Security & Privacy at Guanajuato Local Hub

• Accounts are created with email and password or with Google sign-in.
• Passwords are handled by our managed authentication provider; we never store plaintext passwords.
• You can sign out from any device by ending your session in your account menu.
• Administrative actions in our admin area require a server-verified admin role; the role is never trusted from the browser.

• Our database uses row-level security so that each user can only read and modify the rows they own.
• Business profiles, reviews, and other content intentionally published to the directory are public. User account profiles are not browseable by other visitors.
• Server-side checks enforce ownership before edits to listings, reviews, claims, or subscriptions.

• The application is built on the Lovable platform and runs on managed, TLS-terminated infrastructure. All traffic to the site is served over HTTPS.
• The database, authentication, and file storage are provided by our managed backend (Supabase).
• Server secrets (API keys, webhook signing secrets) are stored as managed secrets and are never bundled into client-side code.

• Account data: email address, display name, and (if you provide one) profile photo.
• Business listing data: information you choose to publish about your business — name, category, location, contact details, photos, videos, and links.
• Reviews and messages: content you post on listings and messages you exchange through the platform.
• Billing data: subscription status, plan, and billing period. Card details are handled by Stripe — we do not see or store them.

• Supabase — database, authentication, and file storage.
• Stripe — subscription billing and payments.
• Google Maps Platform — maps and place data for directory listings.
• Lovable AI Gateway — powers the in-app chat assistant and AI-assisted features.
• WhatsApp — optional 2-way messaging on Pro/Enterprise tiers, opened from the public link the business chooses to publish.

We use cookies and similar local storage for essential functionality such as keeping you signed in and remembering your language preference. We do not sell personal data.

• Listings, reviews, and account data are retained while your account is active.
• You can request deletion of your account and associated personal data by emailing us at the address below. Public reviews may be retained in anonymized form to preserve the integrity of business ratings.
• Backups are retained by our hosting providers per their standard retention windows.

If you believe you have found a security or privacy issue, please email gtolocalhub@gmail.com with details and steps to reproduce. Please give us a reasonable opportunity to investigate and remediate before any public disclosure.