Built with security in mind

Security & data protection

We look after data for independent local businesses: restaurants, salons, coffee shops, florists and more. Here is exactly how we keep it safe.

Last updated: 9 July 2026

UK data hosting

Your account data is stored in the United Kingdom on Supabase’s UK region, so your core data stays under UK data-protection law rather than being shipped overseas.

Encrypted connections

Every page and API request is served over HTTPS with TLS, and we enforce HTTP Strict Transport Security (HSTS) so browsers only ever connect securely. Our infrastructure providers encrypt stored data at rest.

PCI-compliant payments

Card payments are handled entirely by Stripe, a PCI-DSS Level 1 provider. Local Brand Hub never sees or stores your full card number. Stripe processes it directly.

Row-level access control

The platform uses PostgreSQL row-level security so each business can only ever read or edit its own data. The dashboard is entirely behind authentication. There is nothing public to index.

Hardened by default

Every response carries a strict Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a locked-down Referrer-Policy and Permissions-Policy, plus HSTS preload.

Your data, your rights

You can export or delete your data at any time. We only collect what we need, and we comply with UK GDPR and the Data Protection Act 2018.

Who processes your data

We work with a small number of trusted providers to run the platform. Each operates under appropriate data-protection safeguards.

ProviderWhat they doSafeguard
SupabaseDatabase, authentication and file storageUK region, no international transfer
StripeSubscription paymentsPCI-DSS; SCCs + UK IDTA
VercelWebsite and application hosting / CDNSCCs and additional safeguards
ResendTransactional and newsletter emailEmail processor under data-processing terms
Google AnalyticsAnalytics (consent-gated)SCCs + EU-US Data Privacy Framework
Microsoft ClarityAnalytics (consent-gated)SCCs + EU-US Data Privacy Framework

For the full list of transfers and safeguards, see our GDPR page and Privacy Policy.

If something goes wrong

We maintain security incident response procedures and conduct regular security reviews. In the unlikely event of a personal data breach that is likely to put your rights at risk:

  • We notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.
  • If the breach is likely to result in a high risk to you, we tell you directly, without undue delay.
  • We document every breach: its effects and the steps we took to fix it.

Reporting a vulnerability

Found a security issue? We want to hear about it. Email hello@localbrandhub.com with the details and steps to reproduce. We investigate every report promptly and ask only that you give us a reasonable chance to fix the issue before disclosing it publicly. Please do not access or modify data that is not your own while testing.

Questions about security?

We are happy to talk through how we handle your data before you sign up.

Get in touch