Privacy Policy
Last updated: 5 July 2026
Local Metal Detector is a public directory — being discoverable is the point. This policy explains exactly what we collect, what stays private, and the choices you have. We are based in New Zealand and comply with the New Zealand Privacy Act 2020, and where they apply, the EU/UK GDPR and US state privacy laws.
1. Who we are
Local Metal Detector (“we”, “us”) operates localmetaldetector.com, a global directory of metal detectorists, clubs, and stores. We are the “agency” under the New Zealand Privacy Act 2020 and the “data controller” under the GDPR for the personal information described here.
Privacy contact: privacy@localmetaldetector.com
2. Information we collect
Account & profile
- Account: email address and a password (stored only as a secure hash by our authentication provider).
- Listing profile (public by design): display name, bio, photos/logo, specialties, coverage area, service fees, gear, badges, and any links (website, Facebook, external profiles) you choose to add. Your profile page is visible to anyone, including search engines.
- Location: members choose a suburb, not a street address. We deliberately round member coordinates to roughly 1 km and strip any street-level detail before storing — your exact home location is never kept. Stores and clubs list an exact business address by choice.
- Phone number (optional): shown publicly only per your tier and our visibility settings; otherwise contact happens through our relay form and neither party sees the other’s email address.
Payments & identity
- Payments: paid memberships are sold by Lemon Squeezy as merchant of record. We receive your subscription status, plan, and a customer reference — never your card number.
- ID verification (optional, paid members): handled by Stripe Identity. Your ID document and selfie go directly to Stripe; we store only the verification outcome and a session reference. We never hold copies of your ID documents.
Community content
- Reviews: reviewer name (optional), email (used once to verify the review), rating, text, and an optional photo (typically a picture of the recovered item).
- Field Notes posts: a title, body text, and up to two photos per post about your finds. Approved posts appear on your public profile and in the directory-wide Field Notes feed.
- Photos & images: your profile picture and logo, any Field Notes photos, and any review photo. These are stored in our file storage (Supabase) and displayed publicly. Photos can carry embedded metadata (for example camera details or GPS coordinates) — we don’t use that metadata, but you choose what you upload, so consider stripping location data from sensitive images first.
- Finds, gear lists, and enquiry messages you submit through the platform.
You provide this community content, and the photos within it, voluntarily. Uploading an image or post is your consent to publish it publicly while it remains posted; you can withdraw that consent at any time by deleting it or asking us to remove it (see “Your rights” below).
Technical
- Analytics: our own cookieless analytics — a random session id kept in your browser tab (sessionStorage), page views, and events. Your IP address is one-way hashed with a salt on our server; we keep derived country and device type, not the raw address. We honour Do Not Track and Global Privacy Control signals.
- Security & pricing: your IP address is checked server-side (via ipapi.is) to detect fraud/VPN anomalies and set regional pricing. Form submissions are protected by Cloudflare Turnstile.
What we don’t collect: exact member home addresses, payment card numbers, copies of ID documents, advertising profiles, or third-party ad-tracking cookies. We do not sell personal information, and we do not use your data to train AI models.
3. How we use information
- Operate the directory: publish your listing, place it on the map, and serve your public profile page.
- Process memberships, apply tier benefits, and show verification badges.
- Relay enquiries between visitors and members without exposing email addresses.
- Verify and moderate reviews, links, and community content.
- Detect fraud and abuse (including pricing-region anomalies) and secure the service.
- Send transactional email — account confirmations, review links, enquiry relays, billing notices. We don’t send marketing email without a separate opt-in.
- Understand aggregate usage through our privacy-first analytics.
Under the GDPR our legal bases are: performance of a contract (running your account and listing), legitimate interests (security, fraud prevention, aggregate analytics), consent (optional features like ID verification and the Telegram community), and legal obligation (tax and accounting records via our merchant of record).
5. Third-party services we rely on
These providers process data on our behalf or as independent services. Each link goes to that provider’s own privacy policy:
| Provider | Role | Data involved | Policy |
|---|---|---|---|
| Supabase | Database, authentication & file storage | Account email, hashed password, listing data, uploaded images | View |
| Vercel | Website hosting | Standard web server logs (IP address, user agent) | View |
| Lemon Squeezy | Payments (merchant of record) | Name, email, billing address, payment card details (we never receive card numbers) | View |
| Stripe | Identity verification (paid members, optional) | Government ID images and selfie, captured and held by Stripe — we store only the pass/fail status | View |
| Resend | Transactional email delivery | Email address, message content | View |
| Cloudflare Turnstile | Bot protection on forms | IP address, browser signals (no tracking cookies for advertising) | View |
| ipapi.is | IP-based country lookup for regional pricing & fraud checks | IP address (server-side only) | View |
| Photon (Komoot) & Nominatim (OpenStreetMap) | Address search / suburb autocomplete | The address text you type while choosing a location | View |
| OpenFreeMap & Esri | Map tiles (street & satellite imagery) | IP address and map area requested, as with any map service | View |
| Google Fonts | Web fonts on our marketing pages | IP address and browser details when fonts load | View |
| Telegram | Optional community group for members | Your Telegram handle, only if you choose to join | View |
6. How long we keep information
- Account & listing: for as long as your account exists. Deleting your account removes your listing and profile from the directory.
- Reviews: retained while the reviewed listing exists, to keep review history honest. Reviewer emails are kept only for verification and dispute handling.
- Field Notes posts & photos: kept while posted. When you delete a post/photo (or your account) it stops being served publicly; a removed or rejected item may be retained briefly for moderation and abuse-prevention records, and short-lived copies can persist in backups before they cycle out.
- Enquiry relays: kept briefly for delivery and abuse prevention, then removed from active systems.
- Billing records: retained by us and Lemon Squeezy as required by tax law (typically 7 years in New Zealand).
- ID verification: we keep only the outcome and session reference; document retention is governed by Stripe’s policy.
- Analytics & logs: aggregate, IP-hashed data; raw server logs rotate on short cycles.
7. Your rights
Everyone: you can access and correct your information (New Zealand Privacy Act 2020, principles 6 and 7) — most of it directly from your profile — and you can delete your account, which removes your public listing.
Removing specific content & photos: you don’t have to delete your whole account to take something down. You can delete your own profile photos and Field Notes posts directly from your profile at any time. If you can’t remove something yourself — including a photo, post, or review that features you or your property and was posted without permission — email privacy@localmetaldetector.com or support@localmetaldetector.com and we’ll review and, where appropriate, remove it. Because uploading content is how you consent to publishing it, withdrawing consent is as simple as deleting it or asking us to. Once removed it stops being served publicly; limited copies may remain in backups or moderation/legal records as set out in section 6.
EEA & UK (GDPR)
You additionally have the rights of erasure, restriction, portability, and objection (Articles 15–22), and the right to withdraw consent at any time. You may complain to your local supervisory authority. New Zealand holds a European Commission adequacy decision, so transfers of EU data to us are recognised as adequately protected; our sub-processors in the United States rely on their own safeguards (Standard Contractual Clauses or the EU–US Data Privacy Framework — see their policies above).
California & other US states
You have the rights to know, delete, and correct. We do not sell or share personal information as defined by the CCPA/CPRA, and we honour Global Privacy Control as a valid opt-out signal. We do not use sensitive personal information beyond what is necessary to provide the service.
To exercise any right, email privacy@localmetaldetector.com. We respond within 20 working days (NZ) or one month (GDPR).
8. International transfers
We operate from New Zealand and our infrastructure providers are primarily in the United States. Where we disclose personal information overseas, we take reasonable steps to ensure it is subject to comparable safeguards, as required by IPP 12 of the Privacy Act 2020 — principally through the contractual commitments and certifications of the processors listed in section 5.
9. Children
The service is not directed at children. You must be at least 16 to create an account, and at least 18 to purchase a paid membership or complete ID verification. We delete accounts we discover to be under these ages.
10. Security
Passwords are hashed by our authentication provider, IP addresses used in analytics are salted and hashed, ID documents never touch our servers, member coordinates are coarsened before storage, and admin actions are restricted and reviewed. No online service can promise perfect security, but we design so that a breach exposes as little as possible.
11. If something goes wrong
If a privacy breach is likely to cause serious harm, we will notify the New Zealand Office of the Privacy Commissioner and affected people as required by the Privacy Act 2020 — and, where the GDPR applies, the relevant supervisory authority within 72 hours.
12. Changes to this policy
We’ll post any changes here with a new “Last updated” date, and email account holders about material changes. Continued use of the service after changes take effect means the updated policy applies.
13. Contact & complaints
Privacy questions: privacy@localmetaldetector.com · General support: support@localmetaldetector.com
If you’re not satisfied with our response, you can complain to the New Zealand Office of the Privacy Commissioner (privacy.org.nz) or, in the EEA/UK, to your local data protection authority.
See also our Terms of Service and Refund Policy.