Starboard

Privacy Policy

Effective date: May, 2025 · Last updated: May, 2026

1. Introduction

This Privacy Policy explains how STARBOARD SYSTEMS INC. ("Starboard," "we," "us," or "our") collects, uses, discloses, and safeguards information when you use the Starboard platform, including our web application, Outlook add-in, public APIs, and related services (collectively, the "Service").

This Policy applies to:

  • Customers — companies (typically freight forwarders) that subscribe to the Service.
  • Authorized Users — individual employees or contractors of a Customer who access the Service.
  • Visitors — anyone who interacts with our website or marketing materials.

If you are an Authorized User, your employer's agreement with us governs how your employer's data is processed; this Policy describes the personal information we handle in the course of providing the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, work email, phone number, company name, role.
  • Authentication credentials: Microsoft 365 OAuth tokens issued through Microsoft's standard sign-in flow. We do not see or store your Microsoft password.
  • Customer Content: rate sheets, quotes, freight data, customer/vendor contact details, and other freight-forwarding business records you upload, generate, or store in the Service.
  • Support communications: information you provide when contacting us for help.

2.2 Information We Receive From Microsoft 365

When you connect a Microsoft 365 mailbox to the Service, we receive — only with your explicit consent and only for mailboxes you authorize:

  • Email metadata (sender, recipient, subject, timestamps).
  • Email body content for messages you actively engage with through the add-in (we do not perform a full mailbox sync).
  • Attachments relevant to a quote (rate sheets, requests for quote, etc.).
  • Profile and mailbox-settings data needed to operate the add-in.

We request the minimum Microsoft Graph scopes required: User.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.ReadWrite, and offline_access. These can be reviewed and revoked by you or your IT administrator at any time in your Microsoft account.

2.3 Information We Collect Automatically

  • Usage data: features used, actions taken, timestamps, session identifiers.
  • Device and log data: IP address, browser type, operating system, error logs.
  • Cookies and similar technologies: session cookies for authentication. We do not use third-party advertising cookies.

2.4 Information From Third Parties

  • Carrier and rate data sources: publicly listed or licensed freight rate information used to fulfill quote requests.
  • Service providers: information from our subprocessors (listed in Section 6) limited to what is necessary to operate the Service.

3. How We Use Information

We use the information we collect to:

  1. Provide, operate, and maintain the Service.
  2. Process freight quotes, parse rate sheets, generate responses, and synchronize bookings with integrated systems (e.g., CargoWise).
  3. Authenticate Authorized Users and enforce company-level data isolation.
  4. Provide customer support and respond to inquiries.
  5. Improve and develop new features (using aggregated and de-identified data where feasible).
  6. Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
  7. Comply with legal obligations, enforce our agreements, and protect the rights, property, or safety of Starboard, our Customers, or others.

4. AI and Machine-Learning Processing

The Service uses third-party large language models (LLMs) — currently OpenAI — to extract information from emails and rate sheets, generate quote drafts, and assist with related tasks.

  • We send to the LLM provider only the content needed for the specific task (e.g., the email body and rate sheet a User asks the Service to process). We do not send credentials, API keys, or bulk mailbox history.
  • We use API configurations that disable training on our inputs and minimize provider-side retention (specifically, we set store=False on supported endpoints; OpenAI's API terms prohibit using API inputs and outputs to train OpenAI models).
  • The LLM provider may retain submitted content for a limited period for abuse-monitoring purposes (currently up to 30 days for OpenAI) before deletion.
  • Outputs from LLMs may be inaccurate or incomplete. Authorized Users are responsible for reviewing AI-generated content before sending it to a customer or relying on it commercially.

5. How We Share Information

We do not sell personal information. We share information only as described below:

  • With your Company: Authorized Users of the same Customer may see Customer Content created within that Customer's workspace, subject to role-based controls.
  • With Subprocessors: see Section 6.
  • With Integration Partners: when you choose to connect an integration (e.g., CargoWise, a TMS), data flows between the Service and that partner per your configuration.
  • For legal reasons: in response to lawful requests from public authorities, to comply with legal process, to enforce our agreements, or to protect rights, property, or safety.
  • In a corporate transaction: in connection with a merger, acquisition, financing, or sale of assets, subject to the protections of this Policy.
  • With your consent: for any other purpose disclosed at the time of collection.

6. Subprocessors

We use the following subprocessors to operate the Service. Each is contractually bound to confidentiality and security obligations consistent with this Policy.

Subprocessor | Purpose | Region | Certifications
Google Cloud Platform | Backend compute (Cloud Run, Secret Manager) | United States (us-east4) | SOC 1/2/3, ISO 27001, PCI DSS, FedRAMP
Supabase (on AWS) | Application database, file storage | United States (us-east-1, us-west-1) | SOC 2 Type II
Vercel | Web application hosting and edge delivery | United States | SOC 2 Type II
Upstash (on AWS) | Cache and ephemeral session data | United States | SOC 2 Type II
OpenAI | Large language model inference for AI features | United States | SOC 2 Type II
Elastic | Search indexing | United States | SOC 2 Type II
Microsoft (Graph API) | OAuth authentication and email integration | Per Microsoft tenant region | SOC 2, ISO 27001, FedRAMP
Sentry | Application error monitoring | United States | SOC 2 Type II

We update this list as our subprocessor arrangements change. Material changes will be communicated to Customers in accordance with the Terms of Service.

7. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

8. Data Retention

  • Customer Content is retained while the Customer's subscription is active and for 90 days after termination, after which it is deleted or anonymized except where retention is required by law.
  • Account information is retained for the life of the account and for a reasonable period thereafter to support audit, dispute, and legal-defense needs.
  • Log and security data is retained for up to 30 days.
  • Cached data (Redis): time-limited, typically minutes to hours, and auto-expires.
  • OAuth challenges: 5-minute TTL.

A Customer may request deletion of its data on termination per the Terms of Service.

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS/HTTPS for data in transit and AES-256 encryption at rest at the storage layer.
  • Company-level data isolation enforced through query scoping and database row-level security.
  • OAuth 2.0 with PKCE for authentication; access tokens are short-lived and refresh tokens are stored encrypted.
  • Secrets stored in Google Secret Manager and Vercel encrypted environment variables — never in source code.
  • Logging and monitoring through Sentry and provider-native tooling.
  • Regular review of access controls and dependencies.

No system is perfectly secure. If we become aware of a security incident affecting your information, we will notify affected Customers without undue delay and consistent with applicable law.

10. Your Rights

Depending on where you live, you may have rights regarding your personal information, including the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Delete your personal information, subject to legal exceptions.
  • Restrict or object to certain processing.
  • Portability — receive your information in a structured, machine-readable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a supervisory authority.

To exercise these rights, contact us at admin@starboard.biz. If you are an Authorized User of a Customer, please direct rights requests to your Customer (your employer or organization), which acts as the controller for Customer Content; we will support the Customer in responding.

11. Children's Privacy

The Service is intended for business use and is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will delete it.

12. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects when changes were made. For material changes affecting Customer Content, we will provide reasonable advance notice (e.g., by email or in-product notification).

13. Contact Us

STARBOARD SYSTEMS INC.
300 Wilmington Ave.
Delaware, USA, 19801