Back to home

Privacy Policy

Your privacy matters. Here's exactly what we collect and how we protect it.

Last updated: May 23, 2026

1. Who We Are & Our Role

Starvo (“Starvo”, “we”, “us”) operates the review-management platform at starvo.app. Starvo is operated as a sole proprietorship by Shiva Kumar Esakki Pandiyan, based in Hyderabad, Telangana, India. See the Terms of Service, Section 0, for full legal-identity details.

Roles for the data we handle:

  • For an account-holder (a business owner using Starvo), we are the data controller / Data Fiduciary of your account data.
  • For the customer reviews your QR codes collect, the business owner is the controller / Data Fiduciary, and Starvo acts as a processor / Data Processor on the owner's behalf. This relationship is governed by our Data Processing Agreement, which forms part of these terms for every business owner subject to the GDPR, the UK GDPR, or the Indian Digital Personal Data Protection Act 2023.

Contact for privacy & grievance. Our Grievance Officer (Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, Rule 3(1)(a), and Digital Personal Data Protection Act 2023) is Shiva Kumar Esakki Pandiyan, contactable at grievance@starvo.app. General privacy enquiries: privacy@starvo.app. Complaints are acknowledged within 48 hours and resolved within 15 days under the IT Rules (30 days for data-principal requests under the DPDPA).

2. What Data We Collect

We only collect what is necessary to run the service. Specifically:

  • Account data — email address, hashed password (via Supabase Auth), and any name or profile detail you choose to add. For Google sign-in, the OAuth identifier and email returned by Google.
  • Business data — business name, type, Google review URL, optional logo, locations, team-member emails and roles, reply templates, and your declared country, timezone, and currency.
  • Customer review data — for each submission through your QR code: rating, optional free-text feedback, optional customer email address, a salted hash of the submitter's IP (for rate-limiting and duplicate detection only — we do not store raw IPs), and timestamps. Submitters can review anonymously by leaving the email field blank.
  • Synced Google reviews — when you connect Google Business Profile, we sync the public review text, rating, author display name as shown on Google, and our OAuth access and refresh tokens for your account.
  • Usage and operational logs — request logs, error logs, cron-job logs. These help us debug and operate the service; they are not used to profile you.
  • Consent records — a row recording that you accepted the Terms of Service version shown to you at onboarding, with timestamp, IP, and user-agent (required to prove valid consent if disputed).
  • Payment data — handled entirely by Dodo Payments, our Merchant of Record. Starvo never sees, processes, or stores card numbers, CVV, or other payment instrument data. We receive only the billing email, billing country, subscription status, and Dodo subscription / customer IDs.
  • WhatsApp message records — if you use the optional WhatsApp Cloud API channel, the content of messages sent (escalation alerts, follow-ups, owner notifications) and Meta's delivery-status callbacks are stored in your account's database (table whatsapp_messages) and visible to your Owner and Manager roles in the dashboard. Inbound messages your customers send to your WhatsApp number are also stored for the same window.
  • Cookies — strictly necessary cookies for authentication and session management (Supabase auth cookies). Starvo does not use advertising, marketing, or third-party tracking cookies.

3. Legal Basis for Processing (EU / UK / EEA)

If GDPR or UK GDPR applies to you, the legal bases we rely on are:

  • Contract (Art. 6(1)(b)) — to provide the Service you signed up for: hosting your account, displaying your dashboard, processing your subscription.
  • Legitimate interests (Art. 6(1)(f)) — for security, abuse prevention, rate limiting, IP-hash duplicate detection, and basic operational logging. We balance these interests against your rights.
  • Legal obligation (Art. 6(1)(c)) — to retain limited records required by tax, accounting, or anti-fraud law.
  • Consent (Art. 6(1)(a)) — for the optional Google Business Profile integration (you explicitly authorise via OAuth), the optional WhatsApp channel (you set up the number), and any future marketing emails (we will ask separately before sending any).

3A. Legal Basis for Processing (India — DPDPA 2023)

Starvo is operated from India and is a Data Fiduciary under India's Digital Personal Data Protection Act, 2023 (“DPDPA”) for the personal data of Indian Data Principals. Section 4 of the DPDPA permits processing for a lawful purpose for which the Data Principal has either given consent or for which consent is implied under one of the “certain legitimate uses” (Section 7).

For Indian Data Principals, our lawful bases are:

  • Consent (DPDPA Section 6) — for account creation, the optional Google Business Profile integration, the optional WhatsApp channel, and any future marketing emails. Consent is captured at the relevant opt-in point and can be withdrawn at any time, with the same effort as it was given.
  • Certain legitimate uses (DPDPA Section 7) — for processing necessary to perform the Service you signed up for, for compliance with law, and for prevention and investigation of fraud and abuse of the Service.

Rights of Indian Data Principals. Under the DPDPA you have the right to: access a summary of the personal data we process about you and the processing activities; correct, complete, or update inaccurate or incomplete personal data; erase personal data that is no longer necessary for the purpose for which it was collected; nominate another person to exercise your rights in the event of your death or incapacity; and grievance redressal. To exercise any of these rights, email our Grievance Officer at grievance@starvo.app. We respond within the time prescribed by the DPDPA (currently 30 days) and never within fewer than the timeframes prescribed by the IT Rules 2021 for related grievances (15 days).

Grievance escalation. If you are not satisfied with our response, you may approach the Data Protection Board of India once it is constituted, or any other competent authority under Indian law.

4. How We Use Your Data

We use the data above only to:

  • Provide the Service: serve QR codes, run your dashboard, run reviews through analysis, generate AI reply drafts when you click Generate, sync Google reviews when you connect Google.
  • Notify you about activity (new reviews, weekly digest, monthly report) and operational matters (account, billing, security).
  • Send customer-facing emails on your behalf when you choose to (apology, discount, thank-you).
  • Process subscription payments through Dodo Payments.
  • Detect, investigate, and prevent abuse — rate limiting, duplicate detection, sanctions checks.
  • Comply with legal obligations and respond to lawful requests from authorities.

We do not sell, rent, or share your data with anyone for marketing or advertising. We do not train any AI model on your data. Our business model is your subscription — that's it.

5. Automated Decision-Making & AI

Starvo uses AI (Llama via Groq) for two things, both of which require your explicit click:

  • Reply drafts. When you click “Generate reply”, we send the review text, your business name, business type, and any active templates to the AI provider to produce a draft. You always edit and send manually — there is no auto-publication.
  • Sentiment & topic analysis. Reviews are run through a lightweight tagging step (positive/negative, topic categories) so you can sort and filter them.

No solely-automated decisions with legal or similarly significant effects are made about any individual. AI is a drafting and labelling aid; humans make every send/publish/resolve decision. Our current AI provider, Groq, processes Starvo's requests under its enterprise terms which, as of the date of this Policy, include a commitment not to retain request content for training. We do not use the content to train third-party models. If we change AI provider or those underlying terms change materially, we will update this Policy. For Groq's current terms see groq.com/privacy-policy.

6. Sharing Data with Third Parties (Sub-processors)

We rely on a small set of carefully chosen providers to run the Service. They each receive only the data they need to perform their function and are bound by their own privacy commitments.

  • Supabase — managed PostgreSQL database, authentication, file storage. Receives: all account, business, and review data.
  • Vercel — application hosting and CDN. Receives: HTTP requests; does not have direct database access.
  • Dodo Payments — Merchant of Record. Receives: billing email, billing country, subscription details. Card data is handled directly by Dodo under PCI-DSS; never transmitted to Starvo.
  • Groq — AI model inference. Receives: review text and business metadata only when you click “Generate reply” or when a review is analysed. Processes under its current enterprise terms, which we link in Section 5.
  • Resend — transactional email delivery. Receives: recipient email and message content for outbound emails (owner alerts, customer replies, invoices).
  • Google — Business Profile API. Used only if you explicitly connect via OAuth. Receives the OAuth scopes you approve, scoped to your Business Profile.
  • Meta (WhatsApp Cloud API) — optional. Used only if you provide WhatsApp credentials. Receives only the messages you choose to send through it.

Changes to our sub-processor list. We may add or replace sub-processors as the Service evolves. For business owners covered by our Data Processing Agreement, we will give at least 30 days' advance notice by email before a new sub-processor begins processing your personal data, and you may object during that window (see the DPA for the objection mechanism). For all other users, material changes are reflected on this page.

7. International Data Transfers

Starvo is operated from India. Several of our sub-processors are based in the United States or operate globally. This means your data may be transferred to and processed outside your country of residence, including outside the European Economic Area.

Where personal data of EEA / UK individuals is transferred to a country without an EU/UK adequacy decision, the transfer is protected by the relevant provider's Standard Contractual Clauses (SCCs) and supplementary measures, in line with the GDPR Chapter V requirements. The major sub-processors named above publish their SCCs and Data Processing Addenda on their websites.

8. Data Retention

We keep your data only as long as we need it:

  • Active account data — kept while your account is active.
  • Soft-deleted account data — kept for 48 hours after you (or an admin) initiate deletion, to allow recovery, then permanently deleted by a scheduled job.
  • Customer review data — kept while the owning business's account is active. Permanently deleted when the account is hard-deleted.
  • Billing records and invoices — retained by Dodo Payments under their own retention policy and applicable tax law (typically 6–10 years depending on jurisdiction). Starvo's copy of subscription metadata is kept while the account exists.
  • Consent records — kept for at least three years after the account closes, as evidence that valid consent was obtained.
  • Operational logs — typically rotated within 30 days; security logs may be kept longer where required to investigate abuse.

9. Data Storage & Security

  • Encryption in transit. HTTPS / TLS on every connection, HSTS preloaded.
  • Encryption at rest. Provided by our database and storage providers (Supabase, Vercel) at the infrastructure level.
  • Row-level security. Every table has database-level access policies so a service can only read or write the rows it owns. The OAuth token columns are additionally locked at the column level.
  • Server-enforced authorisation. Every API route verifies ownership; UI gating is defence in depth, not the gate.
  • Secrets. API keys and credentials are stored as environment variables; never in code, never in client bundles.
  • Webhooks. All incoming webhooks (Dodo, WhatsApp) are signature-verified before processing.
  • Account take-over protection. Email confirmation is required before an invite can be claimed.

10. Data Breach Notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, and where feasible within 72 hours of becoming aware (in line with GDPR Article 33).

Notice to you will be sent to the email address on your account and will include the nature of the breach, the categories of data affected, the measures we have taken, and any steps you can take to protect yourself.

10A. California Residents (CCPA / CPRA)

This section applies if you are a California resident and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA/CPRA”), applies to you. Starvo does not meet the CCPA's applicability thresholds today, but we honour these rights regardless for any California user.

  • Categories of personal information we collect — identifiers (email, account ID), commercial information (subscription / payment metadata via Dodo), internet activity (login, scan, reply events), and inferences (sentiment / topic tags on reviews). See Section 2 for the full inventory.
  • Sources — directly from you, automatically from your interactions with the Service, and from Google when you authorise the Google Business Profile integration.
  • Business purposes — providing and improving the Service, communicating with you, processing payments via our Merchant of Record, securing the Service, and complying with the law (the same purposes described in Section 4).
  • Sale of personal information. We do not sell your personal information as “sale” is defined under the CCPA/CPRA, and we have not sold personal information in the preceding 12 months.
  • Sharing for cross-context behavioural advertising. We do not share personal information for cross-context behavioural advertising as that term is defined under the CPRA. We do not have a “Do Not Sell or Share My Personal Information” link because there is nothing to opt out of.
  • Sensitive personal information. We do not use or disclose sensitive personal information (as defined by the CPRA) for purposes that would trigger a right to limit. Sensitive categories that we incidentally process (account credentials only) are used solely for the purpose of running the Service.
  • California “Shine the Light” (Cal. Civ. Code § 1798.83) — we do not share personal information with third parties for those third parties' own direct marketing purposes.
  • Your CCPA/CPRA rights — to know, to access, to delete, to correct, to opt out of sale or sharing (not applicable here), to limit use of sensitive personal information (not applicable here), and to non-discrimination for exercising any right. Exercise any of these by emailing privacy@starvo.app from the email on your account.
  • Authorised agents. You may designate an agent to make a request on your behalf; we require written, signed authorisation and may verify the request directly with you.

11. Your Rights

If you are located in the European Economic Area, the United Kingdom, India, or any other region with equivalent data-protection law, you have the rights below. We honour them globally where the underlying processing makes them applicable.

  • Access — Request a copy of the personal data we hold about you. Email privacy@starvo.app from the email on your account; we verify it is you, then send the export.
  • Portability — Your customer list is exportable yourself as CSV from your dashboard. For a full machine-readable account export, email us.
  • Rectification — Most fields (business name, type, Google link, settings) are editable directly in Dashboard → Settings. For anything you cannot self-serve, email us and we will correct it.
  • Erasure — Delete your account and all associated data yourself from Dashboard → Settings → Delete account (48-hour soft-delete window, then permanent removal), or request it by email.
  • Objection / Restriction — Email us to object to or restrict a specific processing activity. Some processing (e.g. invoice retention for tax law) must continue to meet legal obligations.
  • Withdraw consent — Where processing is based on consent (Google integration, WhatsApp, future marketing), you may withdraw it at any time without affecting processing already done before withdrawal.
  • Complain to a supervisory authority — You always have the right to lodge a complaint with your local data-protection authority. We'd rather you tell us first so we can fix it, but we will not penalise or retaliate for any complaint.

For any request you cannot self-serve, email privacy@starvo.app from your account email address. We verify the request comes from you (to protect your data from impersonation) and respond within 30 days — usually much sooner.

Data Protection Officer. Starvo does not engage in large-scale systematic monitoring of individuals, nor process special categories of data as a core activity, and is therefore not required to appoint a Data Protection Officer under Article 37 of the GDPR. The named Grievance Officer (grievance@starvo.app) and the privacy contact (privacy@starvo.app) handle all data-protection enquiries. We will appoint a DPO if the scope of processing later triggers that requirement.

12. Children & Age Thresholds

Starvo is not directed to children. The applicable minimum ages differ by context:

  • Account holders (people who sign up for Starvo to run a business) must be at least 18 years old, or the age of majority in their jurisdiction if higher. See Terms Section 1.
  • Customers submitting a review through a QR code are the business owner's end customers; Starvo does not knowingly collect personal data through this surface from anyone under 16 years of age (in the EEA/UK) or 13 years of age (in the United States, per COPPA). Review submission is optional and can be anonymous.

If you believe a child below the relevant threshold has provided personal data to us, email privacy@starvo.app and we will delete it without delay.

You must be at least 18 (or the age of majority in your jurisdiction, whichever is older) to create a Starvo account.

13. Cookies

Starvo uses only strictly necessary cookies — the session cookies that keep you logged in (issued by Supabase Auth). These are essential for the Service to function and do not require consent under GDPR / ePrivacy.

We do not use advertising cookies, marketing pixels, third-party analytics (such as Google Analytics), or cross-site tracking. If we ever add optional analytics, it will be opt-in.

14. Customer Reviews Submitted Through Your QR

When a customer of a Starvo user submits a review through a QR code, Starvo processes that data on behalf of the business owner, who is the controller of the review data. Starvo's role is processor.

Business owners are responsible for: providing their own privacy notice to their customers; responding to data-subject requests from their customers; and complying with applicable law for the collection and storage of customer feedback. Starvo will reasonably assist owners when notified at privacy@starvo.app.

15. Changes to This Policy

We may update this Policy. For material changes, we will notify you by email and post a banner in the dashboard at least 30 days before they take effect. The most recent update date is shown at the top of this page.

16. Contact

Questions, requests, or concerns about this policy or your personal data: privacy@starvo.app — read directly by the founder.