Applies to: the Local Hero website at getlocalhero.ie, the Local Hero application at app.getlocalhero.ie, all subdomains, and the Local Hero service.
1. Who we are
Local Hero is a Google Business Profile autopilot SaaS operated by WebFluence Digital LLC, a US-registered limited liability company with its operational base in Dublin, Ireland.
- Legal entity: WebFluence Digital LLC, 1603 Capitol Ave, Suite 413G-1297, Cheyenne, WY 82001, USA
- Operational base: Dublin, Ireland
- Founder & sole operator: Dusan Walla
- Privacy contact: privacy@getlocalhero.ie (forwards to dusan.walla@webfluence.digital)
- Postal contact (EU): Dublin, Ireland (specific address provided on request to verified data subjects under Article 15)
- Data Protection Authority: Data Protection Commission (DPC), Ireland — dataprotection.ie
We are the data controller for personal data we collect about you as a Local Hero customer (or a visitor to getlocalhero.ie). We act as a data processor on behalf of our customers when handling end-customer data they import into Local Hero (e.g., their own customers' phone numbers for review-request SMS). See Section 10.
This product-specific Policy supplements the umbrella WebFluence Digital LLC Privacy Policy at webfluence.digital/privacy. Where they conflict regarding Local Hero data flows, this Policy controls.
2. What we collect
2.1 You provide directly (account holder)
- Account registration: full name, email address, business name, Google Business Profile location ID, postal address, phone number, locale (en-IE / en-GB), timezone.
- Billing: billing address, country, VAT ID (optional, B2B). Card details are handled by Stripe — we never see card numbers.
- Tone-of-voice settings: free-text describing your business voice, sample reply texts you provide.
- Customer list import: names, phone numbers, email addresses, opt-in flags for the customers YOU import into Local Hero so we can send review requests on your behalf.
- Direct communications: any email, message, or call to support — content stored.
2.2 We collect automatically (account holder)
- Server logs at app.getlocalhero.ie: IP address, timestamp, request path, user agent, response code. Retained 90 days for security and abuse prevention.
- Usage telemetry: which app screens you visit, which features you use, login times. Pseudonymised to your org_id — used to debug, prioritise features, and detect account compromise. Retained 12 months.
- Cookies: see Section 4 and our separate Cookie Policy.
2.3 From third parties (account holder)
- Google Business Profile — when you connect your GBP via OAuth, we receive (subject to your explicit consent and the Google API Limited Use disclosure in Section 9): business name, address, phone, location ID, place ID, reviews, posts, photos, insights metrics. We do NOT receive your Google account password or any data from other Google services.
- Stripe — we receive subscription status, invoice history, last-4 digits of card, billing country. We do NOT receive full card details.
2.4 End-customer data (your customers)
When you import your customer list into Local Hero, we process those records on your behalf as your data processor. See Section 10 for processor responsibilities and our DPA.
3. Why we use your data — legal bases
| Purpose | Data | Legal basis (GDPR Art 6) |
|---|---|---|
| Provide the Local Hero service | Account, billing, GBP, customer list | Contract (6(1)(b)) |
| Send review-request SMS/WhatsApp on your behalf | Your customers' phone + opt-in flag | Contract with you + Consent (6(1)(b) + 6(1)(a)) for the end-customer |
| Bill you and comply with VAT/OSS rules | Billing data, VAT ID | Legal obligation (6(1)(c)) — IE Revenue + EU OSS |
| Debug crashes, prevent abuse | Server logs, telemetry | Legitimate interest (6(1)(f)) — keeping the service running safely |
| Send service emails (billing, security, breaking changes) | | Contract (6(1)(b)) |
| Send product updates, marketing | | Consent (6(1)(a)) — opt-in only, separate from service email |
| Defend legal claims | All data | Legitimate interest (6(1)(f)) — limited to dispute scope |
4. Cookies
getlocalhero.ie and app.getlocalhero.ie use cookies. See the full Cookie Policy.
Summary:
- Strictly necessary (always on): session token, RLS auth cookie, cookie-consent choice.
- Functional (always on): currency selection (€/£), theme.
- Analytics (consent-gated, off by default in EU/UK): Google Analytics 4 — only after you click Accept.
- Marketing/advertising: none. We do not run ad pixels.
We use Google Consent Mode v2 so that GA4 receives only consented signals; pre-consent traffic is anonymised at source.
5. How long we keep data
| Category | Retention |
|---|---|
| Account record (active) | While you have an active subscription + 30 days post-cancellation |
| Account record (post-deletion) | Removed within 30 days of deletion request, except where retained for legal obligation |
| Billing records (Stripe + our DB) | 7 years from invoice date — Irish Revenue requirement |
| Server logs (app.getlocalhero.ie) | 90 days, then deleted |
| Audit log (your tenant write trail) | 7 years — defence of disputes + GDPR Art 30 |
| End-customer data (review requests, opt-ins) | While the underlying customer record exists in your account; deleted with the customer record |
| Backups | Encrypted, rolling 30-day window |
| Marketing emails (opt-in) | Until you unsubscribe |
| Support communications | 3 years from last message |
6. Who we share data with — sub-processors
We use the following service providers ("sub-processors") to operate Local Hero. Each is contractually bound by GDPR-compliant terms (DPA + Standard Contractual Clauses where applicable):
| Sub-processor | Purpose | Data location | Transfer mechanism |
|---|---|---|---|
| Supabase (Supabase Inc.) | Application database, auth | EU (Frankfurt region) | Within EEA |
| Hetzner Online GmbH | Server hosting (n8n, redis) | Germany / Finland | Within EEA |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global edge | SCCs + DPF |
| Vercel Inc. | Marketing site + app frontend hosting | Global edge (EU primary) | SCCs + DPF |
| Stripe Payments Europe Ltd | Subscription billing, Tax MOSS | Ireland (EU) | Within EEA |
| Resend (Resend.com Inc.) | Transactional + magic-link email | US | SCCs + DPF |
| Twilio Ireland Ltd | SMS to your customers | EU | Within EEA |
| Meta WhatsApp Business | WhatsApp to your customers (when feature enabled) | EU | Within EEA |
| Google LLC (GBP API, OAuth) | Reading/writing your Google Business Profile | US | SCCs + DPF |
| Anthropic, PBC | LLM drafting of review replies | US | SCCs + DPF |
| DataForSEO LLC | Rank tracking grid data | US | SCCs + DPF |
| GoDaddy.com LLC | Domain registration only | US | SCCs + DPF |
The current canonical sub-processor list is maintained internally and notified to customers by email at least 30 days before any addition or change goes live.
We do not sell personal data. We do not share data with advertisers.
7. Where data goes — international transfers
Where data leaves the EEA (e.g., Resend in the US, Anthropic in the US), we rely on:
- EU–US Data Privacy Framework (DPF) where the recipient is certified, AND
- Standard Contractual Clauses (SCCs, 2021 modules) as a backstop, AND
- additional safeguards (encryption in transit + at rest, minimised data sets) as required by Schrems II.
A Transfer Impact Assessment is maintained internally and available to verified data subjects on request.
8. Your rights
Under GDPR you have the right to:
- Access the data we hold about you (Art 15)
- Rectification of inaccurate data (Art 16)
- Erasure (right to be forgotten — Art 17), subject to legal retention duties
- Restriction of processing (Art 18)
- Portability — receive your data in a machine-readable format (Art 20)
- Object to processing based on legitimate interest (Art 21)
- Withdraw consent at any time (Art 7(3)) — without affecting prior lawful processing
- Complain to the Data Protection Commission (Ireland) — dataprotection.ie
To exercise any right, email privacy@getlocalhero.ie. We respond within 30 days (extendable by 60 days for complex requests, with notice).
For Local Hero account deletion: log in → Settings → Delete account. We confirm via email within 24h and complete deletion within 30 days. Backups roll off within 60 days.
9. Google API Limited Use disclosure
Local Hero uses the Google Business Profile (GBP) API. Per Google's Limited Use Requirements, we confirm:
- Allowed use: We use GBP data only to provide and improve the user-facing Local Hero features you signed up for — review monitoring, AI-drafted reply generation (subject to your approval), post scheduling, photo management, rank tracking against your own GBP location.
- No advertising: We do NOT use GBP data for advertising purposes, our own or third parties'.
- No sale: We do NOT sell GBP data, ever.
- Limited human access: A Local Hero engineer may view GBP data only when (a) you give specific support consent, (b) for security/anti-abuse investigation, (c) to comply with applicable law, or (d) for internal aggregate operations like debugging — never to read individual review content for any other purpose.
- No transfer to AI training: GBP data is NEVER used to train or fine-tune any AI/ML model — including our LLM-drafted reply feature. We use Anthropic's API in non-training mode and pass only the specific review text needed to draft a reply, retaining no model state.
The full Google API Limited Use addendum is maintained internally and submitted to Google during the GBP API approval process.
10. End-customer data — when we are processor, not controller
When you import your customers' phone numbers, names, and addresses into Local Hero so we can send review requests on your behalf, you are the controller and we are the processor. Our obligations are governed by the Data Processing Addendum, which is automatically incorporated into our Terms of Service.
You are responsible for:
- Having a lawful basis (typically consent — GDPR Art 6(1)(a) + ePrivacy SMS opt-in) before importing each customer.
- Honouring opt-out requests promptly. Local Hero auto-honours STOP keywords on Twilio, but you must inform Local Hero of opt-outs received outside our channels.
- Keeping your customer list accurate.
11. Children
Local Hero is a B2B service. The end-customer data you may import (your own customers) is not expected to relate to children under 16. If you have reason to believe end-customer data relating to a child has entered Local Hero, contact privacy@getlocalhero.ie immediately.
12. Security
We protect data in transit (TLS 1.2+) and at rest (AES-256 at the database layer, libsodium for refresh tokens). Access is least-privilege via Supabase RLS. We maintain an audit log of every tenant write. We follow the OWASP Top 10 in app development. Backups are encrypted.
If a personal-data breach occurs, we notify the Irish DPC within 72 hours where required by Art 33, and notify affected data subjects without undue delay where Art 34 applies.
13. Changes to this Policy
We update this Policy when our practices change. Material changes are notified by email at least 30 days before the new version takes effect. The version number and effective date at the top of this document are the authoritative record.
14. Contact
- Privacy enquiries: privacy@getlocalhero.ie
- General support: hello@getlocalhero.ie
- Postal (EU): provided on request to verified data subjects
v1.0 · under periodic review.