Privacy Policy
LocalNative.space — Privacy Policy
Last updated: June 1, 2026
1. Introduction
This Privacy Policy explains how mLab ("Company", "we", "us", "our"), operating the website localnative.space ("Website", "Platform"), collects, uses, stores, shares, and protects personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Data Protection Act 2018 (Ireland), and other applicable data protection laws.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller responsible for your personal data is:
mLab
Dublin, Ireland
Email: contact@localnative.space
For data protection inquiries, contact our Data Protection contact at: dpo@localnative.space
3. Data We Collect
3.1 Data from Clients (Website Visitors)
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Contact form submissions | Name, email, phone (optional), message | Facilitate contact with Specialist | Consent (Art. 6(1)(a)) |
| Browsing data | IP address, browser type, device, pages visited, referral source | Analytics, security, service improvement | Legitimate interest (Art. 6(1)(f)) |
| Cookie data | Session identifiers, preferences, analytics cookies | Website functionality and analytics | Consent (Art. 6(1)(a)) for non-essential cookies |
| Review submissions | Name, email, rating, review text | Display verified reviews | Consent (Art. 6(1)(a)) |
3.2 Data from Specialists (Provider Portal Users)
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Registration data | Name, email, password (hashed), category, city, languages | Account creation and management | Contract (Art. 6(1)(b)) |
| Profile data | Bio, qualifications, specialisations, photo, office address, availability, pricing | Display professional profile | Contract (Art. 6(1)(b)) |
| Contact data | Phone, email, website | Enable client contact | Contract (Art. 6(1)(b)) |
| Billing data | Subscription plan, payment history (processed by Stripe) | Payment processing | Contract (Art. 6(1)(b)) |
| Usage data | Login times, profile views, messages received | Service provision, analytics | Legitimate interest (Art. 6(1)(f)) |
3.3 Data from Public Sources (Unclaimed Specialist Profiles)
| Data Category | Specific Data | Source | Legal Basis |
|---|---|---|---|
| Professional identity | Name, qualifications, licence number | Professional registries (IACP, ICP, BACP, etc.) | Legitimate interest (Art. 6(1)(f)) |
| Professional contact | Office address, phone, email, website | Professional registries, public websites | Legitimate interest (Art. 6(1)(f)) |
| Professional details | Specialisations, approaches, languages, fees | Professional registries | Legitimate interest (Art. 6(1)(f)) |
Legitimate Interest Assessment for Public Data:
We have assessed that our legitimate interest in processing publicly available professional data is not overridden by the data subjects' rights and freedoms because:
- The data was voluntarily published by the professionals themselves or by their professional bodies for the purpose of being found by potential clients.
- We process only professional data, not private or sensitive personal data.
- The processing directly serves the data subjects' professional interest in being discoverable.
- We provide clear mechanisms for data subjects to claim, correct, or remove their data.
- The processing serves a public interest in facilitating access to multilingual professional services for expatriate communities.
4. How We Use Your Data
4.1 Primary Purposes
- Directory services: Displaying Specialist profiles to help Clients find professionals.
- Communication facilitation: Forwarding contact inquiries from Clients to Specialists.
- Account management: Managing Specialist accounts, subscriptions, and billing.
- Service improvement: Analysing usage patterns to improve the Platform.
- Security: Protecting against fraud, abuse, and unauthorised access.
4.2 Automated Processing
We use automated systems to:
- Tag extraction: Analyse Specialist profile text to extract structured specialisation tags using AI (Claude API by Anthropic). This processing categorises professional skills and does not involve profiling for automated decision-making that produces legal effects.
- Name-origin heuristics: Estimate a Specialist's likely native language from their name to improve directory sorting. This is used solely for display ordering and can be overridden by the Specialist at any time. No decisions affecting access to services are made based on this processing.
- Lead distribution: When a client inquiry is received for an unclaimed profile, we may automatically notify other unclaimed Specialists in the same area and category. This is done solely to facilitate professional engagement with the Platform.
4.3 What We Do NOT Do
- We do not sell personal data to third parties.
- We do not use personal data for targeted advertising.
- We do not share personal data with data brokers.
- We do not process special category data (health, religion, political views, sexual orientation) except where a Specialist voluntarily includes such information in their profile description.
5. Data Sharing
We share personal data only with:
| Recipient | Data Shared | Purpose | Safeguards |
|---|---|---|---|
| Specialists | Client contact form data (name, email, phone, message) | Enable client-specialist communication | Data minimisation; only shared with intended Specialist |
| Stripe, Inc. (USA) | Payment data | Payment processing | EU-US Data Privacy Framework; Stripe DPA |
| Vercel, Inc. (USA) | Server logs, IP addresses | Website hosting | EU-US Data Privacy Framework; Vercel DPA |
| Neon, Inc. (USA) | Database content | Database hosting (Frankfurt, EU server) | Data stored in EU (Frankfurt); Neon DPA |
| Resend | Email addresses, email content | Transactional email delivery | Data processing agreement |
| Anthropic (USA) | Profile text (anonymised) | AI tag extraction | No personal identifiers sent; Anthropic DPA |
| Cloudflare, Inc. (USA) | IP addresses, request data | CDN, DNS, security (Turnstile) | EU-US Data Privacy Framework; Cloudflare DPA |
| Mapbox, Inc. (USA) | Location data (office coordinates) | Map display | Mapbox DPA |
We do not share data with any other third parties except where required by law (court orders, regulatory requests).
5.1 International Transfers
Where data is transferred outside the EEA (to US-based processors), we rely on:
- EU-US Data Privacy Framework (where the recipient is certified).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with all processors.
6. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Client contact form data | 2 years from submission | Legitimate interest (follow-up, dispute resolution) |
| Specialist account data | Duration of account + 2 years after deletion | Contract + legal obligation |
| Unclaimed Specialist profile data | Until removal requested or profile claimed | Legitimate interest |
| Payment records | 7 years | Legal obligation (tax/accounting) |
| System logs | 90 days | Legitimate interest (security, debugging) |
| Analytics/browsing data | 26 months | Legitimate interest (service improvement) |
| Reviews | Duration of Specialist profile + 1 year | Legitimate interest |
| Automation email tracking | 1 year | Legitimate interest |
After the retention period, data is permanently deleted or anonymised.
7. Your Rights (GDPR)
Under the GDPR, you have the following rights:
7.1 Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data, and if so, to access that data and receive a copy.
7.2 Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
7.3 Right to Erasure (Art. 17)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected.
- You withdraw consent (where consent is the legal basis).
- You object to the processing and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
For Specialists with unclaimed profiles: You may request removal of your profile at any time by emailing contact@localnative.space. We will process your request within 72 hours.
7.4 Right to Restriction (Art. 18)
You have the right to request restriction of processing in certain circumstances (e.g., while we verify the accuracy of data you have contested).
7.5 Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller.
7.6 Right to Object (Art. 21)
You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
For automated lead distribution emails: You may object to receiving automated emails at any time by clicking the unsubscribe link in any email or by contacting us. We will process your opt-out immediately.
7.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)
We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Our automated tag extraction and name-origin heuristics are used for display/sorting purposes only and do not affect your access to any service.
7.8 How to Exercise Your Rights
Contact us at: contact@localnative.space or dpo@localnative.space
We will respond to all requests within 30 days (extendable by 60 days for complex requests, with notification). We may ask for identity verification before processing requests.
7.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. For Ireland:
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: https://www.dataprotection.ie
Email: info@dataprotection.ie
8. Cookie Policy
8.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website. They serve various purposes including website functionality, analytics, and user preferences.
8.2 Cookies We Use
Essential Cookies (No Consent Required)
These cookies are strictly necessary for the Platform to function:
| Cookie Name | Purpose | Duration |
|---|---|---|
preferred_lang | Stores your language preference | 1 year |
admin_session | Admin panel authentication | Session |
provider_session | Provider Portal authentication | Session |
__cf_bm | Cloudflare bot management | 30 minutes |
cf_clearance | Cloudflare Turnstile verification | 30 minutes |
Analytics Cookies (Consent Required)
These cookies help us understand how visitors use the Platform:
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
_ga, _ga_* | Google Analytics 4 | Page views, user journeys, traffic sources | 2 years |
_gid | Google Analytics 4 | Session identification | 24 hours |
Note: Analytics cookies are only set if you consent through our cookie banner. If you decline, no analytics cookies are placed and your browsing is not tracked.
Third-Party Cookies
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| Stripe cookies | Stripe, Inc. | Payment processing (only on billing pages) | Session |
| Mapbox cookies | Mapbox, Inc. | Map functionality | Session |
8.3 Managing Cookies
You can manage cookies through:
- Our cookie banner: Accept or decline non-essential cookies when you first visit.
- Browser settings: Most browsers allow you to block or delete cookies. Note that blocking essential cookies may impair Platform functionality.
- Opt-out links: Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout
8.4 LocalStorage
We use browser localStorage (not cookies) for:
| Key | Purpose | Duration |
|---|---|---|
ln_viewed_{id}_{date} | Profile view deduplication (prevents counting the same visit twice) | 7 days |
LocalStorage data is stored only on your device and is not transmitted to our servers.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption: All data transmitted via HTTPS/TLS. Passwords hashed with bcrypt.
- Access controls: Admin and Provider Portal access protected by authenticated sessions.
- Infrastructure security: Hosted on Vercel (SOC 2 Type II compliant) with Cloudflare CDN and DDoS protection.
- Database security: PostgreSQL database hosted by Neon in EU (Frankfurt) with encrypted connections.
- Payment security: Payment processing handled entirely by Stripe (PCI DSS Level 1 compliant). We never store card details.
- Monitoring: System logs retained for 90 days for security monitoring.
Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
10. Children's Privacy
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately at contact@localnative.space and we will delete the data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on the Platform with a new "Last updated" date.
- Sending an email notification to registered Specialists.
Your continued use of the Platform after changes constitutes acceptance.
12. Contact Information
For privacy-related inquiries, requests, or complaints:
mLab
Dublin, Ireland
General: contact@localnative.space
Data Protection: dpo@localnative.space
Website: https://localnative.space