BUYLOCAL

Legal

Privacy Policy

Version 2026-06-22 · Effective 22 June 2026

This Privacy Policy explains how Buy Local (“we”, “us”) collects and uses personal data when you use our website and services. It is written to satisfy the UK GDPR and the Data Protection Act 2018.

1. Data controller

Buy Local is the data controller for the personal data described in this policy. You can reach us at hello@buylocal.live for any privacy question, data subject request, or complaint.

Admin note: the registered company name and address will be added here before production launch.

2. What we collect

  • Account data: email address, display name, password hash (handled by our auth provider), and your chosen user role.
  • Profile & producer data: business name, county, fulfilment options, postcode, photos and any descriptions you publish.
  • Order data: items purchased, delivery details, contact details you provide at checkout, and the order status.
  • Messages & reviews: enquiries, replies and reviews you write on the platform.
  • Technical data: IP address, browser type, device, and pages visited. Used only for security and (with consent) analytics.
  • Consent data: a timestamped record of the choices you make about cookies, marketing emails, and policy acceptance, with the version of the policy that was in force at the time.

3. Why we use your data (lawful basis)

  • Contract: to create your account, process orders, communicate with you about purchases, and provide producer tools.
  • Legitimate interests: to keep the service secure, prevent fraud, and improve features. You can object at any time.
  • Legal obligation: to keep records required by tax, accounting and consumer-protection law.
  • Consent: for non-essential cookies and any marketing emails. You can withdraw consent at any time, including via the one-click unsubscribe link in every marketing email.

4. Who we share data with (sub-processors)

We share the minimum data needed with carefully chosen processors. Each is bound by a written data-processing agreement.

  • Lovable Cloud / Supabase — hosting, database and authentication. Data hosted in the EU.
  • Mapbox — map tiles and geocoding. Processes IP and location for tile rendering, hosted in the US under Standard Contractual Clauses (SCCs) / UK IDTA.
  • Stripe — payment processing (when you check out). Hosted globally under SCCs / UK IDTA. Stripe is also the controller for its own fraud-prevention purposes.
  • Resend — transactional email delivery (order receipts, enquiry notifications). EU/US under SCCs / UK IDTA.

Producers you order from receive your name, contact details and the information needed to fulfil the order.

5. International transfers

Where data leaves the UK / EEA, we rely on the UK International Data Transfer Addendum or Standard Contractual Clauses with the recipient.

6. How long we keep data (retention)

  • Account data: until you close your account, then a 30-day grace window in which you can cancel deletion.
  • Order & payment records: 6 years to meet UK tax law. Personal identifiers are anonymised when you close your account.
  • Enquiries & replies: 2 years from last activity, then automatically purged.
  • Consent & policy-acceptance log: 6 years (the limitation period for evidencing lawful processing).
  • Marketing preferences & suppression list: kept until you ask us to delete them, so we can honour your unsubscribe.
  • Producer profiles after account closure: unpublished and unlisted; contact details removed. The slug is retained so past orders, reviews and links keep resolving.

7. Your rights

Under UK GDPR you have the right to: access your data; correct it; erase it (“right to be forgotten”); restrict or object to processing; data portability; and to withdraw consent at any time. You can:

  • Export your data as a single JSON file from Settings → Privacy.
  • Delete your account from Settings → Privacy. Deletion is scheduled 30 days out so you can cancel by signing back in.
  • Unsubscribe from any marketing email with the one-click link, or by turning the marketing toggle off in Settings.
  • Email hello@buylocal.live for any other request. We respond within one month.

You can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Children

Buy Local is not intended for users under 16.

9. Security

Data is encrypted in transit (TLS) and at rest on our hosting provider. Access to personal data is limited to authenticated users via row-level security, and to administrators on a need-to-know basis.

10. Changes to this policy

When we change this policy we update the version number above and ask you to acknowledge the new version on your next visit.

See also: Cookie Policy · Terms of Service