Privacy Policy

Last updated: 8 April 2026 · Effective date: 8 April 2026

Version 2.0 — Compliant with UK GDPR, Data Protection Act 2018, and PECR

Data Encrypted

TLS 1.2+ in transit, AES-256 at rest

Transparent

Specific PII listing for every data category

Minimal Data

We only collect what is strictly necessary

UK GDPR Compliant

Full data subject rights honoured

Active Opt-In Cookies

Non-essential cookies require your consent

No Data Sales

We never sell, rent, or trade your data

1. Data Controller

Company: TalaStar Digital Ltd

Registration: Company No. 17060305, registered in England and Wales

Registered Office: Goldington Estate, Pancras Road, King's Cross, London, NW1 1UH

Data Protection Contact: [email protected]

Supervisory Authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, SK9 5AF

TalaStar Digital Ltd (“we”, “us”, “our”) is the data controller responsible for your personal data processed through this website (www.talastar.digital) and any associated services. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

2. Personal Data We Collect

We collect and process the following categories of Personally Identifiable Information (PII):

2.1 Account and Identity Data

  • Full name (as provided during registration)
  • Email address
  • Authentication identifiers (OAuth tokens, session IDs)
  • User role and account status

2.2 Financial and Transaction Data

  • Stripe customer ID and subscription ID (we do not store full card numbers, CVV, or card expiration dates)
  • Payment intent IDs and invoice references
  • Donation amounts, currency, and campaign references
  • Trial subscription status and expiry dates

2.3 Technical and Usage Data

  • IP address (anonymised where possible)
  • Browser type and version
  • Device type and operating system
  • Pages visited, time spent, and navigation paths
  • Referring URL and exit pages

2.4 MoneyGuard™ Concept Data (Future Product)

Note: MoneyGuard™ is currently a technology concept under development. The following describes data that may be processed if and when the product becomes operational.

  • Transaction metadata (merchant name, category, amount, date) — not raw bank data
  • Subscription detection patterns (anonymised and aggregated)
  • User-configured alert preferences and card control settings
  • Caregiver-linked account references (with explicit consent only)

2.5 Data We Do NOT Collect

  • Full credit or debit card numbers
  • Card CVV or security codes
  • Bank account login credentials
  • Health or medical records (unless explicitly provided for research participation with separate consent)
  • Biometric data
  • Raw webhook payloads or API keys

3. Lawful Basis for Processing

Under Article 6 of the UK GDPR, we process your personal data on the following lawful bases:

Purpose | Lawful Basis | Reference
Account creation and authentication | Contractual necessity | Art. 6(1)(b)
Processing payments and donations | Contractual necessity | Art. 6(1)(b)
Fraud prevention and security | Legitimate interest | Art. 6(1)(f)
Analytics and service improvement | Legitimate interest | Art. 6(1)(f)
Marketing communications | Consent | Art. 6(1)(a)
MoneyGuard™ transaction monitoring (future) | Consent + Contractual necessity | Art. 6(1)(a) + (b)
Legal compliance and regulatory obligations | Legal obligation | Art. 6(1)(c)
SMS/WhatsApp alerts (if applicable) | Consent (PECR Reg. 22) | Art. 6(1)(a) + PECR

4. Electronic Communications (PECR Compliance)

In compliance with the Privacy and Electronic Communications Regulations 2003 (PECR), we observe the following:

  • Cookies: We use cookies only with your active, informed consent. You may accept or reject all non-essential cookies via our cookie consent banner. See our Cookie Policy for details.
  • Marketing emails: We will only send marketing communications where you have provided explicit opt-in consent. You may withdraw consent at any time via the unsubscribe link in any email.
  • SMS/WhatsApp notifications: If MoneyGuard™ or any future service sends automated SMS or WhatsApp alerts, the legal basis for processing will be either explicit consent or contractual necessity. You may opt out at any time.
  • Automated decision-making: Any AI-assisted features (including MoneyGuard™ subscription detection) use indicative models only. No automated decisions with legal or similarly significant effects are made without human oversight.

5. Data Sharing and Third Parties

We share personal data only with the following categories of recipients, and only to the extent necessary:

Stripe, Inc.

Purpose: Payment processing · Location: USA (EU-US Data Privacy Framework)

Safeguard: Standard Contractual Clauses (SCCs) + PCI-DSS Level 1

Hosting Provider

Purpose: Website hosting and authentication · Location: USA/EU

Safeguard: Standard Contractual Clauses (SCCs)

Analytics providers

Purpose: Anonymised usage analytics · Location: EU/UK

Safeguard: Data anonymisation

Law enforcement

Purpose: Where required by law or court order · Location: UK

Safeguard: Legal obligation (Art. 6(1)(c))

Irrevocable Data Sanctity Pledge

TalaStar Digital Ltd never sells, rents, trades, or monetises your personal data to any third party for any purpose — including marketing, advertising, profiling, or data brokerage. This is not merely a policy; it is a foundational principle of our company. We treat the data of every user as a sacred trust. We shall never “harvest” human information for profit, as this violates the dignity of the person. This commitment is irrevocable and applies to all data categories, in all jurisdictions, for all time.

6. International Data Transfers

Some of our service providers are located outside the United Kingdom and the European Economic Area (EEA). Where personal data is transferred internationally, we ensure adequate protection through:

  • Adequacy decisions: Transfers to countries recognised by the UK Secretary of State as providing adequate data protection.
  • Standard Contractual Clauses (SCCs): EU/UK-approved contractual safeguards incorporated into our agreements with data processors.
  • Data Privacy Framework: For US-based processors certified under the EU-US Data Privacy Framework.

You may request a copy of the relevant safeguards by contacting [email protected].

7. Data Retention

Data Category | Retention Period
Account data | Duration of account + 12 months after deletion
Transaction/payment records | 7 years (UK tax and accounting requirements)
Donation records | 7 years (charity accounting requirements)
Analytics data | 26 months (anonymised after 90 days)
Marketing consent records | Duration of consent + 12 months
Cookie consent preferences | 12 months (then re-prompted)

8. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

Right of Access

Request a copy of the personal data we hold about you (Subject Access Request).

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data where there is no compelling reason for continued processing.

Right to Restrict Processing

Request that we limit how we use your data in certain circumstances.

Right to Data Portability

Receive your data in a structured, commonly used, machine-readable format.

Right to Object

Object to processing based on legitimate interests, including profiling and direct marketing.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent.

Right re: Automated Decisions

Not be subject to decisions based solely on automated processing that produce legal or significant effects.

To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month. If your request is complex, we may extend this by a further two months with notice.

Right to be Forgotten

You can submit a data deletion request directly through our website.

9. Data Processing Agreements (B2B)

Where TalaStar Digital Ltd acts as a data processor on behalf of a business client (for example, providing MoneyGuard™ technology to a financial institution), we will enter into a Data Processing Agreement (DPA) in accordance with Article 28 of the UK GDPR. This DPA will specify the subject matter, duration, nature, and purpose of processing, the types of personal data processed, and the obligations and rights of both parties.

Business clients may request a template DPA by contacting [email protected].

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Secure authentication via OAuth 2.0 with session management
  • Regular security reviews and vulnerability assessments
  • Access controls limiting data access to authorised personnel only
  • Stripe PCI-DSS Level 1 compliance for all payment processing

No system can guarantee absolute security. We are committed to promptly notifying affected individuals and the ICO within 72 hours of becoming aware of any personal data breach, as required by Article 33 of the UK GDPR.

11. Children’s Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact [email protected].

12. Data Protection Impact Assessments

TalaStar Digital Ltd operates a “Compliance by Design” framework. Before introducing any new feature, product, or data processing activity that is likely to result in a high risk to individuals’ rights and freedoms, we conduct a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the UK GDPR. This includes, but is not limited to, any MoneyGuard™ features involving transaction monitoring, behavioural analysis, or automated decision-making.

13. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: ico.org.uk

We encourage you to contact us first at [email protected] so we can attempt to resolve your concern directly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via a prominent notice on our website or by email where appropriate. The “Last updated” date at the top of this page indicates when the most recent revision was made.

Contact Us

For any privacy-related enquiries, data subject requests, or complaints:

Data Protection Contact: [email protected]

Legal Enquiries: [email protected]

General: [email protected]

TalaStar Digital Ltd · Registered in England and Wales · Company No. 17060305 · Goldington Estate, Pancras Road, King's Cross, London, NW1 1UH