StarFinder

Privacy Policy

Last updated: 30/03/2026

1. Introduction

This Privacy Policy explains how Starfinder ("we", "us", or "our") collects, uses, and protects personal data when you use our website and services (the "Service").

2. Data We Collect

When you use the Service, we may collect the following categories of personal data:

  • Account information you provide directly, such as your name, email address, and any content you submit through the platform.
  • Usage data generated through your interaction with the Service, including pages visited, features used, and actions performed.
  • Technical data collected automatically, such as IP address, browser type, operating system, and device information.

3. How We Use Data

We process personal data strictly for the following purposes:

  • To provide, operate, and deliver the core functionality of the Service.
  • To monitor, maintain, and improve the performance and reliability of the platform.
  • To communicate with you regarding your account, service updates, or support requests.
  • To protect the security and integrity of the Service and prevent unauthorized access or misuse.

4. Legal Basis (GDPR)

We process personal data based on:

  • Performance of a contract (providing the Service)
  • Legitimate interests (improving and securing the Service)
  • Consent, where required (e.g. for certain cookies or communications)

5. Data Sharing

We do not sell, rent, or trade your personal data to third parties.

We may share personal data only in the following limited circumstances:

  • With trusted service providers who assist us in operating the platform (e.g. cloud hosting, database infrastructure, email delivery), under contractual obligations to protect your data.
  • With public authorities or regulatory bodies, where disclosure is required by applicable law or in response to a valid legal request.

6. Data Retention

We retain personal data only for as long as it is necessary to fulfill the purposes described in this Policy, or as required by applicable law or regulation.

When personal data is no longer needed, or when you exercise your right to deletion, we delete or anonymize it in accordance with our internal procedures and applicable legal obligations.

7. Your Rights

Under applicable law (including GDPR), you have the right to:

  • Access your personal data
  • Request correction or deletion
  • Object to processing
  • Request data portability
  • Withdraw consent at any time (where applicable)

To exercise your rights, contact us at the email below.

8. Security

We implement multiple layers of security to protect your personal data throughout the platform:

Authentication & Access Control

  • Sign-in is available via Google OAuth 2.0 or email/password credentials, with JWT-based session management.
  • Passwords are never stored in plaintext — they are hashed using bcrypt before being saved.
  • Protected areas of the application require a valid session; unauthenticated requests are automatically redirected.

Secure Communication Between Services

  • All browser requests to our backend are routed through a same-origin proxy, preventing direct exposure of backend endpoints and avoiding cross-origin data leaks.
  • The proxy mints short-lived, signed identity tokens for each authenticated request, ensuring that backend access is continuously re-validated.
  • Cross-Origin Resource Sharing (CORS) is restricted to an explicit allowlist of production domains.

Backend & Data Protection

  • Every API endpoint that handles user data validates the caller's identity via cryptographically signed tokens before processing the request.
  • All database queries use parameterized statements through an ORM layer, preventing SQL injection.
  • Rate limiting is enforced on sensitive operations such as password reset and email verification to prevent abuse.
  • Password reset and email verification flows use single-use, time-limited tokens and are designed to prevent email enumeration.

Integration Security

  • Third-party integration tokens (e.g. Gmail) are managed with cryptographic signing and automatic expiry. Users can revoke access at any time.
  • API extension tokens follow an industry-standard pattern: only a cryptographic hash is stored — the raw token is never retained on our servers.

No system can guarantee absolute security. If you believe your account has been compromised, please contact us immediately at the address below.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page.

10. Third-Party Integrations and Google Services

You can learn more about how Google collects and processes data in Google's Privacy Policy. Additional information on Google services is available in Google's Terms of Service.

10.1 Gmail Integration

If you choose to connect your Gmail account to StarFinder, you will be asked to grant access to certain information from your Google account in order to enable email-related features within the Service.

By using the Gmail integration, you grant StarFinder access to limited data associated with your Gmail account, strictly for the purpose of supporting your communication workflows with business leads.

Specifically:

  • StarFinder accesses email threads only when the user views a specific lead's profile, and queries are limited to communications between the user and that lead's email address.
  • StarFinder retrieves thread-level metadata such as subject, sender, recipient, timestamps, message count, and Gmail-generated snippets. This information is stored as activity logs within the CRM to provide a timeline of interactions.
  • Full email message bodies are not stored or persisted on StarFinder's servers. They are fetched from Gmail only when explicitly requested by the user (e.g., when opening a message) and are displayed transiently in the user's browser.
  • StarFinder may analyze basic thread information (such as message count or direction) to support features like reply detection and follow-up management. This is done without processing or storing email content.

In addition, StarFinder allows users to compose and send emails directly from within the platform:

  • Emails are written by the user and sent via the Gmail API on their behalf.
  • Sent emails appear in the user's Gmail account as standard outgoing messages.
  • StarFinder stores only minimal send-related metadata (such as recipient, subject, and message identifiers) for CRM tracking purposes. Email body content is not retained after sending.

StarFinder does not access the user's full mailbox and does not access Gmail labels, drafts, or account settings.

10.2 Google API Data Usage Compliance

StarFinder's use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

  • Google user data is used exclusively to provide user-requested functionality within the Service.
  • Google user data is not used for advertising purposes.
  • Google user data is not sold, rented, or transferred to third parties.
  • Google user data is not used to train machine learning models.
  • Access to data is limited to the minimum necessary to provide the described features.

10.3 Revoking Access

Users can revoke StarFinder's access to their Google account at any time through their Google account settings or directly within the Service via the Integrations menu. When an integration is disconnected, all associated data (synced activities, sent email metadata, and tracking data) is permanently deleted from StarFinder's servers.