Privacy Policy
Last updated: April 10, 2026
1. Introduction
Starply ("Starply," "we," "our," or "us") provides AI-powered Google Business Profile review management tools for local businesses. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data.
By using Starply, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with any part of this policy, please do not use our Service.
2. Information We Collect
2.1 Account Information
- Email address (for authentication and communication)
- Full name (if provided)
- Business name, type, and address (if provided)
- Password hash (we never store plaintext passwords)
- Billing information (processed directly by Stripe; we never see or store full card numbers)
2.2 Google User Data
When you connect your Google Business Profile account to Starply, we request the following scope:
https://www.googleapis.com/auth/business.manage
Using this scope, we access and store the following Google user data, and nothing else:
- Google account email of the connected user (to identify which account authorized the integration)
- Business Profile location data: business name, address, phone number, categories, and Google Place ID
- Customer reviews: star rating, review text, reviewer display name, and review timestamp
- Existing review replies: any reply text and reply timestamp already posted to a review
- OAuth access and refresh tokens: stored encrypted at rest so we can maintain the connection on your behalf
We do not access your Gmail, Google Drive, Google Calendar, Google Contacts, Google Photos, YouTube, Google Analytics, or any other Google product or data outside of the Google Business Profile scope listed above.
2.3 Usage Data
- Log data (IP address, browser type, pages visited, timestamps)
- Feature usage patterns (which buttons you click, how often you use each feature)
- AI-generated draft history (drafts you approved, edited, or rejected, used to improve your personalized results)
- Error and performance data
2.4 Cookies
We use essential cookies for authentication and session management, and functional cookies to remember your preferences (theme, active tab). We do not use advertising cookies or third-party tracking cookies. Analytics cookies, if any, are used only with your explicit consent.
3. How We Use Your Information
We use the information we collect for the following purposes and no others:
- To provide, maintain, and operate the Starply Service
- To read reviews from your connected Google Business Profile and display them to you in your dashboard
- To generate AI-powered reply drafts that you can review, edit, and approve
- To post approved replies back to Google Business Profile on your behalf
- To provide analytics, insights, and reports about your review activity
- To process payments and manage subscriptions through Stripe
- To send transactional emails (account confirmations, billing receipts, security alerts)
- To send optional product update emails (you can opt out)
- To detect, investigate, and prevent fraud, abuse, and security incidents
- To comply with legal obligations
4. Google API Services User Data Policy — Limited Use Disclosure
Starply's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we commit to the following regarding Google user data:
- Allowed use only: We use Google user data solely to provide and improve the user-facing features of Starply that are prominent in the user interface: reading reviews, generating reply drafts, posting approved replies, and displaying analytics.
- No advertising: We do not use Google user data to serve advertisements of any kind, and we do not sell, license, or share Google user data with advertising networks, data brokers, or information resellers.
- No training of generalized AI/ML models: We do not use Google user data to train, improve, or develop generalized or non-personalized artificial intelligence or machine learning models. Reply drafts are generated by third-party large language model APIs (see Section 5) which, per their published API terms, do not use the data we send them to train their models. (Providers may retain API data for a short period for abuse monitoring; see Section 5.2 for details.)
- Human access is restricted: No Starply employee, contractor, or third party reads your Google user data except (a) with your explicit consent (for example, when you request technical support), (b) when necessary for security investigations in response to suspected abuse or fraud, or (c) when legally required to do so.
- No transfer to third parties except as strictly necessary to provide the Service (see Section 5), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
5. How We Share Information
We do not sell your personal information. We share data only with the following categories of service providers, strictly as necessary to operate the Service:
5.1 Sub-processors
- Supabase — database hosting, authentication, and Row-Level Security. All data, including encrypted Google OAuth tokens, is stored here.
- Vercel — web application and API hosting, CDN, and edge compute.
- Stripe — payment processing and subscription management. We never see or store full card numbers.
- Resend — transactional email delivery (account confirmations, billing receipts, review notifications).
- Twilio — optional SMS delivery when you choose to send review request SMS campaigns through Starply.
- Google LLC — Google Business Profile API (the source of the Google user data you authorize us to access).
5.2 AI Providers (Large Language Models)
To generate reply drafts, we send review text and a small amount of business context (brand voice, responder name, business knowledge you've configured) to one of the following third-party large language model providers:
- OpenAI — per OpenAI's API data usage policy, data submitted via the API is not used to train OpenAI's models. OpenAI may retain API data for up to 30 days for abuse and misuse monitoring before deletion (zero-retention is available to enterprise customers on request).
- Google Gemini — per Google's Gemini API terms for paid services, data submitted via the API is not used to train Google's models or retained beyond what is needed to provide the response.
Reviewer display names may be passed to the AI provider to enable personalized replies (for example, “Thanks, Sarah!”) but are not stored by the AI provider after the response is generated. We never send billing data, account passwords, or any other sensitive data to AI providers.
5.3 Legal and Safety Disclosures
We may disclose your information if required to do so by law, legal process, subpoena, court order, or governmental request, or when we believe in good faith that disclosure is necessary to (a) comply with a legal obligation, (b) protect the rights, property, or safety of Starply, our users, or the public, (c) detect, prevent, or address fraud, security, or technical issues, or (d) enforce our Terms of Service. We will notify you of such requests when legally permitted to do so.
6. Data Security
We implement industry-standard security measures to protect your data, including:
- TLS/HTTPS encryption for all data in transit
- AES-256 encryption at rest for stored data
- Encrypted OAuth refresh tokens (never stored in plaintext)
- Row-Level Security (RLS) policies in the database to enforce tenant isolation — one organization can never access another organization's data
- Principle of least privilege for employee access (no employee has routine access to user data)
- Rate limiting and abuse detection on all API endpoints
- Regular security audits and dependency monitoring
- Secure software development practices and code review before deployment
No system is 100% secure. If we discover a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR and applicable state laws, and we will describe the nature of the breach, the data involved, and the steps we are taking in response.
7. Data Retention and Deletion
We retain your data for as long as your account is active and as necessary to provide the Service. Specific retention periods:
- Account information: retained while your account is active. Deleted within 30 days of account deletion.
- Google user data (reviews, business profile data): retained while your Google Business Profile is connected. Deleted within 30 days of disconnection or account deletion.
- OAuth tokens: revoked and deleted immediately when you disconnect your Google Business Profile or delete your account.
- Billing records: retained for 7 years as required by tax and financial regulations, even after account deletion.
- Anonymized analytics: aggregated usage metrics (with no personal identifiers) may be retained indefinitely for product improvement.
7.1 How to Revoke Access or Delete Your Data
You can revoke Starply's access to your Google Business Profile at any time via any of the following methods:
- From within Starply: go to Settings → Integrations → Disconnect Google Business Profile
- From your Google account: visit https://myaccount.google.com/permissions, find “Starply,” and click Remove access.
- By emailing privacy@starply.ai — we will process your request within 30 days.
When you disconnect, we immediately revoke the OAuth tokens on Google's side and delete them from our database. Cached review data is deleted within 30 days of disconnection, or immediately upon explicit request.
8. Your Rights
8.1 General Rights
Regardless of where you live, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated data
- Export your data in a portable format
- Opt out of non-essential marketing communications
8.2 GDPR Rights (European Economic Area, UK, Switzerland)
If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including:
- The right of access to your personal data
- The right to rectification of inaccurate data
- The right to erasure (“right to be forgotten”)
- The right to restriction of processing
- The right to data portability
- The right to object to processing
- The right to withdraw consent at any time, where consent is the legal basis for processing
- The right to lodge a complaint with a supervisory authority in your country of residence
Our legal bases for processing are (a) performance of a contract (providing the Service you signed up for), (b) legitimate interests (operating and improving the Service, detecting abuse), and (c) consent (for optional marketing emails and cookies).
8.3 CCPA/CPRA Rights (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- The right to know what personal information we collect and how it is used
- The right to delete your personal information
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information — we do not sell or share personal information, so this right is not applicable to our practices
- The right to limit the use of sensitive personal information
- The right to non-discrimination for exercising your privacy rights
8.4 How to Exercise Your Rights
To exercise any of these rights, email us at privacy@starply.ai. We will respond within 30 days. We may need to verify your identity before processing certain requests.
9. Children's Privacy
Starply is intended for use by business owners and is not designed for or marketed to individuals under 13 years of age (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@starply.ai and we will delete it immediately.
10. International Data Transfers
Starply is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to such transfers. Where required by law (for example, for EU users), we rely on appropriate safeguards such as Standard Contractual Clauses for international data transfers.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by (a) updating the “Last updated” date at the top of this page, (b) sending an email to the address associated with your account, and (c) posting a notice in the Starply dashboard. Continued use of the Service after notification constitutes acceptance of the updated policy. If you do not agree to the changes, you may delete your account at any time.
12. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict of law provisions. Any disputes arising from this Privacy Policy will be resolved in the state or federal courts located in Delaware.
13. Contact Us
For privacy-related inquiries, data subject requests, or any questions about this Privacy Policy, contact us at:
Email: privacy@starply.ai
Data Protection Officer: privacy@starply.ai
We aim to respond to all inquiries within 48 hours, and to formal data subject requests within 30 days.