Privacy Policy
Effective date: March 31, 2026 · Last updated: March 31, 2026
Starch ("Starch," "we," "us," or "our") operates the Starch platform, accessible at starch.site (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.
By accessing or using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account information: When you create an account, we collect your full name, email address, and password. If you sign in with Google, we receive your name, email address, and profile information from Google. During signup, we require you to confirm that you are at least 16 years old.
- Waitlist information: If you join our waitlist, we collect your email address.
- Project and workspace data: Names and settings for projects and workspaces you create.
- Team collaboration data: Email addresses of people you invite to collaborate on projects.
- Chat and query data: Messages, queries, and instructions you submit through the Service's AI chat interface. Your messages are processed by third-party AI providers (see Section 3.1).
- Files and documents: Documents you upload (PDF, CSV, XLSX, DOCX) for data extraction and analysis.
- Knowledge base content: Documentation and notes you create within the Service.
- Feedback and support data: Bug reports (including screenshots), feature requests, and ratings you provide on AI-generated responses.
1.2 Information Collected Through Integrations
When you connect third-party services to Starch, we receive data from those services based on the permissions you grant. This may include:
- Financial data: Bank account information, transaction details (amounts, dates, merchant names, categories), and account balances collected via Plaid. When you connect a bank account, we sync up to 24 months of historical transactions and receive ongoing updates via webhooks.
- Payment and subscription data: Billing information processed through Stripe, including subscription status and billing period.
- Business tool data: Data from connected services such as QuickBooks, Gmail, Notion, Slack, HubSpot, and others via integration platforms (Composio, Merge, Pipedream).
- HR and payroll data: If you connect HR integrations (e.g., Paylocity, ADP), we may receive employee and payroll information.
We only access data from third-party integrations that you explicitly authorize. You can disconnect integrations at any time through your account settings.
1.3 Information Collected Automatically
- Usage and analytics data: With your consent (via our cookie consent banner), we use PostHog to collect information about how you interact with the Service, including pages visited, features used, clicks, and session duration. PostHog session replay may record your interactions with the interface, with all form inputs masked to prevent capture of sensitive data. Analytics are not loaded unless you accept cookies.
- Device and browser information: Browser type, operating system, device type, screen resolution, and language preferences.
- Log data: IP address, access times, referring URLs, and error logs.
- Approximate location: When you use browser automation features, we derive your approximate geographic location (city, state, country) from your IP address. This is used solely to route automated browser sessions through a geographically appropriate proxy so that third-party services do not flag your activity as suspicious. This location data is stored as part of your connection configuration.
- Cookies and local storage: We use cookies, localStorage, and sessionStorage to maintain your session, remember your preferences (such as active project and sidebar state), and, with your consent, support analytics. See Section 7 for details.
1.4 Information Collected During Browser Automation
If you use Starch's browser automation features, the Service may capture screenshots of web pages visited during automated workflows. These screenshots are processed by our browser automation provider (Browserbase) and our AI providers to execute the actions you request. Screenshots may include content from third-party websites you are logged into (e.g., LinkedIn, Twitter, Gmail). These screenshots are used solely to complete the requested automation and are not retained beyond the duration of the automation session.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the Service: To create and manage your account, deliver the features you request, process your queries, execute automations, and generate dashboards and reports.
- AI processing: To process your queries, uploaded documents, and automation instructions using third-party AI models provided by Anthropic (Claude) and Google (Gemini). Data sent to AI providers is limited to what is necessary to fulfill your request (e.g., query text, relevant data collection schemas, and referenced business data). We do not send your full user profile or unrelated project data.
- Web search: When your queries require current information, search requests may be sent to our web search provider (Exa). Search queries may contain terms derived from your questions.
- Code execution: When the Service generates custom dashboards or tools, code may be executed in a sandboxed environment provided by E2B. The code and its inputs may contain references to your business data.
- Browser automation: When you use automated browser workflows, your instructions and website screenshots are processed by Browserbase (browser infrastructure) and AI providers to execute the requested actions.
- Billing and payments: To process subscription payments, manage trials, and handle billing inquiries via Stripe.
- Communication: To send transactional emails (account confirmation, password resets, automation results, project invitations) via our email provider, Resend. We do not send marketing emails.
- Improve the Service: To analyze usage patterns (with your consent), diagnose technical issues, and improve features and performance.
- Security: To detect, prevent, and address fraud, abuse, and security incidents.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
3. How We Share Your Information
We do not sell your personal information. We share your data only in the following circumstances:
3.1 Service Providers (Sub-Processors)
We share information with third-party service providers who process data on our behalf to operate the Service:
| Provider |
Purpose |
Data Shared |
| Supabase |
Database hosting, authentication, file storage, serverless functions |
All account and application data |
| Anthropic (Claude) |
AI query processing, document extraction, automation, browser automation |
User queries, document content, business data referenced in queries, browser screenshots |
| Google (Gemini) |
AI query processing |
User queries and referenced business data |
| Stripe |
Payment processing, subscription management |
Email, payment method, billing details |
| Plaid |
Bank account connections and financial data sync |
Bank credentials (tokenized), transaction data |
| Resend |
Transactional email delivery |
Email addresses, email content |
| PostHog |
Product analytics and session replay (consent required) |
Usage events, session recordings (all inputs masked), device info |
| Browserbase |
Browser automation infrastructure |
Website screenshots, automation session data, approximate user location for proxy routing |
| E2B |
Sandboxed code execution for custom dashboards and tools |
Generated code and data inputs referenced in dashboards |
| Exa |
Web search for current information |
Search queries derived from user questions |
| Composio |
Third-party app integrations (Gmail, QuickBooks, Notion, etc.) |
Data from connected services as authorized by you |
| Merge |
HRIS and accounting data integrations |
HR, payroll, and accounting data as authorized by you |
| Pipedream |
Workflow automation and app connections |
Data from connected services as authorized by you |
| Vercel |
Website and serverless function hosting |
Request logs, IP addresses |
3.2 Team Collaborators
If you use project sharing features, your project data will be accessible to team members you invite based on the role (owner or editor) you assign.
3.3 Shared Dashboards and Tools
If you create a shareable link for a dashboard or tool, anyone with that link can view the shared content. You can revoke shared links at any time through the Service.
3.4 Legal Requirements
We may disclose your information if required to do so by law, or in the good faith belief that such action is necessary to comply with a legal obligation, protect our rights or safety, or investigate potential violations.
3.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
4. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you the Service. Specifically:
- Account data: Retained until you delete your account.
- Project data, files, and tools: Retained until you delete them or delete your account. Deleting a project cascades deletion to all associated data (tools, automations, data records, connections, and related content).
- Chat histories: Retained until you clear them (available via the "Clear Chat History" option in the Service) or delete your account.
- Automation logs: Execution logs for your automations are retained for the lifetime of the automation or until you delete the associated project.
- Financial transaction data: Transaction records synced from your bank via Plaid are retained until you delete the associated project or your account.
- Application logs: Internal application logs are automatically deleted after 30 days.
- Waitlist data: Retained until you request removal or your email is no longer needed for its collected purpose.
- Analytics data: Retained according to our analytics provider's retention policies (PostHog), only if you have consented to analytics.
- Billing records: Retained as required by applicable tax and financial regulations.
- Browser automation data: Screenshots captured during browser automation sessions are not retained beyond the duration of the automation session.
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- All data is transmitted over HTTPS/TLS encryption.
- Database-level row-level security (RLS) policies ensure users can only access their own data and data shared with them.
- Sensitive credentials for third-party integrations are encrypted at rest using Supabase Vault.
- Authentication tokens are managed securely via Supabase Auth with JWT-based sessions.
- Passwords are required to be at least 8 characters and are hashed before storage.
- Webhook payloads (e.g., from Stripe and Plaid) are verified using cryptographic signatures (HMAC).
- Project data is isolated per-project with role-based access controls.
- Analytics session recordings mask all form inputs to prevent capture of sensitive data.
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Your Rights and Choices
6.1 Access and Portability
You can access your personal data through the Service at any time. You can export all your data (profile, projects, tools, connections, chats, automations, knowledge pages, and data records) in machine-readable JSON format using the "Export My Data" feature in the Service.
6.2 Correction
You can update your account information (name, email) through the Service's settings, or by contacting us.
6.3 Deletion
You have the following deletion options:
- Individual projects: Delete specific projects and all associated data (tools, automations, connections, data records, chat histories) at any time through the Service.
- Chat histories: Clear all conversation history within a project using the "Clear Chat History" option.
- Account deletion: Permanently delete your entire account and all associated data using the "Delete Account" option in the Service. This action is irreversible and removes all your projects, data, files, and personal information.
6.4 Integration Disconnection
You can disconnect any third-party integration at any time through your account settings. Disconnecting an integration stops future data syncing from that service.
6.5 Analytics Consent
When you first use the Service, you will be presented with a cookie consent banner. Analytics and session replay (PostHog) are only activated if you choose to accept. You can decline, and the Service will function normally without analytics. You may also manage your cookie preferences through your browser settings.
6.6 Communication Preferences
All emails sent by the Service are transactional (such as password resets, account notifications, project invitations, and automation results). We do not send marketing emails.
7. Cookies and Tracking Technologies
We use the following cookies and storage mechanisms:
| Type |
Purpose |
Consent Required |
Duration |
| Session cookie (Supabase Auth) |
Maintains your authenticated session |
No (essential) |
Session / until logout |
| Cookie consent preference |
Remembers your analytics consent choice |
No (essential) |
Persistent until cleared |
| Analytics cookies (PostHog) |
Tracks usage patterns and product analytics; session replay with all inputs masked |
Yes |
1 year |
| localStorage |
Stores user preferences (active project, sidebar state, draft messages, AI disclosure acknowledgment) |
No (essential) |
Persistent until cleared |
| sessionStorage |
Temporary UI state (chat prompts, auto-send flags) |
No (essential) |
Browser session |
Disabling essential cookies may affect the functionality of the Service.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers operate. These transfers are necessary to provide the Service and are carried out in accordance with applicable data protection laws. Where required, we rely on standard contractual clauses or other approved transfer mechanisms.
9. California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at hello@starch.site. We will verify your identity before processing your request and respond within 45 days.
10. European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, the following applies:
10.1 Legal Bases for Processing
- Contract: Processing necessary to provide the Service you signed up for (account management, AI processing, integrations, billing).
- Consent: Where you have given explicit consent, such as accepting analytics cookies or connecting third-party integrations. You may withdraw consent at any time.
- Legitimate interest: For security, fraud prevention, and essential service operation, where our interests do not override your rights.
- Legal obligation: Where we are required to process data by law (e.g., tax and billing records).
10.2 Your GDPR Rights
In addition to the rights listed in Section 6, you have the right to:
- Restrict or object to certain processing of your personal data.
- Withdraw consent at any time (where processing is based on consent), without affecting the lawfulness of prior processing.
- Lodge a complaint with your local data protection authority.
- Request data portability in a machine-readable format (available via the "Export My Data" feature).
To exercise these rights, contact us at hello@starch.site.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. We require age confirmation during account registration. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at hello@starch.site.
12. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you connect to or interact with through Starch.
13. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required by law, the relevant supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy, our data practices, or wish to exercise any of your rights, please contact us at:
Starch
Email: hello@starch.site