Terms of ServicePrivacy PolicyRefund Policy

Privacy Policy

Last updated: 5 July 2026

Local Metal Detector is a public directory — being discoverable is the point. This policy explains exactly what we collect, what stays private, and the choices you have. We are based in New Zealand and comply with the New Zealand Privacy Act 2020, and where they apply, the EU/UK GDPR and US state privacy laws.

1. Who we are

Local Metal Detector (“we”, “us”) operates localmetaldetector.com, a global directory of metal detectorists, clubs, and stores. We are the “agency” under the New Zealand Privacy Act 2020 and the “data controller” under the GDPR for the personal information described here.

Privacy contact: privacy@localmetaldetector.com

2. Information we collect

Account & profile

  • Account: email address and a password (stored only as a secure hash by our authentication provider).
  • Listing profile (public by design): display name, bio, photos/logo, specialties, coverage area, service fees, gear, badges, and any links (website, Facebook, external profiles) you choose to add. Your profile page is visible to anyone, including search engines.
  • Location: members choose a suburb, not a street address. We deliberately round member coordinates to roughly 1 km and strip any street-level detail before storing — your exact home location is never kept. Stores and clubs list an exact business address by choice.
  • Phone number (optional): shown publicly only per your tier and our visibility settings; otherwise contact happens through our relay form and neither party sees the other’s email address.

Payments & identity

  • Payments: paid memberships are sold by Lemon Squeezy as merchant of record. We receive your subscription status, plan, and a customer reference — never your card number.
  • ID verification (optional, paid members): handled by Stripe Identity. Your ID document and selfie go directly to Stripe; we store only the verification outcome and a session reference. We never hold copies of your ID documents.

Community content

  • Reviews: reviewer name (optional), email (used once to verify the review), rating, text, and an optional photo (typically a picture of the recovered item).
  • Field Notes posts: a title, body text, and up to two photos per post about your finds. Approved posts appear on your public profile and in the directory-wide Field Notes feed.
  • Photos & images: your profile picture and logo, any Field Notes photos, and any review photo. These are stored in our file storage (Supabase) and displayed publicly. Photos can carry embedded metadata (for example camera details or GPS coordinates) — we don’t use that metadata, but you choose what you upload, so consider stripping location data from sensitive images first.
  • Finds, gear lists, and enquiry messages you submit through the platform.

You provide this community content, and the photos within it, voluntarily. Uploading an image or post is your consent to publish it publicly while it remains posted; you can withdraw that consent at any time by deleting it or asking us to remove it (see “Your rights” below).

Technical

  • Analytics: our own cookieless analytics — a random session id kept in your browser tab (sessionStorage), page views, and events. Your IP address is one-way hashed with a salt on our server; we keep derived country and device type, not the raw address. We honour Do Not Track and Global Privacy Control signals.
  • Security & pricing: your IP address is checked server-side (via ipapi.is) to detect fraud/VPN anomalies and set regional pricing. Form submissions are protected by Cloudflare Turnstile.

What we don’t collect: exact member home addresses, payment card numbers, copies of ID documents, advertising profiles, or third-party ad-tracking cookies. We do not sell personal information, and we do not use your data to train AI models.

3. How we use information

  • Operate the directory: publish your listing, place it on the map, and serve your public profile page.
  • Process memberships, apply tier benefits, and show verification badges.
  • Relay enquiries between visitors and members without exposing email addresses.
  • Verify and moderate reviews, links, and community content.
  • Detect fraud and abuse (including pricing-region anomalies) and secure the service.
  • Send transactional email — account confirmations, review links, enquiry relays, billing notices. We don’t send marketing email without a separate opt-in.
  • Understand aggregate usage through our privacy-first analytics.

Under the GDPR our legal bases are: performance of a contract (running your account and listing), legitimate interests (security, fraud prevention, aggregate analytics), consent (optional features like ID verification and the Telegram community), and legal obligation (tax and accounting records via our merchant of record).

4. Cookies & local storage

We do not use advertising or cross-site tracking cookies, so we don’t show a cookie consent banner. What your browser stores:

ItemTypePurposeLifetime
Supabase auth sessionlocalStorage (essential)Keeps you signed inUntil you sign out
lmd_sidsessionStorage (analytics)Random session id for our first-party analyticsCleared when the tab closes
Cloudflare TurnstileFunctionalBot detection on formsSet by Cloudflare during verification

Sending a Do Not Track or Global Privacy Control signal stops analytics collection automatically.

5. Third-party services we rely on

These providers process data on our behalf or as independent services. Each link goes to that provider’s own privacy policy:

ProviderRoleData involvedPolicy
SupabaseDatabase, authentication & file storageAccount email, hashed password, listing data, uploaded imagesView
VercelWebsite hostingStandard web server logs (IP address, user agent)View
Lemon SqueezyPayments (merchant of record)Name, email, billing address, payment card details (we never receive card numbers)View
StripeIdentity verification (paid members, optional)Government ID images and selfie, captured and held by Stripe — we store only the pass/fail statusView
ResendTransactional email deliveryEmail address, message contentView
Cloudflare TurnstileBot protection on formsIP address, browser signals (no tracking cookies for advertising)View
ipapi.isIP-based country lookup for regional pricing & fraud checksIP address (server-side only)View
Photon (Komoot) & Nominatim (OpenStreetMap)Address search / suburb autocompleteThe address text you type while choosing a locationView
OpenFreeMap & EsriMap tiles (street & satellite imagery)IP address and map area requested, as with any map serviceView
Google FontsWeb fonts on our marketing pagesIP address and browser details when fonts loadView
TelegramOptional community group for membersYour Telegram handle, only if you choose to joinView

6. How long we keep information

  • Account & listing: for as long as your account exists. Deleting your account removes your listing and profile from the directory.
  • Reviews: retained while the reviewed listing exists, to keep review history honest. Reviewer emails are kept only for verification and dispute handling.
  • Field Notes posts & photos: kept while posted. When you delete a post/photo (or your account) it stops being served publicly; a removed or rejected item may be retained briefly for moderation and abuse-prevention records, and short-lived copies can persist in backups before they cycle out.
  • Enquiry relays: kept briefly for delivery and abuse prevention, then removed from active systems.
  • Billing records: retained by us and Lemon Squeezy as required by tax law (typically 7 years in New Zealand).
  • ID verification: we keep only the outcome and session reference; document retention is governed by Stripe’s policy.
  • Analytics & logs: aggregate, IP-hashed data; raw server logs rotate on short cycles.

7. Your rights

Everyone: you can access and correct your information (New Zealand Privacy Act 2020, principles 6 and 7) — most of it directly from your profile — and you can delete your account, which removes your public listing.

Removing specific content & photos: you don’t have to delete your whole account to take something down. You can delete your own profile photos and Field Notes posts directly from your profile at any time. If you can’t remove something yourself — including a photo, post, or review that features you or your property and was posted without permission — email privacy@localmetaldetector.com or support@localmetaldetector.com and we’ll review and, where appropriate, remove it. Because uploading content is how you consent to publishing it, withdrawing consent is as simple as deleting it or asking us to. Once removed it stops being served publicly; limited copies may remain in backups or moderation/legal records as set out in section 6.

EEA & UK (GDPR)

You additionally have the rights of erasure, restriction, portability, and objection (Articles 15–22), and the right to withdraw consent at any time. You may complain to your local supervisory authority. New Zealand holds a European Commission adequacy decision, so transfers of EU data to us are recognised as adequately protected; our sub-processors in the United States rely on their own safeguards (Standard Contractual Clauses or the EU–US Data Privacy Framework — see their policies above).

California & other US states

You have the rights to know, delete, and correct. We do not sell or share personal information as defined by the CCPA/CPRA, and we honour Global Privacy Control as a valid opt-out signal. We do not use sensitive personal information beyond what is necessary to provide the service.

To exercise any right, email privacy@localmetaldetector.com. We respond within 20 working days (NZ) or one month (GDPR).

8. International transfers

We operate from New Zealand and our infrastructure providers are primarily in the United States. Where we disclose personal information overseas, we take reasonable steps to ensure it is subject to comparable safeguards, as required by IPP 12 of the Privacy Act 2020 — principally through the contractual commitments and certifications of the processors listed in section 5.

9. Children

The service is not directed at children. You must be at least 16 to create an account, and at least 18 to purchase a paid membership or complete ID verification. We delete accounts we discover to be under these ages.

10. Security

Passwords are hashed by our authentication provider, IP addresses used in analytics are salted and hashed, ID documents never touch our servers, member coordinates are coarsened before storage, and admin actions are restricted and reviewed. No online service can promise perfect security, but we design so that a breach exposes as little as possible.

11. If something goes wrong

If a privacy breach is likely to cause serious harm, we will notify the New Zealand Office of the Privacy Commissioner and affected people as required by the Privacy Act 2020 — and, where the GDPR applies, the relevant supervisory authority within 72 hours.

12. Changes to this policy

We’ll post any changes here with a new “Last updated” date, and email account holders about material changes. Continued use of the service after changes take effect means the updated policy applies.

13. Contact & complaints

Privacy questions: privacy@localmetaldetector.com · General support: support@localmetaldetector.com

If you’re not satisfied with our response, you can complain to the New Zealand Office of the Privacy Commissioner (privacy.org.nz) or, in the EEA/UK, to your local data protection authority.

See also our Terms of Service and Refund Policy.

Local Metal Detector© 2026 — All rights reserved.
MapAboutShopBlog
Terms of ServicePrivacy PolicyRefund Policy