Privacy Policy
Last updated 2026-05-30
Who we are
Friday (“we”, “us”) is a product of StarkSphere Labs Umbrella FZ-LLC. We provide an embeddable AI assistant that website owners install on their sites to help their visitors.
If you are a visitor chatting with Friday on someone else's website, the website owner is the data controller; we are the processor. If you are a website owner with a Friday account, we are the controller for your account data.
What we collect
From visitors (people chatting with Friday):
- Identity you give us through the chat: name, email, optional phone number.
- The messages you send and Friday's replies.
- A first-party cookie (fr_vid) that identifies your session for up to 90 days.
- The page URL you're on when chatting, page title, and a short text excerpt (≤ 4 KB) from the visible page so Friday can answer questions about it.
- Any actions Friday takes for you on the site (clicks, form fills, navigations) — recorded as an audit log so the site owner can review what Friday did.
From website owners (Friday account holders):
- Email address (via Supabase Auth), optional name.
- Site URLs you connect, content you upload (PDFs, text), workspace settings.
- Billing data (handled by Stripe — we don't see card numbers).
What we don't collect
- Anything from form fields marked as password, credit card, or sensitive (the widget actively skips these).
- Anything in DOM elements marked with data-friday-deny by the site owner.
- Browser fingerprints, IP geolocation, advertising identifiers — we don't sell or share data with ad networks.
Who we share data with
To answer visitor questions, message content is sent to AI providers as the technical processing step:
- Anthropic (Claude) — primary AI provider. Anthropic does not train on the data sent to us.
- Google (Gemini) — used as fallback. Same no-training stance.
- Supabase — hosts the database (visitor messages, audit logs, account data).
- Vercel — hosts the application servers.
- Stripe (when paid plans are introduced) — handles payments.
We never sell visitor data. We never use it to train our own models.
How long we keep it
- Visitor messages: retained for the lifetime of the website owner's account, or until the visitor requests deletion (whichever is shorter).
- Visitor identity (name / email / phone): kept until the visitor requests deletion via the website owner.
- Audit logs of actions Friday took: retained 90 days for support / debugging, then aggregated.
- The fr_vid cookie: 90 days; resets on clearing browser cookies.
Your rights
If you're an EU/UK/California resident, you have the right to access, correct, export, or delete your data. To exercise these rights:
- If you're a visitor: contact the website owner whose Friday widget you used (they hold the controller relationship). Or email us at support@starkspherelabs.com and we'll route the request.
- If you're a Friday account holder: email support@starkspherelabs.com or delete your account from the dashboard.
We respond to verifiable requests within 30 days.
Cookies + tracking
Friday sets one first-party cookie on the host site: fr_vid (90 days, SameSite=Lax). It identifies a returning visitor so Friday remembers them across visits. It is not used for advertising and is not shared with third parties.
If the host website uses a cookie-consent banner, Friday respects its decisions: when consent is rejected, the cookie isn't set and Friday operates as a stateless guest each visit.
Security
Data is transmitted over TLS, stored encrypted at rest by Supabase, and accessible to our team via least-privilege service roles. We log access for audit. No system is perfectly secure — but we treat your data like our own.
Changes to this policy
We'll post material changes here with a new “Last updated” date. For substantial changes (e.g. adding a new processor), we'll notify Friday account holders by email.
Contact
Questions, requests, or concerns: support@starkspherelabs.com
StarkSphere Labs Umbrella FZ-LLC — Dubai, UAE.