Privacy Policy
Effective: May 19, 2026 · Last updated: May 19, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Buy A Star Foundation ("Buy A Star Foundation", "we", "our", or "us") collects, uses, discloses, retains, and otherwise processes personal information when you interact with us through buyastarfoundation.com, related subdomains, mobile applications, or other digital properties that link to this Policy (collectively, the "Site"), make a purchase from us, contact our customer support, or otherwise engage with our services (the "Services").
By using the Site or Services you acknowledge the practices described in this Policy and agree to our Terms and Conditions. If you do not agree, please do not use the Site or Services.
This Policy is incorporated by reference into our Terms and Conditions. If there is a conflict between this Policy and any specific notice we provide at the point of collection, the more specific notice controls.
2. Quick Summary (for convenience only)
This summary is provided as a courtesy. It does not replace the full Policy below; the full Policy governs.
- Who we are: Buy A Star Foundation, based in Texas, USA.
- What we collect: Information you give us (name, email, billing address, payment details processed by our payment provider, star-naming dedication text), and information automatically collected (device, browser, IP, cookies, analytics).
- Why we collect it: To process orders, deliver Certificates, communicate with you, prevent fraud, comply with law, and improve the Services. With your consent, also to send marketing.
- Who we share it with: Service providers (payment processor, email/SMS provider, hosting, analytics), legal authorities when required, and successors in a business transfer. We do not sell personal information for money. Some advertising-related sharing may be considered "sale" or "sharing" under US state laws; you can opt out (see Section 12).
- Your rights: Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your data, opt out of advertising, and complain to your data-protection regulator. See Sections 11–13.
- Contact: support@buyastarfoundation.com for any privacy questions or requests.
3. Information We Collect
We collect personal information in three ways: directly from you, automatically when you use the Site, and from third parties.
3.1 Information you provide to us
When you create an account, place an order, contact support, or sign up for our newsletter, we may collect:
- Identifiers: name, email address, postal address, telephone number, account username and password, gift-recipient name and contact details.
- Payment information: payment card last four digits and expiration, billing address, and the payment-processor reference token. We do not store full payment card numbers or CVV codes on our systems — that data is collected directly by our third-party payment processor under their own privacy practices.
- Order content: star name, dedication message, chosen constellation, dates, recipient information, gift messages, and any photographs or other content you upload for personalization.
- Communications: the contents of emails, chat messages, SMS, and support tickets you send us.
- Marketing preferences: your opt-in or opt-out choices for email, SMS, or other marketing.
3.2 Information collected automatically
When you visit the Site, we and our vendors may automatically collect:
- Device and browser information: IP address, browser type and version, operating system, device identifiers, language, time zone, and approximate geolocation derived from IP.
- Usage data: pages visited, time on page, referrer, links clicked, search terms, scroll depth, cursor movements, and similar interactions.
- Cookies and similar technologies: see Section 6.
3.3 Information from third parties
We may receive information about you from:
- payment processors (transaction status, fraud signals);
- email and SMS service providers (deliverability, open/click data);
- analytics and advertising partners (audience and campaign data);
- social media platforms when you interact with our content there or use a social log-in (we receive what those platforms allow under your settings);
- public sources, when needed for fraud prevention or legal compliance.
3.4 Children
Our Site and Services are not directed to children under 18 (or the age of majority in your jurisdiction, if higher), and we do not knowingly collect personal information from children. If we learn we have collected personal information from a child under 13 in the United States (or under 16 in the European Economic Area), we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@buyastarfoundation.com.
4. How We Use Personal Information
We use personal information for the following purposes:
- Providing the Services: processing orders, generating and delivering digital Certificates, recording entries in the Buy A Star Foundation Catalog, maintaining your account, and providing customer support.
- Communications: sending order confirmations, delivery notices, customer-support replies, account notices, and policy updates.
- Marketing and promotions (with consent where required): sending newsletters, special offers, and personalized recommendations; running promotions, surveys, and contests.
- Analytics and improvement: measuring how the Site is used, identifying trends, improving Site performance, developing new features, testing changes.
- Personalization: showing you content, products, and offers that we think will be relevant.
- Fraud prevention and security: authenticating users, preventing and detecting fraud and abuse, protecting our rights and the rights of others.
- Legal and regulatory compliance: complying with applicable laws, regulations, subpoenas, court orders, and audit and tax requirements; enforcing our Terms and other policies.
- Business operations: record-keeping, internal reporting, risk management, and corporate transactions (mergers, acquisitions, divestitures).
4.1 Legal bases for processing (EU / UK customers)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process personal information on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract — when processing is necessary to take steps before entering into a contract with you or to perform our contract with you (e.g., delivering your Certificate).
- Legal obligation — when processing is necessary to comply with our legal obligations (e.g., tax records).
- Legitimate interests — when processing is necessary for our legitimate interests (e.g., fraud prevention, improving the Services, certain analytics, defending legal claims), provided your interests and fundamental rights do not override those interests.
- Consent — when you have given consent (e.g., for marketing emails, non-essential cookies, sensitive data processing). You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.
5. How We Disclose Personal Information
We do not sell personal information for money. We disclose personal information in the following circumstances:
- Service providers and processors. We share information with categories of vendors that perform services on our behalf, under contracts that require them to protect your information and use it only for the services they provide to us. These categories include payment-processing providers, cloud-hosting and infrastructure providers, email and customer-communication providers, customer-support and helpdesk tools, analytics and advertising providers, fraud-prevention and security providers, and professional advisors (auditors, accountants, attorneys).
- Business partners and affiliates. We may share personal information with our parent company, affiliates, and approved business partners for purposes consistent with this Policy.
- Gift recipients. When you purchase a gift, we share your designated recipient's name, email address, and your gift message with the recipient as necessary to deliver the Certificate.
- Legal compliance and protection. We may disclose personal information when we believe in good faith that doing so is necessary to comply with applicable law, respond to lawful requests by public authorities, protect our rights, property, or safety, or detect, prevent, or address fraud, security, or technical issues.
- Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business, personal information may be disclosed to actual or prospective buyers, investors, advisors, or successors as part of due diligence and post-closing.
- With your consent. We may disclose personal information for other purposes when you direct us to or otherwise consent.
We may also disclose aggregate, anonymized, or deidentified information that cannot reasonably be used to identify you.
6. Cookies and Similar Technologies
The Site uses cookies, web beacons, pixels, local storage, and similar technologies (collectively, "Cookies") to operate the Site, remember your preferences, analyze traffic, and personalize content and advertising.
Categories of Cookies we use
- Strictly necessary cookies — required for the Site to function (cart, login, payment authentication, fraud prevention, security). These cannot be switched off and do not require your consent under EU/UK ePrivacy law.
- Functional / preference cookies — remember your choices (e.g., language, region, currency, recently viewed items) to personalize your experience.
- Analytics / performance cookies — help us measure how visitors use the Site so we can improve it. We may use providers such as Google Analytics; data collected may include pages visited, time on page, referrer, and approximate location.
- Advertising / targeting cookies — used by us and our advertising partners to deliver relevant ads on and off the Site, measure ad performance, and build audience profiles for retargeting. We may use providers such as Google Ads, Meta Pixel, and similar networks.
Consent — EU, UK, and other regulated jurisdictions: If you access the Site from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction that requires prior consent for non-essential cookies, we display a cookie consent banner the first time you visit. You can accept all, reject all, or customize your preferences by category. You can change your choices at any time by clicking the "Cookie Settings" or "Manage Preferences" link in our website footer. Until you give consent, only strictly-necessary cookies will be set.
Do Not Track and Global Privacy Control (GPC): We treat a GPC signal as a request to opt out of "sales" and "targeted advertising" / "sharing" under US state privacy laws (see Section 12). We do not currently respond to other "Do Not Track" signals because there is no industry-standard interpretation of them.
Disabling some Cookies may degrade Site functionality.
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including:
- to provide the Services you requested;
- to maintain our records of registered star names in the Buy A Star Foundation Catalog (which, as described in our Terms, is intended to be a long-term symbolic record);
- to comply with tax, accounting, and other legal obligations;
- to resolve disputes, enforce our agreements, and protect our legal rights.
When personal information is no longer needed for these purposes, we will either delete it, anonymize it, or, if deletion is not technically feasible (e.g., backups), securely store it and isolate it from further processing until deletion is possible. Specific retention periods vary by data type and are available on request at support@buyastarfoundation.com.
8. Data Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include transport-layer encryption (TLS/HTTPS), access controls, monitoring, and use of PCI-DSS-compliant payment processors for card data. No method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and notifying us promptly of any suspected unauthorized access.
9. International Data Transfers
We are headquartered in the United States, and our service providers are located in the United States and other countries. If you access the Site from outside the United States, your personal information will be transferred to, stored, and processed in the United States and potentially other countries whose data-protection laws may differ from those of your country.
For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries that have not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, including the Standard Contractual Clauses ("SCCs") approved by the European Commission (and the UK International Data Transfer Addendum, where applicable), supplemented by additional measures where appropriate. You may request a copy of the relevant safeguards by contacting support@buyastarfoundation.com.
10. Your Rights and Choices (General)
Regardless of where you are located, you may:
- update your account information by logging in or contacting us;
- unsubscribe from marketing emails by clicking the "unsubscribe" link at the bottom of any such email (transactional emails will continue);
- opt out of SMS marketing by replying STOP to any message — see our SMS Terms;
- adjust cookie preferences through our cookie banner or your browser settings;
- contact us with privacy questions at support@buyastarfoundation.com.
The specific rights available to you depend on the data-protection laws of your jurisdiction; see Sections 11–13.
11. Rights of Residents of the EEA, UK, and Switzerland
If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR / UK GDPR / Swiss FADP, subject to applicable exceptions:
- Right of access — to obtain confirmation of and a copy of your personal data we hold.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — to request deletion of your data in certain circumstances.
- Right to restrict processing — to limit how we use your data in certain circumstances.
- Right to data portability — to receive your data in a structured, machine-readable format and have it transmitted to another controller.
- Right to object — to object to processing based on our legitimate interests, including direct marketing.
- Right to withdraw consent — to withdraw consent at any time where processing is based on consent; this does not affect prior lawful processing.
- Right to lodge a complaint — with your local data protection authority.
To exercise any of these rights, contact us at support@buyastarfoundation.com. We will respond within the timeframes required by applicable law (generally one month, extendable in complex cases). We may need to verify your identity before processing your request.
Data controller. For the purposes of EU/UK data-protection law, the data controller is Buy A Star Foundation, c/o Registered Agent, 10601 Clarence Dr., Frisco, TX 75033, USA, contactable at support@buyastarfoundation.com.
12. Rights of Residents of Applicable US States
This section provides additional disclosures and rights for residents of US states with comprehensive consumer privacy laws, including but not limited to California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Indiana (ICDPA), Iowa (ICDPA), Kentucky (KCDPA), Maryland (MODPA), Minnesota (MCDPA), Montana (MCDPA), Nebraska (NDPA), New Hampshire (NHPA), New Jersey (NJDPPA), Oregon (OCPA), Rhode Island (DTPPA), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA) (collectively, "Applicable States").
In the event of any conflict between this Section 12 and the rest of the Policy, this Section governs as to Applicable State residents.
12.1 Categories of personal information collected (last 12 months)
We have collected the following categories of personal information from Applicable State residents:
| Category | Examples |
|---|---|
| Identifiers and personal records (incl. Cal. Civ. Code § 1798.80(e)) | Name, postal address, telephone number, email, account credentials, IP address, online identifiers, payment-method token |
| Commercial information | Records of products purchased or viewed, purchase history, marketing preferences |
| Internet or network activity | Browser type, pages viewed, clickstream, interactions with ads |
| Geolocation data | Approximate location from IP address |
| Audio/visual data | Customer service call recordings; uploaded photos for personalized certificates |
| Inferences | Preferences, interests, characteristics derived from the above |
We do not knowingly collect sensitive personal information (e.g., Social Security number, financial account credentials, precise geolocation, racial/ethnic origin, religious beliefs, health, sex life, sexual orientation, biometric/genetic data) and do not use any sensitive personal information for purposes that would trigger the right to limit its use.
12.2 Sources, purposes, and recipients
The sources of personal information, purposes for which we collect/use it, and categories of recipients are described in Sections 3, 4, and 5 above.
12.3 "Sales" and "Sharing" / Targeted Advertising
We do not sell personal information in exchange for money. However, some of the ways in which we disclose personal information to advertising and analytics partners for cross-context behavioral advertising may be considered "sale" or "sharing" / "targeted advertising" under Applicable State laws. The categories of personal information involved are Identifiers, Internet or Network Activity, Commercial Information, and Geolocation Data, and the recipients are third-party advertising and analytics providers.
To opt out of sales and targeted advertising:
- Use the "Do Not Sell or Share My Personal Information" / "Opt Out of Targeted Advertising" link in our website footer.
- Enable the Global Privacy Control (GPC) browser signal — we will honor it for the browser/device from which it is received.
- Email us at support@buyastarfoundation.com stating your request and the state in which you reside.
We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
12.4 Privacy rights you may exercise
Depending on your state, you may have the right to:
- Know / Access the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes for collection, and the categories of third parties with whom we have shared the information.
- Correct inaccurate personal information.
- Delete personal information you provided to us, subject to applicable exceptions.
- Data portability — receive a copy of your personal information in a portable, machine-readable format.
- Opt out of (a) sales, (b) sharing / targeted advertising, and (c) certain profiling that produces legal or similarly significant effects.
- Limit use of sensitive personal information (although we do not use sensitive personal information for purposes that trigger this right).
- Non-discrimination — we will not discriminate against you for exercising these rights.
- Appeal a denial of your request, where state law provides this right.
How to submit a request. Email support@buyastarfoundation.com with "Privacy Request" and your state of residence in the subject line. We will verify your identity (typically by matching information you provide against information in your account or order). For requests submitted by an authorized agent, we may require verification of the agent's authority and your identity. We will respond within the time period required by applicable state law (generally 45 days, with possible extensions).
Appeals. If we deny your request, you may appeal by emailing support@buyastarfoundation.com with the subject line "Privacy Rights Appeal" and a description of the basis for your appeal.
12.5 California-specific disclosures
California "Shine the Light" law (Cal. Civ. Code § 1798.83) permits California residents to request information about our disclosure of certain categories of personal information to third parties for their own direct-marketing purposes. To make such a request, email support@buyastarfoundation.com with "California Shine the Light Request" in the subject line and your full name. We are only required to respond to one request per California customer per calendar year.
California minors. California residents under 18 may request removal of content they have posted on the Site by emailing support@buyastarfoundation.com. Removal does not guarantee removal from all locations (e.g., third-party reposts, backups).
12.6 Nevada residents
Nevada law allows Nevada residents to opt out of the sale of certain types of personal information. Although we do not currently sell personal information as defined under Nevada law, you may submit a verified request to opt out at support@buyastarfoundation.com.
12.7 Minnesota and Oregon residents
You also have the right to request a list of the specific third parties to which we have disclosed personal information. Email support@buyastarfoundation.com to make this request.
12.8 Delaware and Maryland residents
You have the right to request a list of the categories of third parties to which we have disclosed personal data. Email support@buyastarfoundation.com to make this request.
13. Other Jurisdictions
If you are located in Canada, you may have rights under PIPEDA and provincial laws to access and request correction of your personal information. If you are located in Australia, Brazil, Japan, South Korea, or another jurisdiction with comprehensive privacy law, you may have rights similar to those described above. Contact us at support@buyastarfoundation.com to exercise any such rights.
14. Third-Party Links and Integrations
The Site may contain links to third-party websites, services, and content (including social media platforms, payment pages, and partners). This Policy does not apply to those third parties. We are not responsible for their practices. Please review their privacy policies before providing personal information.
15. Automated Decision-Making and Profiling
We do not currently use automated decision-making (including profiling) that produces legal or similarly significant effects concerning you. If we begin to do so, we will update this Policy and provide you with the rights required by applicable law.
16. Marketing Communications
United States and other opt-out jurisdictions. Where opt-out is the applicable standard under your local law, we may send you marketing emails about products, promotions, and news after you make a purchase or otherwise interact with us, subject to your right to unsubscribe at any time.
EU, UK, and other opt-in jurisdictions. If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction that requires prior consent for direct marketing, we will only send you marketing communications after you have given explicit, freely-given, specific, informed, and unambiguous opt-in consent (typically by ticking a non-pre-checked box at signup or checkout). Your consent for marketing is separate from your purchase decision and can be withdrawn at any time without affecting the underlying purchase. We rely on Article 6(1)(a) GDPR (consent) as our lawful basis for marketing communications to residents of these jurisdictions.
Unsubscribing from email marketing. You can withdraw marketing-email consent or unsubscribe at any time by:
- clicking the "unsubscribe" link in any marketing email;
- adjusting your preferences in your account settings (if available);
- emailing support@buyastarfoundation.com with "Unsubscribe" in the subject line.
SMS / text-message marketing. If you have opted in to receive marketing text messages from us, those communications are governed by our separate SMS Terms, which are incorporated into this Policy by reference for purposes of how we collect and use your mobile number and message-engagement data. You can opt out of SMS marketing at any time by replying STOP to any text message we send, or by emailing support@buyastarfoundation.com with "SMS STOP" and your mobile number in the subject line. Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes.
We will process your unsubscribe request promptly and in any event within ten (10) business days. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
Even if you opt out of or unsubscribe from marketing, we will still send you transactional and account-related messages (order confirmations, Certificate delivery, security notices, policy updates, and similar service messages), as these are sent under our contractual obligation to you rather than for marketing purposes.
17. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the "Last Updated" date and, if changes are material, take additional steps required by applicable law (such as direct notice). Your continued use of the Site or Services after the effective date of changes constitutes your acceptance of the updated Policy.
18. Contact Us
If you have any questions, comments, or requests regarding this Policy or our handling of your personal information, contact us at:
Email: support@buyastarfoundation.com
Mailing address (registered agent): Buy A Star Foundation, c/o Registered Agent, 10601 Clarence Dr., Frisco, TX 75033, USA
For data-subject requests, please put "Privacy Request" and your state or country of residence in the subject line of your email.
© 2026 Buy A Star Foundation. All rights reserved.
