← Back to home

Privacy Policy

Last updated: May 19, 2026

This page explains what information Our Local Spotlight (“OLS,” “we,” “us”) collects, why we collect it, who we share it with, and how you can change your mind at any time. It’s deliberately written in plain English. If something here is unclear, email us at localspotlightinfo@gmail.com.

Who we are. Our Local Spotlight is a direct-mail and digital advertising platform headquartered at 27 Atlantic Ave, York, ME 03909. We operate www.ourlocalspotlight.com and the partner landing pages and virtual postcards accessible under /c/… and /partners/….

Two kinds of users. Our platform serves both partners (the businesses who buy advertising slots on community postcards) and consumers (the people who scan a postcard’s QR code or visit a partner’s page to redeem an offer). Different sections below describe what data each one encounters.

Information you give us as a consumer

When you redeem an offer or sign up for future drops:

  • Your name and email address. Required so we can deliver the coupon code and so the partner who published the card can see who claimed an offer.
  • Your phone number (optional). If you provide it, the partner who published the card may text you about offer updates or future drops. We do not text you ourselves. Providing a phone number is never a condition of redeeming an offer. See Text messages below for the full terms.
  • Your opt-in choices. Whether you ticked “Email me future offers from {partner}” and/or “Share my info with the advertiser” are stored alongside the disclosure text you saw at the time, so we can prove what you agreed to.
  • IP address and browser user-agent. Recorded automatically with each redemption to deter automated abuse. Never shown to partners, never sold.

Information you give us as a partner

  • Account details. Your name, business name, mailing address, business email, phone, ZIP codes you mail to, and other application fields used to set up your partner account.
  • Advertiser details you save. Names, logos, contact emails, contact phones, and optional Google Business Profile links for the local businesses you feature on your community cards.
  • Payment information. Subscription payments are processed by Stripe. We don’t see or store your card details — Stripe does. We retain a customer ID and the most recent payment status.

How we use this information

  • Deliver the service you signed up for — sending coupon emails, displaying partner landing pages, routing leads to partners, processing partner subscription payments.
  • Send transactional emails (e.g. redemption confirmations, application updates, payment receipts) using Resend as our outbound email provider.
  • Send broadcast announcement emails to consumers who opted in to future offers from a specific partner — see Marketing email below.
  • Defend the platform against fraud and abuse (rate limits, bot challenges, audit logs).
  • Comply with our legal obligations (preserving evidence of consent, honoring deletion requests, responding to court orders).

How and when we share your information

We never sell your personal information. We share it ONLY in the following narrow situations:

  • With the partner whose card you redeemed. When you claim an offer, the partner who published that card receives your name, email, and (if you provided it) phone, so they can keep a record of who responded to their cards. This is the core function of the platform.
  • With an advertiser only when you affirmatively opt in. The redemption form has a separate checkbox that says “Share my info with the advertiser so they can contact me.” That checkbox is unchecked by default. If you tick it, your name, email, and phone (if provided) are forwarded to that specific advertiser via a one-time email. They may then contact you about the offer you claimed. Untick the box to keep your info with the partner only.
  • With service providers we use to run the platform. These are limited to what each provider actually needs to do their job:
    • Supabase (database hosting) — stores the data described above.
    • Vercel (web hosting) — serves the pages, processes form submissions.
    • Resend (transactional + broadcast email) — receives the recipient address and email body to deliver each message.
    • Stripe (partner payments only) — handles partner subscription billing.
    • Cloudflare Turnstile (bot challenge) — runs the invisible captcha on submit.
    • Google Places API — when a partner saves a Google Maps URL for an advertiser, we call Google to fetch the cached business profile (address, hours, rating). We don’t send any consumer data to Google.
    • Mapbox — renders the maps on partner landing pages. We send anonymous map-tile requests only.
  • If required by law. A subpoena, court order, or written request from a law-enforcement agency we’re legally required to comply with.
  • To protect ourselves and others. If we believe disclosure is necessary to prevent fraud, abuse, or imminent harm.

We don’t use cross-site behavioral tracking. We don’t share data with ad networks. We don’t participate in third-party retargeting.

Marketing email

If you tick the “Email me future offers from {partner}” checkbox when you redeem, you join that specific partner’s subscriber list. The partner can email you when they publish a new community card — typically once a month, sometimes less often, sometimes a little more.

Every marketing email we send on a partner’s behalf includes:

  • A clear sender identification (“From” line).
  • A one-click unsubscribe link at the footer that takes effect immediately and applies to every future broadcast from that partner.
  • The physical postal address required by the CAN-SPAM Act (27 Atlantic Ave, York, ME 03909).

Unsubscribing from one partner does NOT unsubscribe you from another partner you also opted in to. Each partner’s subscriber list is independent.

Text messages

Our Local Spotlight does not send marketing text messages from its own systems today. The phone field on the redemption and subscribe forms is optional, and is collected so the partner can text you directly about the offer or future drops if they choose.

If you provide a phone number, the disclosure text shown directly beneath the phone input becomes your binding consent for the partner to text you (TCPA prior express written consent). The disclosure says:

By providing your phone, you agree that {partner} may text you with offer updates or future drops. Consent isn’t required to redeem this offer. Message and data rates may apply. Reply STOP to any message to opt out.

You can opt out of a partner’s texts any time by replying STOP. If you want us to delete your phone number from our systems entirely, email localspotlightinfo@gmail.com.

Cookies and tracking

We use a small number of cookies, all functional or essential:

  • Auth cookie (partners only) — issued by Supabase to keep partners signed in. HttpOnly and Secure.
  • Session ID — random per-tab UUID kept in sessionStorage on the consumer side. Used so a page reload doesn’t double-count as a pageview. Dies when you close the tab.

No third-party analytics, no Facebook Pixel, no Google Analytics, no advertising trackers.

How long we keep your data

  • Redemption records — kept as long as the partner who owns the card keeps their account. If the partner deletes a card, the underlying redemption rows are preserved for analytics and dispute resolution. If you ask us to delete your data, we’ll remove it within 30 days regardless.
  • Subscription list — kept until you unsubscribe, or until the partner deletes their account.
  • Email suppression list — kept permanently. If your address has hard-bounced or been marked as spam, we preserve that record indefinitely so we never try to send to it again, which protects every partner’s deliverability.
  • Consent records — kept as long as the redemption / subscription row they attach to.
  • Partner account data — kept while the partner subscription is active and for 12 months after cancellation, after which all PII is purged.

Your rights — and how to use them

Regardless of where you live, you can do the following at any time by emailing localspotlightinfo@gmail.com from the address on file:

  • See what we have. We’ll send you a copy of the personal data tied to your email address.
  • Fix it. If something’s wrong, we’ll correct it.
  • Delete it. We’ll remove your redemption rows, subscription rows, and any contact info — within 30 days. Note: we’ll keep your email on the global suppression list if you unsubscribed, so we never re-add you accidentally.
  • Opt out of marketing email — click Unsubscribe in any email, or email us.
  • Opt out of advertiser sharing — uncheck the “Share my info with the advertiser” box at the time of redemption. If you already redeemed, email us and we’ll forward a request to the advertiser to delete your record from their own list.

We don’t require an account, login, or fee for any of these requests. We may ask for one piece of identifying information (e.g. confirming you redeemed a specific offer) to make sure we’re responding to the right person.

California privacy rights (CCPA / CPRA)

If you’re a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you specific rights on top of the rights above:

  • Right to know. The categories of personal information we’ve collected about you in the past 12 months, the sources of that information, the purposes for collection, and the categories of third parties we’ve shared it with — all listed explicitly in this policy.
  • Right to delete. See above.
  • Right to correct. See above.
  • Right to opt out of “sale” or “sharing.” We do not sell personal information for money. The only time we “share” in the CCPA sense is when you affirmatively tick the box to share your info with a specific advertiser at redemption time — which is itself an opt-in. To revoke that share for a past redemption, email localspotlightinfo@gmail.com with the subject line “Do Not Sell or Share My Personal Information.”
  • Right to limit use of sensitive PI. We don’t collect “sensitive personal information” as the CPRA defines it (no SSNs, financial accounts, geolocation precision beyond ZIP, health, biometric, etc.).
  • Non-discrimination. Exercising any of the rights above does not affect any service or pricing offered to you.

If you’re an authorized agent acting on a California resident’s behalf, please include written authorization in your request.

Other state privacy laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and the growing list of other states with comprehensive privacy laws have access to substantially the same rights described in the California section. Email us using the contact above to exercise any of them. We don’t engage in “targeted advertising,” “profiling,” or “sale of personal data” as those terms are defined in the various state laws.

Visiting from outside the US

Our service is operated from the United States. If you visit from another country, the personal information you provide is transferred to and processed in the US.

If you’re a Canadian or EU/UK resident interacting with a partner’s page, you’re entitled to the equivalents of CASL, PIPEDA, and GDPR / UK GDPR rights respectively. The mechanisms described above (email us to access, correct, delete, or opt out) apply equally. Our lawful basis for processing your information under GDPR is your consent (when you tick a box) and our legitimate interest in delivering the service you signed up for.

Changes to this policy

We’ll update this page when our practices change. Material changes that affect how we share your data will be announced via an email to all partners (and, where relevant, to consumers on the affected partners’ subscriber lists). The “Last updated” date at the top reflects the most recent revision.

Contact us

Privacy questions, deletion requests, opt-out requests, or anything else — email localspotlightinfo@gmail.com or write to:

Our Local Spotlight
27 Atlantic Ave
York, ME 03909
United States