Privacy Policy

1. Information We Collect

When you use LocalePack, we collect:

• Email address: Used for order confirmations and download links.
• Uploaded files: Your i18n source files (e.g. messages.json) are processed for translation and stored for 7 days.
• Payment information: Processed securely by Stripe; we never store card details.
• Usage data: IP address, browser type, pages visited, and time spent — collected automatically via Vercel Analytics to improve our service.

2. How We Use Your Information

• Process and deliver your translation orders.
• Send order confirmations and download links via email.
• Provide customer support when you contact us.
• Improve our translation service and user experience.
• Comply with legal obligations.

3. Legal Basis for Processing (GDPR — EEA Residents)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases as defined in Article 6 of the GDPR:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the translation service you requested.
• Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law (e.g. payment records).
• Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests such as security, fraud prevention, and service improvement, provided those interests are not overridden by your rights.
• Consent (Art. 6(1)(a)): Where you have given explicit consent, such as accepting analytics. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Data Retention

We store your source files and generated translations for 7 days so you can re-download them. After 7 days, all files are permanently deleted from our servers.

Your email address and order history are retained for customer support and legal compliance purposes (e.g. financial records required by law). Usage data collected via analytics is retained for a shorter period unless retention is necessary for security or legal purposes.

5. Third-Party Service Providers

We share your data only with the following service providers that process it on our behalf:

• OpenAI (OpenAI, LLC — US): Powers our AI translations. Your content is sent to OpenAI's API for processing. OpenAI does not use API data to train its models by default. Data is transferred under Standard Contractual Clauses. OpenAI Privacy Policy.
• Stripe (Stripe, Inc. — US): Handles payment processing securely. Subject to SCC for EU transfers. Stripe Privacy Policy.
• Supabase (Supabase, Inc. — US): Provides our database and file storage infrastructure. Subject to SCC for EU transfers. Supabase Privacy Policy.
• Vercel (Vercel, Inc. — US): Hosts our website and collects aggregated usage analytics (page views, referrers). Subject to SCC for EU transfers. Vercel Privacy Policy.

We do not sell or share your personal data with any other third parties.

6. International Data Transfers

Our service providers are located in the United States. When transferring personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of the applicable safeguards can be requested by contacting us.

7. Data Security

We implement industry-standard security measures including encryption in transit (HTTPS) and at rest. All file uploads and downloads use secure, signed URLs with limited validity. While we strive to use commercially reasonable means to protect your data, no method of transmission over the Internet is 100% secure.

8. Your Rights Under GDPR (EEA Residents)

If you are located in the EEA, you have the following rights:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.
• Right to Restriction of Processing (Art. 18): Request that we restrict processing of your personal data in certain circumstances.
• Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests.
• Rights Related to Automated Decision-Making (Art. 22): Not to be subject to decisions based solely on automated processing that produce significant effects.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
• Right to Lodge a Complaint: Lodge a complaint with the data protection supervisory authority in your country of residence or the competent EU member state authority.

To exercise any of the above rights, contact us at the details in Section 11. We will respond within 30 days. We may need to verify your identity before processing your request.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell personal information. If you believe analytics data constitutes “sharing” under CPRA, you may opt out by contacting us.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

Categories of personal information collected: Identifiers (email address, IP address); commercial information (order history, payment records); internet activity (pages visited, browser type).

To submit a CCPA request, contact us using the details in Section 11. We will respond within 45 days of receiving a verifiable consumer request.

10. Children's Privacy

Our service is not directed to anyone under the age of 16 (or 13 in the United States under COPPA). We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Law Enforcement Disclosure

Under certain circumstances, we may be required to disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g. a court or government agency), or where disclosure is necessary to protect the rights or safety of any person.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. We recommend reviewing this policy periodically.

13. Contact Us

For privacy-related questions or to exercise your rights, visit our Support page or email us at support@localepack.app.