Privacy Policy
- Effective date: 2026-06-19
- Last updated: 2026-06-18
- Version: 2
1. Introduction
This Privacy Policy explains how NorthStar AI S.R.L. ("NorthStar," "we," "us," or "our") collects, uses, discloses, and protects personal data when you use our software-as-a-service platform at ns-ai.io and related services (collectively, the "Platform").
We respect your privacy and are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), Romanian Law no. 190/2018 implementing GDPR, the EU-US Data Privacy Framework where applicable, Regulation (EU) 2024/1689 (the "EU AI Act"), and other applicable data protection laws.
Identity of the Controller:
NorthStar AI S.R.L.
Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N
Registered with the Romanian Trade Registry under RO54842326
Email: privacy@ns-ai.io
Website: https://ns-ai.io
Data Protection Contact:
For all privacy-related inquiries, requests, or complaints, please contact us at privacy@ns-ai.io. We have not designated a Data Protection Officer (DPO) as we do not currently meet the criteria under Article 37 GDPR. We will review this assessment annually.
| Controller | Data Protection Contact | Address |
|---|---|---|
| NORTH STAR AI S.R.L., a company registered in Romania, VAT RO54842326, with registered office at Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N, acting as data controller for the NorthStar Platform (ns-ai.io, app.ns-ai.io). | privacy@ns-ai.io | Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N |
2. Scope and Definitions
This Privacy Policy applies to personal data we process about:
- Account holders: individuals who register and create accounts on the Platform (typically employees of our business customers, designated administrators, or end users)
- Customer organization representatives: authorized personnel of business customers interacting with us in their professional capacity
- Candidates: individuals whose CVs and application materials are submitted to the Platform by our customers for use with the Recruitment Assistant digital employee
- Visitors: individuals who visit our website without creating an account
Throughout this Policy, terms such as "personal data," "processing," "controller," "processor," "data subject," and "special category data" have the meanings given in Article 4 GDPR.
3. Personal Data We Collect
We collect personal data in the following categories:
3.1 Account and Profile Data
When you create an account, we collect: full name, email address, professional title, organization name, language preferences, profile picture (optional), and account preferences.
3.2 Authentication Data
When you authenticate, we process: login credentials, multi-factor authentication tokens (if enabled), OAuth tokens (when you sign in via Microsoft Azure AD or Google), session identifiers, and authentication timestamps.
3.3 Customer Content Data
We process content that you or your organization upload to or generate within the Platform: documents and files uploaded to the Knowledge Base, prompts and conversations with digital employees, generated outputs (analyses, reports, recommendations), task-related content and attachments, and metadata associated with the above.
3.4 Recruitment Assistant Candidate Data
When customers use the Recruitment Assistant digital employee for recruitment workflows, we process candidate data on behalf of the customer, including: candidate name and contact information, CV content (employment history, education, skills), application materials, candidate scoring outputs (generated by the AI system as recommendations only), and interview-related information. See Section 13 (AI Features and Automated Decision-Making) for detailed information about how the Recruitment Assistant processes this data.
3.5 Communication Data
When you communicate with us, we process: email correspondence, support requests and ticket content, feedback submissions, and chat or message content within Platform-provided communication features.
3.6 Usage and Technical Data
When you use the Platform, we automatically collect: IP address (hashed in long-term storage), browser type and version, operating system and device characteristics, language preference, referring URL, pages and features accessed, timestamps of actions, and error and diagnostic logs.
3.7 Payment and Billing Data
For paid subscriptions: billing contact name and email, billing address, organization VAT number (CUI), invoice records, subscription tier and payment history. We do not store payment instrument data (credit card numbers, etc.) — this is processed directly by our payment processor Stripe in their PCI-DSS-scoped environment.
3.8 Cookie and Tracking Data
Limited cookie-based data as detailed in our Cookie Policy. We do not use advertising cookies, behavioral tracking, or cross-site profiling.
4. Sources of Personal Data
We collect personal data from the following sources:
Directly from you: when you register, configure your profile, communicate with us, upload content, or interact with the Platform.
From your organization: when you are invited to an account by your administrator, your basic profile information may be provided by your organization on your behalf.
From OAuth authentication providers: when you sign in via Microsoft Azure AD or Google, we receive identity information (name, email, organization tenant identifier) from these providers under their respective terms.
From your organization's customers and candidates: when your organization uses the Platform to process information about its own customers, candidates, or other third parties, we process such data on your organization's behalf.
From public registries and third-party data sources (see Section 7.2 below): when company verification is needed during onboarding, we may retrieve company information from public registries.
5. Legal Basis for Processing
We process personal data on the following legal bases under Article 6 GDPR:
- Creating and maintaining your account, providing the Platform, processing your transactions — Article 6(1)(b) — performance of contract
- Billing, invoicing, payment processing — Article 6(1)(b) — performance of contract + Article 6(1)(c) — legal obligation (Romanian fiscal law)
- Authentication and security (login, MFA, fraud detection) — Article 6(1)(b) — performance of contract + Article 6(1)(f) — legitimate interest in platform security
- Service improvement based on aggregated, non-identifying usage data — Article 6(1)(f) — legitimate interest
- Communications about service updates, security notices, billing — Article 6(1)(b) — performance of contract
- Marketing communications and promotional emails — Article 6(1)(a) — consent (opt-in required; you can withdraw at any time)
- Compliance with legal obligations (tax, accounting, AML, court orders) — Article 6(1)(c) — legal obligation
- Establishment, exercise, or defence of legal claims — Article 6(1)(f) — legitimate interest
- Aggregation of business operational data for analytics and product improvement (excluding special category data) — Article 6(1)(f) — legitimate interest; opt-out available
For special category data under Article 9 GDPR (typically encountered in Recruitment Assistant workflows), the legal basis is determined by our customer (the Controller), as detailed in Section 11 below. Aggregation of special category data for analytics requires explicit opt-in by the customer administrator.
Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment (LIA) to ensure our interests do not override your rights and freedoms. LIA documentation is available upon written request to privacy@ns-ai.io.
6. How We Use Your Data
We use personal data for the following purposes:
- Service delivery: providing platform functionality, generating AI-powered outputs requested by customers, processing tasks initiated by users
- Account management: creating and maintaining accounts, providing customer support, processing user requests
- Security and integrity: preventing fraud and abuse, detecting and responding to security incidents, enforcing our Terms of Service and Acceptable Use Policy
- Service improvement: analyzing aggregated usage patterns to improve platform features (subject to opt-out as described in Section 5)
- Compliance: meeting our legal obligations under applicable laws, including GDPR, AI Act, Romanian fiscal law, and tax authority requirements
- Communications: sending transactional notifications (security alerts, billing, account updates), and — only with your consent — marketing communications
- Legal protection: establishing, exercising, or defending legal claims; cooperating with regulators and law enforcement when required
7. Sharing of Personal Data
7.1 Sub-Processors
We engage third-party service providers ("sub-processors") who process personal data on our behalf under Article 28 GDPR. Sub-processors are bound by contracts that include the safeguards required by GDPR. The current list of sub-processors is:
| Provider | Purpose | Location | Transfer | Role |
|---|---|---|---|---|
| Supabase | Managed PostgreSQL database, authentication, and file storage for all Platform data | European Union (Frankfurt, Germany) | Intra-EU transfer | Sub-processor |
| Oblio | Invoice generation and integration with the Romanian ANAF e-Factura system | Romania (intra-EU) | Intra-EU transfer | Sub-processor |
| Termene.ro | Romanian company verification data from ONRC, including administrator and shareholder information | Romania | Intra-EU transfer | Data source |
| VIES | EU VAT number validation; company name and VAT-registered status | European Union | Intra-EU transfer | Data source |
| BNR | Currency exchange rates (no personal data) | Romania | N/A — no personal data | Data source |
| OpenRouter | AI model pricing metadata (no user data) | United States | N/A — no personal data | Data source |
| Google (YouTube Transcript API) | Public video transcript content when customers ingest YouTube URLs into their Knowledge Base | United States | N/A — public content | Data source |
| Cohere Inc. | AI re-ranking model used in Knowledge Base retrieval (semantic relevance scoring on text chunks) | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Vercel | Web application hosting and edge content delivery | United States (with EU edge locations) | Standard Contractual Clauses (SCC) | Sub-processor |
| Inngest | Workflow orchestration and background job processing | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Sentry | Error tracking and application performance monitoring | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Resend | Transactional email delivery (account notifications, password resets, billing alerts) | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Firecrawl | Web content extraction service used when customers ingest web pages into their Knowledge Base | United States | Standard Contractual Clauses (SCC) | Sub-processor |
| Anthropic, PBC | Large language model API (Claude) for AI processing of user-submitted prompts and content | United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
| OpenAI OpCo, LLC | Large language model API (GPT family) for AI processing of user-submitted prompts and content | United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
| Microsoft Azure AD | OAuth authentication for users signing in via Microsoft accounts | Customer tenant region (varies) with US backbone | EU-US Data Privacy Framework (DPF) | Sub-processor |
| Google OAuth | OAuth authentication for users signing in via Google accounts | United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
| Stripe | Subscription billing and payment processing. NorthStar does not store payment instrument data — Stripe handles this in PCI-DSS scope. | European Union and United States | EU-US Data Privacy Framework (DPF) | Sub-processor |
The current and authoritative list of sub-processors is also published at https://ns-ai.io/subprocessors and is updated when sub-processors are added, removed, or change. We will notify customers of material changes at least 30 days in advance, as required by our Data Processing Agreement.
7.2 Third-Party Data Sources
In addition to sub-processors, we obtain certain information from third-party data sources. These third parties do not process personal data on our behalf — instead, we retrieve information from them as independent sources:
- Termene.ro (RO) — Romanian company verification (ONRC data) — Company details; administrator and shareholder names
- VIES (European Commission) — EU VAT number validation — Company name, VAT-registered status
- BNR (National Bank of Romania) — Currency exchange rates — None (no personal data)
- OpenRouter Inc. — AI model pricing metadata — None (no user data)
- Google (YouTube Transcript API) — Knowledge Base content ingestion when a user submits a YouTube video URL — None (publicly available content)
For Termene.ro, we act as Controller for the personal data we receive. We rely on Article 14(5)(b) GDPR (disproportionate effort) regarding direct notification of company administrators referenced in the data. If you are an administrator or shareholder whose details appear in our records via Termene.ro and you wish to exercise your rights, please contact privacy@ns-ai.io.
7.3 Other Disclosures
We may share personal data with:
- Professional advisors: our auditors, lawyers, accountants, and insurers when necessary for the operation of our business
- Business transfers: in the event of a merger, acquisition, or sale of assets, with the same protections applying to the transferred data
- Legal and regulatory authorities: when required by law, court order, regulatory inquiry, or to defend our legal rights
7.4 No Sale of Personal Data
We do not sell, rent, or trade personal data to third parties for their independent commercial purposes. We do not use personal data for advertising or behavioral targeting.
8. International Transfers
Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For such transfers, we rely on:
EU-US Data Privacy Framework (DPF): where the sub-processor is certified under the EU-US Data Privacy Framework, transfers are made under the European Commission's adequacy decision (Implementing Decision (EU) 2023/1795). DPF certification can be verified at https://www.dataprivacyframework.gov/list.
Standard Contractual Clauses (SCCs): where DPF certification is not in place or has been suspended, we rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914), supplemented by:
- Transfer Impact Assessments (TIA) evaluating the legal environment of the recipient country
- Technical and organizational measures including encryption in transit (TLS 1.2+) and at rest (AES-256)
- Contractual safeguards such as no-training clauses, retention limits, and confidentiality obligations
You may request copies of relevant SCCs by contacting privacy@ns-ai.io.
9. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:
- Account data — Duration of subscription + 3 years after account closure (general statute of limitations under Romanian Civil Code Art. 2517)
- Acceptance records (ToS, Privacy Policy, AUP acceptance) — 3 years after account closure (pseudonymized upon erasure request — see Section 10)
- Consent records (marketing) — 3 years after consent withdrawal or account closure
- Customer Content (uploaded documents, conversations) — Duration of subscription + 90 days for export, then permanent deletion (30 additional days for backup rotation)
- Recruitment Assistant CV data — Processed in real-time during active screening sessions only; not persistently stored beyond session duration. Customer-side storage of outputs (scoring, recommendations) is configurable, with default retention of 90 days
- Audit logs — 90 days hot storage + 5 years archived storage
- Feedback submissions (closed/resolved) — 3 years post-resolution, then anonymized; anonymized records retained 5 additional years for operational records, then deleted
- Communications (support tickets, emails) — 3 years after last interaction
- Payment and billing data — 10 years (Romanian fiscal law requirement)
- Backups — Rolling 30-day backup retention; erased personal data is overwritten in the normal rotation cycle
When retention periods expire, we permanently delete or anonymize the data. Backups containing erased personal data are overwritten in the normal backup rotation cycle (up to 30 days).
10. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15): request a copy of the personal data we hold about you and information about how we process it.
Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
Right to erasure / "right to be forgotten" (Art. 17): request deletion of your personal data when the conditions in Article 17 apply. See Section 10.1 below for details on how erasure is handled for specific data categories.
Right to restriction of processing (Art. 18): request that we limit how we process your data in certain circumstances.
Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
Right to object (Art. 21): object to processing based on legitimate interest. For marketing communications, you have an absolute right to object.
Right to withdraw consent (Art. 7(3)): withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right not to be subject to solely automated decision-making (Art. 22): see Section 13 below for how this applies to AI features.
Right to lodge a complaint: with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — see Section 17.
To exercise any of these rights, contact us at privacy@ns-ai.io. We will respond within one month of receiving your request, as required by Article 12(3) GDPR. This period may be extended by up to two additional months for complex requests, in which case we will inform you of the extension and the reasons for it.
We may need to verify your identity before processing your request. For account holders, confirmation via your registered email address is generally sufficient. For other data subjects, we may request additional verification information.
These rights are exercised free of charge. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.
10.1 Erasure Handling for Specific Data Categories
When you exercise your right to erasure (Article 17 GDPR), the handling differs depending on the data category:
Account data: personal identifiers (name, email) are deleted or anonymized. Where retention is required by law (e.g., fiscal records under Romanian law), only the minimum necessary data is retained for the legally required period.
Feedback submissions you have made: personal identifiers (your name, email, user reference) are permanently removed. The substantive content of your submission is anonymized through replacement with placeholder text. Attachments you have uploaded are permanently deleted from our storage. Organizational metadata (submission date, category, resolution status) is retained for operational record-keeping under legitimate interest (Article 6(1)(f) GDPR) and Article 17(3)(b) GDPR derogation. Staff responses and internal notes constitute separate expressions by NorthStar personnel and are not subject to your erasure right.
Acceptance records (your historical acceptances of Terms, Privacy Policy, AUP): personal identifiers are pseudonymized; non-identifying metadata (document version, date of acceptance, method) is retained under Article 17(3)(e) GDPR (establishment, exercise, or defence of legal claims) for the full retention period, enabling us to demonstrate the legal basis for our processing.
Consent records (marketing): pseudonymized; the consent event metadata (timestamp, source, scope) is retained as proof of consent history under Article 7(1) GDPR demonstration requirement.
Recruitment Assistant outputs: scoring and ranking records generated for candidates can be deleted by the customer organization through their administrative controls. Where you are a candidate and wish to exercise your rights regarding screening outputs about you, please contact the customer organization that initiated the screening (acting as Controller); NorthStar will assist that customer in fulfilling your request.
Backups: backups containing erased personal data are overwritten in the normal backup rotation cycle (up to 30 days). We do not proactively purge backups before the rotation cycle completes.
11. Special Category Data (Article 9 GDPR)
Some platform features, particularly the Recruitment Assistant, may involve processing of special category personal data as defined in Article 9 GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or other sensitive characteristics that may incidentally appear in CVs or candidate materials).
Customer responsibility (Controller): when our customers submit candidate data, they act as Controllers under GDPR. The legal basis for processing special category data is determined by the customer, typically:
- Article 9(2)(b): processing necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment, social security, and social protection law
- Article 9(2)(a): explicit consent of the data subject
Customers must ensure they have a valid legal basis under Article 9 before submitting such data through the Platform.
NorthStar's role (Processor): we process special category data on behalf of the Customer (Controller). Our Data Processing Agreement defines our obligations.
Aggregation: aggregation of special category data for product improvement or analytics requires explicit opt-in by the customer administrator. By default, special category data is not included in any aggregated dataset.
Candidate rights: candidates whose CVs are processed by the Recruitment Assistant have rights under Articles 15-22 GDPR. To exercise these rights, candidates should first contact the customer organization that initiated the screening (acting as Controller). NorthStar will assist that customer in fulfilling such requests.
12. Children's Privacy
The Platform is intended for use by businesses and professionals. It is not directed at children under the age of 16 and we do not knowingly collect personal data from individuals under 16.
For Recruitment Assistant specifically: customers must not submit CVs of candidates under the age of 18 to the Platform. The Recruitment Assistant is not designed to process minors' data, and such submissions violate this Privacy Policy and our Acceptable Use Policy.
If we become aware that we have collected personal data from a minor in violation of this Policy, we will take prompt steps to delete such data. Parents or guardians who believe their child has provided us with personal data may contact us at privacy@ns-ai.io.
13. AI Features and Automated Decision-Making
NorthStar's Platform provides AI-powered digital employees that perform a variety of business workflows. AI processing is performed using third-party large language models from Anthropic (Claude) and OpenAI (GPT-family).
13.1 General AI Transparency
When you interact with a digital employee, you are interacting with an AI system. The Platform makes this clear through visible disclosures consistent with Article 50 of the EU AI Act.
AI-generated outputs are advisory in nature and may contain inaccuracies. We recommend that significant decisions based on AI outputs be reviewed by qualified personnel.
13.2 Recruitment Assistant — High-Risk AI System under Annex III pt. 4(a)
The Recruitment Assistant is a high-risk AI system under Annex III point 4(a) of the EU AI Act, as it is intended to be used for the recruitment or selection of natural persons, including CV analysis and candidate scoring.
Roles under the EU AI Act:
- NorthStar AI S.R.L. acts as Provider of the Recruitment Assistant under Article 16 of the EU AI Act. We are responsible for technical documentation, risk management, post-market monitoring, and conformity assessment.
- Customer organizations using the Recruitment Assistant act as Deployers under Article 26. Deployers are responsible for human oversight, candidate transparency, record-keeping, and ensuring non-discriminatory use.
Article 22 GDPR — No Solely Automated Decisions:
The Recruitment Assistant produces recommendations only. It does not make autonomous decisions with legal or similarly significant effects on candidates. Specifically:
- Scoring outputs are preliminary; final decisions on shortlisting, interviewing, hiring, or rejecting candidates are made by qualified human reviewers at the customer organization
- Customers are contractually required to ensure meaningful human review before any decision affecting candidates
- Candidates have the right to contest AI-assisted decisions and request human review by contacting the customer organization
Candidate transparency: customer organizations using the Recruitment Assistant are required by our Acceptable Use Policy to inform candidates that their CVs will be processed by an AI system, in accordance with Article 13 GDPR and Article 50 EU AI Act.
Prohibited uses: the Recruitment Assistant must not be used to discriminate against candidates based on protected characteristics (race, ethnicity, gender, age, disability, religion, sexual orientation, or other characteristics protected by applicable law). Customers must not submit CVs of candidates under the age of 18.
13.3 No Training on Customer Data
We do not use Customer Data to train AI models. Our use of Anthropic and OpenAI APIs is governed by their respective Commercial Terms and Data Processing Addenda, which contractually prohibit the use of Customer Data for AI model training. Default API retention periods are 7 days for Anthropic and 30 days for OpenAI (for abuse monitoring), after which the data is deleted from the providers' systems.
14. Cookies
We use cookies and similar technologies as detailed in our Cookie Policy. In summary:
- Strictly necessary cookies (authentication, session management, multi-tenant routing, CSRF protection) — set without consent as they are essential for the Platform to function
- Functional cookies (language preference, UI preferences) — set only with your consent
- Analytics — we use privacy-friendly analytics that do not require cookies or persistent identifiers
- No advertising, behavioral targeting, or cross-site tracking cookies
You can manage cookie preferences at any time via the Cookie Settings link in our website footer.
15. Security
We implement technical and organizational measures appropriate to the risk of processing, including:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access controls: role-based access control (RBAC), multi-tenant isolation via row-level security (RLS), multi-factor authentication for administrators
- Authentication: secure authentication via Supabase Auth, with optional MFA and OAuth integration with Microsoft Azure AD and Google
- Monitoring: continuous error and performance monitoring; audit logs for sensitive actions
- Network security: infrastructure security via Vercel and Supabase, both providers with established security certifications
- Vendor management: sub-processor agreements with contractual security obligations; periodic review of sub-processor security posture
- Incident response: documented procedures for detecting, responding to, and reporting personal data breaches in accordance with Articles 33 and 34 GDPR
Despite our efforts, no security measures are completely impervious. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the competent supervisory authority in accordance with applicable law.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be effective upon publication of the updated version at ns-ai.io/privacy.
Material changes — including changes to: the categories of data we collect, the purposes for which we process data, our sub-processors list, international transfer arrangements, or your rights — will be notified to active account holders at least 30 days in advance by email and via in-application notification. Where required, we will request your renewed acknowledgment.
Minor changes — including typographical corrections, clarifications without changing meaning, and updates to contact information — may be made without prior notice but will be reflected in the version history at the top of this Policy.
You can view the version history and previous versions of this Policy by contacting privacy@ns-ai.io.
17. Contact and Complaints
17.1 Contact Us
For any questions about this Privacy Policy or to exercise your rights, contact us at:
NorthStar AI S.R.L.
Email: privacy@ns-ai.io
General inquiries: contact@ns-ai.io
Postal address: Sat Ghionea, Comuna Ulmi, Jud. Giurgiu, cf 747 N
17.2 Lodge a Complaint
If you believe that our processing of your personal data does not comply with applicable data protection laws, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, București, 010336, România
Email: anspdcp@dataprotection.ro
Phone: +40.318.059.211 / +40.318.059.212
Website: https://www.dataprotection.ro
You also have the right to lodge a complaint with the supervisory authority in your habitual residence, place of work, or place of the alleged infringement.
You may also seek a judicial remedy in accordance with Article 79 GDPR.
This Privacy Policy is published in English as the authoritative version. A Romanian translation is available at ns-ai.io/privacy?lang=ro. In case of any discrepancy between the language versions, the English version prevails for legal interpretation, except where Romanian law requires otherwise (e.g., consumer protection contexts).