Privacy & Data
How we handle your data
Plain-English version of our privacy practices. We collect the minimum we need to run our tools and consultancy, we don't sell data, and you can ask us to delete yours at any time.
Effective: May 22, 2026
In short
- ✓ We collect your name, work email, company and the answers you give to our free tools.
- ✓ We use it to generate your report, follow up, and improve our tools.
- ✓ We never sell your data and we don't share it with third parties for advertising.
- ✓ You can ask us to delete your account and all related data by emailing info@starnovai.com.
1. What we collect
When you use a Star AI Consulting tool (AI Readiness Assessment, ROI Lab, Microsoft AI Blueprint) or contact us, we collect:
- Identity & contact info — name, work email, company name, and (optionally) phone.
- Assessment inputs — the answers you provide in our tools (industry, company size, current AI usage, pain points, etc.).
- Generated outputs — the reports, recommendations, and scores our tools produce from your inputs.
- Account data — if you sign up, the email tied to your account, your sign-in provider (email, Google, magic-link), and basic profile metadata.
- Usage telemetry — anonymized page views, button clicks, and error logs so we can fix bugs and improve UX.
2. Why we collect it (purpose)
- To deliver the tool you asked for — generate your report, email it to you, save it in your account for later access.
- To follow up — if you opt in to a strategy session or request the gallery, we'll reach out.
- To improve our tools — aggregate, de-identified analysis of which questions cause friction, which recommendations resonate, etc.
- To comply with the law — invoicing, tax records, and responding to lawful requests.
We do not use your business data to train public foundation models. We do not run advertising and we do not embed third-party advertising trackers.
3. How we store & protect it
- All data is stored in managed cloud services (Supabase / PostgreSQL on AWS; Azure Static Web Apps) with encryption at rest and in transit (TLS 1.2+).
- Access is restricted to a small set of authorized personnel with role-based credentials and 2-factor authentication.
- We retain assessment data for as long as your account is active. If you delete an individual report from /account, it's removed from our primary database within minutes (backups are purged on a rolling 30-day cycle).
- If you delete your account, all associated data is removed within 30 days.
4. Who we share data with
We use a small set of trusted sub-processors to operate the service. We do not sell or rent your data, and we don't share it for advertising.
- Supabase — auth, database, file storage.
- Microsoft Azure — hosting (Static Web Apps + serverless functions).
- Resend — transactional email delivery (your reports, sign-in links).
- OpenAI / Anthropic / Microsoft Azure OpenAI — generating the AI Executive Briefing and recommendation copy in your report. Inputs sent to these providers are governed by their enterprise / API terms, which prohibit training on customer data.
- Google (Gemini API) — powers the Skills-Gap Auditor and Prompt Playground. Free-tier inference only; do not paste confidential content into these tools.
- Cloudflare Turnstile — bot challenge on the Playground, Skills-Gap Auditor, and other free tools. Receives a token derived from your interaction with the challenge widget; no profile data.
- Upstash — per-IP / per-month rate-limit counters for free AI tools. Stores only IP + counter value with a TTL of at most 30 days.
- Google — only if you choose to sign in with Google (we receive your verified email + name).
Sub-processors are contractually required to handle your data with at least the same care we do, and only for the limited purpose of providing their service.
Training-center email captures. When you join a cohort waitlist, download a training lead-magnet, or submit a quote / boutique / consulting inquiry, your email and the few details you provided are stored in our Supabase database and trigger a single transactional notification email via Resend to our ops inbox. We do not enroll you in any marketing sequence — you receive at most one transactional email per opening event (e.g. when the cohort you waitlisted for opens).
Open Badges 3.0 credentials. When you complete a free course and submit your take-home artifact, we issue a Verifiable Credential (Open Badges 3.0) signed with our Ed25519 issuer key. The credential payload contains your email as the subject identifier (as mailto:), your name if you provided it, the badge metadata, and any evidence URL you submitted. The credential is publicly verifiable: anyone with the credential id can retrieve the verify page, download the signed payload, and validate it against the public JWK we publish at /.well-known/openbadges-issuer/jwks.json. If you want the credential revoked, email us — revocation is recorded in our database and surfaced on the verify page (the signature remains valid; the credential is marked “revoked”).
Free in-browser AI tools (Prompt Playground, Prompt Diff Coach, Skills-Gap Auditor). When you run a prompt or audit through these tools, your input is sent to Google Gemini Flash (Generative Language API) for inference, then immediately returned to your browser. We do not store your prompts, outputs, or audit inputs in our own database, and we do not attach them to a user profile. Google’s terms for the free tier permit use of submitted content to improve their models; do not paste confidential, regulated, or personally identifying data into these tools. Rate-limit counters (per-IP / day, per-tool / month) are kept in our Upstash key-value store with a TTL of at most 30 days and contain only the visitor’s IP address and a running call count — no prompt content.
5. Cookies & local storage
We use a minimal set of cookies and browser localStorage entries:
- Auth session — required to keep you signed in.
- UI preferences — language selection, persona / view-mode of your report.
- CSRF protection — to prevent cross-site forgery on form submissions.
We do not use third-party advertising cookies. We do not use any cross-site tracking pixels.
6. Your rights
Wherever you live, you can:
- Access — get a copy of the data we hold about you.
- Correct — fix anything that's inaccurate.
- Delete — remove specific reports from /account, or ask us to delete your entire account by email.
- Port — receive your data in a portable format (JSON / PDF).
- Object — tell us to stop using your data for any optional purpose (e.g. inclusion in our Client Gallery).
EEA & UK residents additionally have rights under GDPR (Articles 15–22). California residents have rights under CCPA / CPRA. To exercise any right, email info@starnovai.com and we'll respond within 30 days.
7. Children
Our services are intended for business use by adults. We don't knowingly collect data from anyone under 16. If you believe a child has provided us data, please contact us and we'll delete it.
8. Changes to this policy
If we make material changes, we'll update the “Effective” date above and — for account holders — email a summary of what changed. Continued use of the service after a change means you accept the updated terms.
9. Contact us
Privacy questions, data requests, or anything that looks off:
Star AI Consulting acts as data controller for the information described above.
This page summarizes our practices in plain English. If you need a formal Data Processing Addendum (DPA) for a procurement review, email us — we're happy to provide one.