Privacy Policy
Effective date: June 7, 2026
This Privacy Policy explains how FiveStarKit, LLC (“FiveStarKit,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use our website and our SMS review-request and AI response platform (the “Service”).
1. Who we are
FiveStarKit is operated by FiveStarKit, LLC. With respect to information about you as our customer (the contractor or business operator using the Service), we are the data controller. With respect to information about your end customers that you upload or that we receive on your behalf (such as your customers’ phone numbers), we act as your service provider / processor; you are the controller of that data and are responsible for its lawful collection and use.
2. Information we collect
From you, the account holder
- Account profile: name, business name, trade (e.g., plumbing, HVAC), email address, business phone number, password hash.
- Billing information: subscription plan, status, and customer ID. Payment is processed by Polar, our payment processor. We do not receive or store your full card number.
- Connected-account credentials: Google OAuth access and refresh tokens issued when you connect your Google Business Profile. These tokens are encrypted at rest.
- Communications: messages you send us at support@fivestarkit.app or through in-app support.
About your end customers (uploaded by or on behalf of you)
- Phone number (in E.164 format) and, optionally, customer name.
- SMS delivery status: queued, sent, delivered, failed, clicked, opted-out.
- Private feedback text submitted by customers who indicated a low-star experience through our private-feedback flow.
From Google, with your authorization
- Your business locations, reviews of your business, reviewer display name as published by Google, star rating, and review text, retrieved through the Google Business Profile API.
Automatically
- Device and connection data: IP address, user agent, approximate location derived from IP, pages viewed, and timestamps.
- Product analytics events (such as feature usage) and rate-limit counters used to detect abuse.
- Cookies and similar technologies, as described in section 9.
3. How we use information
- Provide, operate, and maintain the Service.
- Send SMS review requests on your behalf and track delivery and opt-outs.
- Generate AI-drafted response suggestions for the reviews of your business.
- Process subscription payments, send invoices, and manage your plan.
- Send transactional email (welcome, weekly digest, review alerts, billing notices) through our email provider.
- Monitor, prevent, and investigate abuse, fraud, and security incidents, including TCPA compliance.
- Comply with legal obligations and enforce our Terms.
- Improve the Service, including evaluating AI model quality over time.
4. Legal bases for processing (EU/UK users)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases: performance of a contract (to provide the Service you signed up for), legitimate interests (to secure, improve, and operate the Service), consent (where required, such as for non-essential cookies), and compliance with legal obligations.
5. AI processing disclosure
When you generate a draft response, we send the following to our AI provider (currently Anthropic): the review text, the reviewer’s display name as shown on Google, your business name, your trade, and your selected response tone. Anthropic does not train its models on data submitted through its API by default. We do not send your end customers’ phone numbers or any non-review private feedback to any AI provider. We store the AI model identifier used for each draft (for example, claude-haiku-4-5) so we can compare draft quality over time.
6. Sub-processors
We share information with the following sub-processors, each of which is contractually obligated to protect the information they handle on our behalf:
- Supabase — database, authentication, and storage.
- SignalWire — SMS delivery via the Compatibility API.
- Polar — subscription billing and checkout.
- Anthropic — AI draft generation.
- Google LLC — Google Business Profile API access.
- Resend — transactional email delivery.
- Upstash — Redis-based rate limiting.
- Vercel — application hosting, if the Service is deployed on Vercel.
7. SMS messaging and TCPA
FiveStarKit sends SMS messages on behalf of our customers (contractors and small businesses). The contractor is responsible for obtaining prior express consent from each phone number before any message is sent and for complying with the Telephone Consumer Protection Act (TCPA), CAN-SPAM, CTIA messaging guidelines, A2P 10DLC requirements, and other applicable law. Messages may include a description of the sender, a clear opt-out instruction (typically “Reply STOP to unsubscribe”), and a help instruction (“Reply HELP for help”). Message and data rates may apply. Message frequency varies based on the contractor’s use of the Service.
We maintain a platform-wide suppression list of any phone number that replies STOP or otherwise opts out. Opted-out numbers will not receive further messages from any FiveStarKit account.
8. Google API Services User Data Policy
FiveStarKit’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we request only the https://www.googleapis.com/auth/business.manage scope and use the data we receive solely to display your reviews to you within the Service, to generate response drafts you request, and to post responses you explicitly approve. We do not transfer Google user data to third parties except as necessary to operate the Service, do not use Google user data for advertising, and do not allow humans to read Google user data except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data is aggregated and anonymized for internal operations.
9. Cookies and similar technologies
We use a small set of strictly necessary cookies to keep you signed in (issued by our authentication provider, Supabase) and to remember basic preferences. We do not use third-party advertising cookies or cross-site tracking pixels.
10. Data retention
- Account data: retained for the lifetime of your account, plus 90 days after account closure, to handle reactivation and disputes.
- End-customer phone numbers and request history: retained for the lifetime of your subscription, or until you delete them, plus a short backup window.
- Opt-out records: retained indefinitely so that opted-out numbers are never re-messaged.
- Billing records: retained for at least seven (7) years to meet tax and accounting obligations.
- AI draft history: retained, including the model identifier used, so we can evaluate draft quality over time.
- Application logs: retained for up to 30 days for operational and security purposes.
11. Security
We protect your information with industry-standard safeguards, including TLS encryption in transit, encryption of Google OAuth tokens at rest, row-level security on every database table, application-layer rate limiting, and strict separation between public and administrative database credentials. No system is perfectly secure; if we become aware of a breach affecting your information, we will notify you in accordance with applicable law.
12. Your rights
Depending on where you live, you may have the right to access, correct, delete, export, or restrict our processing of your personal information, and to withdraw consent where processing is based on consent. To exercise these rights, contact us at support@fivestarkit.app. We will respond within the time frame required by applicable law.
If you are an end customer of one of our contractor users (for example, you received an SMS review request from a plumber), please contact that business directly to exercise your rights with respect to your information; we will assist them in responding.
13. California residents (CCPA / CPRA)
In the past twelve (12) months we have collected the categories of personal information described in section 2, including identifiers, commercial information, internet or other electronic activity information, and inferences. We collect this information for the purposes described in section 3, and we share it only with the sub-processors listed in section 6. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.
California residents may exercise rights to know, correct, delete, and limit the use of sensitive personal information by contacting support@fivestarkit.app. We will not discriminate against you for exercising these rights.
14. Children
The Service is not directed to children under 18 and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.
15. International transfers
FiveStarKit is operated from the United States and your information will be processed in the United States. Our sub-processors may process information in other countries. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses.
16. Changes to this Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or in-app notice. The “Effective date” at the top of this page reflects the most recent revision.
17. Contact
FiveStarKit, LLC
support@fivestarkit.app