Privacy Policy
Effective date:
Last updated:
1. About this policy
This Privacy Policy explains how NorthStar collects, uses, stores and protects personal information when you use the NorthStar website, application and related services.
NorthStar is operated by:
Coal Face AI LtdRegistered in England and Wales, company number 16337494
Registered office:
Mexborough Business Centre
College Road
Mexborough
South Yorkshire
United Kingdom
S64 9JP
Email: support@northstarlife.app
For the purposes of UK data protection law, Coal Face AI Ltd is the data controller for the personal information described in this policy.
NorthStar is currently being made available as a closed-alpha product. Some features may change as the service is developed and tested.
2. The information we collect
Depending on how you use NorthStar, we may collect the following categories of information.
2.1 Account and profile information
This may include:
- Your name
- Email address
- Authentication and account identifiers
- Profile preferences
- Time zone and scheduling preferences
- Subscription, access cohort and product-tier information
- Account status and administrative records
We do not normally receive or store your password directly where authentication is provided through a secure third-party authentication service.
2.2 Information you add to NorthStar
NorthStar is designed to help you organise and reflect on different areas of your life. Information you choose to add may include:
- Dreams, ambitions and focus areas
- Goals and milestones
- Habits and habit records
- To-dos, reminders and notes
- Journal entries and reflections
- Countdowns and important dates
- Planning context and priorities
- Information linked to calendar events
- Responses supplied during onboarding
- Instructions and context supplied to AI-powered features
Some of this information may be personal or sensitive in nature. You control what you choose to enter into NorthStar and should avoid adding information that you do not want stored within the service.
2.3 Connected calendar information
Where you choose to connect a supported external calendar, such as Google Calendar, NorthStar may access and store calendar information including:
- Calendar names and identifiers
- Event titles and descriptions
- Event start and end times
- Locations
- Attendee information
- Recurrence information
- Event status
- Conference or meeting links
- Calendar and event metadata
NorthStar requests read-only access to Google Calendar. NorthStar does not use this connection to edit, delete or create events in your source Google Calendar.
Information you add within NorthStar to enrich a calendar event, such as notes, linked goals, to-dos, reminders or reflections, is stored as NorthStar data and is not written back to Google Calendar.
2.4 Technical and usage information
We may collect technical information required to operate, secure and improve the service, including:
- IP address
- Browser and device type
- Operating system
- Login timestamps
- Error and diagnostic information
- Security and audit records
- Feature usage
- AI usage, token and cost information
- Synchronisation timestamps and status
- General interaction and performance information
We do not store raw AI prompts or private planning context in administrative AI usage records unless this is specifically required to provide the feature and is clearly disclosed.
2.5 Communications and support information
If you contact us, we may collect:
- Your name and email address
- The content of your enquiry
- Support correspondence
- Information required to investigate or resolve an issue
2.6 Payment information
NorthStar does not currently process paid subscriptions during closed alpha.
Where paid services are introduced, payments may be processed by a specialist payment provider. NorthStar would not normally store complete payment-card information itself. This policy will be updated before paid subscriptions are introduced.
3. How we use your information
We use personal information to:
- Create and manage your NorthStar account
- Provide the features and services you request
- Display and organise your planning information
- Synchronise connected calendar information
- Link calendar commitments to NorthStar goals, habits, notes, tasks and reflections
- Generate requested AI-powered briefs, suggestions and planning support
- Remember your preferences
- Provide customer support
- Monitor reliability, security and performance
- Diagnose errors and technical problems
- Prevent abuse, fraud or unauthorised access
- Manage closed-alpha access
- Understand how features are used
- Improve NorthStar
- Meet legal, regulatory and accounting obligations
- Communicate important service or policy changes
We do not sell your personal information.
We do not use Google Calendar data for advertising.
We do not use Google Calendar data to build or train a general-purpose artificial intelligence or machine-learning model.
4. Google Calendar and Google API data
NorthStar accesses Google Calendar information only after you actively choose to connect your Google account and grant the requested permissions.
NorthStar uses information obtained through Google Calendar APIs to:
- Retrieve calendars and calendar metadata
- Retrieve calendar events
- Display those events within NorthStar
- Help you plan around your real-world commitments
- Allow you to associate NorthStar-owned notes, tasks, goals, habits, reminders, milestones and reflections with those events
- Provide user-facing planning and briefing features that you request
Google Calendar access is read-only. NorthStar does not use the integration to create, change or delete events in Google Calendar.
OAuth access credentials are stored separately from ordinary connection metadata and are protected using encryption. They are used only to maintain the calendar connection and synchronise information that the user has authorised NorthStar to access.
NorthStar does not sell Google user data, use it for advertising or transfer it to data brokers.
Human access to Google user data is not permitted unless:
- You have given explicit permission for support or troubleshooting
- Access is necessary to investigate security, fraud or abuse
- Access is required by law
- The information has been aggregated and anonymised for legitimate internal service operations
NorthStar’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5. Our lawful bases for processing
Under the UK GDPR, we rely on one or more of the following lawful bases.
5.1 Performance of a contract
We process information where it is necessary to provide the NorthStar service you have requested, including:
- Managing your account
- Storing your NorthStar content
- Synchronising a calendar you have connected
- Providing requested planning and AI features
- Responding to service-related requests
5.2 Consent
We rely on consent where appropriate, including:
- When you choose to connect an external calendar
- Where you opt into optional features that require additional data
- Where consent is required for non-essential cookies or electronic marketing
You can withdraw consent at any time. Disconnecting a calendar will stop future access through that connection.
5.3 Legitimate interests
We may process limited information where necessary for our legitimate interests, provided those interests are not overridden by your rights. These interests include:
- Securing the service
- Preventing fraud and misuse
- Diagnosing technical problems
- Maintaining service reliability
- Understanding general feature performance
- Improving NorthStar
- Managing and evaluating the closed-alpha programme
- Establishing, exercising or defending legal claims
5.4 Legal obligation
We may process information where necessary to comply with legal, regulatory, tax, accounting or law-enforcement obligations.
6. AI-powered features
Some NorthStar features may use artificial intelligence to generate briefs, suggestions, summaries, next actions or planning support.
When you use an AI-powered feature:
- Relevant information may be sent securely to an AI service provider to generate the requested output
- Only information reasonably required for that feature should be supplied
- AI outputs may be incomplete, inaccurate or unsuitable
- AI-generated content should be treated as support rather than professional advice
- NorthStar administrators may record usage volumes, token counts and estimated costs without storing raw prompts in administrative usage records
- Google Calendar data will not be used to train or improve a general-purpose AI model
- Google Calendar data will only be used within AI features where this is necessary to provide a clear user-facing NorthStar feature and is consistent with the permissions and disclosures presented to the user
NorthStar may introduce more detailed controls before AI features process particularly sensitive categories of personal information.
7. Who we share information with
We may use carefully selected service providers to operate NorthStar. These may include providers of:
- Cloud hosting
- Database and authentication infrastructure
- Email delivery
- Error monitoring and diagnostics
- AI processing
- Payment processing
- Security and fraud prevention
- Customer support
These providers may process information only as necessary to provide their contracted services and are subject to appropriate contractual and security requirements.
Current or anticipated infrastructure providers may include:
- Supabase, for database, authentication and backend services
- Vercel, for application hosting and delivery
- Google, where you connect Google Calendar
- Approved AI service providers, where you actively use an AI-powered feature
This list may be updated if the production providers change.
We may also disclose information:
- Where required by law, court order or a competent authority
- To investigate or prevent fraud, abuse or security incidents
- To protect the rights, safety or property of NorthStar, its users or others
- In connection with a corporate restructuring, merger, acquisition or sale, subject to appropriate safeguards and notice
We do not sell personal information or Google user data.
8. International data transfers
Some service providers may process information outside the United Kingdom.
Where personal information is transferred internationally, we will use an appropriate legal safeguard, such as:
- A UK adequacy regulation
- The UK International Data Transfer Agreement
- The UK Addendum to the EU Standard Contractual Clauses
- Another lawful transfer mechanism
You may contact us for further information about the safeguards applied to relevant transfers.
9. How long we keep information
We retain personal information only for as long as it is reasonably required for the purposes described in this policy.
In general:
- Account information is retained while your account remains active
- NorthStar content is retained until you delete it, delete your account or request its deletion, subject to limited backup and legal-retention periods
- Connected calendar data is retained while the calendar connection remains active and as needed to provide NorthStar’s calendar features
- OAuth credentials are retained until the connection is revoked, disconnected or otherwise becomes invalid
- Support correspondence may be retained for up to 24 months after the matter is closed
- Security, audit and diagnostic logs may be retained for up to 12 months unless a longer period is required to investigate an incident
- Financial and transaction records may be retained for the period required by law
- Backups may persist for a limited period after deletion before being overwritten through normal backup cycles
Before public launch, NorthStar will finalise and document a detailed retention schedule.
10. Disconnecting Google Calendar
You can disconnect Google Calendar through NorthStar’s settings.
Disconnecting will:
- Stop NorthStar from making future Google Calendar API requests through that connection
- Revoke or remove the stored NorthStar connection credentials, where supported
- Stop future calendar synchronisation
Disconnecting does not necessarily delete calendar events that have already been synchronised into NorthStar or NorthStar content linked to those events.
You may request deletion of previously synchronised calendar data by contacting:
You may also revoke NorthStar’s access through the security and connected-app settings in your Google Account.
11. Account deletion
You may request deletion of your NorthStar account and associated personal information by contacting:
We will delete or anonymise information unless we need to retain it:
- To comply with a legal obligation
- To resolve a dispute
- To enforce our agreements
- To investigate fraud or security incidents
- Within temporary backups that are overwritten through ordinary backup processes
A self-service account deletion feature may be introduced before public launch.
12. Security
We use reasonable technical and organisational measures designed to protect personal information, including:
- HTTPS encryption in transit
- Encryption of external-provider credentials
- Separation of OAuth credentials from normal application data
- Access controls
- Row-level database security
- Authentication controls
- Logging and monitoring
- Restricted administrative access
- Secure environment-variable management
- Software dependency and vulnerability management
No online service can guarantee absolute security. You are responsible for keeping your login credentials secure and for notifying us if you suspect unauthorised access.
13. Your data-protection rights
Depending on the circumstances, you may have the right to:
- Be informed about how your information is used
- Request access to your personal information
- Ask us to correct inaccurate or incomplete information
- Ask us to delete your information
- Ask us to restrict processing
- Object to certain processing
- Receive certain information in a portable format
- Withdraw consent at any time where processing is based on consent
- Complain to a supervisory authority
These rights are not absolute and may depend on the lawful basis and circumstances of the processing.
To exercise a right, email:
We may need to verify your identity before acting on a request.
14. Your right to object
You have the right to object to processing based on our legitimate interests.
You also have an absolute right to object to the use of your personal information for direct marketing.
To object, contact:
15. Complaints
Please contact us first so that we can try to resolve your concern.
You also have the right to complain to the UK Information Commissioner’s Office.
Current information about making a complaint is available through the Information Commissioner’s Office website.
16. Children
NorthStar is not currently intended for children under 18 during its closed-alpha phase.
We do not knowingly allow children to create closed-alpha accounts. If we learn that we have collected personal information from a child without an appropriate legal basis, we will take steps to delete it.
Any future child or parent-supported functionality will be subject to a separate privacy, safeguarding and age-appropriate design review before release.
17. Cookies and similar technologies
NorthStar may use essential cookies or local storage required for:
- Authentication
- Security
- Session management
- Preferences
- Core application functionality
Non-essential analytics, advertising or marketing cookies will not be used without an appropriate consent mechanism where consent is legally required.
A separate cookie notice may be introduced if NorthStar begins using non-essential cookies or analytics technologies.
18. Third-party services and links
NorthStar may contain links to or integrations with third-party services. Those services operate under their own terms and privacy policies.
NorthStar is not responsible for the privacy practices of third-party websites or services that it does not control.
19. Changes to this policy
We may update this Privacy Policy as NorthStar develops, when providers change or where legal requirements change.
Material changes will be communicated through the service, by email or through another appropriate notice.
The latest version will always be available at:
20. Contact us
Questions, requests or concerns about this policy should be sent to:
Coal Face AI LtdRegistered in England and Wales, company number 16337494
Registered office:
Mexborough Business Centre
College Road
Mexborough
South Yorkshire
United Kingdom
S64 9JP