Privacy Policy

01Who we are

"LocalBites," "we," "us," and "our" refer to 2166613 Alberta LTD, a corporation registered in the Province of Alberta, Canada, operating the LocalBites platform at localbites.ca.

For the purposes of PIPEDA (Canada's Personal Information Protection and Electronic Documents Act), the GDPR (EU/UK General Data Protection Regulation), and the CCPA/CPRA (California), we are the data controller of the personal information described in this policy.

Our registered address is Calgary, Alberta, Canada. You can reach our Privacy Office at privacy@localbites.ca.

02Information we collect

We collect the information below only to operate LocalBites. We do not collect personal information we don't need.

03How we use your information

We use the information we collect to:

• Take your order or reservation, route it to the restaurant, and confirm delivery or pickup.
• Process payments and, where required, issue refunds.
• Send you order confirmations, reservation reminders, and delivery updates by WhatsApp, SMS, or email.
• Operate our AI concierge Maya, who answers menu questions, suggests items, and processes orders through natural conversation.
• Provide restaurant partners with order management, reservation management, and — where they have enabled it — social media posting tools.
• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Comply with legal obligations, including tax reporting and responding to lawful requests from authorities.
• Improve our services — for example, by analyzing aggregated order patterns to improve Maya's accuracy.
• Send marketing communications where you have opted in (you can opt out at any time).

We do not sell your personal information. We do not use your conversation data with Maya to train third-party AI models.

04Legal basis for processing (GDPR)

If you are in the European Economic Area or the United Kingdom, we process your personal information on the following legal bases:

• Performance of a contract — to provide the ordering, reservation, and delivery services you request.
• Legitimate interests — to operate and improve LocalBites, prevent fraud, and secure our systems, where those interests are not overridden by your rights.
• Consent — for optional marketing communications and for connecting your social media accounts. You may withdraw consent at any time.
• Legal obligation — where we must retain records for tax, accounting, or law-enforcement purposes.

05How we share information

We share personal information only with the parties below, and only to the extent necessary:

• Restaurants you order from. We share your name, delivery address (for delivery orders), phone number, order details, and any special instructions with the restaurant that needs to prepare your order.
• Delivery personnel. For delivery orders, we share your name, address, and phone number with the person delivering the order.
• Service providers who operate LocalBites on our behalf. This includes: Stripe (payments), Supabase (database hosting), Cloudflare (website hosting and DDoS protection), Cloudinary (image hosting), Resend (transactional email), Telnyx (SMS), Deepgram (voice transcription for phone ordering), Google (Gemini AI and reCAPTCHA), Anthropic (Claude AI), and Meta (WhatsApp Business Platform).
• Legal and safety. We may disclose information if required by law, to enforce our Terms, or to protect the rights, property, or safety of LocalBites, our users, or the public.
• Business transfers. If LocalBites is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. You will be notified.

We require all service providers to use your information only for the purposes we specify, and to protect it with appropriate security measures.

06Facebook, Instagram, and Meta Platforms

LocalBites integrates with Meta Platforms in two ways:

WhatsApp Business Platform

When you message our WhatsApp number (+1 403-493-2717), your messages are delivered to us through the WhatsApp Business Platform, which is operated by Meta. Meta's own privacy practices apply to the transport of those messages and are described in the WhatsApp Privacy Policy. We use the WhatsApp Business Platform solely to deliver our ordering, reservation, and concierge service. We do not advertise to you on WhatsApp unless you have opted in to marketing.

Facebook Pages and Instagram Business accounts (Partner feature)

Restaurant partners can choose to connect their Facebook Page and/or Instagram Business account to LocalBites so that promotions, menu updates, and blast messages can be cross-posted automatically. When a partner connects their account via Facebook Login, we request the following permissions, which require approval from Meta through Meta's App Review process:

• pages_show_list — to display a list of the partner's Pages so they can choose which one to connect.
• pages_read_engagement — to read Page performance metrics so partners can see how their posts are doing.
• pages_manage_posts — to publish posts to the connected Page when the partner schedules content.
• pages_manage_metadata — to configure webhooks so the partner's Page remains in sync with LocalBites.
• instagram_basic — to identify the Instagram Business account linked to a connected Page.
• instagram_content_publish — to publish content to the connected Instagram Business account when the partner schedules it.
• business_management — to operate within the partner's Meta Business Portfolio when they manage multiple Pages through a Business Manager.

We store the access token Meta returns to us, along with the Page and account identifiers. We use these only to perform the actions the partner has explicitly requested (scheduling or publishing content). Partners can disconnect at any time from the Partner Portal, which revokes the token.

Data we receive from Meta is used only to provide the social posting feature and is not sold, rented, or used for any other purpose.

07Cookies and similar technologies

We use a small number of cookies and similar technologies:

• Essential cookies — required for the site to function (for example, to keep you logged in to the Partner Portal).
• Analytics cookies — to understand how visitors use our site in aggregate.
• Advertising cookies — only set if you click on a Meta ad leading to LocalBites, so that Meta can measure the ad's performance. We do not use advertising cookies for tracking unrelated to our own campaigns.

You can control cookies through your browser settings. Disabling essential cookies may prevent parts of the site from working.

08How long we keep your information

We keep your personal information only as long as we need it for the purposes described in this policy, or as required by law:

• Order and reservation records: 7 years, to comply with Canadian tax and accounting requirements, after which records are anonymized or deleted.
• WhatsApp conversation history: 2 years from last activity, or until you request deletion.
• Marketing opt-in records: For as long as you remain opted in, plus 24 months after opt-out to demonstrate compliance with anti-spam law.
• Security and fraud logs: 13 months.
• Restaurant partner records: For the duration of the partnership, plus 7 years after it ends.

You may request deletion of your information at any time — see Section 11.

09How we protect your information

We use reasonable technical and organizational safeguards:

• All data in transit is encrypted using TLS 1.2 or higher.
• Databases enforce row-level security so that each restaurant partner can access only their own data.
• Payment card data is handled by Stripe, a PCI-DSS Level 1 certified provider. We do not store full card numbers.
• Access to production systems is restricted to a limited number of authorized personnel and requires strong authentication.
• We monitor for unauthorized access and unusual activity.

No system can be guaranteed 100% secure. If we become aware of a security incident that affects your personal information, we will notify you and the appropriate authorities in accordance with applicable law.

10International data transfers

LocalBites is operated from Canada. Some of our service providers (including Stripe, Supabase, Cloudflare, Meta, Google, and Anthropic) process data in the United States and other countries. When we transfer personal information outside Canada, we rely on legally recognized safeguards — such as Standard Contractual Clauses for transfers from the EU/UK, and contractual commitments equivalent to PIPEDA for transfers involving Canadian personal information.

11Your rights

Depending on where you live, you have some or all of the following rights:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct information that is inaccurate or incomplete.
• Deletion ("right to erasure") — ask us to delete your personal information, subject to legal retention requirements.
• Restriction or objection — ask us to stop or limit certain uses of your information, including direct marketing.
• Portability — request a copy of your information in a commonly used machine-readable format.
• Withdraw consent — where we process based on consent, you may withdraw it at any time without affecting prior processing.
• Lodge a complaint — with the Office of the Privacy Commissioner of Canada (priv.gc.ca), your local EU/UK data protection authority, or the California Privacy Protection Agency.

To exercise any of these rights, email privacy@localbites.ca or use our Data Deletion form. We will respond within 30 days (or 45 days in California, as permitted by law). We may need to verify your identity before acting on your request.

12California residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• The right to know what personal information we collect, use, disclose, and sell or share.
• The right to delete personal information we collect from you, subject to exceptions.
• The right to correct inaccurate personal information.
• The right to opt out of the sale or sharing of your personal information.
• The right to limit the use of sensitive personal information.
• The right to non-discrimination for exercising any of these rights.

We do not sell your personal information, and we do not share it for cross-context behavioural advertising as those terms are defined under California law. To exercise your rights, email privacy@localbites.ca.

13Children's privacy

LocalBites is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at privacy@localbites.ca and we will delete it.

14Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If the changes are material, we will notify you by email or through a prominent notice on our website before they take effect.

15Contact us

Questions, concerns, or requests about this policy or your personal information: