal Framework
This Privacy Policy is designed to comply with:
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
- Hungarian Information Act (Infotv.) — Act CXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information
- Hungarian E-Commerce Act — Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services
- ePrivacy Directive — Directive 2002/58/EC (as transposed into Hungarian law)
- German Federal Data Protection Act (BDSG) — Where applicable to German users
- Other applicable national implementations of GDPR across the EU/EEA
2. Personal Data We Collect
We collect personal data from various sources and for different purposes. Below we detail the categories of data collected.
2.1 Data You Provide Directly
| Category | Data Types | When Collected |
|---|---|---|
| Account Data | Email address, name, profile picture (if OAuth) | Registration |
| Provider Profile Data | Business name, address, phone number, WhatsApp, website, description, services offered, pricing, opening hours, amenities, languages spoken | Provider onboarding |
| Client Profile Data | Name, email, phone (optional), delivery preferences, photo uploads | Profile setup |
| Communication Data | Contact form messages, lead inquiries, review text, review replies, support requests | User-initiated contact |
| Financial Data | Billing information, transaction history (payment card data is processed by our payment processor and never stored by Locabee) | Purchases |
| CRM Data | Client names, emails, phone numbers, visit history, notes — entered by Providers about their own clients | Provider CRM usage |
| Brand & Content Data | Brand voice settings, brand colors, content preferences, generated social media content, gallery images | Provider brand setup |
| Team Data | Invited team member names, emails, roles | Team management |
| Order Data | Supplier information, product lists, order history | Smart Order usage |
| Visual Data | Uploaded photos, gallery images, profile pictures, product photos | Gallery & content creation |
2.2 Data Collected Automatically
| Category | Data Types | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, click patterns, time on page, referral source | Service improvement, analytics |
| Device Data | IP address, browser type and version, operating system, device type, screen resolution | Technical compatibility, security |
| Location Data | Approximate location derived from IP address; precise location if you use "near me" features (with your consent) | Geo-targeted results |
| Session Data | Session cookies, authentication tokens, CSRF tokens | Security, session management |
| Log Data | Server logs, error logs, API call logs | System maintenance, debugging |
| Performance Data | Page load times, feature response times | Service optimization |
2.3 Data from Third Parties
| Source | Data Types | Purpose |
|---|---|---|
| OAuth providers (e.g., Google) | Name, email, profile picture (based on your account settings) | Account creation and authentication |
| Analytics providers | Anonymized usage and behavior data | Traffic analysis and Service improvement |
| Tag management services | Tag firing data and events | Marketing and analytics orchestration |
| Advertising platforms | Conversion data, campaign attribution, hashed identifiers | Advertising measurement and audience building |
| Consent management provider | Consent preferences | Cookie consent management |
| UX research tools (if enabled) | Anonymized heatmaps, session recordings, user polls | UX research (subject to consent) |
| Social media publishing providers | Social media account tokens, post publication status, scheduling metadata | Social media content publishing on behalf of Providers |
2.4 Special Categories of Data
We do not intentionally collect special categories of personal data (also known as "sensitive data") as defined in GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, or sexual orientation.
If you voluntarily include such information in free-text fields (e.g., reviews, messages, or profile descriptions), we process it solely for displaying the content you provided and do not use it for profiling or other purposes.
3. How We Use Your Personal Data
3.1 Purposes and Legal Bases
| Purpose | Data Categories | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account creation and management | Account data, authentication data | Contract performance (Art. 6(1)(b)) |
| Service delivery | Profile, listing, content, order data | Contract performance (Art. 6(1)(b)) |
| Payment processing | Financial data, transaction history | Contract performance (Art. 6(1)(b)) |
| Contact and lead management | Communication data, lead data | Legitimate interest (Art. 6(1)(f)) — connecting Providers with Clients |
| AI content generation | Brand data, gallery images, content preferences | Contract performance (Art. 6(1)(b)) — delivering subscribed features |
| Analytics and Service improvement | Usage data, device data, performance data | Legitimate interest (Art. 6(1)(f)) — improving the Service |
| Marketing communications | Email address, name, preferences | Consent (Art. 6(1)(a)) |
| Customer support | Communication data, account data | Contract performance / Legitimate interest |
| Security and fraud prevention | IP address, session data, log data, behavior patterns | Legitimate interest (Art. 6(1)(f)) — protecting the Service and users |
| Legal compliance | Financial records, identity data | Legal obligation (Art. 6(1)(c)) |
| Cookie-based analytics | Usage data, device data | Consent (Art. 6(1)(a)) — via cookie consent manager |
| Advertising (pixel-based tracking) | Conversion data, cookie identifiers, hashed audience data | Consent (Art. 6(1)(a)) — via cookie consent manager |
| Social media publishing | Social account tokens, generated content, scheduling data | Contract performance (Art. 6(1)(b)) — feature requested by Provider |
| Automated image tagging and AI analysis | Uploaded images, visual metadata | Contract performance (Art. 6(1)(b)) — part of the Service's features |
| Loyalty program (BeeRich) | Account data, transaction history | Contract performance (Art. 6(1)(b)) |
| Review management | Review text, ratings, reviewer identity | Legitimate interest (Art. 6(1)(f)) — maintaining trust and transparency |
3.2 Legitimate Interest Assessments
Where we rely on legitimate interest as a legal basis, we have conducted Legitimate Interest Assessments (LIAs) to ensure our interests do not override your rights and freedoms. You may request details of these assessments by contacting our Data Protection Officer.
3.3 Automated Decision-Making
We use limited automated decision-making, including:
- Review moderation: Automated spam detection for submitted reviews (final moderation decisions are made by humans)
- AI content suggestions: Automated content recommendations based on your business profile (you always retain full editorial control)
- Search ranking: Algorithmic ordering of search results based on relevance, location, rating, and promotional status
None of these constitute "solely automated decision-making" producing legal or similarly significant effects as defined in GDPR Article 22. You always retain the ability to review and modify automated outputs.
4. How We Share Your Personal Data
We do not sell your personal data to third parties. We share personal data only in the following circumstances:
4.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process personal data on our behalf, under strict contractual obligations including Data Processing Agreements (DPAs):
| Provider Category | Service | Data Processed | Data Location |
|---|---|---|---|
| AI text generation providers | Content generation, text analysis | Text prompts, business descriptions (anonymized) | USA (Standard Contractual Clauses apply) |
| AI image generation providers | Visual content creation | Image prompts, dimension data (no PII) | USA (Standard Contractual Clauses apply) |
| Search infrastructure providers | Semantic search and discovery | Content embeddings (vector representations, not raw data) | EU |
| SEO data providers | Search volume and keyword data | Keywords, location data (non-personal) | USA |
| Analytics and advertising platforms | Analytics, advertising, authentication | Usage data, conversion data, auth tokens | USA (EU-US Data Privacy Framework) |
| Advertising platforms | Pixel-based tracking, audience matching | Hashed identifiers, conversion events, ad interaction data | USA/EU (EU-US Data Privacy Framework) |
| Social media publishing providers | Content scheduling and distribution | Social account tokens, post content, scheduling metadata | EU |
| Consent management provider | Cookie consent management | Consent preferences, anonymized identifiers | EU |
| UX analytics providers (if enabled) | Behavioral analytics, UX research | Anonymized session data, heatmaps | EU |
| Cloud infrastructure provider | Infrastructure hosting | All platform data | EU |
| Payment processor | Payment processing | Payment card data, billing address | EU/USA |
| Email delivery provider | Transactional and marketing emails | Email addresses, email content | EU |
A complete and current list of our sub-processors is available upon written request to our Data Protection Officer. See our Data Processing Agreement for further details.
4.2 Public Display
The following data is publicly visible on the Platform:
- Provider business profiles (name, address, services, hours, photos, ratings)
- Client reviews (display name, review text, rating, date)
- Gallery images and tags
- Lookbook and inspiration board content
4.3 Between Users
- Leads: When a Client submits a contact form, their name, email, and message are shared with the Provider
- Reviews: Client reviews are visible to the Provider and other users
- Team access: Team members can see their Provider's business data based on their role permissions
4.4 Legal Requirements
We may disclose personal data when required to:
- Comply with applicable laws, regulations, or legal processes
- Respond to valid government requests (court orders, subpoenas)
- Protect the rights, property, or safety of Locabee, our users, or the public
- Enforce our Terms of Service
4.5 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, personal data may be transferred as part of the transaction. We will notify you via email and/or prominent notice on the Service of any such transfer and any choices you may have regarding your data.
5. International Data Transfers
5.1 Transfer Mechanisms
As some of our service providers are based outside the EU/EEA (primarily in the USA), personal data may be transferred to countries that may not provide the same level of data protection as the EU.
We ensure appropriate safeguards for international transfers through:
- EU-US Data Privacy Framework — For providers certified under this framework (e.g., Google)
- Standard Contractual Clauses (SCCs) — Approved by the European Commission (Implementing Decision (EU) 2021/914), for providers not covered by adequacy decisions
- Adequacy Decisions — Transfer to countries recognized by the European Commission as providing adequate data protection
5.2 Your Rights Regarding Transfers
You may request information about the specific safeguards applied to international transfers of your data by contacting our Data Protection Officer.
5.3 Country-Specific Transfer Provisions
German Users (Ergänzende Hinweise für deutsche Nutzer): We additionally comply with the requirements of the BDSG (Bundesdatenschutzgesetz) regarding international data transfers, including the requirement under § 49 BDSG for additional risk assessments for transfers to third countries.
UK Users: For transfers of personal data from the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the ICO under the Data Protection Act 2018. The UK has not granted an adequacy decision to the USA, so all US transfers are covered by the IDTA or UK Addendum.
Romanian Users: International transfers comply with Law No. 190/2018 implementing GDPR in Romania, and are supervised by the ANSPDCP.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law.
6.1 Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 6 months after deletion | Contract performance |
| Provider profile data | Duration of account + 6 months after deletion | Contract performance |
| Contact/Lead messages | 2 years from submission | Legitimate interest |
| Reviews | Indefinitely (anonymized upon account deletion) | Legitimate interest (platform integrity) |
| Financial/billing records | 8 years from transaction | Hungarian Accounting Act (Szt., Act C of 2000) |
| Tax-related records | 8 years | Hungarian tax law |
| AI prompt logs | 6 months | Legitimate interest (debugging, quality, abuse prevention) |
| API usage logs | 12 months | Legitimate interest (cost monitoring) |
| Session and security logs | 6 months | Legitimate interest (security) |
| Cookie consent records | 5 years from consent | ePrivacy Directive compliance |
| Marketing consent records | Duration of consent + 5 years | GDPR accountability |
| Analytics data (aggregated) | Indefinitely (non-identifiable) | Legitimate interest |
| Backup data | Maximum 180 days after deletion from active systems | Data security |
| CRM data (Provider's clients) | Duration of Provider account + 6 months | Contract performance (DPA governs) |
6.2 Deletion
When retention periods expire, personal data is either:
- Permanently deleted from active systems and backups (within 180 days of backup cycle completion)
- Anonymized so that re-identification is no longer possible
7. Your Rights
7.1 Rights Under GDPR and Infotv.
As a data subject, you have the following rights:
| Right | Description |
|---|---|
| Right of Access (Art. 15 GDPR) | You may request confirmation of whether we process your personal data and obtain a copy of the data |
| Right to Rectification (Art. 16 GDPR) | You may request correction of inaccurate or incomplete personal data |
| Right to Erasure (Art. 17 GDPR) | You may request deletion of your personal data ("right to be forgotten") subject to legal retention obligations |
| Right to Restriction (Art. 18 GDPR) | You may request restriction of processing under certain circumstances |
| Right to Data Portability (Art. 20 GDPR) | You may request your personal data in a structured, commonly used, machine-readable format |
| Right to Object (Art. 21 GDPR) | You may object to processing based on legitimate interest or for direct marketing purposes |
| Right to Withdraw Consent (Art. 7(3) GDPR) | Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing |
| Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR) | You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects |
7.2 How to Exercise Your Rights
You may exercise your rights by:
- Email: [INSERT DPO EMAIL]
- In-platform: Account Settings → Privacy → Data Requests
- Postal mail: [COMPANY LEGAL NAME], [INSERT ADDRESS], Budapest, Hungary
We will respond to your request within 30 days (or within 1 month as per GDPR). This period may be extended by 2 additional months for complex or numerous requests, in which case we will inform you within the initial 30-day period.
Identity verification may be required to process your request.
7.3 Right to Lodge a Complaint
If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority:
Hungary — National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu
EU — Your local Data Protection Authority
Find your authority: https://edpb.europa.eu/about-edpb/board/members_en
Germany — Your State Data Protection Authority (Landesdatenschutzbeauftragter)
You may complain to the data protection authority of your federal state of residence.
7.4 Country-Specific Rights
Hungary (Magyar-specifikus jogok)
Under the Hungarian Infotv. (Act CXII of 2011), you additionally have the right to:
- Request information about the data processing from the Data Controller
- Initiate court proceedings before the competent court (Fővárosi Törvényszék for claims in Budapest)
- Claim damages if your data protection rights have been violated
Germany (Zusätzliche Rechte für deutsche Nutzer)
Under the BDSG (Bundesdatenschutzgesetz):
- You may exercise your rights in German by contacting our DPO
- In case of automated individual decision-making (§ 37 BDSG), you have the right to obtain human intervention
- Your right to data portability extends to data processed based on consent or contract
- You may complain to the data protection authority of your federal state (Landesdatenschutzbeauftragter)
Austria (Österreich-spezifische Rechte)
Under the DSG (Datenschutzgesetz 2018):
- You have the right to lodge a complaint with the DSB (Datenschutzbehörde): Barichgasse 40-42, 1030 Wien, Austria. Website: https://www.dsb.gv.at
- You may bring legal action before Austrian courts if your data protection rights are violated
France (Droits spécifiques pour les utilisateurs français)
Under Loi Informatique et Libertés (Loi n°78-17, as amended) and the GDPR:
- You have the right to define directives regarding the storage, erasure, and communication of your personal data after your death (Article 85 of Loi Informatique et Libertés)
- You may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. Website: https://www.cnil.fr
Romania (Drepturi specifice pentru utilizatorii din România)
Under Law No. 190/2018 (implementing the GDPR in Romania) and Law No. 506/2004 (on data processing in electronic communications):
- You have the right to lodge a complaint with the ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal): B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania. Website: https://www.dataprotection.ro
- You may bring claims before Romanian courts in the jurisdiction of your domicile
United Kingdom (Rights for UK Users)
Under the UK GDPR (retained EU law post-Brexit) and the Data Protection Act 2018:
- Your data protection rights are substantively the same as under the EU GDPR
- You may lodge a complaint with the ICO (Information Commissioner’s Office): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK. Website: https://ico.org.uk. Helpline: 0303 123 1113
- The UK Representative (if required under Article 27 UK GDPR): [INSERT UK REP DETAILS OR "Not required"]
- You may bring legal action before UK courts
United States (Rights for US Users)
Depending on the state in which you reside, you may have additional privacy rights:
California (CCPA/CPRA): Under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), California residents have the right to:
- Know what personal information is collected, used, disclosed, and sold
- Delete personal information held by us (subject to legal exceptions)
- Opt out of the sale or sharing of personal information — we do not sell your personal data, but certain advertising activities (e.g., Meta Pixel, Google Ads) may constitute "sharing" under the CPRA
- Correct inaccurate personal information
- Limit use of sensitive personal information
- Non-discrimination for exercising your rights
To exercise your CCPA/CPRA rights, contact us at [INSERT EMAIL] or use our in-platform privacy settings. We will verify your identity before processing requests.
Categories of personal information collected (CCPA categories):
| CCPA Category | Examples | Sold/Shared? |
|---|---|---|
| Identifiers | Name, email, IP address | Not sold; shared for advertising |
| Commercial Information | Transaction history, Credits, subscriptions | Not sold or shared |
| Internet Activity | Browsing history, interactions with the Service | Not sold; shared for advertising |
| Geolocation | Approximate location from IP | Not sold or shared |
| Professional Information | Business name, services offered | Not sold or shared |
| Inferences | User preferences, content recommendations | Not sold or shared |
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), and other state laws: If you reside in a state with a comprehensive privacy law, you generally have similar rights to know, delete, correct, opt out of targeted advertising, and appeal our decisions. Contact us at [INSERT EMAIL] to exercise state-specific rights.
CAN-SPAM Act: If you are a US resident, we comply with the CAN-SPAM Act. You can unsubscribe from marketing emails at any time using the unsubscribe link in each email.
Other EU/EEA Countries
For all other EU/EEA countries, your rights are governed by the GDPR as transposed into your national law. You may always lodge a complaint with your national data protection authority. A directory of all EU/EEA authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
8. Cookies and Tracking Technologies
8.1 Cookie Consent Management
We use Cookiebot (by Cybot A/S) to manage cookie consent on our Platform. When you first visit our website, a consent banner will appear allowing you to accept or reject different categories of cookies.
Your consent preferences are stored and can be modified at any time through the cookie consent widget accessible from every page of the Platform.
8.2 Cookie Categories
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Session management, authentication, CSRF protection, consent management | No (essential for Service operation) |
| Performance / Analytics | Google Analytics, usage statistics, error monitoring | Yes |
| Functional | Language preferences, UI personalization, saved preferences | Yes |
| Marketing / Advertising | Google Ads conversion tracking, Meta Pixel conversion tracking, remarketing, audience building | Yes |
| UX Research (if enabled) | Hotjar heatmaps and session recordings | Yes |
8.3 Detailed Cookie Information
For a complete, real-time list of cookies used on our Platform, please refer to the Cookiebot cookie declaration available at [INSERT URL] and accessible through the cookie consent settings on every page.
8.4 Managing Cookies
In addition to the Cookiebot consent management tool, you can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.
For more detailed information, see our Cookie Policy.
9. Children's Privacy
Our Service is not intended for children under the age of 16 years. We do not knowingly collect personal data from children under 16.
If we discover that we have inadvertently collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete such data as soon as possible.
If you believe that a child under 16 has provided us with personal data, please contact us at [INSERT EMAIL].
10. Security
10.1 Technical and Organizational Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: HTTPS/TLS for all data in transit
- Authentication: Secure magic link and OAuth authentication (no password storage)
- Access Controls: Role-based access control; principle of least privilege
- Session Security: CSRF protection, secure session management, rate limiting
- Infrastructure: Firewalled servers, IP blocklists for known threats
- Data Minimization: We collect only data necessary for stated purposes
- Staff: Access to personal data is limited to authorized personnel who need it for their work
10.2 Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority (NAIH) within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including facts, effects, and remedial actions taken
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated Privacy Policy on the Platform with a new "Last Updated" date
- Sending an email notification to registered users for significant changes
- Displaying a notice on the Platform
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of those changes.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Data Controller: [COMPANY LEGAL NAME]
[INSERT ADDRESS], Budapest, Hungary
General inquiries: [INSERT EMAIL]
Data Protection Officer: [INSERT DPO EMAIL]
Account deletion requests: [INSERT EMAIL]
Supervisory Authority (Hungary): NAIH — Nemzeti Adatvédelmi és Információszabadság Hatóság
Address: 1055 Budapest, Falk Miksa utca 9-11.
Phone: +36 (1) 391-1400
Website: https://naih.hu
This Privacy Policy was last updated on [INSERT DATE].