Privacy Policy

1. Who We Are — Data Controller

For the purposes of the GDPR and UK GDPR, the controller of your personal data is:

EU and UK Article 27 representatives. StarPass does not currently target the EU or UK market at a scale that requires a designated Article 27 representative. Before we begin offering services at scale to data subjects in the European Economic Area or the United Kingdom, we will appoint a local representative and update this Policy with their name and contact details. In the meantime, EU and UK residents may exercise their rights by contacting our Privacy Officer at privacy@starpass.site, and we will respond within the statutory timeframe.

2. Information We Collect

2.1 Information you provide

• Contact information: full name, email address, and phone number supplied in the request form.
• Request content: the message you write, the celebrity and experience you select, any preferred date, and any budget range you share.
• Correspondence: any emails, chat transcripts, or other messages exchanged with our concierge team.
• Payment and billing data (only if a booking is confirmed and you pay): limited information passed to our payment processor; full card data is handled by the processor and is not stored by us.

2.2 Information collected automatically

• Technical data: standard server-log data needed to operate the Services, such as device type, browser type, operating system, pages visited, and date/time of access. IP addresses may be transiently processed by hosting and security providers; where StarPass stores rate-limit data, we store a hashed IP-derived key rather than the raw IP address.
• Cookies and similar technologies: see our Cookie Policy.
• Security logs: records used for rate limiting, abuse prevention, and incident response.

2.3 Information from third parties

We may receive limited information from service providers (for example, email delivery status from Brevo, or authentication events from Supabase) and, where relevant, from representatives of the celebrities you request.

3. How We Use Information

• to receive, review, and respond to your request;
• to communicate with you, including sending confirmation and status emails;
• to operate, maintain, secure, and improve the Services;
• to detect, investigate, and prevent fraud, abuse, or unlawful activity;
• to enforce our Terms of Service and defend legal claims;
• to comply with legal, regulatory, tax, or audit obligations;
• with your consent, for other purposes disclosed at the point of collection — you can withdraw consent at any time without affecting the lawfulness of prior processing.

4. Legal Bases (EU / UK)

5. How We Share Information

We share personal information only as described below.

5.1 Processors and service providers

• Supabase— database, authentication, and storage (data may be processed in the United States and other regions).
• Brevo (Sendinblue)— transactional email delivery for confirmations and admin notifications.
• Vercel— hosting and edge infrastructure.
• Cloudflare Turnstile— bot and abuse protection for request forms.
• Payment processor— if and when you make a payment, limited payment data is passed to Stripe or another PCI-DSS-compliant processor disclosed to you at checkout.

Each processor is bound by a written agreement requiring it to process personal data only on our instructions and with appropriate safeguards.

5.2 Celebrity representatives

When it is necessary to fulfil your request, we share the minimum information needed (typically your name, the nature of the request, and preferred date) with the relevant representative or agency. We ask each recipient to treat the information confidentially.

5.3 Legal and safety

We may disclose information to respond to a lawful request by public authorities, to comply with a subpoena or court order, to enforce our rights, to protect our users or the public from harm, or to investigate suspected fraud.

5.4 Business transfers

If StarPass is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, personal information may be transferred to the successor entity, subject to commitments consistent with this Policy.

5.5 With your consent

We may share information for any other purpose with your explicit consent.

We do not “sell” personal information as that term is defined under U.S. state privacy laws, and we do not share personal information for cross-context behavioural advertising.

6. International Transfers

StarPass is based in the United States. If you are located outside the United States, your information will be transferred to, processed in, and stored in the United States and other countries where our processors operate. These countries may have data-protection laws different from your own.

Where required, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Agreement or Addendum, and equivalent safeguards under other laws. A copy of the relevant safeguards is available on request to privacy@starpass.site.

7. How Long We Keep Your Data

When the retention period ends, we delete the data or anonymise it so that it can no longer be linked to you.

8. Your Rights (EU / UK / Switzerland)

If the GDPR or UK GDPR applies, you have the following rights, subject to limited exceptions:

• Access — a copy of the personal data we hold about you;
• Rectification — correction of inaccurate or incomplete data;
• Erasure — deletion of your data in certain circumstances;
• Restriction — restricting our processing in certain circumstances;
• Portability — a machine-readable copy of data you provided to us;
• Objection— to processing based on legitimate interests or for direct marketing;
• Withdrawal of consent — where processing is based on consent;
• Right not to be subject to solely automated decisionsthat produce legal or similarly significant effects — we do not currently engage in such processing;
• Right to lodge a complaintwith your local supervisory authority. In the UK this is the Information Commissioner’s Office (ico.org.uk). In Ireland this is the Data Protection Commission (dataprotection.ie).

To exercise any right, email privacy@starpass.site. We will respond within one month (extendable by two additional months for complex requests).

9. Your Rights (California & Other U.S. States)

If you are a California resident, the CCPA as amended by the CPRA gives you the following rights:

• the right to know what personal information we collect, use, disclose, and share;
• the right to access a copy of the specific pieces of personal information we have collected;
• the right to correct inaccurate personal information;
• the right to delete personal information, subject to exceptions;
• the right to opt out of the “sale” or “sharing” of personal information — we do not sell or share personal information, so there is nothing to opt out of;
• the right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond those permitted under CPRA § 1798.121;
• the right not to be discriminated against for exercising any of these rights.

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other states with comprehensive privacy laws enjoy analogous rights. To exercise any of them, email privacy@starpass.sitewith “Privacy Request” in the subject line. We will verify your identity using information already in our records before responding.

You may designate an authorised agent to make a request on your behalf. We will require the agent to prove written permission and may ask you to verify the request directly.

Shine the Light (California Civil Code § 1798.83): California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not make such disclosures.

10. Canadian Residents (PIPEDA / Quebec Law 25)

Canadian residents may request access to their personal information, challenge its accuracy, and withdraw consent, subject to reasonable notice. The office responsible for privacy at StarPass is the Privacy Officer at privacy@starpass.site. Quebec residents have additional rights under Law 25, including the right to de-indexation and to be informed of automated decision-making.

11. Security

We use appropriate technical and organisational measures to protect personal information, including encryption in transit (TLS), encryption at rest where supported by our processors, access controls, least-privilege service-role keys, Row Level Security on our database, audit logging, and periodic review of third-party sub-processors.

No method of transmission or storage is 100% secure. If we become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority as required by law.

12. Children

The Services are not directed to children under the age of 16, and we do not knowingly collect personal information from anyone under 16. Children under 13 are prohibited from using the Services under the U.S. Children’s Online Privacy Protection Act (COPPA). If you believe a child has provided us with personal information, please contact privacy@starpass.site and we will delete it.

13. Do Not Track and Global Privacy Control

Because there is no common definition of “Do Not Track,” we do not respond to browser DNT signals generally. We honour the Global Privacy Control (GPC) signal as an opt-out of sale or sharing for users whose laws require it.

14. Links to Third-Party Sites

The Services may contain links to third-party websites. We are not responsible for their privacy practices. Read their policies before providing information.

15. Changes to This Policy

We may update this Policy from time to time. Material changes will be indicated by updating the “Last updated” date at the top of this page and, where required by law, by providing more prominent notice. We encourage you to review this Policy periodically.

16. Contact Us

If you have questions about this Policy or our data practices, contact our Privacy Officer: