Privacy Policy

Last Updated: 2026-02-05

Effective Date: 2026-02-05

1. Introduction

Uovo Labs Oy ("we," "our," "us" or "Northstar") provides Northstar OKR (Objectives and Key Results) management services. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password (encrypted)
  • Profile Information: First name, last name, avatar image
  • Organization Data: Organization name, domain, team memberships
  • OKR Data: Objectives, key results, progress updates, comments

2.2 Information We Collect Automatically

  • Usage Data: How you interact with our services
  • Technical Data: IP address, browser type, device information
  • Session Data: Login sessions, authentication tokens
  • Service Analytics / Telemetry Data (server-side): Performance metrics, feature usage, and diagnostic data to help us maintain and improve the Services

2.3 Information from Third Parties

  • OAuth Providers: Google, Microsoft, Apple (when you choose to sign in with these services)
  • Organization Administrators: When you're invited to join an organization

3. How We Use Your Information

We use your personal information to:

  • Provide Services: Deliver OKR management functionality
  • Authentication: Verify your identity and manage access
  • Communication: Send service-related notifications
  • Service Improvement and Internal Analytics: Understand usage at a high level, diagnose issues, plan capacity, measure performance, and improve the Services
  • Security: Protect against fraud and unauthorized access
  • Compliance: Meet legal and regulatory requirements

We do not use third-party analytics on our website. We do not use analytics cookies, local storage identifiers, fingerprinting, or similar technologies for analytics purposes. Where feasible, we use aggregated and/or de-identified statistics to reduce privacy impact.

4. Legal Basis for Processing

We process your personal information based on:

  • Contract Performance: To provide the services you've requested
  • Legitimate Interest: To operate, secure, maintain, and improve the Services (including internal analytics and telemetry), prevent abuse, and ensure reliability
  • Consent: Only where required by law for optional features (for example, if we introduce non-essential cookies or marketing communications)
  • Legal Obligation: To comply with applicable laws

Where processing is based on legitimate interests, you may have the right to object. To submit an objection, contact us at support@northstarokr.app.

5. Information Sharing

We do not sell your personal information. We may share information with:

  • Your Organization: Other members of your organization (as controlled by your organization's administrator)
  • Service Providers: Trusted third parties who help us operate our services (under strict data protection agreements)
  • Legal Requirements: When required by law or to protect our rights

We use European service providers: Scaleway (hosting), Paddle (payments), Mistral AI (AI features). Your data stays in Europe and is managed by European companies.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption: Data encrypted in transit and at rest
  • Access Controls: Limited access to authorized personnel only
  • Regular Audits: Security assessments and monitoring
  • Secure Infrastructure: Industry-standard security practices

7. Data Retention

We retain your personal information for as long as:

  • Your account is active
  • Required to provide our services
  • Required by law
  • Necessary for legitimate business purposes

When you delete your account, we will delete your personal information within 30 days, except where we're required to retain it for legal reasons.

8. Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal information
  • Rectification: Correct inaccurate information
  • Erasure: Request deletion of your personal information
  • Portability: Receive your data in a structured format
  • Restriction: Limit how we process your information
  • Objection: Object to certain processing activities
  • Withdraw Consent: Withdraw consent for optional processing

To exercise these rights, contact us at support@northstarokr.app or use the settings in your account.

9. International Transfers

We do not transfer or process your personal data outside the European Union (EU). Our core systems and the service providers we use to operate the Services are located in the EU.

Payment processing is handled by Paddle. When you make a purchase, payment and billing-related information is processed by Paddle in the UK in accordance with Paddle's privacy practices.

If you choose to connect or sign in using third-party OAuth providers listed in Section 2.3, those providers may process personal data in accordance with their own privacy policies, including in countries outside the EU/UK/EEA. Such processing is carried out by the third-party provider as an independent controller and is governed by their policies, not ours.

10. Cookies and Tracking (Essential Only)

We only use essential cookies and similar technologies that are necessary for our Services to function:

  • Authentication: Remember your login status
  • Security: Protect against fraud and unauthorized access
  • Session Management: Keep you logged in during your session
  • Preferences: Remember your language and region settings

Essential cookies cannot be disabled because they are required for basic functionality like login and secure access. We do not use analytics or marketing cookies.

11. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect personal information from children under 16.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our services.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: support@northstarokr.app

Your Data Rights Under GDPR (Data Subject Rights Notice)

1. Your Rights Overview

Under the General Data Protection Regulation (GDPR), you have several important rights regarding your personal data. This notice explains these rights and how to exercise them.

2. Your Rights

2.1 Right of Access (Article 15)

What it means: You can request a copy of all personal data we hold about you.

What you can request:

  • Confirmation that we process your personal data
  • What personal data we process
  • Why we process it and our legal basis
  • Who we share it with
  • How long we keep it
  • Your other rights under GDPR

How to exercise: Contact us at support@northstarokr.app.

2.2 Right to Rectification (Article 16)

What it means: You can ask us to correct inaccurate or incomplete personal data.

What you can request:

  • Correct spelling errors in your name or email
  • Update your contact information
  • Fix any other inaccurate information
  • Complete incomplete data

How to exercise: Update your information in your account settings or contact us directly.

2.3 Right to Erasure ("Right to be Forgotten") (Article 17)

What it means: You can request deletion of your personal data in certain circumstances.

When you can request deletion:

  • Your data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • Your data has been processed unlawfully
  • You object to processing and there are no overriding legitimate grounds

Limitations: We may not be able to delete data if:

  • We need it for legal compliance
  • It's necessary for legal claims
  • It's required for public interest reasons

How to exercise: Use the "Delete Account" feature or contact us at support@northstarokr.app.

2.4 Right to Restrict Processing (Article 18)

What it means: You can limit how we process your personal data.

When you can request restriction:

  • You contest the accuracy of your data
  • Processing is unlawful but you don't want deletion
  • We no longer need the data but you need it for legal claims
  • You object to processing and we're considering your objection

How to exercise: Contact us at support@northstarokr.app with your specific request.

2.5 Right to Data Portability (Article 20)

What it means: You can receive your personal data in a structured, commonly used format.

What you can request:

  • Your data in a machine-readable format (JSON, CSV, etc.)
  • Direct transfer to another service (where technically feasible)
  • Only data you provided or that was generated by your use of our services

How to exercise: Contact us at support@northstarokr.app with your specific request.

2.6 Right to Object (Article 21)

What it means: You can object to certain types of processing.

When you can object:

  • Processing based on legitimate interests
  • Direct marketing
  • Processing for research or statistics

How to exercise: Contact us at support@northstarokr.app.

2.7 Rights Related to Automated Decision-Making (Article 22)

What it means: You have rights regarding decisions made solely by automated means.

Your rights:

  • Not to be subject to automated decision-making that significantly affects you
  • Human review of automated decisions
  • Explanation of automated decision-making logic

Our commitment: We do not currently use automated decision-making that significantly affects individuals.

3. How to Exercise Your Rights

3.1 Online Methods

  • Account Settings: Many rights can be exercised through your account settings
  • Data Export: Use the "Export My Data" feature
  • Account Deletion: Use the "Delete Account" feature
  • Privacy Settings: Adjust your privacy preferences

3.2 Contact Methods

  • Email: support@northstarokr.app

3.3 What to Include in Your Request

  • Your full name and email address
  • Specific right you want to exercise
  • Any relevant details or context
  • Preferred response method

4. Response Times

4.1 Standard Response

  • Access Requests: Within 1 month (can be extended by 2 months for complex requests)
  • Other Requests: Within 1 month
  • Urgent Requests: We'll respond as quickly as possible

4.2 Verification

  • We may need to verify your identity before processing requests
  • This helps protect your data from unauthorized access
  • We'll use the least intrusive verification method possible

5. Fees and Charges

5.1 Free Requests

  • Most requests are free of charge
  • We don't charge for standard data subject requests

5.2 Excessive Requests

  • We may charge a reasonable fee for excessive or repetitive requests
  • We'll explain any charges before processing
  • You can appeal any fee decisions

6. Complaints and Appeals

6.1 Internal Appeals

  • If you're not satisfied with our response, you can appeal
  • Contact our Data Protection Officer at support@northstarokr.app
  • We'll review your appeal within 30 days

6.2 Supervisory Authority

  • You can complain to your local data protection authority
  • In the EU: Your local data protection authority
  • We'll cooperate with any official investigations

7. Special Circumstances

7.1 Third-Party Requests

  • We don't process requests from third parties without proper authorization
  • Legal representatives must provide appropriate documentation
  • We'll verify authorization before processing

8. Data Breach Notifications

8.1 Our Obligations

  • We'll notify you of data breaches that may affect you
  • Notification will be within 72 hours after the confirmation of the data breach
  • We'll explain what happened and what we're doing about it

8.2 Your Actions

  • Change your password if you suspect unauthorized access
  • Monitor your account for unusual activity
  • Contact us immediately if you notice anything suspicious

9. Contact Information

Email: support@northstarokr.app