Privacy Policy
Last updated: May 22, 2026
This Privacy Policy explains what information Locasity LLC (“Locasity”, “we”, “us”) collects through the Locasity platform at locasity.com (the “Service”), how we use and share it, how long we keep it, and the choices and rights you have.
1. Who we are
The Service is operated by Locasity LLC. For privacy questions or to exercise your rights, contact privacy@locasity.com.
2. What we collect
From business owners. When you register or manage a business, we collect your name, email address, and phone number; your business's name, address, hours, type, and contact details; the menu items, descriptions, prices, ingredient lists, and dietary or allergen information you enter; and photos you upload (note that photo files may contain embedded metadata such as EXIF location or device information — remove it before uploading if you do not want to share it). We also record which version of our Terms and Privacy Policy you accepted and when.
From business owners — compliance features. If you use the license-tracking and inspection-record features, we also collect the license numbers, permit types, issue and expiry dates, inspector identifiers (our OCR tool defaults to extracting initials rather than full names; you may edit this field), inspecting authority, scores, violation codes and descriptions, and any notes or photos / PDFs you upload. License cards and inspection reports you upload are stored in your business's private storage area, are not displayed on your public listing, and are accessible only to you and to Locasity personnel with administrative access. Where a license is issued to a sole proprietor in their personal name, those records may contain personal identifiers; we treat such records as personal data for the purposes of access, correction, and deletion requests.
From customers (no account required). When someone scans a business's QR code or visits a business page, we collect their IP address, a general browser family (for example, “iOS Safari”), a short-lived session identifier stored in a cookie (see Section 8), and activity events such as menu views and review prompts. If a customer submits feedback, we collect the star rating, any written comment, and the table number if provided. Customer feedback is collected without an account and without a name or email — see Section 7 for what that means for data requests.
3. How we use it
We use the information above to:
- create, operate, and display business listings;
- send transactional and account messages (for example, sign-in codes, password resets, listing-status updates) and, where applicable, low-rating alerts to the business owner;
- detect, prevent, and investigate fraud, abuse, spam, and duplicate or fake reviews (this is why we retain IP addresses for a limited time);
- generate optional AI-assisted menu descriptions, taglines, and allergen suggestions (see Section 5);
- produce aggregate, non-identifying analytics about how listings are used; and
- comply with law, enforce our Terms, and protect the rights and safety of our users and the public.
4. Legal bases (where required)
Where data-protection law requires a legal basis, we rely on: performance of our contract with you (operating the Service); our legitimate interests (securing the Service, preventing fraud, understanding usage); your consent (where we ask for it); and compliance with legal obligations.
5. AI processing
When a business owner uses an optional AI feature, we send only the data needed for that feature to Anthropic (the provider of the Claude AI model), which acts as our service provider:
- AI menu suggestions — the menu photo, dish name, business details, and language preference, so Anthropic can return a suggested description, ingredient list, allergen flags, and translations.
- License and inspection OCR — the license card or inspection report you upload, so Anthropic can extract structured fields (license number, issue and expiry dates, inspector, violations, etc.) for you to review.
- Violation explanations — the violation code, description, severity, and a short business-context string, so Anthropic can return a plain-language explanation and remediation suggestions. Explanations are cached and may be reused for the same business when the violation text is the same.
AI output is a drafting and informational aid only. The business owner reviews everything before any structured field is saved. We do not send AI providers any customer feedback or analytics data.
6. Who we share it with
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only with service providers that process it on our behalf, under contract, for the purposes described in this policy:
- Google / Firebase — authentication, database, file storage, and Places lookups (privacy);
- Anthropic — AI-assisted menu copy and allergen suggestions (privacy);
- SendGrid (Twilio) — transactional and alert email delivery (privacy);
- Vonage — SMS delivery for sign-in codes (privacy).
We may also disclose information if required by law or legal process, to enforce our Terms, to protect rights and safety, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you).
7. Your rights and choices
Depending on where you live, you may have rights to know, access, correct, delete, or port your personal information, to opt out of its sale or sharing (we do not sell or share it), and to limit the use of sensitive information. This includes rights under the California Consumer Privacy Act (CCPA/CPRA), the Virginia, Colorado, Connecticut, Utah, and Texas privacy laws, and — where applicable — the EU/UK GDPR (access, rectification, erasure, restriction, portability, objection). We will not discriminate against you for exercising these rights.
To make a request, use our self-service form at /data-request. You will receive a confirmation email to verify the request, and we will respond within the timeframe required by law (generally 45 days). You may also email privacy@locasity.com.
A note on anonymous customer data. Customer feedback and activity events are collected without an account, a name, or an email address, so we generally cannot link them back to a specific individual on request. The most reliable identifier for that data is the session value in your browser's "lsy_sid" cookie; in any case, activity events and the associated IP addresses are automatically deleted within 90 days (see Section 9). If you have a specific concern, contact us and we will help to the extent we can.
8. Cookies and similar technologies
We use a single first-party cookie, lsy_sid, which stores a short-lived random session identifier. It exists to keep your session consistent and to detect duplicate or fraudulent feedback submissions. It is set with the httpOnly flag, has a short lifetime, and is not used for advertising. We do not set third-party analytics or advertising cookies. If we add such technologies in the future, we will update this section and provide any consent controls required by law.
9. How long we keep it
- Activity events and IP addresses — automatically deleted approximately 90 days after collection.
- Customer feedback — retained until the business owner deletes it or the business listing is removed.
- Business listing and owner account data — retained while the account is active and for a reasonable period afterward, then deleted or anonymized, unless we must keep it longer to comply with law, resolve disputes, or enforce our agreements.
- License and inspection records — retained while your account is active. When you delete a record, or your account, it is removed from active storage promptly. Copies may persist in routine encrypted backups for up to 90 days before being overwritten, and we may retain records longer where we must do so to comply with law or resolve disputes.
- Opt-out records (email/SMS) — retained as long as needed to honor your opt-out.
10. Security
We use reasonable administrative and technical measures designed to protect personal information, including database security rules, access controls, attestation checks on sensitive endpoints, rate limiting, encryption in transit (HTTPS), and keeping credentials out of source code. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us and we will delete it.
12. International users
The Service is operated from the United States and is intended for use in the United States. If you access it from elsewhere, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your country.
13. Changes to this policy
We will update the “Last updated” date above when we make changes. We will notify registered owners by email of material changes.
14. Contact
Questions or requests? Contact us at privacy@locasity.com.