Privacy Policy
Effective date: 2026. Last updated: 2026.
This Privacy Policy explains what information LocalFork (operated by OH Sweet Hospitality) collects when you use our service, how we use it, who we share it with, and the choices you have. We've tried to write this in plain English. Legal terms only appear where they're needed.
1. What we collect
1.1 Information you give us directly
- Account info: name, email address, password (stored as a one-way hash — we never see your actual password), and role.
- Business profile info (member businesses only): business name, logo, phone, address, website, and configuration choices.
- Chamber profile info (chambers only): chamber name, logo, brand color, contact info.
- Coupon content (member businesses only): the offers you publish.
- Payment info (consumers only): when you buy a coupon book, your card details go directly to Stripe — we never see your card number. We store only an identifier from Stripe that lets us look up the transaction.
1.2 Information we collect automatically
- Redemption records: when you redeem a coupon, we record which coupon, when, and at which business.
- Server logs: standard web server logs including IP address, browser type, and pages visited. Used for security and to debug problems.
- Session cookies: a single cookie keeps you logged in. We don't use third-party advertising trackers.
1.3 What we don't collect
- We don't collect your location (beyond the city associated with your IP address).
- We don't track you across other websites.
- We don't sell your data to anyone, ever.
- We don't use third-party advertising networks or behavioral ads.
2. How we use your information
| Purpose | What we use |
|---|---|
| Run the service (let you log in, view coupons, redeem) | Account info, session cookie |
| Process payments | Stripe identifiers, transaction status |
| Send service emails (purchase receipts, password resets, coupon notifications) | Email address, name |
| Show chambers and businesses their redemption data | Redemption records (without identifying who redeemed) |
| Security, fraud prevention, debugging | Server logs, IP address |
| Improve the product | Aggregate usage data (never individual identification) |
3. Who sees your data
- Your chamber. If you're a consumer, the chamber whose book you bought can see that you purchased and which of their coupons you've redeemed. They can't see your password or payment card info. They may use that data to improve future books.
- The business you redeemed at. When you redeem a coupon, the business owner sees that a redemption happened with a timestamp — they don't see your name or email.
- Stripe (payment processor) sees payment information. Stripe is a PCI-DSS Level 1 certified processor. Their own privacy policy covers what they do with that data.
- Our hosting provider (Namecheap) stores the data on their servers under their own privacy and security practices.
- Service providers we use to send transactional email or operate the platform. They only get the minimum needed to do their job.
- Authorities when required by law (subpoena, court order, or other valid legal process). We'll push back on overbroad requests where we can.
We will never sell or rent your personal data.
4. Cookies
We use a single first-party cookie to keep you logged in. It's marked HttpOnly and SameSite=Lax, so it can't be read by JavaScript and isn't sent on cross-site requests. We don't use third-party analytics cookies or advertising cookies.
5. Data security
We take reasonable measures to protect your information, including:
- HTTPS encryption for all traffic.
- Passwords stored using industry-standard one-way hashing (Bcrypt). We literally cannot see what your password is.
- Password reset tokens are stored only as SHA-256 hashes. The reset link expires in one hour and can be used only once.
- Sessions rotate after sensitive actions like password changes.
- Single-use redemption codes that can't be reused even if a screenshot is shared.
- Prepared SQL statements throughout the codebase to prevent injection attacks.
- Per-request CSRF tokens on every form submission.
No system is perfectly secure. If you believe your account has been compromised, please contact us immediately at mike@ohsweet-hospitality.com.
6. How long we keep data
- Account data: as long as your account is active. You can ask us to delete your account at any time.
- Purchase records: kept for at least seven years for tax and accounting compliance.
- Redemption records: kept as long as the chamber that issued the book is using LocalFork.
- Server logs: typically 30 to 90 days.
7. Your rights
You have the right to:
- Access the personal information we have about you.
- Correct inaccurate information.
- Delete your account and associated personal data (note: some records like tax-relevant purchase data must be retained even after deletion).
- Export your data in a portable format.
- Opt out of non-essential email communications. Essential transactional emails (password resets, purchase receipts) will continue.
To exercise any of these rights, email mike@ohsweet-hospitality.com from the email address on your account. We'll respond within a reasonable time (usually within 30 days).
Residents of California, the European Union, the United Kingdom, and certain other jurisdictions may have additional rights under local privacy laws (CCPA, GDPR, UK-GDPR). We will honor those rights consistent with applicable law.
8. Children's privacy
LocalFork is not directed to children under 13, and we don't knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we'll delete it.
9. International users
LocalFork is operated from the United States. If you use the service from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data-protection rules than your home country.
10. Changes to this policy
We may update this policy from time to time. If we make material changes, we'll notify you by email or by posting a notice on the service. The "Last updated" date at the top tells you when this policy was last revised.
11. Contact us
For any privacy question or to exercise your rights, email mike@ohsweet-hospitality.com.
Disclaimer about this document
This Privacy Policy template was drafted as a starting point and has not been reviewed by a licensed attorney. Before publishing in production, you should have it reviewed by counsel familiar with privacy law and your jurisdiction. CCPA, GDPR, and similar laws may require specific disclosures or rights that aren't fully captured here.