← Back to Home

Privacy Policy

Effective Date: February 18, 2026 Last Updated: March 13, 2026

TL;DR

  • We store your STAR entries and career documentation so you can access them anytime. We never sell your data, and we never use your content to train AI models.
  • AI features send your content to Anthropic for processing only — not for training.
  • You can export all your data or delete your account at any time, no questions asked.
  • This policy explains the full details. If anything is unclear, email us: privacy@starlog.io.

1. Introduction

STARlog is a career documentation platform for mid-career professionals. You use it to capture accomplishments, build STAR entries, and generate reports that represent years of professional work. That content is personal and professionally sensitive — it is yours, and we treat it accordingly.

This Privacy Policy explains what information we collect when you use STARlog at https://starlog.io (the "Service"), why we collect it, how long we keep it, and what rights you have over it.

STARlog is operated by STARlog LLC, a limited liability company registered in Idaho.

Questions? Contact us at privacy@starlog.io.

2. Information We Collect

2.1 Information You Provide to Us

Account Information: When you create an account, we collect:

  • Email address (required to create an account and deliver service notifications)
  • Name (optional — used only for personalizing your experience)
  • Password (stored as a one-way hash; we cannot read it)

Consequence of not providing required data: An email address is required to create an account. Without it, we cannot provide the Service. Your name is optional and its absence has no effect on functionality.

Content You Create: When you use STARlog, we store:

  • STAR entries (Situation, Task, Action, Result documentation)
  • Tags and categories you create
  • Generated reports and exports
  • Any other content you choose to save in the platform

Your STAR entries are private to you. STARlog employees do not read your career content. Access to your entries is restricted by access controls, and we do not review individual users' STAR entries except when required to investigate a specific security incident or legal obligation, and only then with authorization from company leadership.

Payment Information: If you subscribe to Premium:

  • Payment information is processed by Lemon Squeezy (our Merchant of Record)
  • We do not store your credit card information
  • We receive confirmation of payment and subscription status

2.2 Information Automatically Collected

Usage Data and Analytics: We use Cloudflare Real User Measurements (RUM) to collect website performance analytics. This is cookieless — no cookies or local storage are used. Data collected includes: page load times, browser type and version, device type, pages visited, geographic region (country-level only), and IP address (automatically anonymized by Cloudflare before storage).

Analytics is disabled for all EU/EEA visitors. If you are located in the European Union or European Economic Area, Cloudflare RUM does not collect your usage data. US visitors may opt out via Privacy Settings or by sending a Global Privacy Control (GPC) signal. You can review Cloudflare's data handling practices at cloudflare.com/privacypolicy.

We also collect standard server-side logs (IP address, request path, timestamp, HTTP status) for security monitoring and error diagnosis. These logs are retained for 30 days.

Cookies: We use only essential cookies provided by Supabase for authentication and session management. These cannot be disabled as they are required for the Service to function. We do not use advertising, tracking, or third-party analytics cookies.

3. How We Use Your Information

For each purpose, we identify the legal basis we rely on (relevant to EU/EEA users under GDPR — see also Section 12).

Purpose What we use Legal basis
Provide the Service — account creation, storing STAR entries, generating exports and reports Account info, content you create Contract performance
Process Payments — handle Premium subscriptions and billing Email, subscription status from Lemon Squeezy Contract performance
AI Features — STAR extraction and report generation (Premium only) Content you choose to submit for AI processing Consent (withdrawable at any time — see Section 4)
Improve the Service — analyze usage patterns, fix bugs, develop new features Aggregated/anonymized usage data Legitimate interests — we have a legitimate interest in maintaining and improving the platform; this does not involve reading individual STAR entries
Security monitoring — detect and investigate fraud, abuse, or unauthorized access Server logs, usage data Legitimate interests — protecting the platform and its users; the privacy impact is limited because logs are retained briefly and reviewed only on specific suspicion
Communicate — account notifications, service updates, security alerts Email address Contract performance (transactional) / legitimate interests (security alerts)
Legal compliance — respond to lawful requests, enforce our Terms of Service As required by applicable law Legal obligation / legitimate interests

4. AI and Data Processing

AI Processing: Premium subscribers can use AI features (STAR extraction and report generation). When you use these features, your content is sent to Anthropic (Claude API) for processing.

Your content is never used to train AI models.

AI processing is performed solely to complete the function you requested. Based on our API configuration, Anthropic does not use API inputs and outputs to train its models. You can review Anthropic's current privacy practices at anthropic.com/legal/privacy.

Data Minimization: We send only the minimum content necessary to perform the requested function — no account metadata, no usage history.

Withdrawing Consent for AI Processing: AI processing is consent-based. You can withdraw consent at any time by disabling AI features in your account settings or by contacting privacy@starlog.io. Withdrawal does not affect the lawfulness of processing before withdrawal, but will prevent further AI processing of your content going forward.

Automated Decision-Making: STARlog does not make automated decisions about you that produce legal or similarly significant effects. AI features generate drafts and suggestions for your review — all outputs require your active use and are not applied to your account automatically.

5. How We Share Your Information

We do not sell your personal information.

Service Providers (Subprocessors): We share data with the following third parties who perform services on our behalf. Each is contractually bound to process data only as instructed.

  • Supabase — database hosting and authentication (USA; SCCs in place)
  • Cloudflare — hosting, CDN, and performance analytics (USA; SCCs in place; analytics disabled for EU/EEA)
  • Lemon Squeezy — payment processing, acts as Merchant of Record (USA; SCCs in place)
  • Anthropic — AI processing for Premium features (USA; SCCs in place)
  • Postmark — transactional email delivery (USA; SCCs in place)

We will notify users of material changes to our subprocessors by updating this Privacy Policy. EU/EEA users may request a current subprocessor list by contacting privacy@starlog.io.

Legal Requirements: We may disclose information when required by law or to comply with a legal process, protect our rights and property, prevent fraud or security issues, or protect the safety of our users.

Business Transfers: If STARlog LLC is involved in a merger, acquisition, or sale of assets, your information may be part of the transferred assets. We will notify affected users by email and/or a prominent notice on the Service at least 30 days before your data becomes subject to a different privacy policy, and you will have the option to delete your account before the transfer takes effect.

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Regular security audits
  • Access controls and authentication
  • Secure password hashing

No method of transmission over the Internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

7. Data Retention

We retain data only as long as necessary for the purposes described in this policy.

Account Data and STAR Entries: Retained while your account is active. If your account has been inactive (no logins, no API activity) for 24 consecutive months, we will email you at the address on file to notify you and provide an opportunity to log in or request deletion. If we do not hear from you within 30 days of that notice, we may delete the account and all associated data.

Payment Records: Transaction records are retained for 7 years from the date of the transaction, as required for tax and accounting compliance. These records are held by Lemon Squeezy (our Merchant of Record) and contain only transaction details — not your STAR entries or profile data.

Server Logs: Retained for 30 days, then permanently deleted.

Email Records: Transactional email logs (delivery confirmations, bounce records) are retained for 90 days.

Deletion: You can delete your account at any time from your Account Settings page. Upon deletion:

  1. Your account is immediately marked for deletion and you are signed out
  2. You receive a confirmation email with the deletion date (30 days from request)
  3. Your data remains accessible by contacting support during the 30-day period if you change your mind
  4. After 30 days, all your data is permanently deleted, including STAR entries, profile information, account settings, email preferences, and authentication credentials
  5. You receive a final confirmation email after deletion is complete

Backup Retention: Deleted data may remain in encrypted backups for up to 90 days before permanent deletion from all systems.

8. Your Rights

How you exercise your rights depends on where you are located. EU/EEA and UK users have statutory rights under GDPR (detailed in Section 12). California residents have rights under CCPA (Section 11). Users in other jurisdictions may also have applicable rights under local law.

Regardless of location, all STARlog users can:

  • Access your data: Download all your personal data from Account Settings at any time. The export includes your STAR entries, profile information, subscription details, and account metadata in machine-readable JSON format.
  • Correct your data: Update your account information directly in Account Settings.
  • Delete your account: Initiate account deletion from Account Settings (see Section 7 for the deletion process).
  • Opt out of marketing: Unsubscribe from any marketing emails via the unsubscribe link. Transactional account notifications (security alerts, billing receipts) cannot be disabled as they are part of the Service.
  • Withdraw AI consent: Disable AI features in Account Settings at any time (see Section 4).

To exercise any right or raise a privacy concern, contact us at privacy@starlog.io.

9. Children's Privacy

STARlog is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us at privacy@starlog.io.

10. International Data Transfers

STARlog is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States and other countries where our subprocessors operate (see Section 5).

For EU/EEA users: Transfers to the United States and other third countries are made under Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to GDPR Article 46(2)(c). This applies to all our key subprocessors: Supabase, Cloudflare, Anthropic, Lemon Squeezy, and Postmark. To request a copy of the applicable transfer mechanisms, contact privacy@starlog.io.

11. California Privacy Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information
  • Right to opt-out of the sale of personal information — we do not sell your information
  • Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@starlog.io.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR.

Data Controller: STARlog LLC, 784 S. Clearwater Loop #4573, Post Falls, ID 83854, USA. Contact: privacy@starlog.io.

Data Protection Officer: STARlog LLC is not required to appoint a Data Protection Officer under GDPR Article 37, as we are not a public authority and our core activities do not consist of large-scale systematic monitoring or large-scale processing of special categories of data. Privacy inquiries are handled directly by our team at privacy@starlog.io.

Legal Basis: The legal basis for each processing purpose is identified in Section 3. In summary: we process your data on the basis of contract performance (providing the Service and handling payments), consent (AI features), and legitimate interests (improving the Service, security monitoring, and safety). Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests do not override your rights, given the limited and proportionate nature of the processing involved.

Your GDPR Rights:

  • Right of access (Art. 15): Request confirmation of whether we process your data and receive a copy. You can self-serve this via the data export in Account Settings.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data. You can update most data directly in Account Settings.
  • Right to erasure (Art. 17): Request deletion of your personal data. Initiate this from Account Settings (see Section 7). Exceptions apply where retention is required by law (e.g., payment records for tax compliance).
  • Right to restriction of processing (Art. 18): You may request that we restrict processing of your data — meaning we retain it but pause active use — in specific circumstances: if you contest the accuracy of your data while we verify it; if processing is unlawful but you prefer restriction to erasure; if we no longer need the data but you need it for legal claims; or if you have objected to processing and are awaiting outcome of that objection. To request restriction, contact privacy@starlog.io.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format. Use the data export in Account Settings for immediate self-service, or contact us to request a specific format.
  • Right to object (Art. 21): Object to processing based on legitimate interests. We will stop that processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (AI features), you may withdraw consent at any time without affecting prior processing (see Section 4).

Statutory and Contractual Requirements (Art. 13(2)(e)): Providing your email address is a contractual requirement for using STARlog — without it, we cannot create an account or deliver the Service. Your name is entirely optional. AI features are optional and require separate consent. All other data collection described in Section 2.2 is either automatic and technical (server logs), or limited to non-EU/EEA users (Cloudflare analytics).

Right to Lodge a Complaint: You have the right to lodge a complaint with the supervisory authority in your country of residence. For UK residents, this is the Information Commissioner's Office (ico.org.uk). For a full list of EU supervisory authorities, see edpb.europa.eu. We would, however, welcome the opportunity to address your concern directly before you contact a supervisory authority.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated Privacy Policy on this page
  • Updating the "Last Updated" date at the top
  • Sending an email notification for significant changes

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Copyright © 2026 STARlog LLC. All rights reserved.