Legal

Privacy Policy

Effective date: 22 May 2026 · Version 1.0 (interim) · Last reviewed: 22 May 2026

This is an interim policy published while a qualified data-protection lawyer finalises the long-form version. The data flows, sub-processors, and retention windows described below are accurate as of the date above. Material changes will be announced on this page with a new version number.

1. Who we are

StarX (the "Service", accessible at starxvip.com) is a members-only concierge catalogue operated for an international audience. For the purposes of the EU General Data Protection Regulation (GDPR) and Thailand's Personal Data Protection Act (PDPA), the operator of the Service is the data controller.

Privacy questions and data-subject requests: [email protected].

2. What we collect

Category	Examples	Why
Account data	Email, hashed password, display name, OAuth identifier from Google or LINE (if you sign in that way)	Authentication, session management
Booking data	Your name, requested date/time, duration, contact channel (phone, LINE, email), free-text notes	Fulfilling reservation requests you submit
Visit analytics	Hashed IP address (SHA-256), country, language, page path, user-agent string, referrer (gated on cookie consent in the EU)	Aggregate traffic understanding, abuse detection
AI chat data (optional)	Messages you send to the in-site AI assistant, viewer-role (public / member), hashed IP, language	Generating replies, abuse prevention, quality review
Session cookies	`starx_session` (HTTP-only, strictly necessary), `__cf_bm` (Cloudflare bot management)	Keeping you signed in, security

We do not collect special-category data (health, biometrics, race, religion) and do not knowingly process data of children under 18.

3. Lawful basis (GDPR Art. 6)

Contract — for account, booking, and member-portal data: we need it to provide the Service you signed up for.
Consent — for non-essential analytics cookies and AI chat: you can withdraw at any time via the cookie banner or by contacting us.
Legitimate interest — for abuse prevention (hashed IP, rate-limiting): the impact is minimal and you can object.

4. Sub-processors

We use the following service providers under data-processing agreements:

Processor	Purpose	Region
Cloudflare, Inc.	Edge hosting (Workers, Pages), CDN, object storage (R2), DNS, bot management	Global (anycast); EU traffic served from EU PoPs
Neon Inc.	Managed PostgreSQL database (HTTP driver)	EU-Central (Frankfurt)
Anthropic, PBC	AI chat — primary LLM (Claude). Only when you use the in-site assistant.	United States
OpenAI, LLC	AI chat — fallback LLM (GPT). Only when Anthropic is unavailable.	United States
Google LLC	AI chat — second fallback (Gemini); OAuth sign-in if you choose Google	Global
LINE Corporation	OAuth sign-in if you choose LINE	Japan / Thailand

AI chat content is transmitted to the chosen LLM provider for the sole purpose of generating your reply. We do not authorise these providers to train models on your messages. Each provider's own privacy notice applies to their processing: Anthropic, OpenAI, Google.

5. International transfers

Some sub-processors are based outside the EEA / Thailand. We rely on Standard Contractual Clauses (EU SCCs) and equivalent safeguards under PDPA Section 28 for these transfers. A copy of the SCCs in effect for any specific transfer is available on request.

6. Retention

Account data: until you delete the account, then up to 30 days for backup expiry.
Booking records: 24 months after the booking date for accounting and dispute resolution.
Visit analytics: hashed IP rotated daily; aggregated rows retained 90 days.
AI conversation transcripts: 90 days from the last message, then permanently deleted by a scheduled job. Active conversations are kept alive while you keep chatting.
Session cookies: starx_session for 30 days from last use; __cf_bm per Cloudflare default (~30 min).

7. Your rights

Under GDPR and PDPA you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate data.
Erasure — ask us to delete your data (subject to legal retention obligations).
Restriction and objection — pause or object to certain processing.
Portability — receive your data in a machine-readable format.
Withdraw consent — at any time, with future effect.
Lodge a complaint — with your local data-protection authority (EU) or the PDPC (Thailand).

To exercise any of these rights, email [email protected]. We respond within 30 days.

8. Cookies and tracking

EU visitors see a consent banner on first visit. Strictly-necessary cookies (starx_session, security cookies) are set regardless. Analytics and AI chat are paused until you give consent. You can change your choice at any time via the cookie settings link in the footer.

9. Security

Passwords are stored as bcrypt hashes (cost factor 10). Session tokens are opaque random 256-bit values, hashed at rest. All traffic is TLS 1.2+ (HSTS enforced). The database connection is restricted by IP allow-list and uses TLS. Operational access requires hardware-key 2FA. We disclose data breaches affecting EU subjects to the relevant supervisory authority within 72 hours of awareness, per GDPR Art. 33.

10. Changes to this policy

Material changes will be announced on this page with a new version number. We may notify registered members by email if a change substantively affects their rights.

11. Contact

Privacy questions: [email protected]
General contact: [email protected]

This interim policy will be replaced by a lawyer-reviewed long-form version. If a discrepancy exists between this page and a future signed policy, the signed policy controls.