Privacy Policy

Last updated: April 11, 2026

1. Introduction

Starlight Software LLC, a California limited liability company ("Starlight", "we", "us", or "our"), operates the Starlight platform at joinstarlight.com. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.

This policy covers two categories of people: (a) Starlight customers and users who sign into the Service ("you"), and (b) prospects and leads whose business contact information is processed through the Service on behalf of our customers. Starlight acts as a data controller for the personal data of its customers and users, and as a data processor acting on customer instructions for prospect data handled through outreach features.

2. Information We Collect

Account Information

  • Authentication data: name, email address, and profile photo from Google OAuth or email magic link sign-in
  • Billing information: payment details are processed and stored by Stripe — we do not store credit card numbers

Usage Data

  • Search queries and lead interactions
  • Messages composed and sent through the platform
  • Feature usage and credit consumption
  • Sequence enrollment and email delivery status

Technical Data

  • IP address, browser and device type, operating system, and referrer URL
  • Timestamps and platform access logs collected by our hosting provider (Vercel)
  • Aggregated, cookieless page analytics via Vercel Analytics

Integration Data

  • Email (Gmail/Outlook): we access only email threads initiated through Starlight. We do not read or scan your personal inbox
  • Calendar: meeting data from connected calendar services for scheduling features
  • CRM (HubSpot): contact data synced between Starlight and your CRM

Prospect and Lead Data

When you use Starlight to research or contact prospects, we process business contact information including name, business email address, job title, employer, LinkedIn URL, and company firmographics. This data is sourced from Apollo.io and other publicly available business directories, and is processed on your behalf for B2B outreach purposes.

Email Engagement Data

  • Delivery status, open events, click events, and reply events for outreach sent through the platform
  • AI-generated message drafts and revisions stored in your account

3. How We Use Your Information

For customers and users located in the European Economic Area (EEA) or United Kingdom, we identify the legal basis under the GDPR for each purpose below.

  • To provide and maintain the Service, including lead search, AI message generation, and email automation — contract (GDPR Art. 6(1)(b))
  • To process billing and manage your subscription — contract and legal obligation (Art. 6(1)(b) and (c))
  • To send transactional emails such as account verification, billing receipts, and security alerts — contract (Art. 6(1)(b))
  • To improve the Service based on aggregated usage patterns — legitimate interest (Art. 6(1)(f))
  • To enforce our Terms of Service and prevent abuse — legitimate interest (Art. 6(1)(f))
  • To process prospect business contact data for B2B outreach on behalf of customers — legitimate interest (Art. 6(1)(f)), subject to the prospect's right to object

4. AI and Data Processing

Starlight uses AI to generate personalized outreach messages, analyze leads, and provide sales coaching. We use multiple AI providers (listed in the sub-processors table below) to generate outputs and provide fallbacks. When using AI features:

  • Lead data and your AI configuration settings are sent to the relevant AI provider for processing
  • AI-generated content is stored in your account
  • We do not grant AI providers the right to train models on your data. Where our provider agreements offer zero-data-retention terms, we enable them
  • AI may use web search to gather publicly available information about prospects
  • AI-generated lead scores, match assessments, and coaching recommendations are advisory. They are not used to make decisions that produce legal or similarly significant effects about any individual without human review

5. Third-Party Services and Sub-Processors

We share data with the following sub-processors as necessary to operate the platform:

Service            | Purpose                                    | Data Shared
Apollo.io          | Lead search and enrichment                 | Search queries
xAI (Grok)         | AI message generation and analysis         | Lead data, AI settings
Google (Gemini)    | AI fallback for message generation         | Lead data, AI settings
Anthropic (Claude) | AI message generation                      | Lead data, research context
Perplexity         | Prospect pre-research                      | Prospect name and employer
Stripe             | Payment processing                         | Billing information
Gmail / Outlook    | Email sending and tracking                 | Outreach messages
Google Calendar    | Calendar integration                       | Meeting data
HubSpot            | CRM synchronization                        | Contact information
Supabase           | Authentication and database hosting        | Account and application data
Vercel             | Application hosting and platform analytics | Application logs, technical data

We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). This list of sub-processors is maintained on this page and updated when material changes occur.

6. Data Security

Encryption

  • OAuth tokens (Gmail, Outlook, Google Calendar, HubSpot) are encrypted with AES-256-GCM before storage
  • All data in transit is encrypted via TLS
  • Database connections use TLS encryption

Authentication

Starlight uses passwordless authentication exclusively (Google OAuth and magic links). No passwords are stored in our system.

Access Controls

  • Your data is isolated to your company account
  • Team members can only access data within their shared company
  • Internal access to production data follows the principle of least privilege
  • Application dependencies are kept current and monitored for known vulnerabilities
  • You can terminate all active sessions from Settings at any time

Hosting

Production infrastructure is hosted in the United States on Vercel and on Supabase (AWS us-east-2).

7. Data Retention

  • Account data is retained for as long as your account is active
  • Deleting your account permanently removes all associated data, including outreach message content and integration tokens
  • Prospect and lead data is retained for the duration of customer use and is removed on account deletion or upon a verified prospect deletion request
  • Blacklisted email addresses are retained indefinitely to honor opt-outs and prevent future outreach to opted-out contacts
  • Billing records are retained as required by applicable tax and accounting laws

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your personal data (account deletion)
  • Export your data in a portable format
  • Object to processing of your personal data
  • Revoke third-party integration access at any time
  • Lodge a complaint with your local data protection authority. EU residents can find contact details for supervisory authorities at edpb.europa.eu

To exercise these rights, contact us at spencer@joinstarlight.com. We respond to verified requests within 30 days, as required by GDPR and CCPA. We do not discriminate against you for exercising your privacy rights.

Rights of Prospects

If you are a prospect who received outreach from a Starlight customer, you may:

  • Click the unsubscribe link included in any outreach message
  • Email spencer@joinstarlight.com to request deletion of your contact information from our systems
  • Contact the customer who reached out to you directly

We will honor verified requests within 30 days and add the requesting email address to our permanent suppression list so it is not contacted again through the Service.

9. Cookies

Starlight uses only strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies, and we do not use cookies for behavioral profiling.

  • Supabase auth session cookies (sb-<project-ref>-auth-token) — keep you signed in; required for the Service to function
  • Session and CSRF cookies — prevent cross-site request forgery and maintain request context

Vercel Analytics is cookieless and does not set any identifier in your browser. Under the EU ePrivacy Directive, strictly necessary cookies do not require prior consent.

10. Children's Privacy

The Service is not directed to or intended for use by individuals under 18 years of age, and we do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

For privacy-related questions or requests, contact us at spencer@joinstarlight.com. We aim to respond to privacy-related requests within 30 days.

13. International Data Transfers

Starlight's production infrastructure is hosted in the United States. If you access the Service from the European Economic Area, United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum. Several of our sub-processors (including Vercel and Google) are also self-certified under the EU-U.S. Data Privacy Framework.

Enterprise customers may request a Data Processing Addendum (DPA) by contacting spencer@joinstarlight.com.

14. Google API Services and Microsoft Graph

Starlight's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We only access Gmail and Google Calendar data that is necessary to provide the features you have connected, and we do not use Google user data to train generalized AI or machine learning models.

Similarly, our use of data obtained from Microsoft Graph (Outlook and Microsoft 365 Calendar) is limited to providing the features you have connected. We do not transfer, sell, or use Microsoft Graph data for advertising, and we do not use it to train generalized AI models.

15. Security Incident Notification

In the event of a personal data breach, we will notify affected users and, where required by law, the relevant supervisory authorities without undue delay and in any event within 72 hours of becoming aware of the incident, in accordance with GDPR Art. 33 and applicable US state notification laws.