
Privacy Policy

Effective date: May 31, 2026
Last updated: June 6, 2026

This Privacy Policy explains how LocalBike.Shop ("LocalBike.Shop," "we," "us," or "our") collects, uses, and protects personal information when you use the LocalBike.Shop platform and the associated shop-management software (collectively, the "Service").

This policy applies to two groups:

  • Shop owners and staff who create accounts to manage a bike shop on the Service.
  • Shop customers whose information is entered into the Service by a shop (e.g., a customer brought a bike in for service and the shop owner stored their contact info to send a pickup notification).

Where required by law, shops are responsible for providing their own customer-facing privacy notice to their customers and for obtaining any necessary consents.

1. What we collect

From shop owners and staff:

  • Account information: name and email from Google when you sign in.
  • Shop information: shop name, address, phone, hours, services offered, photos, public storefront content.
  • Operational data you choose to enter: customer contacts, job records, invoices, inventory, expenses, integration credentials, and similar shop-management data.
  • Usage and diagnostic data: pages visited, features used, error reports, IP address, browser type, device info, and timestamps. Used to operate, secure, and improve the Service.

From shop customers (entered by the shop):

  • Contact details: name, phone, email.
  • Service history: bikes serviced, jobs performed, invoices, payments.
  • Communications: SMS or email exchanges through the Service, if the shop uses those features.

From third-party integrations (only if the shop enables the integration):

  • Square: payment summaries, customer references, item data (per the shop's Square account).
  • Twilio: SMS delivery status for messages the shop sends through the Service.
  • Google Workspace: calendar events, email content the shop forwards to its inbox parser, and the OAuth tokens that authorize those connections.
  • Amazon: parsed order-confirmation emails for expense tracking.

What we don't collect:

  • We don't run third-party advertising trackers, analytics that share data with ad networks, or social-network pixels.
  • We don't sell or rent personal information to third parties.
  • We don't use shop or customer data to build profiles for sale or for advertising elsewhere.

2. How we use it

We use personal information to:

  • Provide, maintain, and improve the Service.
  • Authenticate shop accounts and prevent abuse.
  • Process payments and reconcile transactions on behalf of the shop.
  • Send transactional messages (e.g., job-status notifications, password reset emails) — to shop staff for account-related events, and from a shop to its customers if the shop uses the messaging features.
  • Respond to support requests.
  • Comply with legal obligations (tax records, lawful requests from law enforcement, etc.).
  • Detect, prevent, and investigate fraud, security incidents, and Terms-of-Service violations.

We do not use personal data for automated decision-making that produces legal or similarly significant effects without human review.

3. SMS and text messaging

If a shop enables text messaging, it may send you SMS messages related to your service — for example, booking confirmations, "your bike is ready" notices, and invoice reminders. These are transactional messages tied to a request you initiated with the shop.

  • Consent. By providing your mobile number to a shop (for example, on its booking form), you consent to receive service-related text messages from that shop at the number you provided.
  • Frequency. Message frequency varies based on your service activity.
  • Rates. Message and data rates may apply, depending on your mobile carrier and plan.
  • Opt-out. You can opt out at any time by replying STOP to any message. You will receive a confirmation and no further texts unless you opt back in. Reply HELP for assistance.
  • No marketing sale or sharing. Mobile information and SMS opt-in consent are used solely to deliver the messages you requested. We do not share or sell mobile opt-in data or phone numbers to third parties or affiliates for their marketing purposes.

SMS is delivered through our sub-processor Twilio (see the table below). Opt-out requests are honored at the carrier and platform level.

4. Sub-processors

We rely on the following sub-processors to deliver the Service. Each is contractually bound to handle data consistent with this policy and applicable law.

| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | United States |
| Vercel | Application hosting and CDN | United States (with global edge) |
| Cloudflare | DNS, edge security, optional caching for storefront domains | Global edge network |
| Anthropic | AI-assisted features (if/when enabled in-app) | United States |
| Twilio | SMS delivery for shops that enable Twilio per-shop | United States |
| Square | Payment data sync for shops that connect a Square account | United States |
| Amazon (via email forwarding) | Parsing of forwarded order-confirmation emails for expense tracking | United States |
| Google (Workspace APIs) | Calendar sync, Gmail-based intake (per-shop OAuth) | United States |

When a shop enables an integration, the relevant third-party provider becomes a sub-processor for that shop's data only. A shop can disable any integration at any time from the in-app settings.

We will update this list when we add, remove, or change a sub-processor. Shops with a signed DPA will be notified of material changes consistent with that agreement (see /legal/dpa).

5. Where data is stored and how it is protected

All shop and customer data is stored in the United States.

We apply security measures consistent with industry practice:

  • Encryption in transit: TLS for all connections between your device, our application, and our database.
  • Encryption at rest: the database and file storage are encrypted at rest by Supabase.
  • Row-level security: the database enforces row-level security policies so that one shop cannot read or modify another shop's data, even if an application-level bug exists.
  • Audit logging: sensitive administrative actions (impersonation, ownership transfers, sub-processor configuration changes) are logged.
  • Access controls: production credentials are scoped, rotated, and accessible only to engineering staff who require them.

We do not currently hold SOC 2, ISO 27001, or comparable certifications. We do not offer end-to-end encryption — our servers and operators can technically access data to operate the Service, subject to the access controls above.

No system is perfectly secure. If we become aware of a breach affecting your information, we will notify affected shops without undue delay and consistent with the DPA terms (72 hours after confirmation, where feasible).

6. How long we keep data

We retain shop and customer data for as long as the shop's account is active. After account termination, exportable shop data is available for export for at least 30 days, then deleted from our production systems, subject to backup retention windows of up to 90 days and any specific legal-hold requirements.

Aggregated, de-identified data may be retained indefinitely for analytics, benchmarking, and product improvement, since it can no longer be tied to a specific person or shop.

7. Your rights

If you are a shop owner, you can:

  • Access and update your account and shop data directly in the application.
  • Export your shop's data on request.
  • Delete your account, which initiates the deletion process described above.

If you are a customer of a shop that uses LocalBike.Shop, the shop is the primary controller of your information. Contact the shop directly to request access, correction, or deletion of your data. If you cannot reach the shop, contact us at privacy@localbike.shop and we will help facilitate the request.

We honor data-subject access, correction, and deletion requests to the extent required by applicable law. We may verify your identity before fulfilling a request to protect against fraudulent claims.

We do not currently target California or EU residents with a separate consumer-rights regime; if a shop with California or EU customers joins the platform, we will revisit this section and the underlying compliance posture.

8. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided personal information through the Service, please contact privacy@localbike.shop and we will delete it.

9. Cookies and similar technologies

We use only the cookies and local-storage entries needed to operate the Service:

  • Session cookies for authentication.
  • A small amount of local storage for UI preferences (e.g., last-used filters).

We do not use third-party advertising cookies, behavioral-tracking pixels, or analytics that share data with ad networks. If that changes, we will update this policy and add an in-app consent banner consistent with applicable law.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to shop owners by email and in-app at least 30 days before the change takes effect, where feasible.

11. Contact us

Questions, complaints, or data-subject requests: privacy@localbike.shop.

Postal address: available on request at privacy@localbike.shop.