Privacy Notice

Please read this document carefully before accessing or using this service!

1. Introduction
1.1 English, Not Legalese

Most Terms of Use and Privacy Policy documents are unreadable. They are written by lawyers and for lawyers, and in our opinion are not very effective.

Data privacy is important, and we want you to understand the issues involved.
For that reason we decided to use plain English instead as much as possible, to make our terms as clear as possible. Some sections still have room for improvements
We plan to tackle these over time.

When you read ‘Starase’ or ‘the Service’ below, it refers to the services made available at starase.com and its subdomains which store your account, provides services such as hosting and its derivates like ftp, email and web services as well via Starase’s ecosystem. Where you read ‘Starase’ or ‘we’ or ‘us’ below, it refers to the Company created in October 2018 to hire the Starase core team and support Starase’s development and so run the Starase’s Infrastructure and their agents. If this agreement is not acceptable, please feel free to use another service around the Internet server provided by someone else! Starase and its person are the Data Controller for the Service.

We can be contacted as per the details below:
Email: privacy@starase.com

Postal address:
Starase
51 Henley Drive
London, United Kingdom
SE1 3AR

Should you have other questions or concerns about this document, please send us an email at privacy@starase.com

1.2 Using The Service Means Accepting These Terms

By accessing or using the Service in any way, whether you have created a Starase account on the Starase’s ecosystem, or whether you are accessing contents such your website, emails and files, you agree to and are bound by the terms and conditions written in this document. If you do not agree to all of the terms and conditions contained in this document, please use a Starase’s Infrastructure provided by someone else and refrain from accessing content in this server.

1.3 This Is a Living Document

This is a living document. With your help, we want to make it the best in the industry. If you read something that rubs you the wrong way, or if you think of something that should be added, please get in touch! We’re all ears!

Email: privacy@starase.com and we’ll chat.

We don’t amend this document for any specific users or use case, but if your proposed changes apply to all of our users, we’ll be happy to update it for everyone. Scroll to the bottom to see the history so far. We will likely improve this document over time. By continuing to use the Service, you will implicitly accept the changes we make. Your access and use of the Service is always subject to the most current version of this document.

2. Access to Your Data / Privacy Policy

2.1 What is the legal basis for processing my data and how does this affect my rights under GDPR (General Data Protection Regulation)?
2.1.1 Legal Basis for Processing

Starase processes your data under Legitimate Interest. This means that we process your data only as necessary to deliver the Service, and in a manner that you understand and expect. The Legitimate Interest of our Service is the provision, openly and (optionally) end-to-end encrypted communication services. The processing of user data we undertake is necessary to provide the Service. The nature of the Service and its implementation results in some caveats concerning this processing, particularly in terms of GDPR Article 17 Right to Erasure (Right to be Forgotten). We believe these caveats (discussed in the section below in detail) are in line with the broader societal interests served by providing the Service. In situations where the interests of the individual appear to be in conflict with the broader societal interests, we will seek to reconcile those differences guided by our policy.

2.1.2 Right to Erasure

You can request that we forget your copy of messages, website(s), files by instructing us to deactivate your account sending us an encrypted email to security@starase.com and instructing us what we need to forget. Any messages or files that were only accessible by your account will be deleted from our servers within 30 days. Apart from state events (see below), these messages and files will not be shared with anybody when we have processed your request to be forgotten. State events are processed in the same way as to non-state events. We, therefore, share state events sent by your account with all non-essential data removed (‘redacted’), even after we have processed your request to be forgotten. If this is not acceptable to you, please do not use the Service.

2.1.3 Data Portability Under GDPR

You have a right to request a copy of your data in a commonly-accepted format. If you would like a copy of your data, please send a request over Starase to privacy@starase.com with this specific Subject: GDPR – request a copy.

In the future, we will provide a better interface for this!

2.1.4 Your Rights as Data Subject

You have rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances. Some of these rights are explored in more detail elsewhere in this document. For completeness, your rights under GDPR are:

  1. The right to be informed

  2. The right of access

  3. The right to rectification

  4. The right to erasure

  5. The right to restrict processing

  6. The right to data portability

  7. The right to object

  8. Rights in relation to automated decision making and profiling.

For more details about these rights, please see the guidance provided by the ICO. If you have any questions or are unsure how to exercise your rights, please contact us at privacy@starase.com.

2.2 What Information Do You Collect About Me and Why?

The information we collect is purely for the purpose of providing your communication service via Starase. We do **not** profile users or their data on the Service.

Be aware that while we do not profile users on the Service, external clients used to benefit about Starase’s Service may gather usage data.

2.2.1 Information you provide to us

We collect information about you when you input it into the Service or otherwise provide it directly to us.

Account and Profile Information

In the next future, we will collect information about you when you register for an account. At this time the document is ready to be used and this information is kept to a minimum on purpose and is restricted to:

  • Username

  • Password

  • Display Name

  • Your email address

Your username and password are used to authenticate your access to the Service and to uniquely identify you within the Service. Your email address it will be used to get any technical or sales support if you already have a service in place or if you are planning to. We will also use your email address to let you reset your password if you forget it and we may also send you infrequent urgent messages about platform updates, planned maintenance, platform issues, attacks.

Content you provide through using the Service

We store and distribute emails, websites, files as described by the Starase protocol and according to the access rules configured within the system. Storing and sharing this content is the reason the Service exists. This content includes any information about yourself that you choose to share.

2.2.2 Information we collect automatically as you use the service
Device and Connection Information

Each device you use to access the Service is allocated a (user-configurable) identifier. When you access the Service, we record the device identifier, the IP address it used to connect, user agent, and the time at which it last connected to the service. Currently, we log the IP addresses of everyone who accesses the Service. This data is used in order to mitigate abuse, debug operational issues, monitoring platforms, systems, and monitor traffic patterns. Our logs are kept for not longer than 365 days. Once Starase is officially out we will consider implementing log minimisation up to 180 days.

2.3 What Information is Shared With Third Parties and Why?
2.3.1 Sharing Data with Connected Services

We do not usually share any information with third parties unless the owner of that domain will decide to do it but is completely out of our control and Starase does not assume any responsibility about it

We recommend the use of end-to-end encryption to protect your email messages, and in future we intend to enable end-to-end encryption by default. If the way in which data is shared is not acceptable to you, please use a different server or service.

2.4 Sharing Data in Compliance with Enforcement Requests and Applicable Laws: Enforcement of Our Rights

In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to

(a) comply with any applicable law, regulation, legal process or governmental request,
(b) protect the security or integrity of our products and services (e.g. for a security audit),
(c) protect Starase and our users from harm or illegal activities, or
(d) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the serious bodily harm of any person.

2.5 How Do You Handle Passwords?

We do not store password data in plain text; instead, they are stored hashed with at least 12 characters as per best practice

Passwords sent to the server are encrypted using SSL. It is your sole responsibility to keep your user name, password and other sensitive information confidential. It also your responsibility change the complexity of your password following the standard described in here. Accordingly to Wikipedia you should change your password periodically, often every 90 or 180 days.

Actions taken using your credentials shall be deemed to be actions taken by you, with all consequences including service termination, civil and criminal penalties. If you become aware of any unauthorized use of your account or any other breach of security, you must notify us immediately by sending an email to abuse@starase.com. The users should manage good password hygiene (e.g. using a password manager) and change their password if they believe their account is compromised. If you forget your password (and you have registered an email address) you can use the password reset facility to reset it. Some service are not linked and you will always be able to recover your password using support@starase.com or raising a new ticket (we are already working on it)

We will never change a password for you.

2.6 Our Commitment to Children’s Privacy

We never knowingly collect or maintain information in the Service from those we know are under 16, and no part of the Service is structured to attract anyone under 16.
If you are under 16, please do not use the Service.

2.7 How Can I Access or Correct My Information?

You can access all your personally identifiable information that we collect by using any compatible Browser (Google Chrome, Firefox, Internet Explorer, Safari, Opera or Tor browser) and managing your User Settings when Starase is gonna be officially out. You can download a copy of all your data as per section 2.1.3.

2.8 Who Can See My Messages and Files?

This data is stored in the format it was received on our servers, and can be viewed by Starase engineers (employees and contractors) under the conditions outlined below. Mostly our websites working through a database when the data is stored. At the moment, end-to-end encrypted messaging data is up to you and we recommend to use PGP to guarantee your privacy.

2.9 What Are the Guidelines Starase Follows When Accessing My Data?

  • We restrict who at Starase (employees or contractors) can access user data to roles which require access in order to maintain the health of the Service.

  • We never share what we see with other users or the general public.

2.10 Who Else Has Access to My Data?

We host the majority of the Service in Contabo, Aruba and Tiktalik data centres. Here’s Contabo’s privacy policy, Aruba’s privacy policy and Tiktalik’s privacy policy.
Contabo, Aruba and Tiktalik controls physical access to their locations. We use Cloudflare to mitigate the risk of DDoS attacks and manage some DNS records associated with Starase’s domain. Here’s CloudFlare’s privacy policy.

We use secure private keys when accessing servers via SSH by 4096 bit.
We log application data (username, user IP and user agent).
We keep logs for no longer than 365 days.
We monitor our Infrastructure 24/7/365

2.11 What happens if Starase is sold?
In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If we or substantially all of our assets are acquired by a third party, personal data held by us about our users will be one of the transferred assets.

2.12 How Is My Data Protected from Another User’s Data?

All of our users’ data for the Service currently resides in different nodes. We use software best practices to guarantee that only people who you designate as viewers of your data can access it. In other words, we segment our user data via software. We do our best and are very confident we’re doing a good job at it, but, like every other service that hosts their user data on the same database, we cannot guarantee that it is immune to a sophisticated attack.

2.13 What Should I Do If I Find a Security Vulnerability in the Service?

If you have discovered a security concern, please email us at security@starase.com. We’ll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to security@starase.com our highest priority and work to address any issues that arise as quickly as possible. Please act in good faith towards our users’ privacy and data during your disclosure. White hat security researchers are always appreciated.

If you are sending sensitive information you can encrypt your communications to Starase, or verify signed messages you receive from Starase using the PGP key below:

  • Key ID: 4703B15E

  • Key type: RSA

  • Key size: 4096

  • User ID: security@starase.com

  • Fingerprint: 1070 8C69 1083 E1C2 56CA D8EA C76C 44E8 4703 B15E

3. Making a Complaint

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention at privacy@ starase.com if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. If you want to make a complaint about the way we have processed your personal information to the supervisory authority, you can contact the ICO (the statutory body which oversees data protection law) at https://www.ico.org.uk/concerns.

4. Document History

  • 2019, April 18: created.

  • 2020, May 13: updated

A note to other startups: this document was heavily inspired by Matrix and Balsamiq’s plain English ToS document. We were impressed by their championing of plain English and wanted to reproduce that as much as possible in our own legal documentation. Feel free to use it accordingly by your business.