Privacy Policy
Last updated: March 13, 2026
Article 1 – Data Collected
This privacy policy (hereinafter the "Policy") describes how Starfruit SAS (hereinafter "Starfruit", "we" or "our") collects, uses, and protects the personal data of users of the Starkado.com website (hereinafter the "Site").
Starfruit is the data controller within the meaning of the General Data Protection Regulation (GDPR – EU 2016/679) and French Act No. 78-17 of 6 January 1978 as amended (the "Data Protection Act").
1.1. Data provided directly by the User
Account data: last name, first name, email address, password (stored in hashed form).
Profile data: profile photo, username, date of birth (optional).
User Content: lists, list titles, URL links, comments, uploaded images.
Communications: messages sent to Starfruit (support, reporting, etc.).
1.2. Automatically collected data
Connection data: IP address, browser type, operating system, language, pages visited, date and time of visit, session duration.
Technical data: session identifiers, cookie identifiers, authentication token.
Usage data: features used, interface interactions, aggregated usage statistics.
1.3. Data from third parties
If the User chooses to log in via a third-party service (e.g. Google, Facebook), Starfruit may receive basic profile data (name, email, photo) from that service, in accordance with the authorisations granted by the User to that third party.
Starfruit is the data controller within the meaning of the General Data Protection Regulation (GDPR – EU 2016/679) and French Act No. 78-17 of 6 January 1978 as amended (the "Data Protection Act").
1.1. Data provided directly by the User
Account data: last name, first name, email address, password (stored in hashed form).
Profile data: profile photo, username, date of birth (optional).
User Content: lists, list titles, URL links, comments, uploaded images.
Communications: messages sent to Starfruit (support, reporting, etc.).
1.2. Automatically collected data
Connection data: IP address, browser type, operating system, language, pages visited, date and time of visit, session duration.
Technical data: session identifiers, cookie identifiers, authentication token.
Usage data: features used, interface interactions, aggregated usage statistics.
1.3. Data from third parties
If the User chooses to log in via a third-party service (e.g. Google, Facebook), Starfruit may receive basic profile data (name, email, photo) from that service, in accordance with the authorisations granted by the User to that third party.
Article 2 – Purposes and Legal Bases of Processing
Starfruit processes Users' personal data for the following purposes and on the following legal bases:
Creation and management of User accounts | Performance of contract (Art. 6.1.b GDPR)
Provision of the Service (lists, sharing, etc.) | Performance of contract (Art. 6.1.b GDPR)
Sending transactional emails (confirmation, password reset) | Performance of contract (Art. 6.1.b GDPR)
Sending marketing communications and newsletters | User consent (Art. 6.1.a GDPR)
Service improvement and statistical analysis | Starfruit's legitimate interest (Art. 6.1.f GDPR)
Fraud prevention and Service security | Starfruit's legitimate interest (Art. 6.1.f GDPR)
Compliance with legal obligations (tax retention, etc.) | Legal obligation (Art. 6.1.c GDPR)
Handling requests to exercise rights | Legal obligation (Art. 6.1.c GDPR)
Creation and management of User accounts | Performance of contract (Art. 6.1.b GDPR)
Provision of the Service (lists, sharing, etc.) | Performance of contract (Art. 6.1.b GDPR)
Sending transactional emails (confirmation, password reset) | Performance of contract (Art. 6.1.b GDPR)
Sending marketing communications and newsletters | User consent (Art. 6.1.a GDPR)
Service improvement and statistical analysis | Starfruit's legitimate interest (Art. 6.1.f GDPR)
Fraud prevention and Service security | Starfruit's legitimate interest (Art. 6.1.f GDPR)
Compliance with legal obligations (tax retention, etc.) | Legal obligation (Art. 6.1.c GDPR)
Handling requests to exercise rights | Legal obligation (Art. 6.1.c GDPR)
Article 3 – Retention Periods
Account data: for the duration of the contractual relationship, then 3 years from account closure for evidentiary purposes.
Content data (lists): retained during account activity, deleted within 30 days following closure.
Connection data (logs): 12 months in accordance with legal obligations applicable to hosting providers.
Cookie data: see Article 7.
Accounting and tax data: 10 years in accordance with legal obligations.
Support communication data: 3 years from the last exchange.
At the end of the above periods, data is irreversibly deleted or anonymised.
Content data (lists): retained during account activity, deleted within 30 days following closure.
Connection data (logs): 12 months in accordance with legal obligations applicable to hosting providers.
Cookie data: see Article 7.
Accounting and tax data: 10 years in accordance with legal obligations.
Support communication data: 3 years from the last exchange.
At the end of the above periods, data is irreversibly deleted or anonymised.
Article 4 – Data Recipients
4.1. Within Starfruit
Personal data is accessible only to Starfruit team members who need it in the course of their duties (development, support, administration).
4.2. Sub-processors
Starfruit may engage service providers acting as sub-processors (hosting provider, emailing service, analytics tool, etc.). These sub-processors are contractually required to comply with the GDPR and process data only for purposes defined by Starfruit.
Main sub-processors used (list subject to change):
Amazon Web Services EMEA SARL – Data hosting – Luxembourg / European Union
4.3. Third parties
Starfruit does not sell Users' personal data to third parties. Data may be disclosed to third parties only:
with the User's express consent;
to comply with a legal obligation or court order;
in the event of a transfer, merger, or acquisition of Starfruit, subject to prior notification to the User.
Personal data is accessible only to Starfruit team members who need it in the course of their duties (development, support, administration).
4.2. Sub-processors
Starfruit may engage service providers acting as sub-processors (hosting provider, emailing service, analytics tool, etc.). These sub-processors are contractually required to comply with the GDPR and process data only for purposes defined by Starfruit.
Main sub-processors used (list subject to change):
Amazon Web Services EMEA SARL – Data hosting – Luxembourg / European Union
4.3. Third parties
Starfruit does not sell Users' personal data to third parties. Data may be disclosed to third parties only:
with the User's express consent;
to comply with a legal obligation or court order;
in the event of a transfer, merger, or acquisition of Starfruit, subject to prior notification to the User.
Article 5 – Transfers Outside the EU
Starfruit endeavours to have personal data hosted and processed within the European Economic Area (EEA).
In cases where certain sub-processors are established outside the EEA in a country not subject to an adequacy decision by the European Commission, Starfruit ensures that appropriate safeguards are in place, including:
standard contractual clauses (SCCs) approved by the European Commission;
applicable certifications (e.g. EU-US Data Privacy Framework, where applicable).
The User may obtain information about these safeguards by contacting Starfruit at the address indicated in Article 9.
In cases where certain sub-processors are established outside the EEA in a country not subject to an adequacy decision by the European Commission, Starfruit ensures that appropriate safeguards are in place, including:
standard contractual clauses (SCCs) approved by the European Commission;
applicable certifications (e.g. EU-US Data Privacy Framework, where applicable).
The User may obtain information about these safeguards by contacting Starfruit at the address indicated in Article 9.
Article 6 – Data Security
Starfruit implements reasonable and appropriate technical and organisational measures in light of the risks, in order to protect personal data against destruction, loss, alteration, disclosure, or unauthorised access.
These measures include in particular: encryption of data in transit (HTTPS/TLS), password hashing, role-based access management, access logging, regular backups.
The User acknowledges, however, that no information system is entirely secure and that the transmission of data over the Internet involves residual risks.
To the extent permitted by applicable law, Starfruit shall not be held liable for the consequences of:
a failure of the User's equipment, connection, or configuration;
negligence by the User (disclosure of credentials to third parties, failure to lock devices, etc.);
an attack or vulnerability affecting third-party services over which Starfruit does not exercise reasonable control.
These limitations do not apply in cases of intentional misconduct or gross negligence by Starfruit.
These measures include in particular: encryption of data in transit (HTTPS/TLS), password hashing, role-based access management, access logging, regular backups.
The User acknowledges, however, that no information system is entirely secure and that the transmission of data over the Internet involves residual risks.
To the extent permitted by applicable law, Starfruit shall not be held liable for the consequences of:
a failure of the User's equipment, connection, or configuration;
negligence by the User (disclosure of credentials to third parties, failure to lock devices, etc.);
an attack or vulnerability affecting third-party services over which Starfruit does not exercise reasonable control.
These limitations do not apply in cases of intentional misconduct or gross negligence by Starfruit.
Article 7 – Cookies and Trackers
7.1. Definition and types
A cookie is a small text file placed on the User's device when visiting the Site. Starfruit uses the following types of trackers:
Strictly necessary cookies: essential for the operation of the Site (session, authentication, basket). They cannot be disabled. Legal basis: legitimate interest / contract.
Performance/analytics cookies: used to measure audience and improve the Service (e.g. Google Analytics or equivalent, in anonymised mode where possible). Legal basis: consent.
Functionality cookies: used to remember User preferences. Legal basis: consent.
Third-party cookies: placed by third-party partners (social networks, affiliate platforms, etc.). Legal basis: consent.
7.2. Retention period
Cookies have a maximum lifespan of 13 months from the date they are placed, in accordance with the recommendations of the CNIL (French Data Protection Authority).
7.3. Cookie management
On the first visit to the Site, an information banner allows the User to accept or decline non-essential cookies. This choice can be modified at any time via the cookie manager accessible in the Site's footer.
The User may also configure their browser to refuse or delete cookies, in accordance with the relevant browser's instructions. Certain features of the Site may be degraded if necessary cookies are refused.
A cookie is a small text file placed on the User's device when visiting the Site. Starfruit uses the following types of trackers:
Strictly necessary cookies: essential for the operation of the Site (session, authentication, basket). They cannot be disabled. Legal basis: legitimate interest / contract.
Performance/analytics cookies: used to measure audience and improve the Service (e.g. Google Analytics or equivalent, in anonymised mode where possible). Legal basis: consent.
Functionality cookies: used to remember User preferences. Legal basis: consent.
Third-party cookies: placed by third-party partners (social networks, affiliate platforms, etc.). Legal basis: consent.
7.2. Retention period
Cookies have a maximum lifespan of 13 months from the date they are placed, in accordance with the recommendations of the CNIL (French Data Protection Authority).
7.3. Cookie management
On the first visit to the Site, an information banner allows the User to accept or decline non-essential cookies. This choice can be modified at any time via the cookie manager accessible in the Site's footer.
The User may also configure their browser to refuse or delete cookies, in accordance with the relevant browser's instructions. Certain features of the Site may be degraded if necessary cookies are refused.
Article 8 – Rights of Data Subjects
In accordance with the GDPR and the French Data Protection Act, the User has the following rights:
Right of access (Art. 15 GDPR): obtain confirmation of the processing of their data and receive a copy.
Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
Right to erasure (Art. 17 GDPR): request deletion of their data in the cases provided for by law.
Right to restriction (Art. 18 GDPR): obtain restriction of processing in certain cases.
Right to data portability (Art. 20 GDPR): receive their data in a structured, machine-readable format.
Right to object (Art. 21 GDPR): object to processing based on legitimate interest or for direct marketing purposes.
Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
Right to define post-mortem instructions: define instructions regarding the fate of data after death.
8.1. How to exercise rights
These rights may be exercised by email at: , or by post to the registered office address (see Legal Notice), attaching a copy of proof of identity if required.
Starfruit undertakes to respond within a maximum of one (1) month from receipt of the request, which may be extended to three (3) months for complex requests.
8.2. Right to lodge a complaint
If the User disagrees with how their data is being processed, they may lodge a complaint with the competent supervisory authority in France:
CNIL (French Data Protection Authority) – 3 place de Fontenoy, 75007 Paris – www.cnil.fr
Right of access (Art. 15 GDPR): obtain confirmation of the processing of their data and receive a copy.
Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
Right to erasure (Art. 17 GDPR): request deletion of their data in the cases provided for by law.
Right to restriction (Art. 18 GDPR): obtain restriction of processing in certain cases.
Right to data portability (Art. 20 GDPR): receive their data in a structured, machine-readable format.
Right to object (Art. 21 GDPR): object to processing based on legitimate interest or for direct marketing purposes.
Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
Right to define post-mortem instructions: define instructions regarding the fate of data after death.
8.1. How to exercise rights
These rights may be exercised by email at: , or by post to the registered office address (see Legal Notice), attaching a copy of proof of identity if required.
Starfruit undertakes to respond within a maximum of one (1) month from receipt of the request, which may be extended to three (3) months for complex requests.
8.2. Right to lodge a complaint
If the User disagrees with how their data is being processed, they may lodge a complaint with the competent supervisory authority in France:
CNIL (French Data Protection Authority) – 3 place de Fontenoy, 75007 Paris – www.cnil.fr
Article 9 – Contact – Data Protection Officer
For any questions regarding this Policy or the exercise of your rights, you may contact Starfruit:
By email:
By post: Starfruit SAS,
Starfruit does not currently have a designated Data Protection Officer (DPO), as this obligation does not apply to an organisation of this size and nature of activity. Any requests relating to personal data may be sent directly to .
By email:
By post: Starfruit SAS,
Starfruit does not currently have a designated Data Protection Officer (DPO), as this obligation does not apply to an organisation of this size and nature of activity. Any requests relating to personal data may be sent directly to .
Article 10 – Changes to the Policy
Starfruit reserves the right to amend this Policy at any time, in particular to comply with changes in law or the Service.
In the event of a material change, the User will be informed by email or by notification on the Site at least 30 days before the changes take effect. The date of the last update appears at the top of this document.
The version of the Policy in force is the one available on the Site at the time of consultation.
In the event of a material change, the User will be informed by email or by notification on the Site at least 30 days before the changes take effect. The date of the last update appears at the top of this document.
The version of the Policy in force is the one available on the Site at the time of consultation.