Security & data protection
We look after data for independent local businesses: restaurants, salons, coffee shops, florists and more. Here is exactly how we keep it safe.
Last updated: 9 July 2026
UK data hosting
Your account data is stored in the United Kingdom on Supabase’s UK region, so your core data stays under UK data-protection law rather than being shipped overseas.
Encrypted connections
Every page and API request is served over HTTPS with TLS, and we enforce HTTP Strict Transport Security (HSTS) so browsers only ever connect securely. Our infrastructure providers encrypt stored data at rest.
PCI-compliant payments
Card payments are handled entirely by Stripe, a PCI-DSS Level 1 provider. Local Brand Hub never sees or stores your full card number. Stripe processes it directly.
Row-level access control
The platform uses PostgreSQL row-level security so each business can only ever read or edit its own data. The dashboard is entirely behind authentication. There is nothing public to index.
Hardened by default
Every response carries a strict Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a locked-down Referrer-Policy and Permissions-Policy, plus HSTS preload.
Your data, your rights
You can export or delete your data at any time. We only collect what we need, and we comply with UK GDPR and the Data Protection Act 2018.
Who processes your data
We work with a small number of trusted providers to run the platform. Each operates under appropriate data-protection safeguards.
| Provider | What they do | Safeguard |
|---|---|---|
| Supabase | Database, authentication and file storage | UK region, no international transfer |
| Stripe | Subscription payments | PCI-DSS; SCCs + UK IDTA |
| Vercel | Website and application hosting / CDN | SCCs and additional safeguards |
| Resend | Transactional and newsletter email | Email processor under data-processing terms |
| Google Analytics | Analytics (consent-gated) | SCCs + EU-US Data Privacy Framework |
| Microsoft Clarity | Analytics (consent-gated) | SCCs + EU-US Data Privacy Framework |
For the full list of transfers and safeguards, see our GDPR page and Privacy Policy.
If something goes wrong
We maintain security incident response procedures and conduct regular security reviews. In the unlikely event of a personal data breach that is likely to put your rights at risk:
- We notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.
- If the breach is likely to result in a high risk to you, we tell you directly, without undue delay.
- We document every breach: its effects and the steps we took to fix it.
Reporting a vulnerability
Found a security issue? We want to hear about it. Email hello@localbrandhub.com with the details and steps to reproduce. We investigate every report promptly and ask only that you give us a reasonable chance to fix the issue before disclosing it publicly. Please do not access or modify data that is not your own while testing.
Questions about security?
We are happy to talk through how we handle your data before you sign up.
Get in touch