Privacy Policy
Last updated: 2026-05-31
Who we are
localbot is a product of Fokusbloks Oy, a Finnish limited company. We are the data controller for the information we collect about our customers, account users, billing contacts, and people who contact us directly.
When your website visitors submit your localbot form or reply to localbot SMS messages, you are normally the controller and Fokusbloks Oy acts as your processor. You decide what data to collect, why you collect it, and what your own visitors must be told.
Privacy contact: hello@localbot.io.
What localbot does
localbot replaces a website contact form with a smarter form and background agent. Depending on your settings, it can store leads, notify you by SMS or email, send an AI-assisted SMS follow-up to the lead, summarize the conversation for you, scan your public website to help configure the agent, and let you manage your widget through the dashboard or API.
Data we collect
For account users and customers, we may store:
- Email address, login method, and account identifiers
- Phone number and business country for owner notifications and SMS setup
- Website URL, platform, widget settings, field settings, colors, labels, language, and reply methods
- Billing status, Stripe customer and subscription identifiers, plan, billing interval, payment events, and tax-relevant records
- Business setup details used by the background agent, such as business name, services, service area, hours, booking link, qualification questions, handoff rules, and safety instructions
- API key metadata, including key name, prefix, scopes, expiry, revocation status, and last-use time. We store hashes of API keys, not the full secret
- Locale, currency, consent choices, onboarding progress, UTM parameters, support messages, and operational logs
- For US or Canadian SMS registration where needed: business legal name, address, business type, tax or registration identifier if provided, contact person, contact details, use case, sample messages, and registration status
For your website visitors and leads, we process the data the form asks for and the visitor submits. This can include name, phone, email, company, postcode, message, source URL, language, test-lead status, widget ID, consent text, consent time, and IP address. If AI SMS follow-up is enabled, we also process inbound and outbound SMS message bodies, Twilio message IDs, conversation status, opt-out status, and the owner-facing summary.
If you use a public site scan during setup, we process the URL you provide, pages found on that public website, extracted text, metadata, source links, AI-generated setup suggestions, and the crawl output needed to explain or reproduce the setup.
If you use free tools such as calculators, we may store your email address, tool inputs, result segment, result summary, source page, and report delivery status.
Why we process data
- To provide the service: account access, widget hosting, form submissions, lead storage, SMS and email notifications, AI-assisted lead qualification, owner summaries, API access, support, and security
- To process payments, invoices, renewals, cancellations, refunds, and subscription emails
- To configure and improve the product, including setup suggestions, installation checks, rate limits, fraud prevention, abuse prevention, diagnostics, and service reliability
- To send requested tool reports, onboarding emails, product notices, and important account messages
- To comply with accounting, tax, telecom, anti-abuse, and other legal obligations
- To protect Fokusbloks Oy, our customers, website visitors, and service providers from misuse, spam, security incidents, and unlawful activity
Our legal bases for customer and account data are contract, legitimate interests, legal obligation, and consent where required. For visitor lead data that we process for you, you are responsible for choosing and documenting the correct legal basis.
Processors and subprocessors
We use trusted service providers to run localbot. Current providers include Supabase for database and authentication, Vercel for hosting, Stripe for payments, Twilio for SMS and phone number services, Resend for email, Anthropic for AI processing, Firecrawl for public website scanning when you use that feature, Upstash for rate limiting and job queues, Google Identity Services if you choose Google sign-in, PostHog for product analytics, and analytics tools built into Vercel.
Some providers or their group companies may process or access data outside the EU or EEA. Where required, we use appropriate transfer safeguards such as Data Processing Agreements, Standard Contractual Clauses, adequacy decisions, and provider security commitments.
Your visitor data
The content your visitors type into your localbot form is your data. You are responsible for your own privacy notice, lawful basis, consent wording, SMS disclosure, record keeping, and honoring requests from your visitors. localbot includes fields for consent text and stores consent evidence where relevant, but it does not make your site compliant by itself.
Do not use localbot to collect special-category data, health data, payment card data, passwords, government identifiers, children's data, or other highly sensitive information unless you have a lawful basis, written permission from us, and a suitable agreement in place.
A GDPR Data Processing Agreement for customer visitor data is available from hello@localbot.io.
AI and SMS
If you request the localbot SMS demo, we use your phone number to send the demo messages you asked for and related replies. Message frequency varies based on your interaction with the demo, your account configuration, or the lead conversation. Message rates may apply. You can reply STOP to opt out or HELP for help where supported.
SMS consent is voluntary. It is not required to buy localbot, create an account, access localbot, submit a non-SMS request, or complete any transaction.
We do not sell, rent, share, or transfer SMS opt-in data, mobile phone numbers collected for SMS consent, or text messaging consent with third parties, affiliates, or lead generators for marketing or promotional purposes. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes at any time. SMS opt-in data, mobile phone numbers, and messaging consent are not shared, sold, rented, transferred, or disclosed to affiliates, lead generators, or third parties for marketing or promotional purposes. The above excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties.
We may use service providers such as Twilio only to deliver, route, support, secure, and document SMS messages you requested or consented to receive. Those providers are not permitted to use SMS opt-in data, mobile phone numbers, or messaging consent for their own marketing or promotional purposes.
If AI SMS follow-up is enabled, relevant lead details, conversation history, business setup instructions, and public website context may be sent to Anthropic so the background agent can ask qualification questions and create summaries. AI output can be wrong, incomplete, delayed, or unsuitable for a particular lead. You remain responsible for reviewing how localbot is configured and for any business decisions you make from its messages or summaries.
Leads can opt out of SMS conversations with standard stop words or natural opt-out language. localbot records the opt-out status for the relevant conversation and stops that conversation.
Retention
We keep customer account data while the account is active. If you delete your account, we cancel active subscriptions, suspend related SMS resources where possible, and delete the Supabase auth user. Product data linked to that user is deleted through database cascade rules where configured. Some billing, accounting, security, backup, support, provider, and audit records may remain for legal, operational, or fraud-prevention reasons.
Leads, SMS conversations, site crawl records, and API key metadata are kept while your account exists unless deleted, expired, revoked, or removed through account deletion. API keys expire after 30 days unless changed in the product. Held Twilio numbers may be retained for a short period after cancellation before release.
Accounting records are kept for the period required by Finnish law, typically at least six years. Backups and provider logs may retain data for limited periods according to normal backup, security, and incident-response cycles.
Security
We use access controls, row-level database policies, HTTPS, provider security controls, rate limits, abuse checks, origin checks, webhook signature validation, IP and fingerprint-based throttling, encrypted Twilio subaccount tokens, and hashed API keys. No internet service is perfectly secure. You must keep your login, API keys, devices, and website access secure.
Cookies, local storage, and analytics
localbot uses essential cookies or local storage for sign-in, checkout, security, locale, currency, consent, selected plan, redirects, and product preferences. We do not sell personal data and we do not use advertising cookies.
We use PostHog product analytics, pageview and pageleave capture, performance metrics, heatmaps, session recording with masked personal data, console capture, Vercel Speed Insights, scroll-depth events, UTM session storage, and server-side product events to understand whether the site and product are working. The banner stores an acknowledgement or preference in local storage.
Your rights
Under the GDPR, you may have the right to access, correct, delete, or export your personal data, and to restrict or object to its processing. You can also withdraw consent where processing is based on consent. Email hello@localbot.io and we will respond within one month unless the law allows more time.
For data your visitors submitted to your localbot form, they should normally contact you first because you control that relationship. If they contact us directly, we may forward or refer the request to you unless we are legally required to handle it ourselves.
If you think we mishandled your data, you can complain to the Finnish Data Protection Ombudsman at tietosuoja.fi.
Changes
If we change how we handle data in a meaningful way, we'll update this page and, where appropriate, email active customers or show an in-product notice. The "last updated" date above is the source of truth.