★GimmeStar

Privacy Policy

Last updated: March 2026

GimmeStar ("we", "us", "our") respects your privacy. This Privacy Policy explains what data we collect, why we collect it, and how we protect it.

1. What We Collect

From business owners (account holders)

  • Account information: name, email address, password (hashed, never stored in plain text)
  • Business information: business name, Google Business Profile URL, logo (if uploaded), brand color preference
  • Usage data: login activity, dashboard interactions, feature usage
  • Payment information: processed by Stripe. We do not store credit card numbers.

From customers who scan a QR code

  • Scan data: IP address (anonymized), browser user agent, referrer, timestamp
  • Rating: the star rating selected (1-5)
  • Private feedback: message text and email address (if voluntarily provided)

We do not require customers to create an account, provide their name, or identify themselves in any way. The email field on the feedback form is optional.

2. How We Use Your Data

  • To provide the Service: generating review pages, QR codes, routing feedback, displaying analytics
  • To send transactional emails: account confirmation, password resets, feedback notifications
  • To improve the Service: understanding usage patterns, fixing bugs, developing features
  • To communicate with you: service updates, changes to terms or pricing (account holders only)

We do not sell your data to third parties. We do not use your data for advertising. We do not share customer feedback data with anyone other than the business owner it was submitted to.

3. Data Storage and Security

All data is stored on secure servers with encryption at rest and in transit (TLS). Passwords are hashed using bcrypt. Sessions are stored in the database with secure tokens.

We retain account data for as long as your account is active. If you delete your account, your data is permanently removed within 30 days.

Customer scan and feedback data is retained for as long as the associated business account is active.

4. Third-Party Services

We use the following third-party services:

  • Maileroo: for sending transactional emails (confirmation, password reset, notifications)
  • Stripe: for payment processing (when paid plans are introduced)
  • Google: customers are redirected to Google Reviews to write their review. We do not send any personal data to Google - the redirect is a simple URL navigation initiated by the customer's browser.

Each third-party service has its own privacy policy. We encourage you to review them.

5. Cookies

We use essential cookies only:

  • Session cookie: to keep you logged in. Expires when you log out or after inactivity.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking tools.

6. Customer-Facing Review Pages

When a customer scans a QR code and visits a review page (e.g., gimmestar.com/r/your-business), we record the scan for analytics purposes. The data collected is limited to: IP address (for duplicate detection and geographic insight), browser user agent, referrer, and timestamp.

If the customer submits private feedback, we store their message and email address (if provided). This data is visible only to the business owner and GimmeStar administrators for support purposes.

We do not track customers across websites, build profiles, or use their data for any purpose other than delivering the feedback to the business owner and displaying aggregate analytics.

7. Your Rights

You have the right to:

  • Access your data - request a copy of the data we hold about you
  • Correct your data - update inaccurate information via your account settings
  • Delete your data - delete your account and all associated data
  • Export your data - request a machine-readable export of your data
  • Object to processing - contact us if you believe we're processing your data unlawfully

To exercise any of these rights, contact us at [email protected].

8. GDPR (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR). Our legal basis for processing your data is:

  • Contract performance: processing necessary to provide the Service you signed up for
  • Legitimate interest: improving the Service, preventing fraud, ensuring security
  • Consent: where explicitly given (e.g., enabling Smart Routing)

For GDPR-related inquiries or complaints, contact us at [email protected].

9. Children

GimmeStar is not intended for use by individuals under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Questions or concerns about your privacy? Contact us at [email protected].

© 2026 GimmeStar