StarNestSocial ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what we collect, how we use it, how we protect it, and your rights.
0. Platform-Specific Privacy Practices
StarNestSocial is available as both a web application and native mobile app (iOS/Android). Data collection practices vary by platform:
- Web: Cookies for authentication, preferences, analytics. LocalStorage/SessionStorage for caching and session management.
- Mobile: No web cookies. Uses native device storage (iOS Keychain, Android SharedPreferences). Push notification tokens (FCM/APNs) collected. Device permissions managed via device settings.
- Data Equivalence: Types of data collected are the same across platforms; only the storage mechanism differs.
1. Information We Collect
- Account details: name, username, email, date of birth, password
- User content: videos, images, posts, comments, messages
- Direct messages: text, media, reactions, edit history, timestamps
- Financial details: payout information via Stripe, ESC transactions
- Technical data: IP address, device type, browser, cookies (web), native device identifiers (mobile), crash logs
- Security data: device fingerprints, fraud signals, behavioral patterns, geographic anomalies
- Ad interaction data: impressions, clicks, views, completion rates, ESC payouts, Nest-specific attribution
- Mobile-specific: push notification tokens, device permissions, app/platform version
2. How We Use Information
- Provide and improve StarNestSocial
- Personalize your experience
- Process ad revenue sharing
- Verify age and eligibility
- Prevent fraud and abuse through device fingerprinting, anomaly detection, and risk scoring
- Provide customer support
- Comply with legal requirements
2A. Legal Basis for Processing (GDPR)
- Contractual necessity: Account creation, content hosting, transactional emails
- Consent: Ad personalization, marketing emails (withdrawable anytime)
- Legitimate interest: Fraud detection, security monitoring, analytics
- Legal obligation: Tax records, law enforcement requests
3. Data Sharing
- Service providers: Supabase (database, authentication, storage), Stripe (payments, identity verification), Cloudinary (media hosting), MailerSend (transactional email), NewsData.io (news aggregation), analytics providers
- Advertisers and partners: to deliver ads and calculate revenue sharing
- Legal authorities: where required by law
- In mergers/acquisitions
We do not sell personal data.
3A. Profile Privacy & Content Visibility
- Public Profiles (default): Visible to all authenticated users
- Private Profiles: Only visible to mutual followers
- Followers-Only Posts: Public profile users can restrict individual posts to mutual followers
- Admins and moderators may access content for moderation, safety, and compliance
3A-1. Guest Posts & Nest Visibility
Guest posts inherit your profile's privacy settings. Only mutual followers can comment on posts on your nest. You can delete any guest post on your nest at any time.
3A-2. Gallery Posts
Gallery posts are references to original posts, not copies. Visibility and commenting follow the original post's privacy settings. Interactions affect the original post's metrics.
3B. Messaging Privacy
- Storage: Supabase database with Cloudinary for media
- Encryption: TLS in transit; not end-to-end encrypted. Encrypted at rest by Supabase.
- Retention: Deleted messages are soft-deleted and recoverable for 90 days. Account deletion purges messages after 90 days.
- Access: Staff may access for moderation, legal compliance, or security
- Voice Messages: Audio stored as .mp3 on Cloudinary
3C. Content Reporting & Moderation
Reporter identity is protected by default. Reports are retained for 12 months after resolution. Moderation actions (warnings, suspensions, bans) are logged with timestamps and moderator ID.
3D. Live Streaming Data
Stream metadata (title, duration, viewer count), viewer data (user IDs, join/leave times, chat messages), and chat logs are collected. Streams may be cached for 24-48 hours for moderation. Chat logs are retained for 30 days.
3E. AI Content Detection
- Post captions analyzed for AI-generated content
- Detection results, behavior scores, appeal records, and warning history collected
- Automated Decision-Making (GDPR Art. 22): Posts with 95%+ AI probability may be auto-removed. You may appeal and request human review.
- Detection records retained 12 months; appeal records retained 24 months
3F. Blocking & Interaction Data
Block relationships, Double Downvote actions, and targeting patterns are stored permanently unless manually removed. Blocked users are not notified.
3G. Third-Party Embeds
Embeds from YouTube (privacy-enhanced mode), TikTok, Vimeo, Instagram, Spotify, Apple Music, and SoundCloud are supported. Embeds load only on click (no autoplay). Your IP address, browser info, and viewing behavior may be shared with the embed provider. URL cards use server-side link previews to protect your privacy.
3H. News Aggregation
Headlines are aggregated via NewsData.io and are not personalized. Category preferences and shared articles are tracked. Clicking "Read Full Article" redirects to the original publisher's site.
4. Age and Eligibility
StarNestSocial is for users 18+. Age verification is required at signup. NSFW content is strictly prohibited. Illegal content is reported to authorities.
5. Retention & Security
Data is kept only as long as needed. Account deletion purges most data within 90 days. Security data is retained for up to 2 years. Data is encrypted in transit and at rest. Content deletion cascades to comments, gallery references, and message previews.
5A. Security & Fraud Prevention
- Device fingerprinting, geographic monitoring, multi-device detection
- Automated fraud detection for rapid device switching, geographic anomalies, unusual payout patterns
- Identity Verification (optional): Via Stripe Identity for higher payout limits. Stripe collects and stores ID/biometric data; StarNestSocial only receives verification confirmation.
- Manual review for first payouts, payouts over $200, and flagged accounts
- Security data retained up to 2 years for fraud detection accuracy
6. Your Rights
- Access: Request a copy of your personal data (Settings → Privacy → Download My Data or email us)
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion (see Account Deletion Policy)
- Portability: Receive data in machine-readable format (JSON)
- Restrict Processing: Limit processing while complaints are resolved
- Object: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent for ad personalization, marketing emails anytime
- Automated Decisions: Request human review of automated decisions (see Section 10A)
Response Timeframes
- GDPR: 30 days (extendable by 60 days with notice)
- CCPA/CPRA: 45 days (extendable by 45 days with notice)
- Other US state laws: 30–45 days per applicable law
Right to Lodge a Complaint: EU/EEA residents may contact their local supervisory authority at edpb.europa.eu. UK residents may contact the ICO.
7. Global Transfers
Your data may be transferred to the United States and other countries. We use the following safeguards:
- EU-US Data Privacy Framework: Stripe is DPF-certified for payment data transfers
- Standard Contractual Clauses (SCCs): Applied to transfers to Supabase, Cloudinary, and MailerSend
- Supplementary Measures: Encryption, pseudonymization, and access controls supplement SCCs
Where Your Data Is Processed
- Supabase — United States (AWS)
- Stripe — United States (DPF certified)
- Cloudinary — United States (AWS)
- MailerSend — European Union
- NewsData.io — United States
7A. Cookies & Tracking Technologies
- Strictly Necessary: Authentication, session management, CSRF protection
- Functional: Language, theme, notification preferences
- Analytics: Usage patterns, feature adoption, error tracking (Sentry)
- Advertising: Ad personalization and frequency capping (requires GDPR consent)
See our Cookie Policy for full details. Native mobile apps do not use web cookies.
7B. Data Breach Notification
- GDPR: Supervisory authority notified within 72 hours (Article 33)
- US State Laws: Notification within 30–60 days per applicable law
- User Notification: Email, in-app notification, and website notice for high-risk breaches
- Disclosure: Nature of breach, data categories involved, consequences, remedial measures, and steps you can take
8. Updates
We may update this Privacy Policy and will notify users of significant changes via email or in-app notification.
9. Advertising & Ad Partners
StarNestSocial monetizes through rewarded video ads. Primary partner: Google AdMob. Mediation partners may include ironSource, AppLovin, Unity Ads.
Data Shared with Ad Partners
- Device info, advertising identifiers (IDFA/AAID), IP address, ad interaction data, app usage patterns
- We do NOT share email, username, posts, messages, or payment info with ad networks
Your Choices
- GDPR: Consent prompt via Google UMP. Manage in Settings → Privacy → Ad Choices
- CCPA: "Do Not Sell or Share" toggle in Settings → Privacy → CCPA Settings
- iOS ATT: Apple's App Tracking Transparency prompt
- GPC: We honor Global Privacy Control browser signals
Advertiser Data Disclosures
Advertisers receive only aggregate campaign data (impressions, CTR, Attention Scores, device type distribution, placement breakdown). They cannot see usernames, emails, profile data, IP addresses, or any personally identifiable information.
10. Data Retention & Deletion
- Account data: Retained while active; deleted 90 days after closure
- Content: Retained unless deleted; soft-deleted content purged after 90 days
- Ad session logs: 2 years
- Security logs: 2 years
- Financial records: 7 years (tax/accounting compliance)
- Legal holds: Extended until matter resolved
Requesting Deletion
Request via Settings → Privacy → Delete Account. Your account enters a 90-day grace period during which it is deactivated. You may cancel via the email link. After 90 days, data is permanently purged. See our Account Deletion Policy.
GDPR Right to Erasure
EU/EEA/UK users may request erasure within 30 days. Email starnestsocial@gmail.com with subject "GDPR Erasure Request."
10A. Automated Decision-Making
Per GDPR Article 22, we disclose all automated decision-making systems:
- AI Content Detection: Posts with 95%+ AI probability may be auto-removed (appealable)
- Fraud Risk Scoring: Device fingerprints, geographic patterns, and behavioral signals generate risk scores that may trigger payout holds
- OFAC Sanctions Screening: All payout recipients screened against the U.S. Treasury SDN list
- Payout Flagging: First payouts, high-value payouts ($200+), and elevated-risk accounts flagged for manual review
- Content Moderation: Automated systems flag potential policy violations for human review
No automated decision results in permanent account action without human review. You may request explanations and contest any automated decision by emailing starnestsocial@gmail.com.
11. US State Privacy Rights
StarNestSocial honors privacy rights under all 18 US states with comprehensive privacy laws (as of Feb 2026), including California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Minnesota, and Maryland.
We honor Global Privacy Control (GPC) signals as a universal opt-out. See US State Privacy Rights and California Privacy Rights for details.
Contact
For privacy inquiries: starnestsocial@gmail.com
Data Protection Officer: Not required under GDPR Article 37 at this time. All privacy inquiries handled via the email above. This determination will be reassessed as the platform scales.
StarNest LLC, Nevada, USA