StarSkew

StarSkew Privacy Policy

Effective date: June 16, 2026

StarSkew is a browser extension that displays a review-authenticity risk badge on Amazon product pages. This policy explains what data the extension and its backend process, why, and your rights over it.

For the purposes of the EU/UK GDPR, the data controller is the operator of StarSkew, reachable at support@starskew.com.

Plain-language summary

  • We do not require an account, set cookies, run analytics, or serve ads.
  • We process the rating data shown on the Amazon product pages you visit, plus your IP address, to compute the badge and to prevent abuse.
  • We minimize and pseudonymize what we keep: raw IP addresses are never written to storage; only short-lived salted hashes are. Records expire within 10 minutes to 24 hours.
  • We never sell or share your data, and we never read your Amazon account, orders, payment details, or browsing history outside Amazon product pages.

Data we process

| Data | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Product ASIN | Identify which product to analyze | Legitimate interest (provide the service) | Up to 24h |
| Average rating, review count, rating histogram | Compute the risk badge and cross-verify across clients | Legitimate interest | Up to 24h, keyed by hashed client id |
| Marketplace hostname | Per-marketplace selector tracking | Legitimate interest | Up to 24h |
| Sanitized DOM skeleton (structure + rating/count numbers, page text removed) | Repair scrapers when Amazon changes its layout | Legitimate interest | 10 minutes |
| IP address | Abuse prevention (rate limiting) and cross-client verification | Legitimate interest (network security, data quality) | Rate-limit counters: in-memory only, minutes. Otherwise replaced by a salted hash before storage |

A note on IP addresses and "personal data"

An IP address — and a salted hash derived from it — can constitute personal data under the GDPR. We therefore treat it as such. We reduce this exposure by:

  • never persisting the raw IP address (rate-limit counters live only in server memory and are discarded within minutes);
  • replacing the IP with a salted, one-way SHA-256 hash before any database write, so stored records cannot be reversed to recover the address; and
  • expiring and purging those hashed records automatically (opportunistically on traffic and at least once daily by a scheduled job).

The hash is a pseudonym used only to compare independent observations of the same product. We do not link it to your identity, and we hold no other information that would let us do so.

What we never collect

  • Your name, email, or any account information
  • Your Amazon account data, order history, or payment information
  • Your browsing history outside of Amazon product pages
  • Cookies, session tokens, or authentication credentials
  • Full page HTML — only a stripped structural skeleton with text removed (except the rating/count values needed to compute the badge)

Sub-processors

To run the service we share the limited data above with the following providers, who act as our processors. Data is hosted in the United States; transfers from the EU/UK rely on the providers' Standard Contractual Clauses and Data Processing Addenda.

| Provider | Role | Data shared |
|---|---|---|
| Vercel | Backend hosting / API | All request data above (transiently) |
| Neon | PostgreSQL database | Pseudonymized scrape and selector records |
| OpenAI | Selector repair (GPT-4o-mini), only when scrapers break | Sanitized DOM skeleton (no personal data) |

All transmission is over HTTPS.

Your rights

Depending on where you live (e.g. the EU/UK under GDPR, or California under CCPA/CPRA), you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to lodge a complaint with a supervisory authority.

Because we deliberately store data only in pseudonymized, short-lived form and hold no identifiers that link records to you, we are often unable to single out the data of one individual (GDPR Art. 11). In practice this means most records cannot be traced back to a specific person and are deleted automatically within 24 hours regardless. To exercise any right, contact support@starskew.com and we will respond as the law requires.

California (CCPA/CPRA)

We do not sell or share your personal information, and we do not use it for cross-context behavioral advertising. The only category of personal information processed is online/network identifiers (IP address), used for the security and service purposes described above.

Children

StarSkew is not directed to children under 13 (or the equivalent age in your jurisdiction) and we do not knowingly process their data.

Security

Data is transmitted over HTTPS and pseudonymized at rest. We retain the minimum necessary and purge it on the short schedules described above.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the extension's store listing and in this document, with an updated effective date.

Contact

Questions or requests: support@starskew.com
