Privacy Policy
This document explains what data we hold about you in Lodestar, why we hold it, and how we handle it. We've tried to write it without legal fluff — the way we'd say it to you in person.
1. Who we are
Lodestar is operated by KONGERA s.r.o., the controller of your personal data under the GDPR. Got a question? Write to us at privacy@lodestar.app.
2. What data we hold
- Account: your email and a hashed password (managed by Supabase Auth).
- Profile: your name and settings (timezone, push opt-in).
- Content: organizations, projects, tasks, vision (text and images), AI briefing.
- Subscription: subscription status (trial / active / cancelled), Stripe customer ID and subscription ID — no card numbers (those stay with Stripe).
- AI usage: the number of AI calls per month (for the fair-use limit) — function type and time; no prompt content.
- Push tokens: the Expo push token of your devices (if you allow notifications).
3. Why we hold it
To provide the service — the legal basis here is performance of a contract (Art. 6(1)(b) GDPR). We keep security logs on the basis of our legitimate interest (Art. 6(1)(f)). The AI advisor runs as part of your subscription — Anthropic is a sub-processor of KONGERA (prompts contain your content and are routed via our API account).
Providing an email is a contractual requirement for creating an account — without it we can't provide the service to you.
4. Who we share it with
The following sub-processors process data on our behalf. We don't sell your data to any other vendor or ad network.
- Supabase (Frankfurt, EU) — database, auth, file storage.
- Vercel (USA) — web and edge function hosting.
- Anthropic (USA) — the AI advisor sends your content to
api.anthropic.comas part of providing the service. - Stripe (USA/Ireland) — processing payments and invoices for your subscription. It receives your name, email, billing address (if you provide one) and payment metadata; it has no access to your content.
- Expo (USA) — push notifications (if you allow them).
For transfers of personal data to the USA (Vercel, Anthropic, Stripe, Expo) we use Standard Contractual Clauses (Art. 46(2)(c) GDPR), or the transfer takes place under the Data Privacy Framework where applicable.
5. How long we hold it
As long as your account exists. After you delete it, everything is gone within 30 days — including backups.
6. Your rights
You have the right to access, rectification, erasure, portability, objection and restriction of processing (Art. 15–21 GDPR). Here's how you exercise them:
- Access: you can see your data directly in the app.
- Rectification: edit your data directly in the app.
- Portability: download a JSON export in Settings.
- Erasure: delete your account in Settings.
- Objection / restriction: write to privacy@lodestar.app.
7. Automated decision-making
The AI advisor in Lodestar gives you suggestions and ideas — it doesn't make binding decisions that have a legal or similarly significant effect on you. So this isn't automated decision-making within the meaning of Art. 22 GDPR.
8. Cookies
We use only essential cookies: a session cookie (Supabase Auth) and pb_active_org (which remembers your active organization). No marketing or analytics cookies.
9. Age
Lodestar isn't intended for people under 16. If you're younger, please don't register.
10. Complaint
Think we're handling your data badly? Write to us — we'll be glad to put it right. You can also contact the Slovak Data Protection Authority directly at uoou.sk.
11. Fair-use AI
To keep Lodestar available and stable, the AI advisor has a fair limit of 500 calls per month per user. For our records we store metadata (call count, time, function type) — we store nothing beyond the data we already hold for you.
12. Changes to this policy
For any material changes we'll notify you by email at least 14 days in advance.