GDPR & Data Protection

1. Our Commitment

Local Brand Hub (a trading name of Matthew 10:16 Ltd) is committed to protecting the personal data of our users in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We have implemented appropriate technical and organisational measures to ensure data is processed lawfully, fairly, and transparently. This page summarises your rights and our obligations under data protection law.

For full details on what data we collect and how we use it, please see our Privacy Policy.

2. Data Controller Information

The data controller responsible for your personal data is:

For data protection enquiries, contact us using the details above. We do not currently have a designated Data Protection Officer (DPO) as we are below the threshold requiring one, but we take all data protection enquiries seriously.

3. Legal Bases for Processing

We only process personal data when we have a valid legal basis. The bases we rely on are:

Contract (Article 6(1)(b))

Processing necessary to provide you with the Service you have signed up for. This includes account management, subscription billing, and delivering features.

Legitimate interests (Article 6(1)(f))

Processing where we have a legitimate business interest that does not override your fundamental rights. This includes analytics to improve the Service, fraud prevention, and ensuring platform security.

Consent (Article 6(1)(a))

Processing based on your explicit consent, which you can withdraw at any time. This includes marketing communications and non-essential analytics cookies.

Legal obligation (Article 6(1)(c))

Processing required to comply with UK law, such as retaining financial records for tax purposes.

4. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

Right of access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a commonly used electronic format within 30 days.

Right to rectification (Article 16)

You can ask us to correct any inaccurate or incomplete personal data. You can also update your information directly through your account settings.

Right to erasure (Article 17)

You can request that we delete your personal data. We will comply unless we have a legal obligation to retain it (e.g. financial records). Account deletion removes your data within 30 days.

Right to restriction (Article 18)

You can ask us to temporarily restrict how we process your data, for example while we verify the accuracy of your data or consider an objection you have raised.

Right to data portability (Article 20)

You can request your personal data in a structured, commonly used, machine-readable format (e.g. CSV or JSON) so you can transfer it to another service.

Right to object (Article 21)

You can object to processing based on legitimate interests or direct marketing. If you object to direct marketing, we will stop immediately.

Rights related to automated decision-making (Article 22)

We do not make decisions that produce legal or similarly significant effects based solely on automated processing. Our AI features generate suggestions for you to review and edit, not automated decisions.

5. Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

• We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• If the breach is likely to result in a high risk to you, we will notify you directly without undue delay
• We will document all breaches, including their effects and the remedial actions taken

We maintain security incident response procedures and conduct regular security reviews to minimise the risk of breaches.

6. International Data Transfers

Some of our service providers process data outside the UK. Where this occurs, we ensure adequate protections are in place:

• Supabase — data hosted in the EU (covered by UK adequacy decision)
• Stripe — operates under Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA)
• Vercel — operates under SCCs and additional safeguards
• Google (Analytics) — operates under SCCs and the EU-US Data Privacy Framework
• Microsoft (Clarity) — operates under SCCs and the EU-US Data Privacy Framework

We only transfer data to countries or organisations that provide an adequate level of data protection as determined by the UK government, or where appropriate safeguards are in place.

7. Data Processing Agreement

If you are a business customer and require a Data Processing Agreement (DPA) for your own compliance purposes, please contact us at hello@localbrandhub.com. We can provide a DPA that covers:

• The nature and purpose of processing
• The types of personal data processed
• Your obligations and rights as the data controller
• Our obligations as the data processor
• Sub-processor details and management
• Data breach notification procedures
• Data deletion and return upon termination

8. How to Exercise Your Rights

To exercise any of the rights described above:

• Email us at hello@localbrandhub.com with the subject line “Data Protection Request”
• Use our contact form at localbrandhub.com/contact
• Account settings — some rights (rectification, erasure) can be exercised directly through your account

We will verify your identity before processing any request and respond within 30 days. In rare cases where a request is particularly complex, we may extend this to 90 days with notice.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office: