Skip to main content

Legal

Privacy Policy

Last updated Feb 17, 2026

This Privacy Policy explains what data LocalAd (operated by Kastana LLC) collects, why we collect it, how we use it, and the choices you have. It applies to the LocalAd website, dashboard, and any QR-code redirect that resolves through localad.io/q/<code>.

1. Who we are

LocalAd is operated by Kastana LLC, a company organized under the laws of the State of Oregon with its mailing address in Portland, Oregon, USA. For the purposes of privacy law, Kastana LLC is the “controller” of personal information collected through the Service. Questions about this policy or a specific data request can be emailed to hello+privacy@localad.io.

2. Data we collect

We collect only what we need to run the Service. The categories below are exhaustive. If something is not listed here, we are not collecting it.

  • Account information. When you create an account we collect your name, email address, and a hashed password. You may optionally provide a business name, phone number, and physical address.
  • Purchase information. When you buy a slot we record the zone, drop, slot type, ad content you submit, and the order total. Credit-card numbers are not stored by LocalAd; they are collected and processed directly by our payment processor (see Section 4 for the named sub-processor). We keep only a non-sensitive payment token and the last four digits of the card for receipts and refunds.
  • QR scan events.When someone scans one of your ad's QR codes we log the timestamp, the IP address, the user agent string, a coarse location derived from the IP, and a rotating hashed fingerprint used to identify unique scanners. We do not collect precise GPS location.
  • Site usage. Standard server logs capture requested URLs, referrer, response status, and timing. These logs are used for security and debugging and are retained for a short window.

3. Why we collect it

  • Deliver the Service. Process your purchases, generate and approve ad designs, print and mail your cards, operate the QR redirect, and show you dashboard analytics.
  • Operate QR tracking. Attribute scans to the right ad, count unique visitors, and produce the analytics dashboard.
  • Billing. Authorize payments via our payment processor and send receipts.
  • Transactional email. Send you order confirmations, drop status updates, underfill notifications, and occasional service announcements.
  • Security and fraud prevention. Detect account takeover attempts, scraping, and abuse of the Service.

4. Sharing & sub-processors

We use the following sub-processors to run the Service:

  • Vercel, Inc.: hosting and edge network for the LocalAd web application. Receives request logs (including IP) for operations and security purposes. vercel.com/legal/privacy-policy.
  • Supabase, Inc.: managed Postgres database and authentication. Stores your account records and ad data encrypted at rest. supabase.com/privacy.
  • Stripe, Inc.: payments. Collects and stores cardholder data on our behalf under its own privacy policy. We never see or store full card numbers. stripe.com/privacy.
  • Resend, Inc.: transactional and outreach email delivery. Receives recipient email addresses, sender identity, and message bodies. resend.com/legal/privacy-policy.
  • Anthropic, PBC: large-language-model assistant and business-discovery features. Receives the text of the prompts you submit to those features. Anthropic does not train on customer inputs by default. anthropic.com/legal/privacy.
  • Google LLC (Gemini API): ad-image generation. Receives the business-info inputs and generated image outputs. policies.google.com/privacy.
  • Functional Software, Inc. (Sentry): error and performance monitoring. May receive limited request metadata; we scrub personal data (email, phone, IP, address, tokens) from event payloads server-side before transmission. sentry.io/privacy.
  • USPS & our print partners: we share only the finished-ad artwork and the mailing-list information needed to deliver your cards.

We do not share your data with advertising networks. We do not sell your data. We do not run marketing pixels, retargeting scripts, or third-party analytics trackers on the LocalAd site. We may disclose information if compelled by law (subpoena, court order) or to protect the rights and safety of LocalAd, our customers, or the public.

5. Your rights

You can exercise any of the rights below by emailing hello+privacy@localad.io from the email address on file. We typically respond within 7 business days.

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to fix inaccurate or incomplete data.
  • Deletion. Ask us to delete your account and personal data. We may retain minimal records required for tax, audit, or legal purposes.
  • Portability. Receive your data in a common machine-readable format.
  • Opt out of marketing email. Every marketing email has an unsubscribe link. Transactional email (receipts, drop status) will continue while your account is active.

6. Cookies & tracking

We use a small number of session and essential cookies to keep you signed in, remember your cart during checkout, and maintain security tokens. We do not use third-party marketing cookies, advertising pixels, or cross-site tracking. If your browser sends a Global Privacy Control (GPC) signal we honor it as a valid opt-out request under state law.

7. Data retention

  • Account data is retained while your account is active and deleted on request (see Section 5).
  • QR scan events are retained for 24 months, after which they are either deleted or aggregated into non-identifying statistics.
  • Purchase records are retained for the period required by tax and accounting law (generally 7 years).
  • Server logs are retained for up to 90 days for security and debugging.

8. Children

LocalAd is a B2B service intended for adults operating a business. The Service is not directed at children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, email hello+privacy@localad.io and we will delete it.

9. California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what categories of personal information we have collected about you, the sources, and the purposes.
  • Delete personal information we have collected (subject to the retention carve-outs in Section 7).
  • Correct inaccurate personal information.
  • Opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising. Note: we do not sell or share personal information as those terms are defined under the CCPA.
  • Non-discrimination. We will not deny service, charge a different price, or provide a different level of quality because you exercised any right under the CCPA.

Exercise these rights by emailing hello+privacy@localad.iowith “California request” in the subject line.

10. GDPR (European Economic Area, UK, Switzerland)

If you are in the EEA, UK, or Switzerland, Kastana LLC acts as the data controller for your personal information. Our legal bases for processing are: (a) performance of the contract (your order), (b) legitimate interests (security, product improvement, fraud prevention), and (c) consent (where specifically requested, such as for marketing email). You have the rights described in Sections 5 and 9 above, plus the right to lodge a complaint with your local supervisory authority. Contact hello+privacy@localad.io to exercise any right.

11. Security

We use encryption in transit (TLS) and at rest, strong password hashing, least- privilege access inside the team, and routine audit logging. No system is perfectly secure. If we detect a breach affecting your data we will notify affected users as required by applicable law.

12. Changes to this policy

We may update this policy as the Service, our sub-processors, or applicable law changes. The “last updated” date at the top reflects the most recent revision. For material changes we will notify active users by email or in-product notice at least 14 days before they take effect.

13. Contact

Privacy questions, access requests, and deletion requests: hello+privacy@localad.io.

Kastana LLC
Portland, Oregon, USA