1. Introduction

Welcome to StarsTalk ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services.

2. Information We Collect

2.1 Information You Provide

• Account Information: When you create an account, we collect:
  • Email address (for email/password authentication) or Google account information (for OAuth)
  • User ID (circle user ID) and display name
  • Profile image (optional)
  • Device token (for push notifications)
• Content You Create:
  • Messages (end-to-end encrypted)
  • Event details (end-to-end encrypted descriptions)
  • Photos and media (encrypted when uploaded)
  • Circle names and invitations
• Contacts: Information about users you add to your circles or contact list

2.2 Information Collected Automatically

• Device Information: Device type, operating system, unique device identifiers
• Usage Information: App features used, timestamps, interaction patterns
• Log Data: IP addresses, request timestamps, error logs

2.3 Information We Do NOT Collect

• We cannot read your encrypted messages
• We cannot access encrypted event descriptions
• We cannot view your encrypted photos
• We do not sell your data to third parties
• We do not use your data for advertising

3. How We Use Your Information

We use the information we collect to:

• Provide and Maintain Services: Deliver messages, manage circles, coordinate events
• Authentication: Verify your identity using Google OAuth or email/password
• Send Notifications: Push notifications for messages, events, and invitations
• Improve Services: Analyze usage patterns to enhance app functionality
• Security: Detect and prevent fraud, abuse, and security incidents
• Legal Compliance: Comply with applicable laws and legal processes

4. End-to-End Encryption

StarsTalk uses the Signal Protocol for end-to-end encryption:

• Messages are encrypted on your device before being sent
• Only the intended recipient can decrypt and read messages
• Event descriptions and photos are encrypted per recipient
• We store encrypted content but cannot decrypt it
• Encryption keys are managed locally on your device

5. Data Storage and Security

5.1 Where We Store Data

• Database: PostgreSQL database for user accounts, circle memberships, metadata
• Object Storage: MinIO (self-hosted) or AWS S3 for encrypted media files
• Secrets Management: HashiCorp Vault for secure credential storage

5.2 Security Measures

• End-to-end encryption using Signal Protocol
• TLS/SSL encryption for data in transit
• Hashed passwords using bcrypt (for email/password accounts)
• Secure token-based authentication (JWT)
• Regular security audits and updates
• Access controls and permission management

6. Data Sharing and Disclosure

6.1 We Share Data With:

• Other Users: When you send messages, create events, or invite users to circles
• Service Providers:
  • Apple Push Notification Service (APNs) for push notifications
  • Google OAuth for authentication (if you choose Google login)
  • Brevo (email service) for verification codes and password resets
  • Stripe for payment processing (subscriptions)

6.2 We Do NOT Share:

• Encrypted message content (we cannot decrypt it)
• Your data for advertising or marketing purposes
• Your information with data brokers

6.3 Legal Disclosures

We may disclose information if required by law, subpoena, or legal process. However, due to end-to-end encryption, we cannot provide access to encrypted message content.

7. Your Rights and Choices

7.1 Access and Control

• Access: View your profile and account information in the app
• Update: Modify your profile, display name, and settings
• Delete: Remove contacts, leave circles, delete messages locally
• Account Deletion: Request full account deletion by contacting support

7.2 Communication Preferences

• Control push notifications in your device settings
• Opt-out of promotional emails (if any) by following unsubscribe links

8. Data Retention

• Active Accounts: Data retained as long as your account is active
• Account Deletion: Data deleted within 30 days of deletion request
• Encrypted Content: Encrypted messages and media stored until manually deleted or account removed
• Log Data: Stored for security and debugging purposes, typically 90 days

9. Children's Privacy

StarsTalk is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If we discover we have collected information from a child under 13, we will delete it immediately.

10. International Data Transfers

If you are accessing StarsTalk from outside the United States, your information may be transferred to, stored, and processed in the United States where our servers are located. By using our services, you consent to this transfer.

11. Third-Party Services

11.1 Google OAuth

If you sign in using Google, your authentication is handled by Google OAuth 2.0. We receive only basic profile information (email, name) as permitted by Google's policies. Google's Privacy Policy applies: https://policies.google.com/privacy

11.2 Stripe (Payment Processing)

Subscription payments are processed by Stripe. We do not store your credit card information. Stripe's Privacy Policy applies: https://stripe.com/privacy

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending an in-app notification or email (for material changes)

Your continued use of StarsTalk after changes indicates acceptance of the updated policy.

13. Regional Privacy Rights

13.1 California Residents (CCPA)

California residents have the right to:

• Know what personal information is collected
• Know whether personal information is sold or disclosed
• Opt-out of the sale of personal information (we do not sell data)
• Request deletion of personal information
• Non-discrimination for exercising privacy rights

13.2 European Union (GDPR)

EU residents have the right to:

• Access, rectify, or erase personal data
• Restrict or object to processing
• Data portability
• Withdraw consent
• Lodge a complaint with a supervisory authority

← Back to Home