Privacy Policy | Northstar Data Services

This Privacy Policy explains what personal information Northstar Data Services Inc. collects, why we collect it, how we use it, and the choices you have. It applies to the marketing website at northstardata.com and to the Northstar Business platform hosted on subdomains of northstardata.com, including (today) app.northstardata.com, admin.northstardata.com, and tenant blog subdomains.

Who we are and what this covers

Northstar Data Services Inc. ("Northstar", "we", "our", "us") is a Minnesota corporation. We operate two related services under the same company:

Consulting. Pick/MultiValue programming, integration, and modernization services for clients running UniVerse, UniData, D3, mvBASE, jBASE, and related platforms. The marketing site at northstardata.com is the public face of this work.
Northstar Business. A multi-tenant SaaS platform that helps local service businesses measure and improve their online presence, including AI-assisted content authoring and cross-channel publishing. The platform is hosted on app.northstardata.com, admin.northstardata.com, and tenant-specific subdomains of northstardata.com.

This policy covers both. Where a section applies only to one of them, we say so.

Information we collect

From visitors to the marketing site

Analytics data via Google Analytics 4: page views, referrers, device type, approximate location (city-level, derived from IP), and similar standard web analytics. Google's GA4 anonymizes IP addresses by default. See our Cookie Policy for details.
Server logs: IP address, user agent, request path, and timestamp. Retained for operational and security purposes.
Contact information you provide if you reach out by email or phone — we keep what you sent us so we can respond.

From Northstar Business tenants and their users

Account information: name, email address, business name, role, and authentication credentials.
Business information you provide to the platform: business description, service areas, hours, contact details, social profile URLs, credentials, photos.
Connected-account data you authorize: Google Search Console metrics, Google Business Profile data, Google Analytics, Facebook Pages, and (when integrations go live) LinkedIn, Bing. We receive only what those platforms expose to the OAuth scope you grant.
Content you author or upload on the platform: drafts, posts, photos, comments, notes.
Usage data: what pages you view inside the application, what actions you take, when AI features are invoked, and for what.
Server logs as above.

What we do not collect

We do not knowingly collect government-issued identifiers, financial account numbers beyond what's needed to process a payment, biometric data, or precise GPS location. We do not buy contact lists. We do not run third-party advertising trackers on our properties.

How we use information

We use the information we collect to:

Provide, operate, and improve the marketing site and the Northstar Business platform.
Authenticate users and protect accounts.
Generate the measurements, analyses, narratives, and content that Northstar Business produces for tenants — this includes sending some tenant-provided data to AI providers (see AI processing).
Communicate with you about the service: account notices, security alerts, product updates, and responses to questions.
Detect, prevent, and respond to fraud, abuse, and security incidents.
Comply with legal obligations and enforce our Terms of Service.

We do not sell personal information. We do not use the content tenants put into Northstar Business to train AI models, and we do not authorize our AI subprocessors to do so either (see AI processing).

We share personal information only in these circumstances:

With subprocessors that help us run the service — hosting, storage, analytics, AI providers, communication tools, and so on. See the Subprocessors list below.
With platforms you connect at your direction. If you authorize Northstar Business to publish a post to your Facebook Page, the post (and the data needed to publish it) goes to Facebook. We only act on the scopes you grant.
For legal reasons: when required by law, to enforce our terms, or to protect rights, safety, and property — ours, yours, or someone else's.
In a business transfer: if Northstar is acquired, merged, or reorganized, personal information may transfer to the successor entity, subject to this policy or a successor policy at least as protective.

Subprocessors

We rely on the following third parties to operate our services. Each is bound by their own terms and privacy commitments; we link to their policies. We use only the categories of data each provider needs to do its job.

Provider	What they do	Data involved
AWS Lightsail (Amazon)	Application hosting	All operational data, at rest and in transit through the host
Cloudflare	CDN, edge proxy, email routing	Request metadata, IP, headers; routed mail headers and contents
Backblaze B2	Tenant photo + media storage	Tenant-uploaded photos and media
AWS SES	Transactional email delivery (account confirmations, password resets, notifications, system alerts) — see AWS privacy notice	Recipient email addresses, message content, sender metadata; delivery and bounce metadata retained by AWS per their defaults
Telesign	SMS / phone verification and two-factor authentication delivery — see Telesign privacy policy	Phone numbers, verification codes, SMS message content; delivery metadata retained by Telesign per their defaults
Google (Analytics, Search Console, Business Profile, Gemini)	Analytics on the marketing site; presence data on tenant request; AI model access	Site analytics events; tenant-authorized GSC/GBP data; content sent for AI processing
Anthropic	AI model access (Claude)	Content sent for AI processing (see AI Usage Disclosure)
OpenAI	AI model access (GPT models)	Content sent for AI processing
DeepSeek	AI model access	Content sent for AI processing
xAI	AI model access (Grok)	Content sent for AI processing
Let's Encrypt	TLS certificate issuance	Domain names only; no personal data
Meta	Facebook Pages publishing — see Meta privacy policy	Tenant-authorized page tokens; content the tenant publishes

We update this list when we add or change providers. For the current AI-specific picture, see the AI Usage Disclosure.

Cookies and analytics

The marketing site uses Google Analytics 4 (property G-P60077HYKP) for traffic analytics. Northstar Business uses session and security cookies needed for authentication. We do not run third-party advertising trackers. For details, see the Cookie Policy.

AI processing

Northstar Business uses third-party AI providers to generate measurements, narratives, and content authoring assistance. We send the provider only the data needed for that specific request. Our AI providers' API terms commit them to not use customer API content to train their models; we rely on that contractual commitment and pass it through to our tenants. See the AI Usage Disclosure for the full picture.

Data retention

Marketing site analytics: retained per Google Analytics 4 defaults (currently 14 months) unless we shorten the window.
Server logs: typically 30–90 days, then deleted or aggregated.
Tenant account and content data: retained for the life of the account. When an account is deleted or a deletion request is honored, data is removed within 30 days, except where retention is required by law (for example, financial records).
Backups: may persist for up to 90 days after primary deletion before backup expiry.

Your rights

Wherever you are, you can ask us to:

Tell you what personal information we have about you.
Correct information that's wrong.
Delete your information (subject to the limits noted below and in Data Deletion Instructions).
Stop using your information for a specific purpose, where the law gives you that right.

Send the request to [email protected]. We respond within 30 days, faster when we can. We may need to verify your identity before acting on a request.

California residents (CCPA/CPRA)

If you live in California, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Categories of personal information collected

In the past 12 months we may have collected the following CCPA-defined categories: identifiers (name, email, IP), customer-records information (account details), commercial information (services subscribed), internet activity (browsing within our properties), geolocation (approximate, from IP), professional information (business name, role), and inferences drawn from the above (for example, presence-score signals about a tenant's business).

Sources, purposes, and sharing

We collect this information directly from you, from your interaction with our services, from connected accounts you authorize, and from our subprocessors. We use it for the purposes described in How we use information and share it only as described in How we share information.

Your CCPA rights

Right to know what personal information we have collected, used, disclosed, and shared about you in the prior 12 months.
Right to delete personal information we have collected from you, subject to statutory exceptions.
Right to correct inaccurate personal information.
Right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined in the CCPA. There is nothing to opt out of, but you can confirm this with us.
Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
Right to non-discrimination for exercising any of the above. We will not deny service, charge a different price, or provide a lesser quality of service because you exercised a CCPA right.

To exercise any of these rights, email [email protected]. You may use an authorized agent; we will ask for proof of the agent's authority and may also need to verify your identity directly.

We do not currently have an EEA or UK customer base. If you reach us from the EEA, UK, or Switzerland, the following applies:

Legal bases. We process personal information on the bases of contract (to provide services you've signed up for), legitimate interests (to operate, secure, and improve our services, where those interests are not overridden by your rights), legal obligations, and consent (for example, optional analytics where consent is required).
Your rights. Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your local supervisory authority.
International transfers. Our services are operated from the United States. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms put in place by our subprocessors for transfers out of the EEA/UK.

To exercise these rights, email [email protected]. If we add EEA/UK customers in volume, we will revise this section accordingly.

Children's privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, please email [email protected] and we will remove it.

Security

We use encryption in transit (TLS) for all public traffic, restrict access to production systems, log administrative actions, and patch our hosts regularly. No system is perfectly secure. If you believe your account has been compromised, contact us immediately at [email protected].

Changes to this policy

When we make material changes to this policy, we update the "Last updated" date at the top and, for active customers, notify the account contact by email or in-app notice. The current version is always at northstardata.com/privacy/.

Contact

Privacy questions, data requests, and complaints:

Northstar Data Services Inc.
1634 Fairview Beach Rd NE
Alexandria, MN 56308
United States

Email: [email protected]
General contact: [email protected]

Related disclosures. See the Cookie Policy, AI Usage Disclosure, Data Deletion Instructions, and Terms of Service. The Disclosures hub lists everything in one place.