WebSTAR Privacy Policy
Updated February 23, 2026
WebSTAR Inc. ("WebSTAR," "we," "us," or "our"), a company incorporated in Ontario, Canada, respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how WebSTAR collects, uses, and shares your personal data when you use the WebSTAR website, application, and services (collectively, the "Service").
We process data in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL) for Canadian users, the General Data Protection Regulation (GDPR) and EU Artificial Intelligence Act (Regulation 2024/1689) for European users, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents, and all other applicable data protection laws.
We treat any data that relates to an identified or identifiable individual as "personal data," no matter where the individual lives. Aggregated data is considered non-personal data. If we combine aggregated data with personal data, the combined data will be treated as personal data for as long as it remains combined.
Data You Provide
When you create an account, use the Service, or participate in a quiz or AI-assisted interaction, we may collect:
- Account & identity data — name, username, email, password (hashed — we never store plaintext passwords), profile picture, display name, and biographical information.
- Social login data — if you authenticate via Google or another third-party provider, we receive limited profile information (name, email, profile image) as authorized by you. We do not receive or store your third-party password.
- Portfolio & profile content — work samples, project descriptions, images, videos, audio, links, professional information, and profile configuration data.
- Quiz responses & Origin data — your answers to WebSTAR quizzes (including the "16 Origins" quiz), resulting Origin classification, scores, and quiz session identifiers used to link anonymous attempts with accounts created after completion.
- AI advisor interactions — messages, prompts, and queries you submit to the AI advisor, AI-generated responses, and context data the AI uses to personalize its responses.
- Technical & usage data — IP address, browser type, operating system, device type, screen resolution, time zone, pages visited, features used, click patterns, scroll depth, session duration, referral sources, error logs, and crash reports.
- Transaction data — if you purchase a paid subscription, your payment method details are processed by Stripe. We receive a transaction identifier, subscription status, and billing history, but never store your full credit card number.
Data from Other Sources
- Authentication providers — when you sign in via Google or another OAuth provider, we receive profile data you have authorized for sharing.
- Payment processors — Stripe provides us with transaction status, subscription details, and limited payment method identifiers.
- Analytics services — we may receive aggregated, de-identified usage data from analytics tools.
We do not purchase personal data from data brokers. We do not receive data from advertising networks.
Providing & Operating the Service
- Creating and managing your account and profile.
- Displaying your portfolio and profile to visitors who access your link.
- Processing quiz responses and generating your Origin analysis.
- Powering and personalizing the AI advisor based on your Origin, portfolio, and interaction history.
- Processing payments and managing subscriptions.
Improving & Developing the Service
- Analyzing usage patterns to improve features, interface design, and performance.
- Training and improving the accuracy of the Origin quiz system using aggregated, de-identified quiz data.
- Conducting internal research and development.
Communicating with You
- Sending essential account notifications (password resets, security alerts, subscription confirmations).
- Responding to your support requests and feedback.
- Sending optional product updates and feature announcements (which you can opt out of at any time).
Safety, Security & Legal Compliance
- Detecting, preventing, and addressing fraud, security breaches, and violations of our Terms of Use.
- Complying with applicable laws, regulations, legal processes, and government requests.
- Enforcing our Terms of Use and other agreements.
We do not sell your personal data. We do not use your personal data for third-party advertising. We do not use your content to train general-purpose AI models for commercial distribution to third parties.
AI Advisor & Automated Decision-Making
The AI advisor reads your Origin quiz results, portfolio items, and prior conversations to provide contextual suggestions. Your personalization context is isolated to your account — the AI does not have access to data from other users. AI-generated responses are not stored or used to train models for other users.
Important: The AI advisor is a tool, not a professional advisor. It does not constitute legal, financial, career, medical, or psychological advice. AI-generated output may be inaccurate, incomplete, or inappropriate. You must evaluate all output for accuracy before acting on it. WebSTAR remains fully liable for all AI-generated information provided through the Service, consistent with Canadian law (see Moffatt v. Air Canada, 2024 BCCRT 149). However, you are solely responsible for decisions you make based on AI recommendations.
The Origin quiz uses algorithmic scoring to classify your responses into one of 16 Origin categories. This is a content personalization feature designed for professional self-discovery, not a legally significant automated decision. It is not a psychological assessment, clinical diagnostic tool, or scientifically validated personality test. It does not affect your access to services, pricing, eligibility, or rights. The quiz is not intended for use in employment, recruitment, hiring, promotion, or termination decisions. You may retake the quiz at any time. If you believe the system has produced an incorrect or harmful result, contact us at privacy@webstar.com.
EU AI Act Compliance
For users in the European Economic Area: WebSTAR's AI advisor and Origin quiz system are not classified as high-risk AI systems under Annex III of the EU Artificial Intelligence Act (Regulation 2024/1689). These tools are designed for personal professional development and content personalization only. They are not intended for, and must not be used for, employment recruitment, selection, promotion, task allocation, performance monitoring, or work-related contractual decisions. Any such use by third parties is strictly prohibited and violates these Terms.
WebSTAR does not sell your personal data and does not share it with third parties for their own marketing purposes.
Service Providers
We use third-party service providers who process data on our behalf. These providers are contractually bound to use your data only for the purposes we specify and to maintain appropriate security measures:
- Cloud hosting & infrastructure — for storing and serving your data securely.
- Payment processing — Stripe processes subscription payments under their own privacy policy.
- Email delivery — for sending transactional emails (verification, password reset).
- AI model providers — for powering the AI advisor. Prompts are sent with your data only when you use the AI feature.
Public Profile Content
When you create a public profile, the information you choose to make public is accessible to anyone with your profile link. You control what is visible.
Legal Requirements & Business Transfers
We may disclose personal data if reasonably necessary to: (a) comply with a law, regulation, legal process, or government request; (b) enforce our Terms of Use; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of WebSTAR, our users, or the public. If WebSTAR is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
Security Measures
- Encryption in transit — TLS 1.2 or higher for all data transmissions.
- Encryption at rest — AES-256 encryption for stored data.
- Password security — bcrypt hashing; never stored in plaintext.
- Access controls — restricted to authorized personnel on a need-to-know basis.
- Infrastructure security — SOC 2-compliant data centers with physical security controls.
- Monitoring — continuous monitoring for unauthorized access and security incidents.
No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but are committed to promptly addressing any security incident.
Cookies
We use only essential cookies: authentication cookies (maintain your session), security cookies (CSRF protection), and preference cookies (theme settings). We do not use third-party advertising cookies, tracking pixels, retargeting cookies, cross-site tracking, or fingerprinting. Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR.
All Users
- Access — request a copy of the personal data we hold about you.
- Correction — update or correct inaccurate data via account settings or by contacting us.
- Deletion — delete your account and all associated data from Settings, or by contacting us.
- Portability — request a machine-readable export of your personal data.
- Opt out — unsubscribe from non-essential communications at any time.
European Economic Area (GDPR)
If you reside in the EEA, you additionally have the right to: restrict processing, object to processing, withdraw consent at any time, and lodge a complaint with your local data protection authority. Our legal bases: contract performance, legitimate interests, consent, and legal obligation.
Canada (PIPEDA & CASL)
Canadian users in all provinces and territories have the right to access and correct their personal data, withdraw consent to collection, use, or disclosure, and challenge compliance with PIPEDA. WebSTAR complies with Canada's Anti-Spam Legislation (CASL): we obtain meaningful consent before sending commercial electronic messages, provide clear identification and unsubscribe mechanisms in all marketing communications, and do not use address-harvesting techniques. To exercise your rights or file a complaint, contact privacy@webstar.com or the Office of the Privacy Commissioner of Canada.
United States
California residents (CCPA/CPRA) have the right to: know what data is collected, request deletion, opt out of the sale of personal data (we do not sell personal data), and not be discriminated against for exercising privacy rights. Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with applicable privacy laws have similar rights, including access, correction, deletion, and opt-out of targeted advertising and profiling. To exercise your rights, email privacy@webstar.com. We will respond within 45 days (or as required by your state law).
Australia
Australian users have rights under the Privacy Act 1988 including access to personal information, correction of inaccurate data, and the right to complain to the Office of the Australian Information Commissioner (OAIC). In the event of a data breach likely to result in serious harm, we will notify affected individuals and the OAIC as required by the Notifiable Data Breaches scheme.
Brazil (LGPD)
Brazilian users have rights under the Lei Geral de Proteção de Dados (LGPD) including confirmation of processing, access, correction, anonymization, deletion, portability, and the right to revoke consent. You may contact the Brazilian National Data Protection Authority (ANPD) if you believe your rights have been violated.
Japan
Japanese users have rights under the Act on Protection of Personal Information (APPI) including disclosure, correction, suspension of use, and deletion of personal data. You may contact the Personal Information Protection Commission if you have concerns about our data handling practices.
South Korea
South Korean users have rights under the Personal Information Protection Act (PIPA) including access, correction, deletion, suspension of processing, and the right to request destruction of personal information. You may contact the Personal Information Protection Commission or Korea Internet & Security Agency (KISA) for complaints.
Singapore
Singapore users have rights under the Personal Data Protection Act (PDPA) including access and correction of personal data. You may contact the Personal Data Protection Commission (PDPC) if you believe your rights have been violated.
India
Indian users have rights under the Digital Personal Data Protection Act 2023 (DPDPA) including access, correction, deletion, and grievance redressal. You may contact the Data Protection Board of India for complaints.
New Zealand
New Zealand users have rights under the Privacy Act 2020 including access, correction, and the right to complain to the Privacy Commissioner. We comply with the New Zealand Privacy Principles.
United Arab Emirates
Users in the UAE (including DIFC and ADGM free zones) have rights under applicable data protection laws including access, correction, and deletion of personal data.
South Africa
South African users have rights under the Protection of Personal Information Act (POPIA) including access, correction, deletion, and objection to processing. You may contact the Information Regulator for complaints.
Israel
Israeli users have rights under the Privacy Protection Law including access, correction, and deletion of personal data. You may contact the Privacy Protection Authority for complaints.
Mexico
Mexican users have ARCO rights (Access, Rectification, Cancellation, and Opposition) under the Federal Law on Protection of Personal Data Held by Private Parties. Contact privacy@webstar.com to exercise these rights.
Argentina
Argentine users have rights under the Personal Data Protection Act including access, rectification, deletion, and the right to file complaints with the National Directorate for Personal Data Protection (DNPDP).
Other Jurisdictions
If you access the Service from a jurisdiction not explicitly mentioned above, we will process your personal data in accordance with the principles set forth in this Privacy Policy and applicable local law. We respect your fundamental privacy rights regardless of your location. You may contact us at privacy@webstar.com to understand how your local data protection laws apply to your use of the Service and to exercise any rights available to you under local law.
Data Retention
- Account data — retained for the lifetime of your account; permanently deleted within 30 days of account deletion.
- Portfolio content — deleted when you remove items or delete your account.
- Quiz responses — retained while your account is active. Anonymous sessions expire after 90 days.
- AI conversation history — deleted upon account deletion.
- Transaction records — retained for 7 years as required by financial regulations.
- Server logs — retained for 90 days, then automatically purged.
When data is deleted, it is permanently removed from our active systems and backups within 30 days.
Children
WebSTAR is not intended for users under 16. We do not knowingly collect data from children under 16. If you are a parent or guardian and believe your child has provided data to WebSTAR, contact privacy@webstar.com and we will promptly delete it.
WebSTAR is based in Toronto, Ontario, Canada. Your personal data is stored and processed in Canada and may be transferred to service providers in other jurisdictions (including the United States and European Union) as necessary to operate the Service. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms under GDPR. You may request a copy by contacting privacy@webstar.com.
We communicate our privacy and security guidelines to all WebSTAR personnel and enforce safeguards throughout the company. We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service at least 30 days before changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.
If you have questions about this Privacy Policy, would like to exercise your privacy rights, or would like to file a complaint, contact us:
Email: privacy@webstar.com
Address: WebSTAR Inc., Toronto, Ontario, Canada
Regulatory Authorities
You have the right to lodge a complaint with the relevant data protection or privacy authority in your jurisdiction:
- Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca) or Ontario's Information and Privacy Commissioner (ipc.on.ca)
- EEA: Your local data protection supervisory authority
- UK: Information Commissioner's Office (ICO) (ico.org.uk)
- Australia: Office of the Australian Information Commissioner (OAIC) (oaic.gov.au)
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) (gov.br/anpd)
- Japan: Personal Information Protection Commission (ppc.go.jp)
- South Korea: Personal Information Protection Commission or KISA (pipc.go.kr)
- Singapore: Personal Data Protection Commission (PDPC) (pdpc.gov.sg)
- New Zealand: Privacy Commissioner (privacy.org.nz)
- South Africa: Information Regulator (inforegulator.org.za)
- Israel: Privacy Protection Authority (gov.il)