Privacy Policy

Last updated: 2026-02-22

1. Data Controller

The data controller for your personal data is the operator of starcrew.link.

Contact email: [email protected]

2. Data We Collect

Account Data

When you create an account we collect:

  • Email address
  • Display name
  • Authentication credentials (password is hashed and never stored in plain text)

Profile Data

When you complete your profile we may additionally collect:

  • RSI (Roberts Space Industries) handle
  • Avatar image
  • RSI handle verification status
  • Referral code

Activity Data

When you use the platform we collect data related to your activity, including:

  • Messages sent through the platform
  • Friendship connections
  • Looking For Group (LFG) posts
  • Ship lending offers and requests
  • Ratings and reviews
  • Giveaway participation, including RSI handles submitted for giveaway entries
  • Screenshot and video proof files uploaded for giveaway creation and entry verification

Technical Data

We automatically collect certain technical information:

  • Authentication cookies (sb-*-auth-token) required for session management
  • LocalStorage preferences (e.g. cookie consent choice, UI settings)

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR) — processing is necessary to provide you with the platform's services, including account management, messaging, matchmaking, ship lending, and referral features.
  • Consent (Art. 6(1)(a) GDPR) — for storing and reading functional cookies and localStorage preferences on your device, and for loading analytics services (Umami and Microsoft Clarity) when you accept the analytics category. You may withdraw consent at any time via the cookie settings.
  • Legitimate interest (Art. 6(1)(f) GDPR) — for maintaining platform security, preventing abuse, and ensuring the integrity of our services.

4. Cookie Usage & Analytics

We use cookies strictly necessary for authentication and optional functional cookies for your preferences. When you consent to the analytics category we also load:

  • Umami — a privacy-focused, open-source analytics tool hosted on our own infrastructure. Umami does not use cookies, does not collect personal data, and all data remains on our servers.
  • Microsoft Clarity — a session recording and heatmap service provided by Microsoft Corporation. We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies (_clck, _clsk) and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimisation, fraud/security purposes and advertising. Data is processed by Microsoft under their Privacy Statement. Clarity does not collect passwords, payment details, or keystrokes in sensitive fields.

We do not use our own advertising or marketing tracking cookies. However, Microsoft may use data collected through Clarity for advertising purposes as described in the Microsoft Privacy Statement.

For a detailed breakdown of all cookies used, please see our Cookie Policy.

5. Data Retention

We retain your personal data for as long as your account remains active and you continue to use our services.

If you request account deletion, we will erase your personal data within 30 days of the request. Certain data may be retained longer if required by law or to resolve disputes.

6. Your Rights

Under the GDPR you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected].

You also have the right to lodge a complaint with a supervisory authority. The competent authority in Poland is:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
https://uodo.gov.pl

7. Third-Party Services

Supabase (Data Processor)

We use Supabase as our backend infrastructure provider. Supabase acts as a data processor on our behalf and stores your account data, profile data, and activity data. Supabase is a US-based company and processes data under Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of data protection.

RSI Website (Public Data Scraping)

During RSI handle verification, our service accesses your publicly available citizen page on the Roberts Space Industries website to confirm the presence of a verification code you placed in your bio. We do not store any data from RSI beyond the verification result.

Discord (Webhook Integration)

We use Discord webhook integration for internal platform notifications. No personal user data is shared with Discord through these webhooks.

Microsoft Clarity & Microsoft Advertising (Analytics Processor)

When you consent to analytics, we partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimisation, fraud/security purposes and advertising. Microsoft acts as a data processor and processes data under its Privacy Statement and applicable Data Processing Addendum. No personal data such as passwords or payment details is captured.

8. International Data Transfers

Your personal data may be transferred to and processed in the United States through our use of Supabase infrastructure and Microsoft Clarity. These transfers are safeguarded by Standard Contractual Clauses (SCCs) in accordance with Art. 46(2)(c) GDPR, ensuring that your data receives a level of protection equivalent to that under EU law.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All communications are encrypted via HTTPS/TLS.
  • Passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • Authentication tokens are stored in httpOnly cookies to prevent client-side script access.
  • A Content Security Policy (CSP) is enforced to mitigate cross-site scripting and injection attacks.
  • Row Level Security (RLS) policies are applied at the database level to ensure users can only access data they are authorized to see.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting a prominent notice on the platform or by sending you a direct notification.

We encourage you to review this policy periodically. Your continued use of the platform after any changes constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy, please contact us at [email protected].