Privacy Policy
Last updated: April 29, 2026
This notice describes how Lokly processes the personal data of its app and website users, in accordance with the EU General Data Protection Regulation (GDPR 2016/679).
1. Data Controller
Raffaele Lugibello, Via Tancredi D'Altavilla, 73026 Melendugno (LE), Italy. VAT no. 05334840757. Certified email: raffaelelugibello@pec.it. Privacy contact: privacy@lokly.it.
2. Data Collected
Provided by you: email, name, profile picture; for Restaurateurs: venue details, billing data, VAT number. Reviews, photos and uploaded content.
Collected automatically: geolocation (for "near me" search), push tokens, device identifiers, access logs (IP, user agent, timestamp).
From third parties: Google OAuth and Apple Sign In (email, name, picture if you choose social login); Stripe (last 4 digits and card brand only — the full card number is handled by Stripe and never reaches our servers).
3. Purposes and Legal Bases
- Service provision (account, search, reviews, subscription) — performance of contract, art. 6.1.b GDPR.
- Transactional and support emails — performance of contract.
- Geo-notifications and personalized recommendations — consent, revocable at any time from settings.
- Marketing communications — consent.
- Security and anti-fraud — legitimate interest, art. 6.1.f GDPR.
- Tax and accounting obligations — legal obligation, art. 6.1.c GDPR.
4. Recipients
Data is processed by service providers appointed as data processors:
- Supabase — database, authentication, storage (EU servers, Frankfurt).
- Stripe — payments and billing.
- Resend — transactional email.
- Firebase Cloud Messaging / APNs — push notifications (Google LLC / Apple Inc.).
- Google Maps Platform — geocoding and address autocomplete.
- Apify — Google Places data import.
- AWS Rekognition — automated photo analysis.
- Netlify — website hosting.
5. International Transfers
Some providers (Stripe, Firebase, AWS) may transfer data to the United States. Such transfers are based on adequate safeguards, in particular the Standard Contractual Clauses adopted by the European Commission.
6. Retention
- Active accounts: for the duration of the relationship.
- Deleted accounts: personal data erased within 30 days.
- Tax data (Stripe invoices): 10 years as required by Italian law.
- Reviews: anonymized but retained (transparency interest).
- Technical logs: 12 months.
7. Your Rights
You have the right to: access your data (art. 15), rectify it (art. 16), request erasure (art. 17), restrict processing (art. 18), receive your data in portable format (art. 20), object to processing (art. 21), withdraw consent (art. 7) and lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it).
To exercise your rights, write to privacy@lokly.it; we will respond within 30 days.
8. Security
We implement appropriate technical and organizational measures: encryption in transit (HTTPS) and at rest, password hashing (bcrypt via Supabase Auth), Row Level Security on the database, automatic daily backups, role-based access control.
9. Minors
The service is not intended for users under 16. If we become aware of an account belonging to a minor under 16, the account will be deleted.
10. Changes
Material changes to this notice will be communicated by email and in-app at least 15 days before they take effect.