We collect data in three buckets, all triggered by your explicit actions:

Account identity

When you sign in at agent-northstar.com (Google OAuth or email), we receive your email address, a Google account ID (if applicable), and any profile fields you supply. This is stored in our Supabase database.

Editing-session content

When you open the side panel on a page and submit an instruction (e.g. “rewrite this CTA”), the extension sends our agent server:

• the URL of the page you have open;
• the part of the page’s DOM around the element you picked;
• a screenshot of the region you picked or dragged;
• your typed instruction text.

When you click Save & share, we additionally capture a full-page screenshot of the page using Chrome’s debugger API and persist the resulting prototype (your edits + screenshots) to an Amazon S3 bucket under your account.

Diagnostic events

We log API request metadata (timestamp, request type, error codes) on our agent server. We do not log page contents or DOM payloads in production telemetry. PostHog analytics on agent-northstar.com may record anonymous pageviews and clicks on the marketing site; the side panel itself does not call PostHog.

• Generate edits. Your editing-session content is sent to Anthropic (Claude) or OpenAI (GPT) — your choice in the side panel settings — to generate the DOM patches that satisfy your instruction. These providers process the data under their own privacy policies and do not retain it for training when accessed via our API keys.
• Render share previews. Saved prototypes are served from S3 when teammates open the share URL you give them.
• Operate the product. Account identity is used to authenticate API calls and to scope your saved prototypes to your account.

• We do not sell your data, share it with advertisers, or use it for targeted marketing.
• We do not run the extension in the background. The content script does not transmit page data unless you open the side panel and submit an instruction.
• We do not collect keystrokes, form-field contents, passwords, or financial data.
• We do not use editing-session content to train our own models.

We retain your account identity and saved prototypes for the lifetime of your account. The agent server keeps request-level diagnostic logs for 30 days for debugging, then deletes them.

You can request deletion of your account and all associated prototypes once we publish our company contact channel (see Contact below). We will action requests within 14 days of receipt.

NorthStar AI is not intended for users under 16. We do not knowingly collect data from children.

We will update this policy as the product evolves. The effective date at the top reflects the current revision. Material changes will be announced via the extension’s update notes.

We will publish a dedicated contact channel once our company domain is configured. Until then, please reach out via agent-northstar.com. This page will be updated as soon as the channel is live.