Trust and Safety at Compass
Compass asks for real information about your business and connects to your tools, so you deserve a plain account of what happens to your data, how the AI works, and the rights you have. This page is the summary. The authoritative detail is in the Compass legal pages, linked throughout. Compass is provided by Starlight Tech Limited (registered in England and Wales, company number 17175089), the data controller under UK GDPR.
What We Collect and Why
We collect the data needed to run Compass and build your plan, and nothing we do not need:
- Your account details: email, a hashed password, your business name, country, and time zone.
- Your onboarding answers: what you tell Compass about your business, brand, audience, goals, and resources. These are the inputs that build your plan.
- What Compass generates for you: your 90 Day Growth Plan, Marketing Strategy, and daily tasks.
- Connector data: only the specific fields needed to power your dashboard, from tools you choose to connect and can disconnect at any time.
- Communications and technical data: your messages to us, and the standard telemetry (IP, device, errors) that keeps the service running.
- Billing data: your subscription details. Your card itself is held by Stripe and never seen by Compass.
We use this to run the service, improve it, send the emails you need (and marketing only if you opt in), meet our legal obligations, and protect the service. The full purposes and the lawful basis for each are in the Privacy Notice.
We do not want special category data (health, beliefs, biometrics, and the like). Please do not enter it into Compass.
How the AI Works, and Its Limits
Everything Compass generates is produced by AI, and we are upfront about that. The primary provider is Anthropic's Claude, with named supporting providers for fallback, image, voice, and video features (listed in the Sub-processor List).
The AI builds your plan, strategy, and tasks, summarises data from your connected tools, and drafts content on your request. It does not make legal, financial, or medical decisions for you, move money, hire or fire anyone, or make any decision that has a legal or similarly significant effect on you. Every output is advisory: you decide whether to accept, edit, or reject it before acting.
AI can be wrong, and can sound confident while being wrong, so treat each output as a strong starting point that needs your judgement, and get a human second opinion for significant decisions involving money, people, or legal exposure. If an output is ever harmful, seriously wrong, or biased, email feedback@starlighttech.ai. The full account, including your UK GDPR Article 22 rights, is in the AI Use and Automated Decisions Notice.
We Do Not Train AI on Your Data
We do not use your data, your inputs, or your plan outputs to train any AI model, ours or a provider's. You are opted out of training by default. If we ever offer an opt-in for anonymised content to improve the product, it will be granular, reversible, and clearly labelled at the point of choice.
How Your Data Is Protected
Our security measures include encryption in transit (TLS 1.2 or higher) and at rest (AES-256), tenant isolation enforced by row-level security, multi-factor authentication on administrative accounts, least-privilege access with no standing third-party access to production, daily encrypted backups with point-in-time recovery, and anomaly alerting. The database runs on Supabase in UK and EU regions; the product runs on Vercel. If a breach ever puts your rights at risk, we notify affected users and the Information Commissioner's Office within 72 hours of becoming aware. The full statement is in the Security Statement, and you can report a suspected vulnerability to security@starlighttech.ai.
A note on your side of security: use a unique, strong password and do not share it. User-facing multi-factor authentication is on our roadmap for the first months after launch; until it is available, a strong, unique password is your best protection.
Who We Share Data With
We share data only with the named sub-processors needed to run Compass, each under a written agreement no less protective than our own commitments. They cover our AI providers, our database and hosting, our payment processor, our email delivery, and the connector providers you choose to authorise. We do not sell your data, and we do not share it with advertisers. The current list, with locations and transfer protections, is on the Sub-processor List; we give at least 30 days' notice before adding a new one.
Some providers are outside the UK. Those transfers are protected by UK adequacy regulations where they apply, or by the UK International Data Transfer Addendum with the EU Standard Contractual Clauses.
Your Rights and Your Controls
Under UK GDPR you can access, correct, export, delete, and restrict your data, object to certain processing, and withdraw consent. You can act on most of this yourself in Settings → Data Rights:
- Export your data in a structured, machine-readable format.
- Delete your account. Deletion starts a 30-day window during which signing back in restores it, after which your live data is fully deleted. Some records are kept where the law requires (billing records for 7 years for HMRC, consent records for 7 years, security logs for 12 months, and backups until the rotation overwrites them within 90 days).
- Delete a single output from its own action menu, or disconnect a connector and delete its data in the Data Hub.
If you cannot sign in, or prefer to ask us, email privacy@starlighttech.ai; we respond within one calendar month. The step-by-step is in the Data Deletion Instructions, and your full rights are in the Privacy Notice. If you are ever unhappy with how we handle a request, you can email complaints@starlighttech.ai or complain to the Information Commissioner's Office at ico.org.uk.
Using Compass Responsibly
Compass is for marketing your own legitimate business. The Acceptable Use Policy sets out what you must not use it for (anything unlawful, deceptive, or harmful). Compass labels AI-generated images, voice, and video where the medium allows, and does not produce deepfake or face-swap content. Compass is not directed at anyone under 18.
The Legal Pages in Full
- Privacy Notice
- AI Use and Automated Decisions Notice
- Security Statement
- Sub-processor List
- Data Deletion Instructions
- Cookie Notice
- Acceptable Use Policy
- Terms of Service
For data questions, email privacy@starlighttech.ai. For anything else, see Contact.