Last updated: May 22, 2026
Privacy Policy
This Privacy Policy explains what data Starscoo collects, why we collect it, and how you can control it. We aim to collect as little as possible while still operating a reliable service.
What we collect
- Account data: email, name, hashed password, role.
- Authentication: session cookies, IP at sign-in.
- API usage: request metadata (model, tokens, status, latency, cost). Prompt bodies and responses may be stored in encrypted form for up to 30 days for abuse detection and billing audits, then automatically purged.
- Billing: plan, invoice history, last four digits of payment method (Stripe handles full card data).
What we don't do
- We do not sell personal data.
- We do not use your prompts or completions to train models.
- We do not run trackers or third-party analytics on the dashboard.
How we use data
We use data to operate the gateway, prevent abuse, bill correctly, and improve reliability. Aggregated, de-identified metrics may be used to publish status or performance benchmarks.
Subprocessors
- Supabase — auth, database, storage (EU region).
- Vercel — hosting, edge CDN.
- Stripe — payments (when enabled).
- Cloudflare — DNS, DDoS protection, Turnstile bot detection.
- Model providers — OpenAI, Anthropic, and any provider you explicitly route through. Your prompts pass through them when you call those models.
Your rights
You can export your account data or request deletion at any time by emailing privacy@starscoo.space. EU/UK users have rights under the GDPR including access, rectification, erasure, and objection.
Retention
Account data: until you delete the account. Request bodies/responses: 30 days. Request metadata (tokens, cost, status): 24 months. Audit logs: 12 months.
Security
All traffic is encrypted in transit (TLS 1.2+). Provider keys and any prompt payloads at rest are AES-256 encrypted using a pepper held in our deployment secrets. Internal access requires SSO and is logged. See /security for details.
Contact
For privacy questions, email privacy@starscoo.space.