Legal Document

Privacy Policy

Effective date: April 18, 2026 · Modular Technology Solutions Pte Ltd, Singapore

Startup Staff is built by Modular Technology Solutions Pte Ltd ("we", "us", "our"). This policy explains what data we collect when you use Startup Staff, how we use it, and your rights over it. We have written this in plain language because we believe you deserve to understand how your data is handled.

01 — What we collect

We collect the minimum data required to operate the service:

Account data — your name, email address, and profile photo obtained from LinkedIn via OAuth when you sign in.
Configuration data — AI provider API keys you enter, provider endpoint URLs, preferred models, and per-staff model assignments. These are stored in our database associated with your account.
Customisation data — custom staff names, uploaded staff photos, and per-staff knowledge base content (URLs and documents you upload).
Usage data — session activity such as sign-in timestamps and feature usage patterns, collected for service improvement purposes.

We do not store your conversation history or the content of your queries to AI models. Queries are sent directly from your browser to the AI provider you configure.

02 — How we use your data

To authenticate you and maintain your session.
To persist your configuration across devices and sessions.
To render your customised boardroom (staff names, photos, knowledge bases).
To improve and debug the service.

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in section 04.

03 — API keys & technical handling

You may connect third-party AI provider API keys (OpenAI, Anthropic, Google, DeepSeek, Groq, Mistral, GMI Cloud) to use Startup Staff. Here is exactly how your keys are handled — no ambiguity.

Storage. Your keys are stored in our database (Supabase), encrypted at rest, and protected by row-level security — only your authenticated account can read your own rows. No other user can access your keys.

In-browser use. When you interact with the app, your keys are loaded into browser memory for the duration of your session to make API calls directly to the AI provider. They are never written to localStorage, cookies, or any other persistent browser storage.

In transit. All communication between your browser, our servers, and AI providers is encrypted via TLS (HTTPS). Keys are transmitted only as request headers to the relevant provider endpoint.

Direct exposure risk. Because API calls are made directly from your browser to the AI provider, your keys are technically visible in your browser's Network tab during an active session. This is standard practice for browser-based AI tools, but it means you should never use Startup Staff on a shared, public, or untrusted device. Do not leave an active session unattended.

What we do not do. We do not log, cache, proxy, or use your API keys for any purpose other than making requests on your behalf within the application. We do not have access to your usage on those providers' platforms.

Our recommendations: Set monthly spending limits on each provider dashboard. Use dedicated keys for Startup Staff — separate from keys used in other projects — so you can rotate them independently if needed. Monitor your provider dashboards periodically for unexpected usage.

04 — Third parties

We use the following third-party services to operate Startup Staff:

Supabase — database, authentication, and file storage. Your account data and configuration are stored on Supabase infrastructure. Supabase is SOC 2 Type II certified.
LinkedIn — OAuth authentication provider. We receive your name, email, and profile photo upon sign-in.
Vercel — application hosting and delivery.
jsDelivr / GitHub — CDN delivery of static assets.

We do not share your personal data with AI providers. Queries sent to AI providers originate from your browser and are governed by the respective provider's privacy policy.

05 — Data retention

We retain your account and configuration data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.

Uploaded documents stored in our file storage are deleted when you clear them from the Staff Knowledge Base or when your account is deleted.

06 — Your rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your data.
Object to or restrict processing of your data.
Port your data to another service.

To exercise any of these rights, contact us at privacy@modular.technology. We will respond within 30 days.

07 — Security

We implement industry-standard security measures including encryption in transit (TLS), row-level security on our database, and access controls. No system is perfectly secure; we encourage you to use strong, unique API keys and to report any suspected security issues to us immediately.

08 — Children

Startup Staff is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

09 — Changes to this policy

We may update this policy from time to time. We will notify you of material changes by updating the effective date above and, where appropriate, by sending an email to the address associated with your account. Continued use of the service after changes constitutes acceptance of the updated policy.

10 — Contact

Modular Technology Solutions Pte Ltd
Singapore
Email: privacy@modular.technology