Northstar

Privacy Policy

Last updated: May 14, 2026

This policy explains what data we collect, why we collect it, how we use it, and what rights you have. We have written it to be read, not filed away.

Contents
01 Introduction
02 Who we are and how to contact us
03 Information we collect
04 How we use your information
05 Legal bases for processing (EEA and UK users)
06 How we share your information
07 Data retention
08 Your rights
09 Security
10 Cookies and tracking technologies
11 International data transfers
12 Children's privacy
13 Third-party links and integrations
14 AI and automated decision-making
15 Changes to this Privacy Policy
16 Contact us

01

Introduction

This Privacy Policy describes how Northstar AI, Inc. ("Northstar," "we," "us," or "our") collects, uses, discloses, and safeguards information about you when you visit our website at northstar.ai (the "Site"), use our software-as-a-service platform (the "Platform"), or otherwise interact with us. Please read this policy carefully. If you disagree with any part of it, please discontinue use of our services.

We are committed to being transparent about how we handle your data. This document covers everything: what we collect and why, how long we keep it, who we may share it with, what rights you have, and how to exercise them. We have tried to write it in plain language rather than legalese — and where we use technical terms, we explain them.

This Privacy Policy applies to all users globally. Additional rights and disclosures apply to users in the European Economic Area ("EEA"), United Kingdom, Switzerland, and California — these are called out specifically in the sections below.

02

Who we are and how to contact us

Northstar AI, Inc. is a Delaware corporation headquartered at 340 Pine Street, Suite 800, San Francisco, CA 94104. We operate an AI-powered outbound sales platform that helps sales and go-to-market teams discover leads, draft personalized outreach, and manage email deliverability through agentic automation.

For privacy-related inquiries, requests to exercise your rights, or complaints, you can reach our privacy team at: privacy@northstar.ai. We aim to respond to all privacy inquiries within 30 days.

If you are located in the EEA or UK, Northstar AI, Inc. acts as the data controller for personal data processed in connection with our services. We do not currently have a dedicated EU or UK representative but are reachable directly at the email address above.

03

Information we collect

Information you provide directly

Account registration: When you create an account — whether via email/password or Google OAuth — we collect your name, email address, and (if applicable) a hashed password. We never store plaintext passwords.

Onboarding data: During our onboarding flow, you tell us about your company, your ideal customer profile ("ICP"), your use case (sales, ad tech, investor, founder), and your outbound goals. This information is used to personalize your experience and configure your AI agents.

Billing information: When you subscribe to a paid plan, you provide payment card details. These are processed directly by Stripe, Inc., our payment processor. Northstar receives only a tokenized card reference and billing address — never your raw card number, CVV, or full PAN.

Communications: If you contact us via email, submit a support ticket, or respond to a survey, we collect the content of those communications and any contact information you include.

Voice call data: If you use our AI voice feature (Jarvis), voice sessions are processed in real time by our third-party voice infrastructure. Conversation transcripts are stored temporarily to power session memory and may be retained for service improvement subject to the retention limits in Section 07.

Information collected automatically

Usage data: We log actions you take within the Platform — pages visited, features used, buttons clicked, searches performed, agent runs triggered, and emails sent or received via our Gmail integration. This helps us understand how the product is used and identify areas for improvement.

Device and browser data: We automatically collect your IP address, browser type, operating system, referring URL, and device identifiers when you visit our Site or Platform. This information is used for security, fraud prevention, and aggregate analytics.

Cookies and similar technologies: We use cookies, local storage, and session tokens to maintain your login state, remember preferences, and collect analytics data. See Section 10 for our full cookies disclosure.

Error and performance data: We use Sentry for error monitoring. When errors occur in the application, Sentry automatically captures stack traces, browser context, and — where applicable — the state of the application at the time of the error. We configure Sentry to minimize the inclusion of personal data in error payloads.

Information from third-party sources

Google: If you connect your Google account, we receive your name, email address, and (with your explicit consent) access to your Gmail inbox via OAuth scopes. We use Gmail access solely to send outbound emails on your behalf and to poll for replies. We do not read emails outside the threads initiated through our platform.

Search and enrichment providers: Our platform uses third-party web search APIs (including Serper and Brave) and web scraping tools (including Firecrawl) to discover publicly available information about companies and individuals you choose to prospect. This information is retrieved on your behalf and stored in your account.

Public web: Our AI agents may crawl and process publicly available web pages — company websites, LinkedIn profiles, press releases, news articles — to enrich the contact and company records in your workspace.

04

How we use your information

Providing and improving the Platform: We use your information to authenticate you, personalize your experience, run AI agents on your behalf, deliver emails, classify replies, and operate all other Platform features. Without this, we cannot provide the service.

AI model operations: Queries and context you submit to our AI features are sent to our large language model ("LLM") providers (currently Groq and OpenRouter, which route to models including Meta's LLaMA and Anthropic's Claude). These providers process your input to generate responses. We do not use your individual queries to train models without explicit consent.

Personalization: We use your ICP, use case, and onboarding data to tailor the signals we surface, the personas we suggest, and the tone of AI-generated drafts.

Analytics and product development: We analyze aggregated, de-identified usage patterns to understand which features are valuable, where users encounter friction, and how to prioritize our roadmap. We do not sell insights derived from individual user data.

Security and fraud prevention: We monitor usage patterns and log events to detect and prevent unauthorized access, abuse, spam, and other security threats.

Legal and compliance: We may process your information where required by law, to respond to lawful requests from public authorities, to enforce our Terms of Service, or to protect the rights, property, or safety of Northstar, our users, or the public.

Communications: We send transactional emails (account confirmation, password reset, billing receipts) and — with your consent — product updates, tips, and announcements. You can opt out of marketing communications at any time via the unsubscribe link in any email or by contacting us at privacy@northstar.ai.

05

Legal bases for processing (EEA and UK users)

If you are located in the EEA or UK, we are required under the GDPR (or UK GDPR) to have a valid legal basis for each type of personal data processing. Our legal bases are as follows:

Contract performance (Article 6(1)(b)): We process your name, email, billing information, onboarding data, and usage data to perform our contract with you — i.e., to deliver the Platform and its features.

Legitimate interests (Article 6(1)(f)): We rely on legitimate interests for security and fraud prevention, error monitoring, aggregate analytics, and product improvement. We have conducted balancing tests and determined these interests are not overridden by your interests or fundamental rights, given the limited privacy impact and clear benefit to both parties.

Legal obligation (Article 6(1)(c)): We process data as required by applicable law, including tax law, anti-fraud obligations, and responses to lawful legal process.

Consent (Article 6(1)(a)): We rely on consent for optional marketing communications and for any processing of special categories of data (which we do not intentionally collect). You may withdraw consent at any time without affecting the lawfulness of prior processing.

06

How we share your information

Northstar does not sell your personal data. We do not trade, rent, or exchange your personal information with third parties for their own marketing purposes.

Service providers: We share data with third-party vendors who process it on our behalf under written data processing agreements. These include: Stripe (payments), Google (OAuth and Gmail API), Sentry (error monitoring), Groq and OpenRouter (LLM inference), ElevenLabs (text-to-speech), Serper and Brave (web search), Firecrawl (web scraping), and our cloud hosting provider. Each vendor is contractually restricted to using data only for the services they provide to us.

Business transfers: If Northstar is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your information may be transferred as part of that transaction. We will notify you — via email and/or a prominent notice on the Site — before your personal data is transferred and becomes subject to a different privacy policy.

Legal disclosures: We may disclose your information if required by law, subpoena, court order, or governmental request; if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others; or to investigate fraud or respond to a government request.

With your consent: We may share your information for any other purpose with your prior explicit consent.

Aggregated or de-identified data: We may share aggregated, statistical information that does not identify individual users — for example, publishing that a certain percentage of users book meetings within the first week. This is not personal data.

07

Data retention

We retain personal data for as long as your account is active or as needed to provide you with services. When you close your account, we begin a 30-day grace period during which your data is preserved to allow account recovery. After 30 days, we initiate deletion of your personal data from our primary databases, except where retention is required by law.

Billing and financial records: We retain invoices, payment records, and related billing data for seven years to comply with tax and accounting obligations.

Email logs: Metadata about emails sent through our platform (sender, recipient, timestamp, subject) is retained for 12 months. Email body content is not stored beyond what is needed for reply classification, and is deleted within 30 days of receipt.

Voice session transcripts: Session transcripts are retained for a maximum of 90 days to power the agent memory feature. You can delete individual session memories from within the Platform at any time.

Error logs: Error payloads captured by Sentry are retained for 90 days.

Aggregate analytics: Anonymized, aggregated usage data that cannot be linked back to individual users may be retained indefinitely for product analytics purposes.

Backups: Encrypted database backups may retain your data for up to 60 days beyond deletion from the primary database. These backups exist solely for disaster recovery purposes and are not used for any other processing.

08

Your rights

Rights for all users

Access: You can view and export your account data at any time from your workspace settings.

Correction: You can update your name, email, and profile information from your account settings. For other corrections, contact us at privacy@northstar.ai.

Deletion: You can delete your account at any time. See Section 07 for what is retained and why after deletion.

Opt-out of marketing: Every marketing email includes an unsubscribe link. You can also opt out by emailing privacy@northstar.ai.

Additional rights for EEA and UK users (GDPR / UK GDPR)

Right to erasure ("right to be forgotten"): You may request deletion of your personal data beyond what is covered by standard account deletion. We will comply within 30 days unless a legal basis for retention applies.

Right to restriction: You may request that we restrict processing of your data while a dispute is pending.

Right to data portability: You may request a machine-readable export of your personal data that you have provided to us.

Right to object: You may object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. In the UK, the relevant authority is the ICO (ico.org.uk).

Additional rights for California users (CCPA / CPRA)

Right to know: You have the right to know what categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it. This Privacy Policy serves as our CCPA disclosure.

Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, completion of a transaction).

Right to correct: You may request correction of inaccurate personal information.

Right to opt out of sale or sharing: Northstar does not sell or share your personal information for cross-context behavioral advertising. No opt-out mechanism is required, but you may contact us at privacy@northstar.ai with any concerns.

Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights — including by denying services, charging different prices, or providing a lower quality of service.

Sensitive personal information: We do not collect sensitive personal information as defined under the CPRA (e.g., Social Security numbers, precise geolocation, health data, financial account credentials, or biometric data) except as strictly necessary to provide services you explicitly request.

Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not make such disclosures.

09

Security

We implement technical, organizational, and administrative security measures designed to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These include: TLS encryption in transit, AES-256 encryption at rest, access controls and role-based permissions, regular penetration testing, security logging and anomaly detection, and employee security training.

Our third-party service providers are selected in part based on their security practices and are required under our data processing agreements to maintain appropriate security measures.

No security system is impenetrable. In the event of a data breach that affects your personal data and creates a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law — generally within 72 hours of becoming aware of the breach.

You are responsible for maintaining the confidentiality of your account credentials. Do not share your password, and contact us immediately at privacy@northstar.ai if you suspect unauthorized access to your account.

10

Cookies and tracking technologies

We use the following categories of cookies and similar technologies on our Site and Platform:

Strictly necessary cookies: These are required for the Platform to function. They include session authentication tokens, CSRF protection tokens, and security cookies. You cannot opt out of these without effectively opting out of the service itself.

Functional cookies: These remember your preferences — such as your UI mode, language, and workspace settings. They improve your experience but are not strictly necessary.

Analytics cookies: We use privacy-respecting analytics tools to understand aggregate usage patterns — for example, which pages are most visited and how users navigate the funnel. Where possible, we configure these to anonymize IP addresses and avoid cross-site tracking.

We do not use third-party advertising or tracking cookies. We do not participate in cross-site behavioral advertising networks.

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking strictly necessary cookies will prevent you from logging in or using the Platform. You can also opt out of analytics tracking by contacting us at privacy@northstar.ai.

11

International data transfers

Northstar is headquartered in the United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the U.S. and other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States or other third countries, we rely on the following transfer mechanisms: (a) Standard Contractual Clauses ("SCCs") approved by the European Commission for transfers to service providers; and (b) where applicable, the EU-U.S. Data Privacy Framework for service providers certified thereunder.

By using our services, you acknowledge that your information may be transferred to and processed in countries with different data protection standards than your home country. We implement appropriate safeguards to ensure your data is protected regardless of where it is processed.

12

Children's privacy

Our services are not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you are under 16, please do not use our services or submit any personal data.

If we learn that we have collected personal information from a child under 16 without verifiable parental consent, we will delete that information promptly. If you believe we may have collected information from or about a child, please contact us at privacy@northstar.ai.

13

Third-party links and integrations

Our Platform may contain links to third-party websites, or you may connect third-party integrations (such as your Gmail account or a CRM). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you connect.

When you connect a third-party integration, that third party may collect data according to their own policies. Northstar's access to third-party services is governed by OAuth scopes you authorize, and we only use the minimum permissions necessary to deliver our service.

14

AI and automated decision-making

Our Platform uses AI and machine learning to generate outreach drafts, score leads, classify replies, and surface signals. These are tools to assist human users — not to make legally significant decisions about individuals. Humans retain full control over what emails are sent and to whom.

We do not use automated decision-making that produces legal effects or similarly significant effects on individuals who are not your sales prospects (i.e., third-party contacts your team chooses to prospect). We are not the data controller for the personal data of your prospects — you are. We process that data as a data processor on your behalf, subject to your instructions and your own applicable legal obligations.

If you are a recipient of outreach generated using our platform and you wish to opt out of future contact or have your data removed, please contact the sender directly. If you cannot identify the sender, contact us at privacy@northstar.ai and we will work to assist you.

15

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by: (a) posting the revised policy on this page with an updated "Last Updated" date; (b) sending an email to the address associated with your account; and (c) displaying an in-app banner when you next log in.

For non-material changes — such as clarifications, grammar corrections, or updated contact information — we will update the policy without individual notice, though the "Last Updated" date will always reflect the most recent revision.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with a material change, you may close your account and discontinue use before the effective date.

16

Contact us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Email: privacy@northstar.ai

Mailing address: Northstar AI, Inc., 340 Pine Street, Suite 800, San Francisco, CA 94104

We take all privacy inquiries seriously and will respond within 30 days. For EEA or UK residents with unresolved complaints, you retain the right to contact your local supervisory authority at any time — this right exists independently of any response we provide.

If you have read this far and still have questions, we genuinely want to hear from you. Privacy is a continuous conversation, not a one-time disclosure. Reach us at privacy@northstar.ai.
