Legal

Privacy Policy

Last updated: May 15, 2026

1. Introduction

Asteri ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service management platform, including our integrations with third-party services such as Google Business Profile, Stripe, and communication providers.

This policy applies to all users of the Asteri platform, including service business owners and their team members ("Business Users") and customers who book services through the platform ("End Customers").

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name
  • Organization/business name
  • Password (securely hashed — we never store plaintext passwords)

2.2 Booking & Customer Information

When End Customers book a service, we collect:

  • Name, email address, and phone number
  • Service address
  • Service selections and preferences
  • Special instructions or notes

This information is collected on behalf of the Service Provider and is shared with them to fulfill your booking.

2.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. Your card number, expiration date, and CVC are transmitted directly to Stripe and are neverstored on Asteri’s servers. We receive only:

  • A confirmation that the payment succeeded or failed
  • The last four digits of the card (for display purposes)
  • The card brand (e.g., Visa, Mastercard)
  • Transaction amounts and timestamps

2.4 Google Business Profile Data

When a Business User connects their Google Business Profile, with their explicit consent, we access and store:

  • Business Locations: Name, address, phone number, website, business hours
  • Reviews: Customer reviews, star ratings, reviewer display names, and your responses
  • Posts: Business updates, offers, and events you create through our platform
  • Performance Insights: Search views, map views, website clicks, direction requests, phone calls
  • OAuth Tokens: Encrypted access and refresh tokens to maintain your connection

2.5 Communications Data

When Business Users use our communication features, we process:

  • SMS messages: Sent and received via Twilio on behalf of the Business User
  • Emails: Sent via Resend on behalf of the Business User (appointment confirmations, invoices, review requests, etc.)

2.6 Log & Device Data

When you access the platform, we automatically collect:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on each page
  • Referring URL
  • Date and time of access

2.7 Location & Vehicle Data

When a Business User enables mobile location features (such as field-technician tracking, time-clock geofencing, dispatch, or route optimization) or connects a vehicle telemetry device, we collect:

  • Precise GPS coordinates (latitude and longitude)
  • Speed, heading, and timestamps
  • Trip history (start/stop points, route taken)
  • For connected vehicles: telemetry such as ignition status, odometer, and device identifiers, received via our integration partner Flespi

On mobile, location may be collected in the background while the app is open or while you are clocked in, in accordance with the permissions you grant your device. Location data is visible only to authorized users within your organization and is used for dispatch, time and attendance, vehicle history, and analytics. You may disable location collection at the device level or by signing out / clocking out; certain features (live dispatch, drive-time analytics) will not function while location is disabled. Business Users are responsible for informing their team members about location tracking before enabling it and for complying with applicable employment and privacy laws.

2.8 What We Do NOT Collect

  • Full credit or debit card numbers (handled by Stripe)
  • Social Security numbers or government-issued ID numbers
  • Personal information of reviewers beyond their public display name
  • Your personal Google account data unrelated to your Business Profile
  • Customer contact lists from Google
  • Biometric identifiers (facial geometry, fingerprints, voiceprints)

3. How We Use Your Information

We use the collected information to:

  • Provide, operate, and maintain the platform and its features
  • Process bookings and facilitate communication between Business Users and End Customers
  • Process payments through Stripe on behalf of Service Providers
  • Send transactional communications (confirmations, reminders, invoices)
  • Display your business locations and performance metrics in our dashboard
  • Enable you to view and respond to customer reviews
  • Generate AI-powered suggestions (review responses, floor inspection analysis, proposal and estimate drafting, smart chat replies, marketing copy generation)
  • Provide dispatch, routing, time-and-attendance, and vehicle-history features using device or vehicle location data, for Business Users who enable those features
  • Provide analytics and insights about your business performance
  • Measure product usage and improve the Service through first-party product analytics (such as which steps of the booking flow customers complete or abandon). These events are recorded by Asteri directly and are not shared with third-party advertising or marketing companies
  • Monitor errors, crashes, and performance through our error-monitoring provider (Sentry), to keep the Service reliable
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations

4. Data Storage and Security

4.1 Encryption

All OAuth tokens are encrypted using AES-256-GCM encryption before being stored. Tokens are never stored in plaintext. All data in transit is encrypted using TLS 1.2 or higher.

4.2 Access Control

Your data is isolated at the organization level by application-layer access controls enforced on every API request. Only authenticated users within your organization, and with the appropriate role-based permissions, can access your data.

4.3 Infrastructure

Our data is hosted on secure cloud infrastructure with industry-standard security measures, including encryption at rest and in transit. File uploads are stored on Cloudflare R2 with access-controlled URLs.

4.4 PCI Compliance

Asteri does not process, store, or transmit cardholder data. All payment card processing is handled by Stripe, which is certified as a PCI Level 1 Service Provider.

5. Data Sharing

We do NOT:

  • Sell your data to third parties
  • Share your data with other organizations on the platform
  • Use your data for advertising purposes
  • Transfer your data to third parties for their marketing purposes

For purposes of the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), we do not “sell” or “share” your personal information as those terms are defined in Cal. Civ. Code § 1798.140.

We share data with the following categories of service providers:

  • Service Providers you book with: Your booking details and contact information to fulfill your appointment
  • Payment processor (Stripe): Transaction data necessary to process payments and prevent fraud
  • Communication providers (Twilio, Resend): Phone numbers and email addresses necessary to deliver SMS and email
  • AI provider (OpenAI):When you use AI features (Smart Chat, Floor Inspector, proposal and estimate generation, review-response suggestions, marketing studio drafting), the content you submit to those features—including customer names, addresses, service descriptions, photos, and chat messages—is transmitted to OpenAI’s API over an encrypted connection so the model can generate a response. We do not anonymize or pseudonymize content before transmission. Under OpenAI’s default API terms, data submitted via the API is not used to train OpenAI’s general-purpose models, but OpenAI may retain inputs for a limited period for abuse monitoring and policy enforcement. See OpenAI’s Privacy Policy. We may add or change AI providers in the future and will update this Section and Section 8 if we do. If you do not want particular content processed by an AI provider, do not submit it to AI features.
  • Vehicle telemetry provider (Flespi): For Business Users who enable vehicle tracking, device identifiers and GPS telemetry are exchanged with Flespi to deliver fleet features
  • File storage (Cloudflare R2): Files, photos, and documents you upload are stored on Cloudflare R2 with access-controlled URLs
  • Legal compliance: When required by law, subpoena, or court order, or to protect the rights, property, or safety of Asteri, our users, or the public
  • Business transfer: In connection with a merger, acquisition, financing, reorganization, or sale of assets

6. Data Retention and Deletion

6.1 Active Accounts

While your account is active, we retain your data to provide our services. Booking and payment records are retained for at least 7 years for tax and legal compliance purposes.

6.2 Google Business Profile Disconnection

When you disconnect your Google Business Profile from Asteri, we immediately and permanently delete all cached reviews, posts, performance insights, business location data, review request history, and OAuth tokens.

6.3 Account Deletion

If you delete your Asteri account, all data is permanently deleted within 30 days, except where retention is required by law.

6.4 End Customer Data

End Customer data is retained by the Business User’s organization, which is the data controller. End Customers who wish to have their data deleted should contact the Service Provider directly using the contact information on their booking confirmation.

Backstop:If a Service Provider does not respond to a deletion request within 30 days, the End Customer may contact us at privacy@getasteri.com with a copy of the original request. Upon verification, we will delete the End Customer’s personal data from our systems within 30 days of receiving the escalation, except where retention is required by law (for example, transaction records retained for tax or anti-fraud purposes), in which case we will restrict processing of that retained data to the legally required use.

7. Your Rights

You have the right to:

  • Access: Request a copy of all data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Portability: Request a copy of your data in a portable, machine-readable format
  • Disconnect: Remove any third-party integration at any time from Settings
  • Revoke:Revoke Asteri's access to Google directly through your Google Account settings
  • Opt-out: Opt out of non-essential communications at any time

To exercise any of these rights, contact us at privacy@getasteri.com. We will respond within 30 days.

8. Third-Party Services

Our platform integrates with the following third-party services:

  • Stripe: Payment processing. Stripe Privacy Policy
  • Google Business Profile API: Business listing and review management. Google Privacy Policy
  • Twilio: SMS messaging. Twilio Privacy Policy
  • Resend: Email delivery. Resend Privacy Policy
  • Cloudflare R2: File storage. Cloudflare Privacy Policy
  • OpenAI: AI inference for Smart Chat, Floor Inspector, proposal and estimate generation, review-response suggestions, marketing studio drafting, and other AI features. OpenAI Privacy Policy
  • Flespi: Vehicle telemetry for fleet and routing features, for Business Users who enable vehicle tracking. Flespi Privacy Policy
  • Sentry: Application error and performance monitoring. Sentry receives error stack traces and a sample of performance traces from the platform. We do not enable session replay and our Sentry configuration is set to omit personally identifying request data by default. Sentry Privacy Policy

9. Cookies and Tracking

We use essential cookies to maintain your session and preferences. We do not use third-party tracking or advertising cookies. For full details, see our Cookie Policy.

10. Children's Privacy

Asteri is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

11. Our Role as Data Processor

When Service Providers use the Asteri platform to collect and manage End Customer data, the Service Provider is the "data controller" and Asteri acts as a "data processor" on their behalf.

  • The Service Provider determines why and how End Customer data is collected and used
  • Asteri processes this data only as necessary to provide the platform’s features
  • End Customers with questions about how their data is used should contact the Service Provider directly
  • Service Providers are responsible for ensuring they have a lawful basis to collect and process their customers’ data

12. California Consumer Privacy Act (CCPA)

If you are a California resident, you have additional rights under the CCPA:

  • Right to Know: Request disclosure of what personal information we have collected about you
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions
  • Right to Opt-Out of Sale: We do not sell your personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, contact us at privacy@getasteri.com. We will respond within 45 days.

13. European Economic Area & United Kingdom (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

  • Lawful Basis: We process your data based on contractual necessity (to provide the Service), legitimate interests (to improve the platform and prevent fraud), and your consent (where explicitly given)
  • Right to Restriction: Request that we restrict processing of your personal data under certain conditions
  • Right to Object: Object to processing of your personal data based on our legitimate interests
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority (data protection authority)
  • Automated Decision-Making: Our AI-powered features (review response suggestions, floor inspection analysis, proposal generation) produce recommendations only. No solely automated decisions with legal or similarly significant effects are made without human review and approval

For GDPR-related inquiries, contact us at privacy@getasteri.com. We will respond within 30 days.

EU / UK Representative (GDPR Art. 27 & UK GDPR)

Asteri is a US-based controller. We are in the process of engaging an EU and UK representative under GDPR Art. 27 / UK GDPR Art. 27. Until that representative is appointed and listed here, EEA and UK data subjects may exercise all GDPR rights directly with us at privacy@getasteri.com or in writing to our address listed in Section 19. Once the representative is appointed, their name and contact details will appear here.

14. Do Not Track Signals

We do not currently respond to DNT browser signals. However, we do not use third-party tracking or advertising cookies.

15. Security Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of confirming the breach
  • Provide details about what information was affected and what steps we are taking
  • Notify relevant regulatory authorities as required by applicable law
  • Offer guidance on steps you can take to protect yourself

16. International Data Transfers & Hosting Locations

Our services are hosted in the United States. If you access the platform from outside the United States, your data will be transferred to and processed in the United States.

Where your data is stored

  • Application database (PlanetScale Postgres): US-East (N. Virginia). Multi-region EU residency is available on request for Enterprise customers.
  • File storage (Cloudflare R2): US default region with global edge cache. Region restriction available on request.
  • Real-time queue + cache (Redis): US-East.
  • Email delivery (Resend): US.
  • SMS gateway (Twilio): US.
  • Vehicle telemetry (Flespi / Gurtam): European Union (Lithuania).
  • Error monitoring (Sentry): US, with PII scrubbing before transmission.
  • Application hosting (Vercel): US primary region, global edge for static assets only (no customer data persisted at the edge).

Where personal data is transferred outside the EEA, UK, or Switzerland we rely on Standard Contractual Clauses (SCC 2021/914), the UK International Data Transfer Addendum, the EU-U.S. Data Privacy Framework where the sub-processor is certified, or your explicit consent.

17. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes (for example, new categories of data collected, new sub-processors that process your personal information, or new purposes of processing), we will post the revised Policy with an updated “Last updated” date, provide a short summary of what changed, and notify registered Business Users by email at least 30 days’ in advance of the change taking effect. For non-material changes (clarifications, typos, formatting), the revised Policy takes effect when posted.

18. Sub-processor Changes

The current list of sub-processors that process personal information on our behalf is in Section 8. We may engage new sub-processors as we add features or change vendors. We will update Section 8 when we make material changes to that list and treat the change as a material change under Section 17.

19. Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: privacy@getasteri.com

Address: 4503 Forge Road, Perry Hall, MD 21128

20. Google API Services User Data Policy

Asteri's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

See also: Terms of Service · Refund & Cancellation Policy · Cookie Policy