Privacy Policy

Effective date: 17 April 2026 · Last updated: 27 April 2026

This Privacy Policy explains how Starply (“we”, “us”, “Starply”) collects, uses, and protects personal data when you use the Starply service available at starply.eu.

Starply is operated by Mathys Seynaeve, acting as an individual based in Luxembourg. Contact: contact@starply.eu.

If you have any questions about this policy or want to exercise your rights under the GDPR, email us at contact@starply.eu and we will respond within 30 days.

1. Who we are (Data Controller)

The data controller for personal data processed through Starply is:

Mathys Seynaeve
Luxembourg
Email: contact@starply.eu

As a small business operator, Starply has no Data Protection Officer but treats contact@starply.eu as the single point of contact for all privacy matters.

2. What data we collect

2.1 Account data (provided by you)

When you are invited to Starply and create an account, we collect:

  • Your email address
  • Your name (if provided)
  • A hashed password (we never see your plain-text password; hashing is handled by Supabase Auth)
  • Optional profile settings such as your preferred brand voice and language

2.2 Google Business Profile data (collected via Google API, with your consent)

When you connect your Google Business Profile to Starply, we access:

  • Your business locations and basic profile information
  • Public reviews on your listings (reviewer name, star rating, review text, review date)
  • Existing owner replies

We do not access Gmail, Calendar, Drive, Contacts, or any other Google service. Our use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.3 Generated content

When Starply generates a suggested reply to a review, we store the review it refers to, the draft reply, your edits and whether the reply was approved, modified, or discarded.

2.4 Contact form submissions

When you submit the contact form at starply.eu/contact, we collect the information you provide: first and last name, work email, phone number (if provided), business name, job title, country, the nature of your request, your comment, and a timestamp. We also log the IP address and user-agent string of the request for abuse prevention.

We use this data only to reply to your enquiry. The legal basis is your consent (Art. 6(1)(a) GDPR), given by ticking the consent box on the form. You can withdraw it at any time by emailing contact@starply.eu. Submissions are kept in our inbox for up to 24 months and then deleted, unless they become part of an active customer record.

2.5 Technical data

When you use Starply we automatically collect:

  • Log data: IP address, browser, device, timestamps of requests
  • Authentication events: sign-in attempts, sign-out, password resets
  • Error and diagnostic data to debug issues

We do not use third-party advertising or tracking cookies. The only cookies Starply sets are strictly necessary for authentication (Supabase session cookies).

3. Why we process your data (purposes & legal bases)

Under the GDPR, we process personal data for the following purposes on the following legal bases:

Purpose | Legal basis (GDPR Art. 6)
Provide you with the Starply service (account, reply generation, Google integration) | Performance of a contract (Art. 6(1)(b))
Bill you and manage invoicing | Performance of a contract + legal obligation (Art. 6(1)(b), 6(1)(c))
Secure the service, prevent abuse, debug errors | Legitimate interest (Art. 6(1)(f))
Send you service-related emails (pending-reply digest, low-rating alerts) | Performance of a contract (Art. 6(1)(b))
Respond to your support requests | Performance of a contract / legitimate interest
Comply with legal obligations (accounting records) | Legal obligation (Art. 6(1)(c))

We do not use your data for advertising, profiling, or training AI models. We do not sell data.

4. Who we share your data with (sub-processors)

We rely on a small number of carefully selected sub-processors to run Starply. We have contractual data protection terms in place with each of them.

Sub-processor | Purpose | Location | Transfer safeguards
Supabase (Supabase Inc.) | Database, authentication, file storage | EU (Frankfurt, eu-central-1) | Data kept in EU
Vercel (Vercel Inc.) | Application hosting and CDN | EU & US regions | EU Standard Contractual Clauses (SCCs)
Anthropic PBC | AI model used to generate suggested review replies (Claude) | United States | EU Standard Contractual Clauses (SCCs). Anthropic is contractually prohibited from training on your content.
Resend | Transactional email delivery | EU & US | EU Standard Contractual Clauses (SCCs)
Google LLC | Google Business Profile API (you connect this yourself) | Global | Separate relationship you authorize via Google OAuth

We will update this list if it changes materially.

5. International data transfers

Some sub-processors (Anthropic, Vercel, Resend) may process data in the United States. In each case we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) as the legal mechanism for transfer. Copies of the contractual terms are available on request.

6. How long we keep your data

  • Account data: for the duration of your subscription, plus 3 years after account closure.
  • Google Business Profile data: deleted within 30 days of disconnecting Google or closing your account.
  • Generated drafts and reply history: retained while your account is active, deleted within 30 days after closure.
  • Logs: 90 days.
  • Invoices and accounting records: 10 years, as required by Luxembourg law.

7. Your rights under the GDPR

You have the following rights. To exercise any of them, email contact@starply.eu from the email address associated with your account. We will respond within 30 days.

  • Access. Get a copy of the personal data we hold about you (Art. 15).
  • Rectification. Correct inaccurate or incomplete data (Art. 16).
  • Erasure. Ask us to delete your data (Art. 17).
  • Restriction. Limit how we process your data (Art. 18).
  • Portability. Receive your data in a structured, machine-readable format (Art. 20).
  • Objection. Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent. Where processing is based on consent, withdraw it at any time. Disconnecting Google revokes our access to your Google data immediately.
  • Complain. Lodge a complaint with the Luxembourg data protection authority (CNPD) at cnpd.public.lu.

8. Security

  • TLS encryption for all traffic
  • Encryption at rest for the database (Supabase)
  • Row-Level Security (RLS): every database query is scoped so one customer cannot see another customer's data
  • Secrets held in Vercel environment variables, never in source control
  • Invite-only access, no public sign-up

No system is perfectly secure. If we ever become aware of a data breach affecting your personal data, we will notify you and the CNPD without undue delay and within 72 hours where feasible, as required by GDPR Articles 33 and 34.

9. Children

Starply is a B2B service for business owners. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a child, please contact us and we will delete it.

10. Changes to this policy

We may update this policy to reflect changes in the service, legal requirements, or sub-processors. If changes are material, we will notify you by email at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

11. Contact

Questions, requests, or complaints:
contact@starply.eu

Mathys Seynaeve, Starply
Luxembourg