Privacy Policy

1. Introduction

Asteri ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service management platform, including our integrations with third-party services such as Google Business Profile, Stripe, and communication providers.

This policy applies to all users of the Asteri platform, including service business owners and their team members ("Business Users") and customers who book services through the platform ("End Customers").

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Name
• Organization/business name
• Password (securely hashed — we never store plaintext passwords)

2.2 Booking & Customer Information

When End Customers book a service, we collect:

• Name, email address, and phone number
• Service address
• Service selections and preferences
• Special instructions or notes

This information is collected on behalf of the Service Provider and is shared with them to fulfill your booking.

2.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. Your card number, expiration date, and CVC are transmitted directly to Stripe and are neverstored on Asteri’s servers. We receive only:

• A confirmation that the payment succeeded or failed
• The last four digits of the card (for display purposes)
• The card brand (e.g., Visa, Mastercard)
• Transaction amounts and timestamps

2.4 Google Business Profile Data

When a Business User connects their Google Business Profile, with their explicit consent, we access and store:

• Business Locations: Name, address, phone number, website, business hours
• Reviews: Customer reviews, star ratings, reviewer display names, and your responses
• Posts: Business updates, offers, and events you create through our platform
• Performance Insights: Search views, map views, website clicks, direction requests, phone calls
• OAuth Tokens: Encrypted access and refresh tokens to maintain your connection

2.5 Communications Data

When Business Users use our communication features, we process:

• SMS messages: Sent and received via Twilio on behalf of the Business User
• Emails: Sent via Resend on behalf of the Business User (appointment confirmations, invoices, review requests, etc.)

2.6 Log & Device Data

When you access the platform, we automatically collect:

• IP address
• Browser type and version
• Device type and operating system
• Pages visited and time spent on each page
• Referring URL
• Date and time of access

2.7 What We Do NOT Collect

• Full credit or debit card numbers (handled by Stripe)
• Social Security numbers or government-issued ID numbers
• Personal information of reviewers beyond their public display name
• Your personal Google account data unrelated to your Business Profile
• Customer contact lists from Google

3. How We Use Your Information

We use the collected information to:

• Provide, operate, and maintain the platform and its features
• Process bookings and facilitate communication between Business Users and End Customers
• Process payments through Stripe on behalf of Service Providers
• Send transactional communications (confirmations, reminders, invoices)
• Display your business locations and performance metrics in our dashboard
• Enable you to view and respond to customer reviews
• Generate AI-powered suggestions (review responses, floor inspection analysis)
• Provide analytics and insights about your business performance
• Detect and prevent fraud, abuse, and security threats
• Comply with legal obligations

4. Data Storage and Security

4.1 Encryption

All OAuth tokens are encrypted using AES-256-GCM encryption before being stored. Tokens are never stored in plaintext. All data in transit is encrypted using TLS 1.2 or higher.

4.2 Access Control

Your data is isolated at the organization level using Row-Level Security (RLS) policies. Only authenticated users within your organization can access your data.

4.3 Infrastructure

Our data is hosted on secure cloud infrastructure with industry-standard security measures, including encryption at rest and in transit. File uploads are stored on Cloudflare R2 with access-controlled URLs.

4.4 PCI Compliance

Asteri does not process, store, or transmit cardholder data. All payment card processing is handled by Stripe, which is certified as a PCI Level 1 Service Provider.

5. Data Sharing

We do NOT:

• Sell your data to third parties
• Share your data with other organizations on the platform
• Use your data for advertising purposes
• Transfer your data to third parties for their marketing purposes

We may share data with:

• Service Providers you book with: Your booking details and contact information to fulfill your appointment
• Payment processor (Stripe): Transaction data necessary to process payments and prevent fraud
• Communication providers (Twilio, Resend): Phone numbers and email addresses necessary to deliver messages
• AI services: Anonymized or pseudonymized data may be sent to AI providers to generate suggestions
• Legal compliance: When required by law, subpoena, or court order
• Business transfer: In connection with a merger, acquisition, or sale of assets

6. Data Retention and Deletion

6.1 Active Accounts

While your account is active, we retain your data to provide our services. Booking and payment records are retained for at least 7 years for tax and legal compliance purposes.

6.2 Google Business Profile Disconnection

When you disconnect your Google Business Profile from Asteri, we immediately and permanently delete all cached reviews, posts, performance insights, business location data, review request history, and OAuth tokens.

6.3 Account Deletion

If you delete your Asteri account, all data is permanently deleted within 30 days, except where retention is required by law.

6.4 End Customer Data

End Customer data is retained by the Business User’s organization. End Customers who wish to have their data deleted should contact the Service Provider directly. If unresponsive, contact us at privacy@getasteri.com.

7. Your Rights

You have the right to:

• Access: Request a copy of all data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Portability: Request a copy of your data in a portable, machine-readable format
• Disconnect: Remove any third-party integration at any time from Settings
• Revoke: Revoke Asteri's access to Google directly through your Google Account settings
• Opt-out: Opt out of non-essential communications at any time

To exercise any of these rights, contact us at privacy@getasteri.com. We will respond within 30 days.

8. Third-Party Services

Our platform integrates with the following third-party services:

• Stripe: Payment processing. Stripe Privacy Policy
• Google Business Profile API: Business listing and review management. Google Privacy Policy
• Twilio: SMS messaging. Twilio Privacy Policy
• Resend: Email delivery. Resend Privacy Policy
• Cloudflare R2: File storage. Cloudflare Privacy Policy

9. Cookies and Tracking

We use essential cookies to maintain your session and preferences. We do not use third-party tracking or advertising cookies. For full details, see our Cookie Policy.

10. Children's Privacy

Asteri is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

11. Our Role as Data Processor

When Service Providers use the Asteri platform to collect and manage End Customer data, the Service Provider is the "data controller" and Asteri acts as a "data processor" on their behalf.

• The Service Provider determines why and how End Customer data is collected and used
• Asteri processes this data only as necessary to provide the platform’s features
• End Customers with questions about how their data is used should contact the Service Provider directly
• Service Providers are responsible for ensuring they have a lawful basis to collect and process their customers’ data

12. California Consumer Privacy Act (CCPA)

If you are a California resident, you have additional rights under the CCPA:

• Right to Know: Request disclosure of what personal information we have collected about you
• Right to Delete: Request deletion of your personal information, subject to legal exceptions
• Right to Opt-Out of Sale: We do not sell your personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, contact us at privacy@getasteri.com. We will respond within 45 days.

13. European Economic Area & United Kingdom (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

• Lawful Basis: We process your data based on contractual necessity (to provide the Service), legitimate interests (to improve the platform and prevent fraud), and your consent (where explicitly given)
• Right to Restriction: Request that we restrict processing of your personal data under certain conditions
• Right to Object: Object to processing of your personal data based on our legitimate interests
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
• Right to Lodge a Complaint: File a complaint with your local supervisory authority (data protection authority)
• Automated Decision-Making: Our AI-powered features (review response suggestions, floor inspection analysis, proposal generation) produce recommendations only. No solely automated decisions with legal or similarly significant effects are made without human review and approval

For GDPR-related inquiries, contact us at privacy@getasteri.com. We will respond within 30 days.

14. Do Not Track Signals

We do not currently respond to DNT browser signals. However, we do not use third-party tracking or advertising cookies.

15. Security Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users via email within 72 hours of confirming the breach
• Provide details about what information was affected and what steps we are taking
• Notify relevant regulatory authorities as required by applicable law
• Offer guidance on steps you can take to protect yourself

16. International Data Transfers

Our services are hosted in the United States. If you access the platform from outside the United States, your data will be transferred to and processed in the United States.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy and sending an email notification to registered users.

18. Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: privacy@getasteri.com

Address: 4503 Forge Road, Perry Hall, MD 21128

19. Google API Services User Data Policy

Asteri's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.