Privacy Policy
Last updated: 7 July 2026
What we collect
Account details (name, email, role), the content your organisation creates in its workspaces
(messages, notes, tasks, files), and soft presence check-ins (“I’m in / I’m out”). Presence is
attendance-style status — we do not track activity, keystrokes, screenshots or time.
What we don’t do
This marketing site sets no cookies and runs no analytics or advertising trackers. The application
uses only the session cookies required to keep you signed in. We do not sell or rent personal data —
to anyone, ever.
Who can see what
Visibility is enforced at the database layer. Staff see the spaces they are seated on; managers and
owners see their organisation; a guest sees only the single space they were invited to — its guest
channel and shared board — and never an organisation’s internal conversations, other clients, or staff
structure.
Processors we use
We use a small number of infrastructure providers to run the service: Supabase (application database
and authentication), Postmark (transactional email — invitations, password resets), Cloudflare (DNS and
network) and, from public launch, a merchant of record for payments (they receive billing details; we
never see your card number). Each processes data only on our instructions.
Where data lives
Application data is hosted with Supabase; the hosting region will be published at public launch and
pinned per organisation thereafter.
Your rights
Your organisation’s owner can export its data or request deletion of the organisation and all its
content at any time. Individuals may contact us directly about access, correction or erasure of their
personal data: hello@starfi.sh. We answer within 30 days.
Contact
Privacy questions: hello@starfi.sh — Starfish, Republic of the Philippines.