
Data Processing Agreement

The contract under which Starvo processes personal data on your behalf, in line with GDPR Article 28, UK GDPR, and India's DPDPA 2023.

Version 2026-05-23.4 · Last updated: May 23, 2026

Overview & Acceptance

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Customer”) and Starvo (operated as a sole proprietorship by Shiva Kumar Esakki Pandiyan in Hyderabad, Telangana, India; the “Processor”). It applies whenever Starvo, in providing the Service, processes Personal Data on behalf of the Customer that is subject to the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, India's Digital Personal Data Protection Act, 2023 (“DPDPA”), or any other data-protection law that requires a written processor agreement.

By accepting the Terms of Service at onboarding, you accept this DPA on behalf of yourself and any business you are authorised to bind. No counter-signature is required. If you need a signed copy for your records or for a regulator, email privacy@starvo.app.

1. Definitions

Capitalised terms not defined here have the meaning given to them in the GDPR or, where the DPDPA applies, in that Act.

  • “Personal Data” — any information relating to an identified or identifiable natural person, as processed by Starvo on the Customer's behalf in the course of providing the Service.
  • “Customer Personal Data” — Personal Data that the Customer (or the Customer's end customers, via the Service) provides to Starvo in connection with the Service.
  • “Data Subject” — the identified or identifiable individual to whom Personal Data relates (e.g., a customer of the Customer's business who submits a review).
  • “Sub-processor” — any third party engaged by Starvo to process Customer Personal Data on its behalf.
  • “Data Protection Laws” — the GDPR, the UK GDPR, the DPDPA, and any other applicable law governing the processing of Personal Data.

2. Scope & Roles

For Customer Personal Data, the parties' roles are:

  • Customer = Controller (under GDPR / UK GDPR) and Data Fiduciary (under DPDPA). The Customer decides why and how Customer Personal Data is processed.
  • Starvo = Processor (under GDPR / UK GDPR) and Data Processor (under DPDPA). Starvo processes Customer Personal Data on behalf of the Customer and on the Customer's documented instructions.

Starvo acts as a Controller, not a Processor, with respect to the Customer's own account data (the Customer's sign-up email, business profile, billing metadata). The processing of that account data is governed by the Privacy Policy, not this DPA.

3. Duration & Termination

This DPA takes effect on the date the Customer accepts the Terms of Service and remains in force until the Customer's account is closed and all Customer Personal Data has been deleted in accordance with Section 14. Provisions intended to survive (in particular Sections 8 (Confidentiality), 14 (Deletion), and 15 (Liability)) survive termination.

4. Annex I — Categories of Data & Data Subjects

Categories of Data Subjects whose Personal Data may be processed by Starvo on the Customer's behalf:

  • The Customer's end customers who submit a review through a QR code or via the public review URL.
  • The Customer's team members invited as Managers or Staff (where their access activity is logged).
  • Authors of public Google reviews synced into the Customer's dashboard (where the Customer has connected Google Business Profile).

Categories of Customer Personal Data that may be processed:

  • Identifiers — optional email address voluntarily provided by a reviewer; team-member email and assigned role; reviewer display name as shown on Google (for synced Google reviews only).
  • Feedback content — the free-text review or feedback submitted by the reviewer, the star rating, and any reply the Customer chooses to send.
  • Technical identifiers — a salted hash of the reviewer's IP address (raw IPs are never stored), browser user-agent string at submission, and timestamps.
  • Communication content — content of WhatsApp messages sent and received through the optional WhatsApp Cloud API channel, and Meta's delivery-status callbacks.
  • Derived data — sentiment label, topic tags, and priority assigned by Starvo's analyser to each review.

Special categories of data (Article 9 GDPR) and data of a sensitive nature under the DPDPA are not intentionally processed by the Service. The Customer is responsible for not soliciting or storing such data through the Service.

5. Nature & Purpose of Processing

Starvo processes Customer Personal Data solely to provide the Service to the Customer as described in the Terms of Service and configured by the Customer. The processing operations include: storing reviews and replies; displaying them in the Customer's dashboard; running AI-assisted reply drafting and sentiment / topic analysis when triggered by the Customer; sending owner notifications, weekly digests, and customer-facing apology / discount / thank-you emails on the Customer's behalf; syncing and replying to Google reviews where the Customer has authorised the integration; and sending WhatsApp messages where the Customer has configured the channel.

6. Customer Instructions

Starvo processes Customer Personal Data only on the Customer's documented instructions. The Terms of Service, this DPA, the configuration of the Service (settings, role assignments, integrations enabled by the Customer), and any written request the Customer sends to privacy@starvo.app together constitute the Customer's documented instructions.

Starvo will immediately inform the Customer if, in Starvo's opinion, an instruction infringes the GDPR, the UK GDPR, the DPDPA, or other applicable Data Protection Laws.

7. Annex II — Sub-processors & Objection Right

The Customer authorises Starvo to engage the following Sub-processors:

Sub-processor | Purpose | Location
Supabase | Managed PostgreSQL, authentication, file storage | United States / Singapore (region depends on project)
Vercel | Application hosting, edge CDN | Global edge network
Dodo Payments | Merchant of Record for subscriptions | Global
Groq | AI model inference for reply drafts & analysis | United States
Resend | Transactional email delivery | United States
Google | Google Business Profile API (only when Customer authorises via OAuth) | Global
Meta (WhatsApp Cloud API) | WhatsApp message delivery (only when Customer configures the channel) | Global

Starvo imposes data-protection obligations on each Sub-processor that are no less protective than this DPA, in accordance with GDPR Article 28(4). Starvo remains responsible to the Customer for each Sub-processor's performance.

Notice of new Sub-processors. Starvo will give the Customer at least 30 days' advance notice by email before a new Sub-processor begins processing Customer Personal Data. Notices are sent to the email address on the Customer's account. The Customer may, within that 30-day window, object on reasonable data-protection grounds by emailing privacy@starvo.app. If the parties cannot resolve the objection in good faith, the Customer's sole remedy is to terminate the affected portion of the Service (and the related subscription, on a pro-rata refund of any pre-paid unused fees, notwithstanding the “no refunds” clause in the Terms of Service).

8. Confidentiality

Starvo keeps Customer Personal Data confidential and ensures that anyone authorised to process Customer Personal Data (currently: the proprietor named in Section 0 of the Terms) is committed to confidentiality.

9. Annex III — Technical & Organisational Security Measures

Starvo implements appropriate technical and organisational measures to protect Customer Personal Data, having regard to the state of the art and the risks of processing (GDPR Article 32). The measures include:

  • Encryption in transit — HTTPS / TLS on every connection; HSTS preloaded.
  • Encryption at rest — provided by Supabase and Vercel at the infrastructure layer.
  • Row-level security on every database table that holds Customer Personal Data; column-level access controls on sensitive fields (Google OAuth tokens).
  • Server-enforced authorisation — every API route verifies that the calling user has the right to access the requested record; UI gating is defence in depth, not the gate.
  • Webhook integrity — every incoming webhook (Dodo, WhatsApp) is signature-verified before processing.
  • Idempotent event handling — webhook events are deduplicated on event ID to prevent replay.
  • Secret management — credentials are stored as environment variables, never in code or client bundles.
  • Email-confirmation gating on invite claims so team-member access cannot be hijacked via an unverified email.
  • Soft delete + scheduled hard delete — account deletion runs through a 48-hour recovery window then a permanent purge cron.
  • Audit logging — administrative actions are logged with admin id, action, target, timestamp, and IP.
  • Vulnerability disclosure — security researchers can contact us at security@starvo.app.

These measures may evolve over time provided the overall level of protection is not reduced.

10. International Data Transfers

Starvo is operated from India. Several Sub-processors are based in the United States or operate globally. Where Customer Personal Data of individuals in the European Economic Area or the United Kingdom is transferred to a country that does not have an adequacy decision under the GDPR or UK GDPR, the transfer is protected by the relevant Sub-processor's Standard Contractual Clauses (SCCs) and any supplementary measures required by Chapter V of the GDPR. The published SCCs and Data Processing Addenda of each Sub-processor are available on their respective websites.

11. Assistance to the Customer

Taking into account the nature of the processing and the information available to Starvo, the Processor will assist the Customer by appropriate technical and organisational measures to:

  • Respond to Data Subject requests for access, rectification, erasure, restriction of processing, portability, or objection (GDPR Articles 12–22). Most of these can be self-served by the Customer through the dashboard (CSV export, delete-account).
  • Comply with the Customer's obligations under GDPR Articles 32–36 (security of processing, breach notification, data-protection impact assessments, and prior consultation), to the extent Starvo reasonably can.
  • Provide reasonable information necessary to demonstrate the Customer's compliance with the GDPR or the DPDPA, on written request to privacy@starvo.app.

Where Starvo receives a Data Subject request that relates to Customer Personal Data, Starvo will, unless legally prohibited, promptly forward the request to the Customer rather than respond directly.

12. Personal Data Breach Notification

Starvo will notify the Customer without undue delay, and where feasible within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notice will, to the extent known, describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures Starvo has taken or proposes to take to address it.

13. Audits

Starvo will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, in accordance with the conditions below:

  • The Customer will give at least 30 days' advance written notice of a requested audit.
  • Audits will be conducted at the Customer's expense during normal working hours, in a way that does not unreasonably interfere with Starvo's business or compromise the confidentiality of other customers' data.
  • Where an audit by a recognised third party (e.g., a SOC 2 or ISO 27001 report by a Sub-processor) is reasonably sufficient to demonstrate compliance for the scope in question, the Customer agrees to accept it instead of an on-site inspection.
  • Audits do not extend to Starvo's commercially sensitive information or to the systems of other customers.

14. Deletion or Return of Customer Personal Data on Termination

On termination of the Customer's subscription or this DPA:

  • The Customer may export their data at any time before deletion using the CSV export in the dashboard, or by request to privacy@starvo.app for a fuller machine-readable export.
  • Following account deletion, Customer Personal Data is held for a 48-hour recovery window, then permanently and irreversibly removed by a scheduled job.
  • Starvo retains only such Customer Personal Data, and only for so long, as required by applicable law (e.g., limited billing records held by Dodo Payments for tax law) or as needed to defend itself in a legal claim.

15. Liability

The liability of each party under or in connection with this DPA is governed by, and subject to, the limitations and exclusions in Section 14 (Limitation of Liability) of the Terms of Service, except where a limitation cannot be applied as a matter of Data Protection Law.

16. Governing Law & Jurisdiction

This DPA is governed by the same law and is subject to the same jurisdiction as the Terms of Service (Section 18 of the Terms), without prejudice to any non-waivable rights a Data Subject or supervisory authority has under the Data Protection Laws.

17. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service or the Privacy Policy, this DPA controls with respect to the processing of Customer Personal Data covered by it.

Contact

For data-processing enquiries: privacy@starvo.app. For Grievance Officer / Data Principal grievance: Shiva Kumar Esakki Pandiyan at grievance@starvo.app. Other contract enquiries: support@starvo.app.
