LocalKit
Explore cities

Privacy Policy

How we collect, use and protect your personal data.

Last updated: 29 May 2026
This document is being finalised: the identity details (legal name, VAT, address, email) must be completed before launch.

This Privacy Policy explains how [LEGAL ENTITY NAME] ("LocalKit", "we", "us") processes personal data when you visit our website or purchase and use our digital city guides. We are committed to data minimisation: we collect as little as possible and never sell your data.

1. Who is responsible for your data

The data controller is [LEGAL ENTITY NAME], [REGISTERED ADDRESS], Italy (VAT [VAT NUMBER / P.IVA]). For any privacy request, contact [PRIVACY EMAIL].

2. What we collect and why

  • Purchase & contact data — your email address and order details (order ID, the guide purchased, amount, currency, date). We use this to deliver your access code and provide support. We never receive or store your payment-card details: payments are processed by Lemon Squeezy (see section 5).
  • Access & device data — your access code, a randomly generated device identifier stored locally on your device, and your browser's user-agent string. We use these to bind your code to a limited number of devices (3 by default), so a single purchase isn't shared with the whole world.
  • Usage analytics — aggregate, first-party events about how a guide is used (a chapter opened or viewed, a link tapped, an in-guide search) and the page that referred you. We deliberately do not collect your IP address and do not fingerprint your device.
  • Technical data — minimal, short-lived server logs kept by our hosting providers for security, abuse-prevention and reliability.

3. Legal bases (GDPR Art. 6)

  • Performance of a contract — to deliver the guide you bought and give you access.
  • Legitimate interests — to prevent abuse and unlimited sharing (device binding), to improve our guides through aggregate analytics, and to keep the service secure.
  • Legal obligation — to meet tax and accounting requirements.
  • Consent — where we ask for it explicitly; you can withdraw it at any time.

4. Cookies & local storage

We use a single essential cookie for the operator's admin session — it is not set for buyers. For readers, we use local storage that is strictly necessary to run the product: a random device identifier and an offline copy of the guide you purchased. We do not use advertising, profiling or third-party tracking cookies and we do not track you across other websites — so no cookie-consent banner is required.

5. Who we share data with

We rely on a small set of carefully chosen processors. We do not sell your personal data.

  • Lemon Squeezy (Lemon Squeezy, LLC, USA) — our Merchant of Record: processes payments, calculates and remits EU VAT, and issues your receipt/invoice. It receives your email and billing information.
  • Resend (Resend, Inc., USA) — sends the transactional email containing your access code.
  • Convex — our application database and backend. Your data is stored in the European Union (Ireland).
  • Vercel — website hosting and content delivery.

6. International transfers

Some providers are based in the United States. Where personal data is transferred outside the EU/EEA, it is protected by appropriate safeguards such as the EU–US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses. Our primary database is hosted within the EU.

7. How long we keep data

  • Purchase & access data — for as long as your access is active and as required by tax and accounting law (invoices are retained by Lemon Squeezy as Merchant of Record, typically up to 10 years).
  • Device bindings — while the access code is active.
  • Analytics events — kept for up to 14 months, then deleted or aggregated.

8. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict and port your data, and to object to certain processing. To exercise any of these, email [PRIVACY EMAIL]. You also have the right to lodge a complaint with a supervisory authority — in Italy, the Garante per la protezione dei dati personali.

9. Children

Our service is intended for adults and is not directed to children under 16. We do not knowingly collect their data.

10. Security

Data is transmitted over TLS and stored with access controls. No method is perfectly secure, but we take reasonable technical and organisational measures to protect your data.

11. Changes

We may update this policy. We will revise the "last updated" date above and, for material changes, take reasonable steps to notify you.

12. Contact

[LEGAL ENTITY NAME] — [PRIVACY EMAIL].