Privacy Policy

LocalSEO.uk is operated by [Legal Entity Name, Company Number], registered at [Registered Address, United Kingdom].

For all privacy questions, contact us at privacy@localseo.uk.

We collect the following categories of information:

• Account information — your name, email address, business name, phone, password (hashed), and authentication identifiers when you sign up or sign in (including via Google Sign-In).
• Billing information — billing address, VAT number where applicable, and payment metadata. Card details are processed directly by Stripe and never stored on our servers.
• Service data — data you submit through the Services, such as websites, target keywords, locations, audit results, and uploaded files.
• Google user data — see section 3.
• Technical data — IP address, browser type, device, pages viewed, and similar diagnostics collected through cookies and server logs.
• Communications — messages you send us via email, support chat, or contact forms.

When you connect your Google account to LocalSEO.uk, we use OAuth 2.0 to request specific scopes. We only request the minimum scopes needed to deliver the features you use:

• openid, userinfo.email, userinfo.profile — to identify your Google account, display your name, and link the connection to your LocalSEO.uk account.
• https://www.googleapis.com/auth/business.manage — to read and (where you ask us to) update information about the Google Business Profile locations you manage. This includes business name, address, categories, opening hours, attributes, photos, posts, reviews, Q&A, and performance insights.

We access this data only after you have explicitly granted consent on Google's consent screen, and only for the locations associated with the Google account you connected. We store the resulting OAuth access and refresh tokens in encrypted form so that scheduled audits and dashboards can keep working without you having to re-authenticate every session.

LocalSEO.uk's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

• We use Google user data only to provide or improve user-facing features that are prominent in the Services' UI.
• We do not transfer Google user data to third parties except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
• We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or the data has been aggregated and anonymised for internal operations.

We use the data described above to:

• Create and manage your account and authenticate you.
• Run Google Business Profile audits and generate optimisation recommendations.
• Display your locations, reviews, posts, and performance metrics inside your dashboard.
• Send transactional emails (sign-in, billing, account, security).
• Provide customer support and respond to your enquiries.
• Process payments and manage subscriptions.
• Detect, prevent, and investigate fraud, abuse, and security incidents.
• Comply with our legal and tax obligations.
• Improve the Services through aggregated, non-identifying analytics.

• Contract — to deliver the Services you have signed up for.
• Legitimate interests — to secure the Services, prevent abuse, and run our business (e.g. analytics on aggregate usage). We balance these against your rights.
• Consent — for non-essential cookies, marketing emails, and the OAuth scopes you grant in Google's consent screen. You can withdraw consent at any time.
• Legal obligation — to keep accounting records and respond to lawful requests.

We do not sell your personal data or Google user data. We share it only with the trusted sub-processors below, and only as needed to operate the Services:

• Lovable Cloud (Stockholm, Sweden / EU) — application hosting, edge functions.
• Supabase — managed Postgres database, authentication, and storage (EU region).
• Stripe — payment processing and subscription billing.
• Google LLC — Google Sign-In and Google Business Profile APIs (only with your consent).
• Lovable AI Gateway (Google Gemini and OpenAI models) — to generate audit summaries and recommendations. See section 8.
• Email delivery provider — to send transactional and (with consent) marketing emails.

We also disclose information when required by law, court order, or to protect the rights, property, or safety of LocalSEO.uk, our users, or others.

We use large language models (currently provided by Google Gemini and OpenAI via the Lovable AI Gateway) to generate audit narratives, optimisation suggestions, and content drafts. Where Google user data is sent to these models:

• It is sent solely to produce a user-facing response within the Services.
• It is not used by us, or by our model providers under the contracted terms, to train or fine-tune generalised models.
• Human review of inputs or outputs is restricted to the cases described in section 4.

Personal data and Google user data are stored in EU-region infrastructure operated by our hosting and database sub-processors. OAuth tokens and other secrets are encrypted at rest. Data in transit is protected with TLS.

Some sub-processors (notably Stripe, Google, and our AI providers) may process data in the United States or other countries. Where personal data is transferred outside the UK / EEA, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses and equivalent safeguards.

• Account data — for as long as your account is active, and up to 24 months afterwards.
• Google OAuth tokens — until you disconnect Google, delete your account, or revoke access in your Google account, after which we delete them within 30 days.
• Synced Google Business Profile data — kept while your subscription is active and deleted within 30 days of account closure or disconnection (except aggregated, non-identifying audit metrics).
• Billing and tax records — retained for 7 years to meet UK statutory requirements.
• Support communications — up to 3 years after last contact.

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data.
• Erase your data ("right to be forgotten") where applicable.
• Restrict or object to certain processing.
• Data portability.
• Withdraw consent at any time, where processing relies on consent.

To exercise any of these rights, email privacy@localseo.uk. We will respond within 30 days.

You can disconnect LocalSEO.uk from inside the dashboard at any time, or revoke access directly from your Google account at myaccount.google.com/permissions. When you revoke access we delete the related OAuth tokens within 30 days and stop syncing new data from your Google Business Profile.

We use a small number of cookies that are strictly necessary to keep you signed in and to keep the site secure, plus optional analytics cookies that we only set with your consent. You can manage cookies through our cookie banner or your browser settings.

The Services are not directed to children under 16, and we do not knowingly collect personal data from them.

We may update this policy from time to time. Material changes will be notified to you by email or through the Services. The "Last updated" date at the top reflects the latest revision.

For privacy queries, email privacy@localseo.uk.

If you are unhappy with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.