Privacy Notice
This notice explains what personal data Starlight Tech Limited collects when you use Compass, why we collect it, how we look after it, and the rights you have over it. It is written to be read. If anything here is unclear, email us and we will explain.
1. Who We Are
Compass is provided by Starlight Tech Limited, a company registered in England and Wales. We are the data controller for the purposes of the UK General Data Protection Regulation and the Data Protection Act 2018.
- Company name: Starlight Tech Limited
- Company number: 17175089
- Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
- Contact for data protection enquiries: privacy@starlighttech.ai
In this notice, "Starlight Tech", "we", "us" and "our" mean Starlight Tech Limited. "You" and "your" mean the person who creates an account or uses Compass.
2. The Personal Data We Collect
When you use Compass, we collect the following categories of personal data.
Account data. Your email address, a hashed version of your password, the name of your business if you provide one, your country, and the time zone we infer at sign-up.
Onboarding answers. The answers you give Compass during business setup, brand setup, audience setup, channel setup, and any other onboarding stage. These are the inputs that allow Compass to build your growth plan.
Plan outputs. The 90 Day Growth Plan, the Marketing Strategy, the daily tasks, and any other content Compass generates for you on the basis of your inputs.
Connector data. Where you choose to connect a third-party platform, Compass receives only the data fields needed to power your dashboard. The full list of connectors and the data each one accesses is in Schedule 1 of our Data Processing Agreement, summarised on the Sub-processor List. You authorise every connector individually and may disconnect at any time in Settings.
Communications. Messages you send us, support tickets, and feedback you submit through the product.
Technical data. IP address, browser and device characteristics, pages loaded, errors encountered, and other product telemetry. Used to keep the service running and to spot bugs. We measure site usage with cookieless analytics (Ahrefs), which is aggregate and is not linked to your identity.
Form-protection data. When you use our contact, subscribe, or sign-up forms, Google reCAPTCHA receives technical information about your interaction to tell humans from bots. This is a fraud and security measure. Your use of reCAPTCHA is subject to Google's own Privacy Policy and Terms, as set out in the Cookie Notice.
Billing data. Where you subscribe to Compass Pro, your subscription metadata (plan, status, start date) is held by Compass. The payment instrument itself (card number, account details) is held by our payment processor, Stripe, and is never seen by Compass.
Waiting list and Beta Squad. Before launch, when you join our waiting list, we collect your email address and first name, your business type and business stage, and any other details you choose to give us (your business name, last name, town or city, country, and how you sell and who you sell to). We use this to tell you when Compass opens and, where you have consented, to send you marketing. If you tick the Beta Squad box, we also use these details to consider your application and to pick a varied cohort. Your waiting-list details are held in our email platform, MailerLite. You can unsubscribe and ask us to delete them at any time.
We do not ask for and do not want special category data: information about your health, political opinions, religious or philosophical beliefs, biometrics, sexual orientation, racial or ethnic origin. Please do not enter such information into Compass.
3. Why We Collect Personal Data
We collect personal data for five purposes:
1. To run the service: provide your account, generate your plan, deliver the features you signed up for.
2. To improve the service: identify bugs, measure what works, fix what does not.
3. To stay in touch: send the transactional emails you need (receipts, password resets, security notices) and, where you have opted in, marketing emails about Compass.
4. To meet legal obligations: keep accurate financial records, respond to lawful requests from authorities, evidence consent where required.
5. To protect the service and other users: detect abuse, fraud, and security incidents.
4. Lawful Basis for Each Purpose
| Purpose | Lawful basis under UK GDPR | Notes |
|---|---|---|
| Provide the service you signed up for | Article 6(1)(b), contract | Includes account creation, plan generation, billing, transactional emails |
| Improve the service | Article 6(1)(f), legitimate interests | Documented in our internal Legitimate Interests Assessment |
| Marketing emails | Article 6(1)(a), consent | Captured when you join the pre-launch waiting list, at sign-up, on the blog subscribe form, and during onboarding; sent via MailerLite; withdrawable any time in Settings or via the unsubscribe link |
| Legal and regulatory compliance | Article 6(1)(c), legal obligation | Accounting records, tax, lawful requests |
| Protect the service | Article 6(1)(f), legitimate interests | Fraud and abuse prevention, including Google reCAPTCHA on our forms (which shares form-interaction data with Google) |
We do not rely on consent where another basis fits better. This keeps your rights clear and consistent.
5. AI Training
We do not use your personal data, your inputs, or your plan outputs to train any AI model, whether owned by us or operated by a sub-processor. You are opted out of AI training by default. If we ever offer an opt-in for anonymised content to improve the product, that opt-in will be granular, reversible, and clearly labelled at the point of choice.
6. Who We Share Your Personal Data With
We share data only with the sub-processors listed at https://compassbystarlight.com/legal/sub-processors. Each is bound by a written agreement no less protective of your rights than this notice. The current list covers our AI provider, our database and hosting providers, our payment processor, our transactional email provider for account and security email (MailerSend), our website contact-form email provider (Resend), our marketing email provider where you have opted in (MailerLite), our cookieless website analytics (Ahrefs), our bot and fraud protection on forms (Google reCAPTCHA), and the connector providers you choose to authorise.
We do not sell your data. We do not share it with advertisers. We do not share it with any third party other than the sub-processors above, except where we are required to by law.
7. International Transfers
Some sub-processors are located outside the United Kingdom. Transfers to them are protected by one of the following mechanisms:
- the UK adequacy regulations for transfers to the European Economic Area, Switzerland, the Crown Dependencies, and other adequacy-listed jurisdictions; or
- the UK International Data Transfer Addendum combined with the European Commission Standard Contractual Clauses for transfers to the United States and other non-adequacy jurisdictions.
A full schedule of transfer routes and mechanisms is in Schedule 4 of our Data Processing Agreement, available on request from privacy@starlighttech.ai.
8. How Long We Keep Your Personal Data
| Data | Retention |
|---|---|
| Account data | For as long as your account is active. On deletion, 30 days in soft-delete, then full deletion. |
| Onboarding answers and plan outputs | For as long as your account is active. You can delete specific outputs in Settings. |
| Connector tokens and pulled data | Until you disconnect. On disconnect, 30 days in soft-delete, then full deletion. |
| Waiting-list and Beta Squad details | Until launch plus 12 months, or until you unsubscribe, whichever is sooner, then deletion. |
| Communications | 24 months. |
| Technical logs | 90 days. Authentication logs: 12 months. |
| Billing records | 7 years from the end of the financial year in which the transaction occurred (HMRC requirement). |
| Consent records | 7 years from the most recent event on the consent record. |
Backups are deleted on the standard backup rotation and do not exceed 90 days.
9. Your Rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- correct data that is wrong or out of date;
- delete your data (the right to be forgotten);
- port your data to another provider in a structured, commonly used, and machine-readable format;
- restrict processing in certain circumstances;
- object to processing carried out under our legitimate interests;
- withdraw consent for any purpose where consent is the lawful basis;
- object to automated decision-making as set out in the AI Use and Automated Decisions Notice; and
- complain to the Information Commissioner's Office.
To exercise any of these rights, email privacy@starlighttech.ai or use the Data Rights controls in the product Settings. We respond within one calendar month. If we need longer we will tell you why within the first month.
To complain to the ICO: https://ico.org.uk/make-a-complaint/ or 0303 123 1113.
10. Cookies
Compass uses a small number of strictly necessary cookies to run the service (authentication, security, session state). These do not require consent under the Privacy and Electronic Communications Regulations 2003. Our website analytics is cookieless, so it sets no analytics cookie. Google reCAPTCHA sets a cookie when it loads on our forms, as a security measure, which we explain in the Cookie Notice. We do not use cookies for advertising or cross-site tracking, and we do not show a consent banner because there is no non-essential cookie to consent to. The full cookie list is in the Cookie Notice.
11. Children
Compass is not directed at children under 18 and is not intended for their use. An age gate runs at sign-up. If you believe a child has supplied personal data to Compass, email privacy@starlighttech.ai and we will delete it.
12. Automated Decision-Making
Compass uses AI to generate growth plans, daily tasks, and other coaching outputs based on the information you give it. These outputs are advisory and informational. They do not produce legal effects or significantly affect you in the sense of UK GDPR Article 22(1). You always decide whether to accept, edit, or reject any Compass output before acting on it.
A fuller account of the AI inside Compass, including its limits and the oversight we apply, is in the AI Use and Automated Decisions Notice.
13. Security
We follow security practice appropriate to a SaaS product of our size. The current measures are listed in our Security Statement and in Schedule 2 of our Data Processing Agreement. No system is perfectly secure. If we ever suffer a personal data breach that puts your rights at risk, we will tell you and the Information Commissioner's Office within 72 hours of becoming aware.
14. Changes to This Notice
If we change how we handle your personal data, we update this notice and email you at least 14 days before the change takes effect. The current version is always at https://compassbystarlight.com/legal/privacy. The change log sits at the bottom of this page.
15. Contact
For data protection enquiries, email privacy@starlighttech.ai.
For general enquiries, email hello@starlighttech.ai.
Change Log
- v1.0, 10 June 2026. First publication.
Starlight Tech Limited, company number 17175089, registered office 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, registered in England and Wales.