Privacy Policy & GDPR
Last updated: August 4, 2025
Privacy First: Your privacy is our top priority. We collect minimal data, use end-to-end encryption when possible, and never sell your information to third parties.
1. Information We Collect
1.1 Waitlist Information
When you join our waitlist, we collect:
- Email Address: Required for communication and service access
- Name: Optional, used for personalization in emails and communications
- Registration Date: When you joined the waitlist
- Confirmation Status: Whether you've confirmed your email address
1.2 Technical Information
We automatically collect certain technical information:
- IP address (for security and fraud prevention)
- Browser type and version
- Device information
- Access times and dates
1.3 Future Service Data
When the full service launches, we will collect:
- Account Information: Username, encrypted authentication data
- Content Data: Your notes, documents, and files (end-to-end encrypted)
- Usage Data: How you interact with the service (anonymized)
2. How We Use Your Information
2.1 Waitlist Phase
We use your information to:
- Send you updates about Starpaste development
- Notify you when access becomes available
- Provide customer support
- Prevent fraud and abuse
2.2 Service Operation
When the service launches, we will use your information to:
- Provide and maintain the service
- Process your requests and transactions
- Send important service notifications
- Improve service functionality and user experience
- Ensure security and prevent unauthorized access
3. End-to-End Encryption
Zero-Knowledge Architecture: When the service launches, your content will be encrypted on your device before transmission. We cannot read, access, or decrypt your private content.
3.1 What Is Encrypted
- All document content and notes
- File attachments and media
- Comments and collaboration data
- Document titles and metadata
3.2 What Is Not Encrypted
- Your email address and account information
- Service usage analytics (anonymized)
- Technical logs for service operation
4. Information Sharing
We do not sell, trade, or rent your personal information to third parties. We may share your information only in these limited circumstances:
4.1 Service Providers
We work with trusted service providers who help us operate the service:
- Email Service: Resend (for sending confirmation and notification emails)
- Hosting: Cloud infrastructure providers for service hosting
- Analytics: Privacy-focused analytics tools (data anonymized)
4.2 Legal Requirements
We may disclose your information if required by law or to:
- Comply with legal processes or government requests
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users
- Prevent fraud or security threats
5. Data Storage and Security
5.1 Security Measures
We implement industry-standard security measures:
- Encryption in transit (HTTPS/TLS)
- Secure database storage
- Regular security audits and updates
- Access controls and authentication
- Monitoring for suspicious activity
5.2 Data Location
Your data is stored on secure servers within the European Union to ensure GDPR compliance.
6. Your Rights
You have the following rights regarding your personal information:
6.1 Access and Portability
- Request a copy of your personal data
- Export your content and data
6.2 Correction and Deletion
- Update or correct your information
- Request deletion of your account and data
6.3 Control and Consent
- Withdraw consent for data processing
- Object to certain types of data processing
- Restrict how we process your data
7. Cookies and Tracking
We use minimal cookies and tracking technologies. See our Cookie Policy for detailed information.
7.1 Essential Cookies
We use essential cookies for:
- Authentication and session management
- Security and fraud prevention
- Basic functionality
7.2 Analytics
We use privacy-focused analytics to understand how users interact with our service, but this data is anonymized and cannot be linked to individual users.
8. Data Retention
8.1 Waitlist Data
We retain waitlist information until:
- You request deletion
- You create a full account (data is migrated)
- 2 years after service launch (if no account is created)
8.2 Service Data
When the service launches:
- Your content is retained as long as your account is active
- Account data is deleted within 30 days of account closure
- Backup data is securely deleted within 90 days
9. International Transfers
Your data is primarily stored within the European Union. If we need to transfer data internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other appropriate safeguards under GDPR
10. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Sending an email to your registered address
- Posting a notice on our website
- Requiring acceptance of updated terms in the service
12. Your GDPR Rights
GDPR Commitment: Starpaste is fully committed to GDPR compliance. We respect your privacy rights and provide transparent, easy-to-use tools for managing your personal data.
12.1 What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It gives individuals in the European Union enhanced rights over their personal data and requires organizations to be transparent about how they collect, use, and protect personal information.
12.2 Your Rights Under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
Right to Information
You have the right to know what personal data we collect, why we collect it, and how we use it.
Right of Access
You can request a copy of all personal data we hold about you, free of charge.
Right to Rectification
You can ask us to correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure
Also known as the "right to be forgotten," you can request deletion of your personal data.
Right to Restrict Processing
You can ask us to limit how we process your personal data in certain circumstances.
Right to Data Portability
You can request your data in a structured, machine-readable format to transfer to another service.
Right to Object
You can object to certain types of processing, including direct marketing and profiling.
Rights Related to Automated Decision Making
You have rights regarding automated decision-making and profiling that affects you.
12.3 How We Comply with GDPR
Lawful Basis for Processing
We process your personal data based on the following lawful bases:
- Consent: For waitlist registration and marketing communications
- Contract: To provide the service when you create an account
- Legitimate Interest: For security, fraud prevention, and service improvement
- Legal Obligation: To comply with applicable laws and regulations
Data Minimization
We collect only the minimum amount of personal data necessary to provide our service:
- Email address (required for account creation and communication)
- Name (optional, for personalization)
- Technical data (for security and service operation)
Privacy by Design
Our service is built with privacy as a core principle:
- End-to-end encryption for all user content
- Zero-knowledge architecture
- Minimal data collection
- Regular security audits and updates
12.4 Data Processing Activities
Waitlist Phase
- Data Collected: Email address, name (optional), registration timestamp
- Purpose: Communication about service availability
- Legal Basis: Consent
- Retention: Until service launch + 2 years or until deletion requested
Service Operation
- Data Collected: Account information, encrypted content, usage analytics
- Purpose: Service provision, security, improvement
- Legal Basis: Contract, legitimate interest
- Retention: Duration of account + 30 days for deletion
12.5 Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Inform affected individuals without undue delay
- Provide clear information about the breach and our response
- Take immediate steps to contain and remedy the breach
12.6 Exercise Your GDPR Rights
You can exercise your GDPR rights by contacting us via email. We will respond to your request within one month (extendable to three months for complex requests).
How to Submit a GDPR Request
To exercise any of your GDPR rights, please send an email to legal@we.starpaste.eu using the template below:
Subject: GDPR Request
Body:
[IMPORTANT: Please do not change the subject of this message — it helps us process your request faster]
Type of Request: [Select one: Data Access, Data Correction, Data Deletion, Data Portability, Restrict Processing, Object to Processing, Withdraw Consent, Other]
Your Email Address: [Enter the email address associated with your account]
Full Name: [Your full name for verification]
Request Description: [Please describe your request in detail...]
Identity Verification: [To protect your privacy, please provide additional information to verify your identity (e.g., approximate registration date, last login, etc.)]
Note: The "GDPR Request" part of the subject helps us automatically filter and prioritize your request. Please do not remove or modify this line.
12.7 Children's Data
We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have collected such data, we will delete it promptly and notify the relevant supervisory authority if required.
12.8 Automated Decision Making
We do not use automated decision-making or profiling that would significantly affect you. Any automated processing we use (such as spam detection) is limited to technical functionality and does not impact your rights or legal status.
12.9 Regular Reviews
We regularly review our GDPR compliance measures, including:
- Annual privacy impact assessments
- Regular staff training on data protection
- Updates to policies and procedures
- Technical security reviews and improvements
13. Contact Us
If you have questions about this Privacy Policy or want to exercise your rights, contact us:
- Privacy Team/GDPR Requests: legal@we.starpaste.eu
- General Inquiries: hello@we.starpaste.eu
14. Supervisory Authority
If you believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority. For users in Poland, this is:
- Authority: Urząd Ochrony Danych Osobowych (UODO)
- Website: uodo.gov.pl
- Email: kancelaria@uodo.gov.pl