Your data, your rights
Privacy Policy
Last updated: 3 June 2026
This Privacy Policy explains how Sophie Stardust ("Sophie Stardust", "we", "us", "our") collects, uses, stores and shares personal data when you use this onboarding portal and the coaching, strategy and consulting services it supports (the "Service"). We act as a data controller for the personal data described below. Sophie Stardust is operated from the United Kingdom, and the policy is written to comply with the UK GDPR and the EU GDPR, and to address the core expectations of other major privacy regimes, including the Swiss FADP, the California Consumer Privacy Act (CCPA/CPRA), the Australian Privacy Act and the Canadian PIPEDA.
1. Who we are
The Service is operated by Sophie Stardust, trading as a sole trader in England. For any privacy question or request, or to exercise your rights, contact sophie@sophiestardust.com. If you are in the EU you may also contact us at the same address; we will appoint an EU representative on request where required.
2. What we collect
- Account & admin data: name, email address, password hash, authentication metadata, sign-in timestamps and IP address (for the admin dashboard).
- Onboarding form: first and last name, email, business name, years in business, website(s), social handles, the session type you booked, summary of your situation and goals, plus any notes you choose to share.
- Priority list form: name, email, preferred block size, project description.
- VIP application: name, email, business name, optional calendar link, proposed dates and notes.
- Billing data: handled by our invoicing provider. We hold the limited information needed to issue an invoice and meet our statutory record-keeping obligations; we do not store full card numbers.
- Support correspondence: messages you send us by email, and our replies.
We do not knowingly collect special category data (such as health, racial or political information) and ask you not to upload it in free-text fields. We do not knowingly collect data from children under 16; the Service is not directed at children.
3. How we use your data
- To prepare for, deliver and follow up on coaching, strategy and consulting sessions.
- To authenticate admin accounts and keep the portal secure.
- To process invoices and manage payments.
- To respond to enquiries from the priority list and VIP application forms.
- To send service emails (essential) and, where you have opted in, occasional updates.
- To prevent fraud and abuse and to enforce our Terms.
- To comply with legal, tax and accounting obligations.
4. Legal bases (UK / EU GDPR)
- Contract: to deliver the Services you have engaged us for (Art. 6(1)(b)).
- Legitimate interests: to respond to enquiries, keep the Service secure, prevent abuse, debug issues and run the business (Art. 6(1)(f)). We balance these interests against your rights.
- Consent: for optional analytics cookies and marketing emails. You can withdraw consent at any time (Art. 6(1)(a)).
- Legal obligation: for tax, accounting, fraud prevention and responding to lawful requests (Art. 6(1)(c)).
5. How long we keep it
- Active client records: kept for the duration of our engagement plus 2 years.
- Priority list entries: kept for up to 12 months from submission, then deleted.
- VIP applications that don't proceed: kept for up to 12 months, then deleted.
- Financial records: kept for 6 years to meet HMRC requirements.
After you ask us to delete your data, we remove it from production systems promptly and from encrypted backups within 90 days, except where we are legally required to keep it.
6. Who we share data with
- Lovable Cloud / Supabase — hosting of the onboarding portal, database, authentication and file storage.
- Cloudflare — infrastructure, security and content delivery.
- Resend — transactional and confirmation emails sent from sophiestardust.com.
- TidyCal — scheduling and booking time slots for sessions.
- Invoicing / accounting software — issuing invoices and keeping financial records.
- Professional advisers, regulators and law enforcement, where legally required.
We never sell your personal data and we do not share it for cross-context behavioural advertising.
7. International transfers
Some of our providers are located outside the UK and EEA, including in the United States. Where personal data is transferred internationally we rely on UK and EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision where one exists. You can request a copy of the relevant safeguards by emailing us.
8. Your rights
Depending on where you live, you may have the right to:
- Access a copy of your personal data.
- Correct inaccurate or incomplete data.
- Ask us to delete your data where there is no longer a lawful reason to keep it.
- Object to or restrict certain processing.
- Receive your data in a portable format.
- Withdraw analytics or marketing consent at any time.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
US residents (including California) may additionally request information about categories of personal data collected and shared, and may opt out of the "sale" or "sharing" of personal data, although we do not sell or share personal data as defined under those laws. To exercise any of these rights, email sophie@sophiestardust.com. We will respond within one calendar month.
9. Cookies and tracking
Essential cookies keep admin users signed in and remember your cookie preferences. Optional analytics cookies are only set after you accept them in the consent banner; you can change your choice at any time by clearing the ss-cookie-consent value in your browser or by emailing us. We do not use marketing or advertising cookies.
10. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, encryption at rest, scoped access controls and row-level security on databases. No system is perfectly secure; please use a strong unique password for the admin area and do not share your credentials.
11. Changes
We may update this policy as the Service evolves. Material changes will be flagged in-app or by email. The current version is always available at /privacy. Continued use of the Service after a change means you accept the updated policy.
12. Contact
Privacy questions or requests: sophie@sophiestardust.com.
