Privacy Policy

STARLI INC. ("Starli", "we", "us", "our")
Contact: support@starli.family

1. Scope and Acceptance

This Privacy Policy governs your use of the Starli mobile application and related services. By creating an account, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, do not use Starli.

This Policy applies to users worldwide. Additional rights apply to EU/UK users (GDPR) and California residents (CCPA) — see Sections 8 and 8B.

2. Information We Collect

A. Information You Provide Directly:

• Account: email address, encrypted password, family display name
• Children's profiles: first name, date of birth, grade level, bedtime, color preference
• Health information (voluntary): allergies, medications, emergency contacts — entered solely by parents for use in the Emergency Card feature
• Schedule data: weekly activities, leave/return times, locations, notes
• Task data: daily routine tasks and completion records
• Star/reward data: daily star entries, consequence levels, reward preferences
• Caregiver data: names, roles, phone numbers of invited caregivers
• Photos: activity photos uploaded voluntarily by caregivers
• Messages: text messages sent through the in-app Family Chat feature
• Phone number (optional): if you choose to receive SMS notifications

B. Information Collected Automatically:

• App usage analytics: screens visited, features used, session duration
• Device information: device type, OS version, app version
• Error logs: crash reports (no personal data included)
• Push notification tokens (only if you enable notifications)

C. Information We Do NOT Collect:

• We do not collect precise GPS location (we only store addresses you manually enter)
• We do not access your phone contacts
• We do not collect financial or payment information (handled entirely by Apple/Google)
• We do not collect any information directly from children
• We do not use tracking pixels, web beacons, or third-party advertising trackers

3. Children's Privacy — COPPA Compliance

Starli complies fully with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. sections 6501-6506, and its implementing regulations, 16 C.F.R. Part 312.

Key Protections:

• Children under 13 do not create accounts. All accounts are created by parents or legal guardians (adults 18+).
• All information about children is entered exclusively by verified adult account holders.
• We do not knowingly collect personal information directly from children under 13.
• We do not use children's information for behavioral advertising, profiling, or any commercial purpose other than providing the Starli service.
• We do not disclose children's information to third parties except as described in Section 6.
• Health information (allergies, medications) is stored solely for the Emergency Card feature and is never used for any other purpose.

Parental Rights Under COPPA:

• Review all personal information collected about your child: email support@starli.family
• Correct inaccurate information: edit directly in the app under Settings → Manage Children
• Request deletion of your child's information: Settings → Account → Delete Account OR email support@starli.family
• Refuse further collection: delete your account at any time
• We will respond to verified parental requests within 30 days.

4. How We Use Your Information

We use collected information solely to:

• Provide, operate, and improve the Starli application
• Sync schedule and star data across authorized caregivers in real time
• Send push notifications you have enabled (star alerts, reminders)
• Respond to customer support requests
• Detect and prevent fraud, abuse, and security incidents
• Comply with applicable legal obligations

We DO NOT use your information for:

• Selling or renting data to any third party — ever
• Targeted or behavioral advertising
• Building user profiles for commercial sale
• Training AI models on your personal or children's data
• Any purpose not described in this Policy

5. Data Storage and Security

Storage Location: All user data is stored on Supabase infrastructure hosted on Amazon Web Services (AWS) in the United States (us-east-1, Virginia).

Security Measures:

• Encryption at rest: AES-256
• Encryption in transit: TLS 1.2 minimum, TLS 1.3 preferred
• Password storage: bcrypt hashing with salt
• Database access: Row Level Security (RLS)
• API keys: stored in encrypted vaults, never in application code
• Caregiver access: magic links expire automatically at midnight

Data Retention:

• Active account data: retained while account is active
• Star and schedule history: retained for 2 years, then automatically purged
• Deleted accounts: all data permanently deleted within 30 days
• Error logs: retained for 90 days, then deleted

6. Information Sharing

We share information ONLY with the following service providers, each bound by confidentiality agreements:

• Supabase, Inc. — Database, authentication, file storage (USA)
• Expo (Expo Inc.) — App distribution, push notifications (USA)
• RevenueCat, Inc. — Subscription management (USA)
• Apple Inc. — Payment processing, Apple Sign-In (USA)
• Google LLC — Payment processing, Google Sign-In, Google Calendar API (USA)
• EmailJS — Email delivery for weekly summaries (USA)
• Twilio, Inc. — SMS delivery for text alerts, if enabled by you (USA)

We NEVER sell personal information, share data with data brokers, or share children's data with advertisers.

7. Caregiver Access and Permissions

• You control who has access to your family data at all times
• Babysitters receive time-limited magic links that expire automatically at midnight
• All caregiver activity is attributed to that caregiver
• You can revoke any caregiver's access instantly from Settings → Caregivers

8. Your Privacy Rights

All Users:

• Access: request a copy of all personal data we hold about you
• Correction: correct inaccurate data directly in the app or by contacting us
• Deletion: delete your account and all associated data
• Portability: export your data in a structured format

California Residents (CCPA/CPRA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell data)
• To exercise: email support@starli.family with subject "California Privacy Request"

EU/UK Residents (GDPR):

• Legal basis for processing: performance of contract and legitimate interest
• Right to access, rectify, erase, restrict, and port your data
• Right to object to processing
• Right to lodge a complaint with your local data protection authority
• Data transfers: your data is stored in the US; we rely on Standard Contractual Clauses for EU-US transfers
• Data Protection Officer: support@starli.family

To exercise any rights: support@starli.family (response within 30 days)

8C. Family Chat and Messaging

• Messages sent through Family Chat are stored permanently and visible to all approved family members and caregivers.
• Messages are not end-to-end encrypted but are encrypted in transit (TLS) and at rest (AES-256).
• We do not read, analyze, or mine your messages for any purpose.
• If a caregiver is removed from a family, they lose access to all future and past messages for that family.
• Deleting your account permanently deletes all messages you sent within 30 days.

9. Google and Apple Calendar Integration

• We request access to read and write calendar events (Google Calendar "events" scope)
• We import event titles, times, and locations into your Starli schedule
• Activities you create in Starli may be synced back to your connected calendar
• OAuth access tokens are stored securely in our database; refresh tokens are encrypted
• You can disconnect your calendar and revoke access at any time in Settings → Import Calendar
• Revoking access deletes stored tokens immediately

10. Contact

Privacy Officer: Starli Inc.
Email: support@starli.family
COPPA requests: "COPPA Request" subject line
California requests: "California Privacy Request" subject line
Response time: within 30 days