Legal

Privacy Policy & UK GDPR

Last updated: 5 June 2026

This policy explains how TrueLocal ("we", "us", "our") collects, uses and protects your personal data. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR) and guidance issued by the UK Information Commissioner's Office (ICO).

1. Data controller

TrueLocal is the data controller for personal data processed through this website and app and is established in the United Kingdom. For any privacy enquiry, subject access request, or to contact our Data Protection lead, email truelocaluk@outlook.com. You can also write to: TrueLocal Privacy, PO Box (to be confirmed), United Kingdom.

2. What data we collect

The categories below reflect the most recent updates to the platform, including business listings, business analytics, the live community feed and the messaging service.

  • Personal account details: full name, date of birth (to confirm you are 18+), email address, hashed password, optional phone number.
  • Member profile: display name, avatar, postcode / approximate location, bio, reliability score and review history.
  • Business listings (sellers/traders): business name, trading address, contact details, opening hours, category, description, photos, website / social links, and (where you choose to provide them) company number, VAT number or proof of trading address used for verification.
  • Business analytics: aggregated counts of profile views, listing impressions, inquiries received, reviews and reply rates. These metrics are derived from interactions on the platform and shown only to the business owner in their dashboard.
  • Listings & trades: titles, descriptions, photos, prices, offers, meet-up arrangements and transaction status.
  • Messaging service: chat messages, image attachments, delivery and read timestamps, and reports of abuse. Messages are stored so conversations can be resumed across devices and to support dispute resolution and safety investigations.
  • Reviews, inquiries & replies: star ratings, written reviews, business inquiries you send or receive, and replies — these feed both public profiles and the business analytics dashboard.
  • Live community feed: public listings you publish appear in a rolling feed for up to 24 hours from the time of posting and are then automatically removed from the feed (the underlying listing remains until you end or delete it).
  • Technical data: device type, browser, IP address, app/website version, crash and error logs, and basic security telemetry.
  • Location data: only when you tap "Near me" or set a postcode — used to sort nearby listings. Precise GPS location is used in-session and is not stored.

3. Why we process it (lawful basis under UK GDPR)

We rely on one or more of the following legal bases for every processing activity on TrueLocal, in line with UK GDPR Art. 6 and ICO guidance.

  • Contract (Art. 6(1)(b)): processing necessary to perform our contract with you — e.g. creating and running your account, publishing listings, delivering chat messages, processing inquiries, reviews and trades, and verifying a business so it can appear on the platform.
  • Legitimate interest (Art. 6(1)(f)): fraud and scam prevention, safety moderation, calculating reliability scores, generating business analytics for the business owner, debugging and improving the service. A balancing test is recorded for each use; you have the right to object (see section 11).
  • Legal obligation (Art. 6(1)(c)): retaining tax / accounting records, responding to lawful requests from UK authorities, complying with consumer protection law for businesses on the platform.
  • Consent (Art. 6(1)(a)) and PECR: marketing emails, non-essential cookies/analytics, and precise device location. You can withdraw consent at any time.

4. Legal bases by processing activity

The table below sets out the specific legal basis we rely on for each major processing activity.

Processing activityUK GDPR basisWhy it applies
Account registration & loginArt. 6(1)(b) ContractNecessary to create and manage the account you request.
Publishing listings & tradesArt. 6(1)(b) ContractNecessary to provide the listing and trading service.
Business verificationArt. 6(1)(b) Contract
and
Art. 6(1)(f) Legitimate interest
Contract: we must confirm the business exists so the listing can go live.
Legitimate interest: preventing fraudulent or misleading business listings protects buyers and platform integrity. We only collect the minimum data needed (trading name, address, optional company/VAT number, proof of address), verify it, and delete it once the check is complete or the listing is removed. Our balancing test records show the interests of genuine traders and buyers outweigh any limited privacy impact.
Messaging service (chat, images, offers)Art. 6(1)(b) Contract
and
Art. 6(1)(f) Legitimate interest
Contract: storing messages so they sync across devices and remain available for ongoing negotiations.
Legitimate interest: retaining a conversation record for up to 24 months to support dispute resolution, safety investigations and scam detection. Automated scanning for prohibited content is limited to patterns and hashes; human moderators access content only when reported, flagged or required by law.
Delivery & read receiptsArt. 6(1)(f) Legitimate interestLow-privacy-impact metadata that confirms message status and contributes to reply-rate reliability scores. Users can still send and receive messages if they disable such indicators in their device settings where supported.
Business analytics (views, inquiries, reviews, reply rate, reliability)Art. 6(1)(f) Legitimate interest
and
Art. 6(1)(b) Contract
Legitimate interest: showing business owners aggregated metrics about their own listings so they can improve service, respond to customers and build trust. We deliberately aggregate data and never reveal the personal identity of every visitor. Our balancing test confirms the commercial benefit to the trader does not override the privacy interests of individual visitors because the metrics are anonymised/aggregated.
Contract: where the business has a paid or subscription relationship with us, analytics form part of the service we deliver.
Reviews, inquiries & repliesArt. 6(1)(b) ContractProcessing the review or inquiry you submit, displaying it on the relevant profile or listing, and enabling the business to reply. This is necessary to operate the feedback and communication system you choose to use.
Reliability scoringArt. 6(1)(f) Legitimate interestComputing a score from public behaviour (listings honoured, on-time meet-ups, reply rates) to help the community assess trustworthiness. The score is derived from activity data you already provide for the core service; you may object (section 11).
Live community feed (24-hour rolling)Art. 6(1)(b) ContractDisplaying your public listing in the feed for up to 24 hours is part of the publishing service you request.
Fraud / scam prevention & safety moderationArt. 6(1)(f) Legitimate interestProtecting users, preventing crime and maintaining platform integrity. We limit human review to reported or flagged content and retain supporting logs only as long as necessary.
Marketing emails & non-essential cookiesArt. 6(1)(a) Consent + PECROnly sent or placed after you opt in through the cookie banner or sign-up preferences. You can withdraw consent at any time in settings.
Financial / tax record retentionArt. 6(1)(c) Legal obligationUK tax and company law requires retention of certain transaction records for 6 years.

5. Business listings & trader information

  • If you list as a business, certain information is treated as published business information rather than private personal data (e.g. trading name, business address, opening hours, public contact details) and is shown on your public profile.
  • Sole traders should be aware that a trading name or address tied to an individual may still constitute personal data under UK GDPR; only publish what you are comfortable making public.
  • Verification documents (e.g. proof of address, company number checks) are used only to confirm legitimacy, are access-restricted, and are deleted once verification is complete or your business listing is removed.
  • Businesses acting as separate data controllers for customers they meet through the platform are responsible for their own UK GDPR compliance with those customers.

6. Messaging service

  • Messages, image attachments and offers are stored on our UK/EEA hosted infrastructure so conversations sync across your devices and remain available for dispute resolution.
  • We do not read private messages routinely. Automated systems scan for prohibited content, scams and safety risks. Human moderators only access a conversation when it is reported, flagged by automated systems, or required by law.
  • Delivery and read receipts are processed to provide reliability scoring and to confirm that messages have been received.
  • You can delete your own messages; copies may remain in encrypted backups for up to 90 days before being purged.

7. Business analytics

  • Analytics shown to business owners (views, inquiries, reviews, reply rate, reliability) are computed from real-time interactions on their own listings.
  • We show businesses aggregated metrics — not the personal identity of every visitor. Where an inquiry, review or reply is shown, it is shown because the other user chose to interact with the business publicly or directly.
  • Analytics are used to help businesses improve their service; they are not sold to third parties or used for cross-site advertising.

8. Who we share data with

  • Other members — only your public profile, listings, reviews and the chat messages you choose to send.
  • Trusted processors acting on our instructions under UK GDPR-compliant data processing agreements: cloud hosting, database, email delivery, image storage, error monitoring and (where you have consented) analytics.
  • UK authorities and law enforcement, where we are legally required to disclose.
  • Professional advisers (legal, accounting, insurance) bound by confidentiality.
We never sell your personal data and we do not use it for third-party advertising.

9. International transfers

Personal data is primarily stored in the United Kingdom and the European Economic Area (EEA). Where a processor transfers data outside the UK/EEA, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy regulation made under the UK GDPR, and apply additional safeguards as required by ICO guidance.

10. How long we keep data

  • Account data: for as long as your account is open + 30 days after deletion.
  • Live community feed entries: visible in the feed for up to 24 hours, then auto-removed.
  • Listings, reviews, inquiries and chat history: 24 months for safety and dispute resolution.
  • Business analytics records: 24 months, then aggregated/anonymised.
  • Business verification documents: deleted once verification is complete or the listing is closed.
  • Financial / tax records: 6 years (UK legal requirement).
  • Encrypted backups are purged on a rolling 90-day cycle.

11. Your rights under UK GDPR

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your account and data.
  • Restriction — ask us to pause processing while issues are resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interest, including profile reliability scoring.
  • Withdraw consent — for marketing, analytics or precise location at any time.
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113. You may also complain to your local supervisory authority if you are based outside the UK.

We respond to all verified requests within one calendar month, as required by the UK GDPR. To request deletion of your account and all associated data, visit our account deletion request page or email truelocaluk@outlook.com.

12. Security

  • TLS 1.2+ encryption in transit, AES-256 encryption at rest.
  • Row-level security policies on all user, listing, message and business tables.
  • Passwords hashed with industry-standard algorithms; multi-factor authentication available.
  • Least-privilege access controls, audit logging and regular security reviews.
  • Personal data breaches notified to the ICO within 72 hours where required, and to affected users without undue delay where the risk is high.

13. Children

TrueLocal is intended for adults aged 18 and over and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, contact us and we will remove the account promptly.

14. Cookies, analytics & marketing (PECR)

We use strictly-necessary cookies for login, security and core functionality without consent, as permitted by PECR. Analytics, preference and any marketing cookies are only set after you give consent through our cookie banner, and you can change your choices at any time in settings. Marketing emails are only sent where you have opted in (or, for existing business customers, on a soft opt-in basis with an unsubscribe link in every message).

15. Safety on the platform

  • Meet in public places and share trip details with someone you trust.
  • Never share bank PINs, full card details, ID numbers or one-time codes in chat.
  • Report suspicious behaviour using the report button on any listing, profile or chat.
  • We use automated and human moderation to detect scams and prohibited items.

16. Changes to this policy

We will notify you in-app and by email of any material changes at least 14 days before they take effect. Minor clarifications may be published immediately with an updated "last updated" date at the top of this page.

17. Contact

Privacy enquiries and data protection requests: truelocaluk@outlook.com. Postal queries: TrueLocal Privacy, PO Box (to be confirmed), United Kingdom.