Privacy Policy

1. Controller

The controller responsible for processing your personal data is:

Business website: gabriel-battlogg.com

The business address is published in the Legal Notice.

2. Scope

This Privacy Policy applies to starpolar.app, legacy domains that redirect to it, our contact and sign up forms, our newsletter, private beta programs including TestFlight and Google Play testing, and the Starpolar app including pre release versions and the Starpolar assistant.

To use the Starpolar app, acceptance of this Privacy Policy and the applicable Terms is mandatory. You can withdraw this acceptance at any time by deleting your account.

3. Data We Process

Depending on how you use Starpolar, we may process the following categories of data.

Website and forms
Name and email address
Platform preference and optional device information
Message content you submit in forms or surveys

App and account data processed on our servers
Account identifiers and account contact details such as email address, name, and a user identifier
Device related identifiers used for account security and app functionality
Subscription and entitlement information used to validate access to paid features
Firebase Device ID, in app User ID, and login timestamps for account security and abuse prevention

Nutrition and macro guideline data
Date of birth, weight, height, sex
Processed to calculate macro and guideline values
Stored in Firebase Firestore so your settings can currently be synchronized across your devices. You can disable this sync in the app settings and delete nutrition data there.

App content and files
Personal planning content such as schedules, routines, lists, settings, nutrition entries, and related app files may be stored on your device and in Firebase Firestore to support synchronization and app functionality. Data stored locally on your device is stored in encrypted form. App files may be synchronized across your devices through Filesync. Filesync is available only with Starpolar Plus. Filesync data is encrypted in transit and stored encrypted in Firebase Firestore. You may optionally set up end-to-end encryption; in that case, Filesync cloud data can only be decrypted by your trusted devices. In the app settings, you can delete nutrition data, remove or block Filesync devices, and remove all app files stored through the app, including Filesync cloud data. Complete deletion of account associated data requires account deletion.

Finance and recipe features
When using finance features (e.g. portfolio, price tracking), security identifiers such as ticker symbols and ISIN codes may be transmitted to external market data providers in order to retrieve current price and reference data.
When using recipe search, search queries and dietary preferences or food intolerances stored in your app profile may be transmitted to external recipe and translation services. Food intolerances may constitute health data within the meaning of Art. 9 GDPR; we process such data on the basis of your active use of the feature and, where legally required, your consent.
When using barcode scanning and product search (e.g. food items), search queries and barcodes may be transmitted to external product databases.

Location and GPS data (cardio training)
When you use cardio training features with GPS tracking, your device location is accessed to record your route, distance, speed, and pace. The GPS data processed includes coordinates (latitude and longitude), speed, accuracy, and timestamps. This data is stored locally on your device in encrypted form as part of your training session logs. If you use Filesync, training session data including GPS route data may be synchronized to Firebase Firestore as part of your app files in encrypted form. GPS route data is not transmitted to the assistant backend or to external AI services.

Assistant, voice, and interaction data
Text inputs you send to the Starpolar assistant
Assistant generated replies, suggestions, preview, confirmation and discard states, and assistant actions that are executed for you
Reduced context data from your current assistant session, such as your last message, the last assistant reply, last action, date, and a compact structured item where needed to process your request
Assistant settings such as enablement status, context memory, confirmation mode, and your selection regarding optional use of anonymized assistant samples
Assistant feedback such as thumbs up or thumbs down ratings on individual assistant replies
Recent assistant history stored locally in encrypted form on your device to continue your session and show the current chat

Voice input and transcripts
If you use assistant voice input, your operating system or the speech recognition service available on your device processes microphone input to generate a transcript
We process the resulting transcript like a normal assistant text input
Persistent storage of raw microphone audio by Starpolar for normal assistant use is not intended, but platform or device providers may process speech or diagnostic data under their own terms and settings

Technical and diagnostic data
Basic technical data needed to deliver and secure the website
Crash and performance diagnostics where available and enabled
Email delivery and unsubscribe events
Session storage entries used to remember temporary interface preferences during your current visit
Technical security headers and signals such as Firebase ID tokens and device risk signals where used to secure API requests

4. Purposes

We process personal data for the following purposes.

• Operate and secure the website and app
• Respond to inquiries and provide support
• Run beta programs including selection, invites, communication, and feedback collection
• Send newsletters and product updates when you subscribe
• Improve reliability, performance, and usability, including troubleshooting
• Validate subscriptions and feature access
• Provide Filesync for Starpolar Plus, including encrypted cloud synchronization, device management, and deletion of Filesync cloud data
• Track route, distance, speed, and pace during GPS-enabled cardio training sessions
• Verify eligibility and credit beta rewards to the correct account and prevent abuse
• Account security and abuse prevention, including login and device logging
• Provide the Starpolar assistant, including analyzing your inputs, generating replies, showing previews, and executing requested actions
• Convert voluntarily started voice input into text for assistant use
• Optionally use redacted and reduced assistant samples to improve intent recognition and response quality where you explicitly enable this

5. Legal Bases

Where required under applicable law, we rely on one or more of the following legal bases.

Contract or steps prior to entering a contract
For example beta participation, account services, and support

Consent
For example newsletters or non essential product communications

Legitimate interests
For example security, fraud prevention, service improvement

Specific allocations
Nutrition and macro guideline features: consent
Providing nutrition and macro data is optional. You can use core planning features without entering this information. You can withdraw consent at any time with future effect.
If you withdraw consent, we stop using this data for calculations. In the app settings, you can disable synchronization and delete nutrition data. You can also delete all app files there, while complete deletion of account associated data requires account deletion.
Assistant functionality and assistant context processing: contract or steps prior to entering a contract and/or legitimate interests in providing a secure and functional service
Voluntary voice input: your active use of the voice feature and, where required, consent or the device permissions you grant
GPS location access for cardio training: your active use of the GPS tracking feature and the device location permissions you grant
Optional use of anonymized assistant samples: consent
Login and security logs: legitimate interests
Newsletter: consent

Where we rely on consent, you can withdraw it at any time with future effect.

6. Website Hosting and Delivery

Our website is hosted and delivered via Netlify. Netlify processes technical data necessary to deliver the website, maintain security, and ensure performance.

Privacy-friendly website analytics
We use Cloudflare Web Analytics to understand how our website is used in aggregate, such as page views, referrers, and general device or country information. Cloudflare Web Analytics is privacy-first: it does not use cookies or other client-side storage, and it does not fingerprint or track individual visitors across websites or over time. No personal profiles are created, and no data is sold or used for advertising. This data is processed on our behalf by Cloudflare, Inc. The legal basis is our legitimate interest in operating, securing, and improving our website (Art. 6(1)(f) GDPR).

7. Forms and Contact Requests

When you contact us or apply for beta access using our forms, we process the information you submit to handle your request, communicate with you, and where applicable enroll you in the beta or newsletter. Form submissions are processed via Netlify Forms.

Spam protection (Cloudflare Turnstile)
To protect our forms against spam and automated abuse, we use Cloudflare Turnstile, a service provided by Cloudflare. Turnstile is privacy-friendly: it does not use cookies, does not track you across websites, and is not used for advertising. To assess whether a request is automated, it may process technical information such as your IP address and browser characteristics; this is handled on our behalf by Cloudflare, Inc. This processing is based on our legitimate interest in securing our forms and preventing abuse (Art. 6(1)(f) GDPR).

8. Newsletter and Email Delivery

If you subscribe to our newsletter, we process your email address and subscription status, including subscribe and unsubscribe events, and technical delivery information. We use Resend to manage contacts and send emails.

Unsubscribe
You can unsubscribe at any time via the unsubscribe link in each newsletter email. After you unsubscribe, we retain newsletter data for 6 months and then delete it completely.

9. Beta Programs and Reward Matching

If you apply for the private beta, we may process your email address, platform preference, optional device information, and your feedback.

For reward verification and to credit beta rewards to the correct account, we process matching identifiers, including the in app User ID and account email address. We recommend using the same email address for your beta application and your Starpolar in app account so the reward can be credited reliably. If these do not match, reward credit may be delayed or denied where we cannot verify the correct enrolled participant.

10. TestFlight and Apple Data

If you use an iOS beta via TestFlight, Apple may collect and provide us with beta related diagnostics and feedback information, including crash data, usage information, and feedback content. Apple may associate this information with your TestFlight account details.

11. Google Play Testing

For Android testing via Google Play, Google may process technical and diagnostic information under its own terms and your device settings. We receive information that Google makes available to developers for testing and diagnostics, depending on the testing setup.

12. Assistant and AI-assisted processing

If you use the Starpolar assistant, your assistant prompt together with limited compact context from your current assistant session is sent to Starpolar's assistant backend and may be processed with OpenAI so that your request can be analyzed, answered, and, where applicable, prepared as an app action or preview. This may include personal data you type or dictate, such as tasks, appointments, nutrition, finance, shopping, or training details. Local app files and full local app databases remain on your device and are not uploaded to the assistant backend or to OpenAI for normal assistant processing.

Data sent to the assistant backend and, where needed for AI processing, to OpenAI may include your prompt, language settings, timestamps, reduced compact assistant context, technical security information, and your choice regarding optional use of anonymized assistant samples. Starpolar does not upload your local app files or complete local app databases for assistant processing.

If you enable the optional training permission, redacted and reduced assistant samples as well as your positive or negative ratings on assistant replies may be used to improve intent quality and assistant performance. If this permission is disabled, we do not use your assistant content for that optional improvement purpose.

13. Recipients and Processors

Netlify processes data for website hosting and form handling. Cloudflare, Inc. processes aggregated, cookieless website analytics and provides Turnstile spam and abuse protection for our website forms. Resend processes newsletter delivery. Our production app APIs and assistant backend are operated on Hetzner servers located in Germany; beta environments may currently use OCI servers. Firebase is used for authentication, synchronization, and crash or diagnostic services where enabled. OpenAI may process assistant inputs and limited assistant context as a third-party AI processor or subprocessor for assistant interpretation and response generation. Apple processes data for TestFlight participation and may provide speech or beta diagnostics. Google processes data for Google Play testing and may also process speech or diagnostic data depending on your device and platform configuration. We use processors under appropriate data processing terms and safeguards where required, including data processing agreements where applicable. For recipe search, search queries and dietary preferences or food intolerances from your profile may be transmitted to Spoonacular (recipe API, USA); recipe queries may be translated via DeepL (translation API, Germany/EU); German recipes may be sourced through Gustar via RapidAPI (USA/Germany). For finance features, security identifiers (ticker symbols, ISINs) may be transmitted to Marketstack (market data API, USA) and OpenFIGI/Bloomberg (identifier mapping, USA). For product search and barcode scanning, search queries and barcodes may be transmitted to Open Food Facts (open product database, non-profit, France).

14. International Transfers

Some service providers may process data outside the EU or EEA. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses and provider data processing terms.

15. Retention

We retain personal data only as long as necessary for the purposes described.

Contact requests
We retain contact requests for 6 months. In specific cases, we may retain certain records for longer if they are reasonably necessary to establish, exercise, or defend legal claims, to investigate abuse, or to comply with legal obligations.

Beta applications
We retain beta applications for 6 months after submission and then delete them, unless limited retention is necessary for fraud prevention or legal defense.

Newsletter
We retain newsletter data until you unsubscribe and for 6 months after unsubscribing. After that period, we delete it completely.

Access logs
30 days.

Login and device logs
30 days.

Local assistant history on your device
Recent assistant history is stored in encrypted form locally on your device and is retained by default only for short session continuity. The currently implemented local retention period is up to 2 hours unless you clear the chat earlier.

Assistant context and assistant replies on our systems
We retain assistant content on our systems only as long as necessary to provide the service, maintain security, troubleshoot issues, prevent abuse, and support the purposes described in this policy. If you have not enabled the optional training permission, we do not use assistant content for the optional quality improvement purpose based on anonymized samples.

Optionally permitted anonymized assistant samples and feedback
If you enable the relevant permission, redacted and reduced samples and your assistant feedback are currently generally retained for up to 90 days during the ongoing beta and may be used for quality improvement and evaluation. After that, we delete or anonymize the data unless a shorter period applies or limited longer retention is strictly necessary for security, abuse prevention, or legal reasons. After withdrawal, we stop using new content for that purpose.

Account deletion and restore grace period
If you delete your Starpolar account, we keep account associated data for 30 days to allow account restoration. After this 30 day period, we permanently delete the remaining account data from our servers and synced Firebase storage, including subscription and entitlement information, unless limited retention is strictly necessary for legal obligations or the establishment, exercise, or defense of legal claims.

The 30 day timeline starts when we receive a verified deletion request.

Filesync after Starpolar Plus expires
If Starpolar Plus ends, Filesync is blocked immediately. You can no longer upload, download, list, or delete Filesync cloud data. Local data in the app remains unchanged. Filesync cloud data is not deleted immediately. It is generally fully removed from Firebase Firestore 30 days after the known Plus expiry date, including active files, deletion markers, sync metadata, and the Filesync user root document. This period applies regardless of whether optional end-to-end encryption was enabled. Decryption is not required for deletion. Automatic deletion only applies where we know an actual Plus expiry date; for accounts without a known expiry date, this automatic deletion rule is not applied to avoid accidental deletion.

Deletion in app settings
In the app settings, you can disable synchronization, delete nutrition data, and remove all app files stored through the app. You can also delete Filesync cloud data through a trusted device and remove or block Filesync devices. These actions affect the relevant app data and synced copies, but they do not by themselves delete your Starpolar account. Complete deletion of account associated data requires account deletion.

Server-side security logs are deleted independently after 30 days, unless an exception applies for abuse investigation or legal defense.

Limited retention for legal protection and abuse prevention
In exceptional cases, we may retain a limited subset of information beyond the periods above where it is reasonably necessary to establish, exercise, or defend legal claims, to investigate fraud or abuse, or to comply with legal obligations. Where possible, we will minimize what is retained and restrict access.

16. Your Rights

You have the right to access, rectification, erasure, restriction, data portability, and to object to processing based on legitimate interests. Where we rely on consent, you can withdraw consent at any time with future effect.

If you are located in Austria, your supervisory authority is the Austrian Data Protection Authority (Datenschutzbehörde).

17. Security

We use reasonable technical and organizational measures to protect personal data, including encryption in transit and access controls.

Filesync data is stored encrypted in Firebase Firestore. If you enable optional end-to-end encryption, we cannot decrypt your Filesync content. At least one trusted device must remain connected for that feature. If you lose or remove all trusted E2E devices, we cannot restore access to the encrypted Filesync data.

18. Contact

For privacy requests, contact hello@starpolar.app.

Company website: gabriel-battlogg.com

To withdraw consent, a short message to hello@starpolar.app is sufficient.

For deleting nutrition data, removing all app files, clearing assistant chat, or disabling synchronization, use the options in the app settings.

For Filesync, use the app settings to remove or block Filesync devices and to delete Filesync cloud data through a trusted device. If you no longer have access to a suitable device or your account, contact us at hello@starpolar.app. We may require verification of account ownership before providing support or deleting data.

To request account deletion, use the in-app deletion option where available. If you cannot access the app, email hello@starpolar.app from the email address linked to your account.

We may need to verify your identity before fulfilling deletion requests. If you no longer have access to the linked email address, we may require alternative proof of account ownership. If verification is not possible, we may be unable to fulfill the request.

19. Changes

We may update this Privacy Policy to reflect changes in features, providers, or legal requirements. The date at the top indicates the current version.