Lokali

Privacy Policy

Last updated: June 2026

1. Controller

The controller responsible for data processing on this website and in the Lokali app is:

Andres Emilio Morales Munoz-Rivero e.U.
Dr.-Karl-Renner-Str. 12c/1
3425 Tulln an der Donau, Austria
Email: [email protected]

There is no legal obligation to appoint a data protection officer. Please direct data protection requests to the email address above.

2. Principles of Data Processing

We process personal data only to the extent necessary to provide a functional website and our app services, or where you have given your consent. Processing takes place in accordance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and the Austrian Telecommunications Act (TKG 2021, the framework governing access to terminal equipment that is equivalent to former TTDSG rules).

Lokali is a hyperlocal marketplace for connecting help, services and jobs between private individuals and businesses. We act purely as an intermediary platform; contracts are concluded directly between users.

3. Data on Registration and Account

When you use a Lokali account, we process:

  • Email address (required) - for account creation, sign-in and communication
  • Password (for email registration) - stored exclusively as a bcrypt hash, never in plain text
  • Name, display name, profile picture, bio (optional) - to personalise your profile
  • Phone number (optional) - only if you provide it
  • Location data (for the core function) - see section 5
  • CV data (optional, for applications) - skills, work experience, education, certificates, languages
  • Two-factor authentication (2FA) (optional) - the TOTP secret and recovery codes are stored encrypted or as a hash respectively
  • Sign-in via Google or Apple (optional) - see sections 8 and 9
  • Push token and web push subscriptions (optional) - to deliver notifications

Legal basis: Art. 6(1)(b) GDPR (performance of a contract); for optional details and notifications Art. 6(1)(a) GDPR (consent).

4. Usage Data

As part of using the service, we process the content you create:

  • Listings (request, offer, service, tender, job posting) and their content
  • Applications, enquiries and attached documents
  • Chat messages between users
  • Ratings and reviews
  • Appointment bookings
  • Company profiles and associated details
  • Transaction and subscription data

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

5. Location Data and Address Privacy

Lokali uses location data to show listings near you. You control how precisely your location is visible to other users:

  • Exact: your precise address is shown (only if you actively choose this)
  • City (default): only city / district is shown
  • Hidden: your location is not shown to other users

For other users, your precise street address is by default not disclosed and the map coordinate is fuzzed by roughly 1 km, unless you have explicitly chosen the exact display. This means pins on the map cannot be matched to a precise home address.

Legal basis: Art. 6(1)(a) GDPR (consent to location access) and Art. 6(1)(b) GDPR (performance of a contract).

6. Device and Connection Data

When you access our services, we process certain connection data for technical reasons:

  • IP address and user agent: to deliver the services, to prevent abuse (rate limiting), for security audit logs and in server access logs.
  • Session and device information: for active sign-in sessions (for example to display your active sessions and to allow revocation).

The IP address and user agent are stored in security audit logs and session tokens for a maximum of 90 days; in our event tracking (section 7) the IP address is not stored (used only transiently to limit the request rate).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and operability).

7. Event Tracking and Analytics

Lokali operates its own, internal event tracking system to improve the app, sort listings sensibly and identify gaps in supply. No external analytics providers (for example Google Analytics, Meta Pixel, PostHog, Plausible) are integrated. The event data is stored in our own database on our server in Germany. This is distinct from measuring the success of our advertising via Google Ads (only with your consent); see section 8.7. Independently of this, we record certain functional usage events server-side; see section 17.

7.1 Events Recorded

We record structured events relating to session, search (including search term and filters), listing views and dwell time, applications, profile and company views, chat metadata (start, count, response times - not the message content), ratings, search agents, onboarding and payment transactions (amounts and product, no payment method details).

7.2 Technical Details and Identifiers

  • Storage location: our own MongoDB database on our server in Germany (Hetzner).
  • Identifiers: a session ID generated in the browser/device (a random UUID) and, if you are signed in, your user ID. Transparency note: after login the session ID is linked to your user ID and is then no longer anonymous.
  • No IP storage in the events; transmission is encrypted (HTTPS/TLS) and bundled in batches.
  • Retention period: 24 months, after which automatic deletion occurs. On account deletion your events are anonymised (user ID removed).

7.3 Legal Basis and Your Control

Analytics events are recorded only with your consent (Art. 6(1)(a) GDPR). Without consent given via the cookie/consent banner, no analytics event is created. Contract-related operations (for example application, checkout) rely on Art. 6(1)(b) GDPR, and security events (login) on Art. 6(1)(f) GDPR. You can withdraw your consent at any time via the cookie settings in the footer or under Profile > Settings, and have your previous tracking history anonymised.

8. Recipients and Processors

We use the following service providers to operate our platform. Where personal data is transferred to a third country (in particular the USA), this takes place on the basis of EU Standard Contractual Clauses; see section 9.

8.1 Hosting and Infrastructure

  • Hetzner Online GmbH (Germany) - hosting of our servers and our database in a data centre in Germany. We operate the database ourselves; no external database provider is involved anymore.
  • Cloudflare - CDN, protection against attacks, TLS (processes, among other things, the connection IP)
  • Cloudflare R2 (EU region) - storage of images and uploaded documents (for example application materials)

8.2 Sign-in (OAuth)

  • Google Sign-In (Google LLC, USA) - when signing in via Google. We receive your Google identifier, email address, name and possibly profile picture.
  • Apple Sign-In (Apple Inc., USA) - when signing in via Apple. We receive your Apple identifier and (on first sign-in) email and name.

8.3 Communication and Notifications

  • Brevo (EU/France) - transactional emails and notifications
  • Expo / EAS (650 Industries, Inc., USA) - push notifications on mobile devices as well as app updates
  • Browser push services (for example Google FCM, Mozilla, Apple) - delivery of web push messages

8.4 Maps and Location

  • Mapbox (Mapbox Inc., USA) - map display. Note: when map tiles are loaded, your IP address is transmitted to Mapbox. Address autocompletion, by contrast, runs via our server (no IP transmission to Mapbox).

8.5 Payment Processing

  • Stripe - card payments and subscriptions on the web (receives, among other things, name, email, billing address)
  • RevenueCat - management of in-app subscriptions (receives your internal user ID and the subscription status)
  • Apple In-App Purchase / Google Play Billing - payments via iOS and Android devices respectively

8.6 Security and Moderation

  • OpenAI Moderation (OpenAI, USA) - automated checking of text (for example listing titles and descriptions) for inadmissible content. In this process the text you enter is transmitted to OpenAI. This check is only performed if enabled.
  • Sentry - error and stability monitoring (technical error reports; without plain-text content and with reduced personal data). Legal basis: Art. 6(1)(f) GDPR.

Automated image moderation by external services is not currently active; reported content is reviewed manually.

8.7 Advertising and Conversion Tracking (Google Ads)

We use Google Ads, a service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), to measure the success of our advertisements. If you reach Lokali via one of our ads, Google sets a cookie and we can track whether a relevant action (for example a registration) takes place. We only receive aggregated statistics, no data that would allow us to identify you personally.

  • Purpose: measurement and optimisation of our advertising campaigns.
  • Legal basis: your consent (Art. 6(1)(a) GDPR). The tag only loads if you accept the "Marketing" category in the cookie banner.
  • Recipient / third country: Google; a transfer of data to the USA is possible. Google is certified under the EU-US Data Privacy Framework, and EU Standard Contractual Clauses apply in addition.
  • Retention period: conversion cookies usually expire after 90 days.
  • Withdrawal: at any time via the cookie settings link in the footer (disable the "Marketing" category).

Data processing agreements pursuant to Art. 28 GDPR are in place with processors.

9. Transfer of Data to Third Countries

Some of the services named in section 8 are based in the USA or process data there (in particular Google, Apple, Mapbox, Stripe, RevenueCat, OpenAI and Expo). Where personal data is transferred to the USA or other third countries in this context, we base this on EU Standard Contractual Clauses (Art. 46 GDPR) or, where certified, on the EU-US Data Privacy Framework. Despite these safeguards, a level of data protection lower than in the EU may exist in third countries.

10. Cookies and Local Storage

The website uses the following cookies. Necessary cookies are required for operation and do not require consent.

NamePurposeDurationCategory
lokali_auth_tokenSign-in (access token)1 daynecessary
lokali_refresh_tokenRenewal of the sign-in90 daysnecessary
lokali_csrf_tokenProtection against cross-site request forgery1 daynecessary
NEXT_LOCALEselected language1 yearfunctional

In addition, we store data locally in the browser (localStorage), including your consent decision, display settings and drafts. For analytics (section 7), and only after your consent, a session ID is stored in localStorage. This storage requires consent under the TKG 2021 / ePrivacy rules and only takes place after your approval.

In the mobile app, sign-in tokens are stored encrypted in the secure device storage (Secure Store / Keychain).

11. Retention Period

  • Account data: until the account is deleted (see section 12)
  • Listings, applications, chats, appointments: until deleted by you or until account deletion
  • Analytics events: 24 months
  • Security audit logs, session tokens, notifications: 90 days
  • Invoices and payment receipts: 7 years (statutory retention obligation)

12. Account Deletion (Art. 17 GDPR)

You can delete your account yourself at any time (in the app under Profile > Settings, on the web under My Profile > Settings, or by request to [email protected]). Detailed instructions can be found under Delete account and data.

After the request, your account is deactivated immediately and permanently deleted after a period of 30 days; within this period you can reverse the deletion by signing in again. Upon final deletion we remove your personal data (profile, listings, messages, applications, ratings, search agents, company profile, as well as uploaded images and documents). Analytics events are anonymised. Data that we are legally required to retain (in particular invoice receipts, 7 years) remains stored until the period expires and is then deleted.

13. Your Rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) as well as to withdraw consent you have given (Art. 7(3) GDPR).

Self-service:You can carry out a machine-readable export of your data (Art. 15/20), the anonymisation of your tracking history and the cookie settings yourself under Profile > Settings. The data export includes, in particular, your profile, listings, applications, messages, conversations, ratings, appointments, search agents, transactions, subscriptions and your company profile. Very large datasets (events, messages) are limited and identified as such in the export; you can obtain the complete dataset on request.

On request: For further matters, please contact [email protected]. We respond within one month (Art. 12(3) GDPR).

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Email: [email protected] - Website: www.dsb.gv.at

15. Data Security

We take technical and organisational measures to protect your data, including: TLS encryption of all transmissions, bcrypt hashing of passwords, hashed storage of session tokens and 2FA recovery codes, rate limiting, protection against NoSQL injection, automatic account lockout after failed sign-in attempts, as well as EXIF/GPS removal on image uploads.

16. Anonymised Content for Market Analysis

From the content and events present on the platform we may derive aggregated, non-personal market statistics (for example demand by category and region). These analyses take place exclusively at an aggregated or anonymised level without any reference to individuals. Profile pictures or personal information are used for advertising purposes only with your explicit, separate consent.

17. Server-Side Recording of Usage Events

To provide and improve our service, we record certain usage events server-side as functional service data: searches (including category and region), listing views, contact initiations, applications and enquiries, and appointment confirmations. This recording takes place in our own system on our server (see section 7.2), without involving external providers and without additional cookies or access to device storage.

  • Purpose: operating the service and matching supply and demand (for example identifying which help or service is sought in a region).
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest: operation of the service, matching supply and demand).
  • Storage: in our own database in the EU (Germany); retention period 24 months, after which automatic deletion occurs.
  • Aggregated analysis: any data shown to businesses is exclusively aggregated and anonymised. A minimum-count threshold applies: analyses only appear when enough events are combined so that no individual is identifiable.
  • Your rights: the rights set out in section 13 (in particular access and erasure) also apply to this data; on account deletion the events are anonymised. You may object to the processing under Art. 21 GDPR.

18. Changes to This Privacy Policy

We adapt this privacy policy when the legal situation or our service changes. The current version is always available on this page.

19. Contact

If you have any questions about data protection, you can reach us at:

Andres Emilio Morales Munoz-Rivero e.U.
Dr.-Karl-Renner-Str. 12c/1
3425 Tulln an der Donau
Email: [email protected]