Privacy Policy

Last updated: April 11, 2026

NorthStar ("NorthStar," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard information when you access or use our website at northstar.dev (the "Site") and our AI-native product discovery platform, including all related applications, APIs, and services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use of the Service immediately.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, IP address, device identifiers, and usage data.
  • "Customer Data" means any data, content, or materials that you or your authorized users upload, submit, or transmit to the Service, including signals, interview transcripts, survey responses, support tickets, analytics data, and any artifacts generated therefrom.
  • "Workspace" means the organizational account under which you and your team access the Service.
  • "Sub-processor" means any third-party entity engaged by NorthStar to process Personal Data or Customer Data on our behalf.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, password (hashed), organization name, role, and billing details when you create an account or subscribe to a plan.
  • Customer Data: Signals, documents, transcripts, feedback, and any other content you ingest into the Service.
  • Communications: Information you provide when contacting support, submitting feedback, or participating in surveys.
  • Integration credentials: OAuth tokens or API keys for third-party services you connect (e.g., Slack, Jira, GitHub, Notion). These are encrypted at rest and used solely to facilitate the integrations you authorize.

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, clicks, session duration, referral source, and interaction patterns within the Service.
  • Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preference.
  • Log data: Server logs including timestamps, request URLs, response codes, and error messages.
  • Cookies and similar technologies: We use strictly necessary cookies for authentication and session management, and optional analytics cookies with your consent. See Section 10 for details.

2.3 Information from Third Parties

  • Integration data: When you connect third-party services, we receive data from those services as authorized by your integration settings (e.g., Slack messages from a designated channel, Jira tickets from a specific project).
  • Authentication providers: If you sign in via SSO or a social login provider, we receive your name, email, and profile information as provided by that service.

3. How We Use Your Information

We use the information we collect for the following purposes:

Purpose: Legal basis (GDPR)

  • Provide, operate, and maintain the Service: Performance of contract
  • Process payments and manage subscriptions: Performance of contract
  • Generate AI-powered insights, specs, and artifacts from your Customer Data: Performance of contract
  • Send transactional communications (account confirmations, security alerts, billing receipts): Performance of contract
  • Improve, personalize, and develop new features for the Service: Legitimate interest
  • Analyze usage trends and monitor the performance and security of the Service: Legitimate interest
  • Send marketing communications (only with your opt-in consent): Consent
  • Comply with legal obligations, enforce our terms, and protect our rights: Legal obligation / Legitimate interest

4. AI Processing and Customer Data

NorthStar uses artificial intelligence and machine learning to analyze your Customer Data and generate insights, specifications, and other artifacts. The following commitments apply:

  • No training on your data: We do not use your Customer Data to train, fine-tune, or improve general-purpose AI or machine learning models. Your data is processed solely to provide the Service to you.
  • Data isolation: Customer Data is logically isolated per Workspace. AI processing occurs within the context of your Workspace only and is never commingled with data from other customers.
  • Sub-processor AI services: We may use third-party AI model providers (e.g., OpenAI, Anthropic) to process Customer Data. These providers are contractually prohibited from retaining, logging, or using your data for any purpose other than performing the requested inference. We maintain a zero-data-retention agreement with all AI sub-processors.
  • Transparency: AI-generated outputs (insights, specs, recommendations) are clearly identified as such within the Service. We do not represent AI-generated content as human-authored.

5. How We Share Your Information

We do not sell, rent, or trade your Personal Data or Customer Data. We share information only in the following circumstances:

  • Within your Workspace: Customer Data and artifacts are accessible to authorized members of your Workspace based on the permissions you configure.
  • Sub-processors: We engage trusted third-party service providers to help operate the Service, including cloud infrastructure (e.g., AWS), payment processing (e.g., Stripe), email delivery, and AI model inference. All sub-processors are bound by data processing agreements and are required to protect your data to a standard no less protective than this Policy.
  • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of NorthStar, our users, or the public.
  • Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email or prominent notice on the Site before your information becomes subject to a different privacy policy.
  • With your consent: We may share information for any other purpose with your explicit, informed consent.

6. Data Retention

  • Account data: Retained for the duration of your active account and for up to 30 days following account deletion to allow for recovery. After 30 days, account data is permanently deleted.
  • Customer Data: Retained according to the retention limits of your plan (e.g., 7 days for Starter, 90 days for Pro, unlimited for Scale and Enterprise). You may delete Customer Data at any time through the Service. Upon account termination, all Customer Data is permanently deleted within 30 days.
  • Usage and log data: Retained for up to 12 months for analytics and security purposes, then anonymized or deleted.
  • Backups: Encrypted backups may retain data for up to 90 days after deletion from the production environment, after which they are purged in accordance with our backup rotation policy.

7. Data Security

We implement industry-standard technical and organizational measures to protect your information, including:

  • Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
  • Application-level access controls with role-based permissions
  • Regular security assessments, penetration testing, and vulnerability scanning
  • SOC 2 Type II compliance (certification details available upon request)
  • Incident response procedures with notification within 72 hours of a confirmed breach affecting your data
  • Employee access to Customer Data is limited to personnel who require it to provide support and operate the Service, and is subject to strict access controls and audit logging

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

8. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your Personal Data:

  • Access: Request a copy of the Personal Data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete Personal Data.
  • Erasure: Request deletion of your Personal Data, subject to legal retention obligations.
  • Restriction: Request that we restrict processing of your Personal Data under certain circumstances.
  • Data portability: Request your Personal Data in a structured, commonly used, machine-readable format.
  • Objection: Object to processing of your Personal Data based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint: File a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@northstar.dev. We will respond within 30 days, or within the timeframe required by applicable law.

9. International Data Transfers

NorthStar is based in and primarily processes data in the United States. If you are located outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our sub-processors operate.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Additional supplementary measures as required by applicable law

Enterprise customers may select a preferred data residency region. Contact sales for details.

10. Cookies and Tracking Technologies

We use the following categories of cookies:

  • Strictly necessary: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics: Help us understand how visitors interact with the Site and Service. These are only set with your consent.

We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings or through the cookie consent banner displayed on first visit.

11. Third-Party Links and Integrations

The Service may contain links to third-party websites or enable integrations with third-party services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service before providing information to them or enabling an integration.

When you connect a third-party integration, you authorize NorthStar to access and process data from that service as described in the integration setup. You may revoke access at any time through the Service's integration settings.

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected Personal Data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with Personal Data, please contact us at privacy@northstar.dev.

13. U.S. State Privacy Rights

13.1 California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what Personal Data we collect, use, and disclose about you
  • Request deletion of your Personal Data
  • Opt out of the sale or sharing of your Personal Data (we do not sell or share Personal Data)
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate Personal Data
  • Limit use and disclosure of sensitive Personal Data

We do not sell Personal Data. We do not use or disclose sensitive Personal Data for purposes other than those permitted under the CPRA.

13.2 Other U.S. States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with consumer privacy laws may have similar rights. To exercise your rights under any applicable state law, contact us at privacy@northstar.dev.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated policy on this page with a revised "Last updated" date
  • Notify you via email or in-app notification at least 30 days before the changes take effect
  • Where required by law, obtain your consent to material changes

Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.

15. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

For EEA, UK, or Swiss residents, if you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.