Legal

Privacy Policy

Last updated: July 2026

1. Information We Collect

We collect information in the following categories:

  • Account data: Email address, hashed password, display name, and role (business, creator, or admin).
  • Profile data: Business name, address, industry, website, phone number, creator bios, and social handles — provided voluntarily.
  • Campaign and submission data: Content URLs, engagement metrics, screenshots submitted by creators.
  • Tracking events: IP address, approximate geolocation (city, state, country), device type, browser, referrer, and event type when a tracked link or QR code is activated.
  • Usage data: Pages visited, features used, error logs.

We do not collect precise GPS coordinates unless explicitly provided. We do not collect payment card data directly — payments are handled by Stripe.

2. Legal Basis for Processing (GDPR)

For users in the EEA, UK, or Switzerland, our legal basis for processing personal data is:

  • Contract: Processing necessary to provide the platform services you signed up for.
  • Legitimate interest: Fraud detection, security monitoring, and service improvement.
  • Legal obligation: Maintaining financial records and audit logs for compliance purposes.
  • Consent: Marketing communications (you may withdraw at any time).

3. How We Use Your Information

  • Provide, operate, and improve the LocalReach Rewards platform
  • Calculate creator scores using verified local engagement data
  • Process payouts and verify payment eligibility
  • Detect and prevent fraud, abuse, and platform manipulation
  • Maintain an audit trail for compliance with SOC 2 and ISO 27001 controls
  • Send transactional notifications about your account and campaigns
  • Respond to support requests and enforce our Terms of Service

4. Location Data

IP-based geolocation is a core feature of the platform. When a tracked link or QR code is activated, we record the approximate city, state, and country of the visitor. This data is used exclusively to calculate the local engagement score that determines creator payouts. We store city/state/country only — not precise GPS. Location data is never sold or used for advertising targeting.

5. Data Sharing and Disclosure

  • Service providers: Supabase (database hosting), Stripe (payments), Netlify (CDN). Each bound by data processing agreements.
  • Business users: Can view aggregated, anonymized creator performance data for campaigns they own. Individual creator PII is not exposed to businesses.
  • Public result pages: Creator campaign results may be published publicly only with the creator's explicit consent.
  • Legal requirements: We may disclose data when required by law, court order, or to protect rights and safety.
  • We never sell personal data.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of a verified deletion request.
  • Tracking events: Retained for the campaign lifetime plus 3 years for audit and dispute purposes.
  • Audit logs: Retained for 7 years as required for financial compliance.
  • Payment records: Retained for 7 years as required by applicable law.

7. Your Rights

Depending on your jurisdiction, you have the right to:

  • Access: Request a copy of personal data we hold about you.
  • Rectification: Correct inaccurate personal data.
  • Erasure: Request deletion of your account and associated personal data (subject to legal retention obligations).
  • Portability: Receive your data in a machine-readable format.
  • Object: Object to processing based on legitimate interest.
  • Opt-out of sale (CCPA): We do not sell personal data. No opt-out is necessary.

To exercise any of these rights, email privacy@localreachrewards.com. We will respond within 30 days.

8. Security

We implement technical and organizational measures aligned with ISO 27001 and SOC 2 standards, including TLS encryption in transit, AES-256 encryption at rest, role-based access control with row-level security, and an append-only audit log for all privileged actions. See our Security page for full details.

9. Cookies

We use essential session cookies for authentication. We do not use third-party advertising or tracking cookies. See our Cookie Policy for details.

10. Changes to This Policy

We will notify you of material changes via email or a prominent in-app notice at least 14 days before they take effect. Continued use of the platform constitutes acceptance of the updated policy.

11. Contact

For privacy inquiries: privacy@localreachrewards.com
For security issues: security@localreachrewards.com
Postal: LocalReach Rewards, [Address], Fort Worth, TX