Privacy Policy

Last updated: August 9, 2025

StartingIt, Inc. ("StartingIt," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform.

1. Scope; Roles

This Privacy Policy applies to personal information we process as a controller when you visit, register for, or use the Platform, or otherwise interact with us.

For enterprise customers where we process data under a separate agreement, we act as a processor/service provider and the applicable Data Processing Addendum (DPA) will govern.

2. Information We Collect

2.1 Information You Provide

  • Name, email, password (hashed), profile details, subscription tier, credit balance
  • Advisory scheduling details, custom plan request details, community/chat messages, support communications, survey responses
  • Files you upload (e.g., inputs for business plans)
  • Payment details are processed by Stripe; we do not store full card numbers

2.2 Automatically Collected Information

  • Device identifiers, IP address, browser and OS type
  • Cookie identifiers, approximate location (derived from IP)
  • Referring/exit pages, feature usage (ideas viewed, plan downloads, credit transactions)
  • Timestamps, crash logs, diagnostics, security signals

2.3 Generated/Derived Data

  • AI-generated outputs, engagement metrics (e.g., views/likes/saves in Inspiration Hub, tutorial progress)
  • In-product analytics

2.4 From Third Parties

  • Authentication providers (e.g., Google OAuth via NextAuth)
  • Analytics services, fraud prevention tools, and publicly available sources

3. How We Use Information

We use personal information to:

  1. Provide and secure the Platform (including authentication, credit tracking, plan generation, file storage, and delivery)
  2. Process payments and one-time purchases
  3. Provide customer support and operate the community
  4. Analyze and improve performance and features
  5. Communicate about updates, security alerts, and marketing (you may opt out of marketing)
  6. Comply with laws and enforce terms
  7. Prevent, detect, and address fraud, abuse, and misuse

We may use de-identified/aggregated data for analytics, research, and service improvement.

4. Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, our processing bases include:

  • Contract (to provide the Platform)
  • Legitimate interests (security, improvement, analytics, anti-fraud)
  • Consent (where required, e.g., for certain cookies/marketing)
  • Legal obligation

5. Sharing of Information

We do not sell personal information. We may share:

  • With service providers/processors (e.g., Stripe, Supabase, Vercel, OpenAI/Anthropic, analytics providers, email delivery services) under appropriate contracts
  • With law enforcement or regulators where required
  • To protect rights, safety, and property
  • In connection with corporate transactions (merger, acquisition, financing)
  • With your direction or consent

6. International Transfers

We are U.S.-based and may transfer personal information to the United States and other countries that may not provide the same level of protection. Where required, we use safeguards such as Standard Contractual Clauses.

7. Data Retention

We retain personal information as long as necessary to provide the Platform, comply with legal obligations, resolve disputes, and enforce agreements.

Retention periods vary by data category and context. We may retain de-identified or aggregated data longer.

8. Security

We employ administrative, technical, and physical measures intended to protect personal information, including:

  • Encryption in transit
  • Access controls
  • Row Level Security in our database
  • Signed URLs for file access
  • Webhook signature verification

However, no method of transmission or storage is 100% secure.

9. Your Rights & Choices

Depending on your location, you may have rights to access, correct, delete, or port your personal information; to object or restrict certain processing; and to withdraw consent where processing is based on consent.

Manage marketing preferences via unsubscribe links.

To exercise rights, contact support@startingit.ai. We may verify your request and deny it where permitted by law.

10. Cookies & Similar Technologies

We use cookies and similar technologies for authentication, preferences, analytics, and security.

Where required, we present a consent banner and honor your choices.

You can control cookies in your browser settings; some features may not function if disabled.

11. Children's Privacy

The Platform is not directed to children under 13, and we do not knowingly collect personal information from them.

In the EEA/UK, we do not knowingly process data of children under the applicable age of digital consent.

12. U.S. State Disclosures (e.g., California)

For U.S. state laws including CCPA/CPRA, we act as a business/service provider.

We do not "sell" or "share" personal information for cross-context behavioral advertising as defined by those laws.

California residents may exercise the rights described in Section 9 and may designate an authorized agent.

We honor Global Privacy Control (GPC) signals where applicable.

13. Model Training; Opt-In

We will not use your non-public inputs or outputs to train our or third-party models unless you opt in (where available) or agree separately in writing.

You may change your preference in account settings (when available) or by contacting us.

14. Third-Party Links & Services

The Platform may link to third-party websites or services we do not control. Their privacy policies govern those services.

15. Changes to this Policy

We may update this Privacy Policy from time to time.

We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice.

Your continued use constitutes acceptance.

16. Contact Us

support@startingit.ai

Annex: Subprocessors (Representative List)

  • Stripe – payments processing
  • Supabase – database, authentication, file storage, real-time features
  • Vercel – hosting and deployment
  • OpenAI; Anthropic – AI model providers
  • Email & Analytics Providers – transactional email, product analytics (varies by configuration)

A full, current list is available upon request and may be updated from time to time.

Annex: Data Processing Addendum (Summary)

For enterprise customers, a DPA is available upon request and includes: roles; subject matter/duration; nature/purpose; categories of data and data subjects; confidentiality; security measures; sub-processor terms and notice; international transfer mechanisms (SCCs); audit and assistance; incident/breach notification; and deletion/return at termination.