Privacy Policy
Last updated: January 31, 2026
1. Overview
StarReply UG (haftungsbeschränkt) ("StarReply", "we", "us") operates the platform at starreply.ai. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.
2. Data Controller
StarReply UG (haftungsbeschränkt)
Email: privacy@starreply.ai
3. Data We Collect
3.1 Account Data
When you sign in with Google, we receive and store:
- Your name and email address
- Google account ID
- Profile picture URL
3.2 Google Business Profile Data
With your explicit authorization, we access:
- Your Google Business Profile location information (name, address, ID)
- Reviews on your business locations (reviewer name, rating, text, date)
- Existing review replies
We do not access your Gmail inbox, Google Drive, Google Contacts, or any other Google service beyond your Business Profile.
3.3 Usage Data
We collect standard usage data including:
- Pages visited and features used
- Browser type and device information
- IP address (anonymized)
- Timestamps of actions
3.4 AI-Generated Content
We store AI-generated reply drafts and posted replies associated with your account to provide the Service and improve reply quality.
4. How We Use Your Data
We use your data exclusively to:
- Provide and operate the StarReply Service
- Generate AI-powered review reply suggestions
- Post approved replies to your Google Business Profile on your behalf
- Display your reviews, locations, and analytics in the dashboard
- Send transactional emails (e.g., account notifications, draft approvals)
- Improve the Service and fix issues
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Legal Basis for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for
- Consent (Art. 6(1)(a)): For accessing your Google Business Profile and enabling automated replies
- Legitimate interest (Art. 6(1)(f)): For usage analytics and Service improvement
6. Google API Services Compliance
StarReply's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request access to the Google Business Profile API scopes necessary to provide the Service
- We do not use Google user data for advertising purposes
- We do not transfer Google user data to third parties except as necessary to provide the Service (e.g., AI processing) or as required by law
- We do not use Google user data to train general-purpose AI models
- Users can revoke access at any time through Google Account settings or the StarReply dashboard
7. Consent for Automated Actions
StarReply will never post review replies without your prior, specific, and express consent.
Auto-reply is disabled by default. You must explicitly enable it per location and configure which reviews qualify for automatic posting. You can revoke consent at any time. See our Terms of Service (Section 3) for full details.
8. Third-Party Processors
We use the following third-party services to operate StarReply:
- Vercel (USA) — Hosting and deployment
- Supabase (USA/EU) — Database and authentication
- OpenAI (USA) — AI reply generation
- Google (USA) — Business Profile API
All processors are bound by data processing agreements. Where data is transferred outside the EU, appropriate safeguards (e.g., Standard Contractual Clauses) are in place.
9. Data Retention
- Account data: Retained as long as your account is active. Deleted within 30 days of account deletion.
- Review data and replies: Retained as long as your account is active and the location is connected.
- Usage data: Retained in anonymized form for up to 12 months.
- Google OAuth tokens: Stored encrypted. Deleted immediately upon disconnection or account deletion.
10. Your Rights (GDPR)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Request data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting the lawfulness of prior processing
To exercise your rights, contact us at privacy@starreply.ai. You also have the right to lodge a complaint with a supervisory authority.
11. Cookies
StarReply uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies.
12. Security
We implement appropriate technical and organizational measures to protect your data, including encrypted storage of OAuth tokens, HTTPS-only communication, and access controls. However, no method of transmission over the Internet is 100% secure.
13. Children
The Service is not intended for children under 16. We do not knowingly collect data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates the latest revision.
15. Contact
StarReply UG (haftungsbeschränkt)
Email: privacy@starreply.ai