Privacy Notice
Last updated: May 16, 2024
About StarRez
StarRez is a global software development company that produces and hosts the world’s leading student housing management software.
Overview
At StarRez, we are committed to safeguarding your privacy and protecting the confidentiality of your data, as well as that of your customers. We are committed to protecting the individual’s right to privacy and implement safeguards that prevent the misuse of private information.
StarRez is committed to meeting the legislated data protection and privacy regulations across all regions where we operate, including the European Union (EU), Switzerland, the United States (US), the United Kingdom (UK) and Australia.
Our commitment to data protection encompasses compliance and continuous improvement with the following:
If you have any inquiries regarding our data privacy policy, information security practices, or any other measures, please do not hesitate to contact us at legal.data@starrez.com.
What We Collect
Personal Data
In order to provide our products and support services, StarRez collects the following information from its customers: contact details (such as name, email address, and phone number), booking data, and business information (including financial and transaction data). Additionally, each StarRez customer can configure a variety of additional fields. You have the right to access your personal data held by us and to request its correction or deletion.
End User Personal Data
StarRez products enable our customers to process personal data of their end-users ("End Users") for the purpose of providing them with services such as accommodation, conference venues, and food. The personal data collected from End Users may include, but is not limited to, name, email address, phone number, gender, date of birth, and identifiers such as student IDs. We act as a Data Processor under the relevant data protection legislation and work with our customers (who act as Data Controllers) to ensure compliance with data protection regulations. Any data protection issues concerning End Users can be raised with us and will be forwarded to the appropriate Data Controller for resolution.
Logs & Telemetry
As with most web applications, StarRez’s services automatically collect certain information and store it in log files and services. This information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system, and other usage information about the use of our services, including a history of the functions you access. We utilize this information to improve our services, analyze trends, diagnose problems, and administer our systems. Additionally, our websites use cookies and web beacons.
Who We Share Data With
StarRez does not share your personal information with marketing organizations or for purposes unrelated to providing our services. We do aggregate and anonymize personal data for analytics purposes to enhance our services and those of our customers. We engage cloud service providers to host and transmit encrypted personal data under contracts that require the same standards of protection for data subjects. If data needs to be disclosed to a third party for a substantially different purpose from our existing services, you will be given the opportunity to opt-out. StarRez remains liable for the handling of your personal data in such instances.
StarRez may be required to disclose personal information in response to lawful requests by public authorities, including those related to national security or law enforcement.
Data Processing Agreement (DPA) and Sub-processors
As part of our commitment to transparency and data protection, we have established a Data Processing Agreement (DPA) that governs our relationship with sub-processors. This agreement outlines the responsibilities and obligations of sub-processors in handling personal data on our behalf.
For details on our sub-processors and the terms of our Data Processing Agreement, please refer to the following link: Data Processing Agreement.
Our current sub-processors include a range of providers who assist us in delivering our services. By accessing the Data Processing Agreement, you can review the specific arrangements and safeguards in place for the processing of personal data by our sub-processors. If you have any questions or concerns regarding our data processing practices or the Data Processing Agreement, please contact us at legal.data@starrez.com.
StarRez shares data with the following sub-processors in order to provide our services:
How We Use Data
We utilize Personal Data to provide our services and host End User data to enable our customers to provide services to their customers. Examples of how we may use Personal Data include:
All information maintained and hosted by StarRez for its customers is treated with the utmost care and security. We employ commercially reasonable efforts to ensure that data is:
Your Rights
European Union (EU):
Under the General Data Protection Regulation (GDPR), individuals in the European Union have the following rights regarding their personal data:
United Kingdom (UK):
Under the UK GDPR, individuals in the United Kingdom have similar rights to those outlined under the EU GDPR, including:
California:
Under the California Consumer Privacy Act (CCPA), residents of California have the following rights regarding their personal information:
If you would like to exercise any of these rights, please contact us using the DPO’s information, provided below. We will respond to your request consistent with the applicable data protection laws and regulations.
Children’s Online Privacy Protection Act
At StarRez, we take special care when it comes to the collection and processing of children's data. We recognize the sensitivity and importance of protecting the privacy of children, particularly in online environments. Our services are not directed at children under the age of 13 (or equivalent minimum age as defined by relevant regulations), and we do not knowingly collect personal data from children without obtaining verifiable parental consent where required by applicable laws. If we become aware that we have collected personal data from a child without parental consent, we take immediate steps to delete such data from our systems. We encourage parents and guardians to supervise their children's online activities and to contact us if they have any concerns about their child's privacy or if they need assistance with exercising their rights under applicable data protection laws.
This paragraph underscores StarRez's commitment to protecting children's privacy and outlines the measures taken to comply with regulations such as the Children's Online Privacy Protection Act (COPPA) in the United States and similar laws in other jurisdictions.
Data Protection Officer
StarRez has appointed an internal Data Protection Officer for you to contact if you have any questions or concerns about our personal data policies or practices:
Stephen Muff
6100 Greenwood Plaza Blvd.
Greenwood Village, Colorado 80111
United States
legal.data@starrez.com
If any concerns or complaints remain unresolved after contacting the Data Protection Officer, you may raise the issue with the relevant Data Protection Authority in your country, which serves as a free and independent resolution mechanism.
Last updated: March 25, 2025
About the StarRez Family of Companies
Welcome! We’re the StarRez Family of Companies — a global team passionate about creating software that helps manage student housing smoothly and efficiently. Here’s how we protect your privacy.
The StarRez Family of Companies (hereinafter, “StarRez”) includes:
· StarRez, Inc.
· StarRez Global Pty.
· StarRez Ltd.
· Adirondack Solutions, Inc.
· Residential Management Solutions, Inc.
· Seattle Technology Group, Inc.
This document is designed to inform you about how we collect, use, store, and protect your personal data in accordance with various data protection laws and regulations.
StarRez is committed to ensuring the privacy and security of your personal information. We adhere to the principles and obligations set forth by the General Data Protection Regulation (GDPR) for the European Union, the Federal Act on Data Protection (FADP) for Switzerland, the Federal Trade Commission Act and specific laws such as the Family Educational Rights and Privacy Act (FERPA) in the United States, along with relevant state laws including but not limited to the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA).
Furthermore, our practices are in line with the Privacy Act 1988 of Australia, the Protection of Personal Information Act (POPIA) of South Africa, the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, and the Digital Personal Data Protection Act (DPDPA) of India.
This Privacy Notice serves as a comprehensive guide to help you understand our data protection practices. We encourage you to read this notice carefully to become fully aware of how we handle your personal data and the rights you have in relation to that data.
Data Controller and Contact Details
StarRez interacts with its customer data as a data processor, responsible for the processing of your personal data in conformity with the instructions of a data controller, such as a university. As such, we will work with the proper data controller in the event that an individual would like to exercise applicable data rights.
If you wish to exercise your rights in relation to your personal data, please contact us using the StarRez Privacy Center under the “Individual Rights and How to Exercise Them”. If you have any questions about this Privacy Notice or our data protection practices, please contact:
Data Protection Officer: Stephen Muff
Email: legal.data@starrez.com
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If you believe that we have not been able to assist with your complaint or concern, you have the right to lodge a complaint with the data protection authority of your country.
Types of Personal Data Collected
At StarRez, we collect various categories of personal data to provide and improve our services, ensure a seamless user experience, and meet our legal obligations. The personal data we collect can be broadly categorized as follows:
1. Identifying Information: This includes data that can be used to identify you as an individual, such as your name, date of birth, and gender. For our end-users, this may also include identifiers such as student IDs.
2. Contact Details: We gather contact information to communicate with you. This typically includes your email address, phone number, and mailing address.
3. Booking Data: When you use our services for accommodation, conference venues, or food services, we collect details related to your bookings to fulfill our contractual obligations.
4. Business Information: For our customers, we collect business-related information, which may encompass financial and transaction data necessary for processing payments and providing support services.
5. Additional Data Fields: Our customers have the flexibility to configure additional data fields within our software to tailor the services to their specific needs. This data is collected in accordance with the requirements of our customers and may vary depending on the services utilized.
6. Logs and Telemetry: To maintain and enhance our services, we automatically collect data such as IP addresses, browser types, operating systems, and a history of the functions accessed within our services.
7. Cookies and Web Beacons: Our websites use cookies and web beacons to gather information about your interactions with our services, which helps us to personalize your experience and improve service quality.
We ensure that the collection of personal data is limited to what is necessary in relation to the purposes for which they are processed. StarRez is dedicated to upholding the privacy of our users and handles all personal data in compliance with applicable data protection laws and regulations.
Purpose and Legal Basis for Data Processing
StarRez processes your personal data for various purposes, each with a clear legal basis to ensure compliance with data protection laws. The purposes for which we collect and process your data include:
- Providing Services: We process personal data to fulfill our contractual obligations to you, such as providing software for managing accommodation, conference venues, and food services. This is necessary for the performance of the contract between you and StarRez.
- Customer Support: To offer customer support and maintain the quality of our services, we process contact details and any other relevant information you provide.
- Business Operations: We use business information, including financial and transaction data, to manage our relationship with you, process payments, and comply with legal requirements.
- Service Improvement: Logs, telemetry data, cookies, and web beacons are utilized to understand how our services are used, identify issues, and make improvements. This processing is based on our legitimate interests in ensuring the reliability and efficiency of our services.
- Legal Compliance: We may process personal data to comply with legal obligations, such as responding to legal processes or mandatory government requests.
The legal bases for processing your personal data under the GDPR and other applicable laws include:
- Consent: In certain instances, we may process your personal data based on your explicit consent. You have the right to withdraw your consent at any time. However, the legal basis is more often the performance of a contract.
- Performance of a Contract: We process personal data as necessary to enter into or perform our contractual obligations with you.
- Legal Obligation: Where required by law, we process personal data to comply with our legal obligations.
- Legitimate Interests: We process personal data based on legitimate interests, such as improving our services, preventing fraud, and ensuring network and information security, provided that such processing does not outweigh your rights and freedoms.
StarRez takes into consideration the necessity of each data processing activity and ensures that your fundamental rights and interests are not overridden by your legitimate interests. We maintain a balanced approach to data processing, ensuring transparency and respect for your privacy rights.
Data Sharing and Recipients
In the course of providing our services and operating our business, StarRez may share your personal data with various third parties. These entities play a crucial role in enabling us to offer you a comprehensive suite of services. The categories of recipients with whom your personal data may be shared include:
- Payment Processors: To facilitate financial transactions, we share necessary transaction and payment data with trusted payment processing partners.
- Analytics Service Providers: To better understand how our services are used and to improve user experience, we share non-identifiable data with analytics service providers.
- Cloud Service Providers: We utilize cloud computing services for data storage and processing needs, ensuring that our partners maintain high standards of data security and privacy.
- Affiliates and Subsidiaries: Your personal data may be shared within the StarRez group of companies for internal administrative purposes, service delivery, and support.
- Legal and Regulatory Authorities: If required by law or in response to valid requests by public authorities, we may disclose your personal data to comply with legal obligations such as court orders or to protect the rights, property, or safety of StarRez, our customers, or others. In the event that StarRez is a data processor, we will allow the data controller an opportunity to seek a protective order.
- Service Partners: We may engage with various service partners to provide specific functionalities within our services, such as hosting conferences or catering services. Only the necessary information will be shared with these partners to deliver the requested service.
- Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of some or all of our assets, personal data may be part of the transferred assets.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Our third-party service providers are not permitted to use your personal data for their own purposes and are only allowed to process your personal data for specified purposes in accordance with our instructions and the law.
StarRez takes appropriate steps to ensure that any data sharing is conducted in compliance with applicable data protection laws and regulations, including the execution of data processing agreements or standard contractual clauses where necessary to safeguard the transfer and processing of your personal data.
Data Security and Retention
StarRez is dedicated to the security of your personal data and has implemented robust technical and organizational measures to prevent unauthorized access, disclosure, alteration, or destruction of the information we hold. Our security measures include, but are not limited to:
- Encryption: We use encryption technologies to protect data during transmission and when stored on our systems.
- Access Controls: Access to personal data is strictly limited to authorized personnel who require the information to perform their job functions. We enforce a policy of least privilege to minimize the risk of unauthorized access.
- Regular Security Audits: We conduct regular security assessments and audits to identify potential vulnerabilities and implement corrective actions to strengthen our data protection measures.
- Incident Response Plan: We have established procedures to manage any suspected data security incidents and will notify you and any applicable regulator of an incident where we are legally required to do so.
Regarding data retention, StarRez retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The criteria used to determine the retention period for personal data include:
- Contractual Necessity: We retain personal data for the duration of our contractual relationship with you and for a reasonable period thereafter to fulfill any contractual obligations or to address any issues that may arise.
- Legal Obligation: Where laws or regulations require us to retain personal data for a specific period, we comply with those requirements.
- Legitimate Interests: We may retain data for as long as necessary to protect our legitimate interests, such as for fraud prevention, resolving disputes, and enforcing our terms and conditions.
Upon the expiration of the retention period, or when personal data is no longer needed, or upon your request, we will securely delete or anonymize your personal data, unless further retention is required by law or for legitimate business purposes. Our customers also have the ability to manage and delete the data they control through our services in accordance with their own data retention policies.
StarRez is committed to conducting periodic reviews of our data retention policies to ensure that personal data is not kept longer than necessary and that our practices remain in compliance with applicable data protection laws and regulations.
Data Processing Agreement (DPA) and Sub-processors
As part of our commitment to transparency and data protection, we have established a Data Processing Agreement (DPA) that governs our relationship with sub-processors. This agreement outlines the responsibilities and obligations of sub-processors in handling personal data on our behalf.
For details on our sub-processors and the terms of our Data Processing Agreement, please refer to the following link: Data Processing Agreement.
Individual Rights and How to Exercise Them
As an individual whose personal data is processed by StarRez, you are afforded specific rights under various data protection laws, which may be broader than what is applicable law, but not narrower. These rights are designed to give you control over your personal data and include:
- The Right to Access: You have the right to request access to the personal data we hold about you. This enables you to receive a copy of the personal data we have on file and to check that we are lawfully processing it.
- The Right to Rectification: If the information we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it.
- The Right to Erasure: Also known as the 'right to be forgotten', this right allows you to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.
- The Right to Restrict Processing: You have the right to request that we suspend the processing of your personal data, for example, if you want us to verify its accuracy or the reason for processing it.
- The Right to Data Portability: This right allows you to request the transfer of your personal data to another party in a structured, commonly used, and machine-readable format.
- The Right to Object: You have the right to object to the processing of your personal data based on grounds relating to your particular situation, at any time, under certain conditions.
- Rights in Relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To exercise any of these rights, submit a ticket through the StarRez Privacy Center.
We will respond to your request in accordance with the applicable data protection laws and within the timeframes required by those laws. In some cases, we may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Please note that these rights are not absolute and may be subject to certain conditions and exemptions under applicable law. For example, we may be unable to delete your data if we are required to retain it to comply with legal obligations or to establish, exercise, or defend legal claims.
If you have any concerns about our use of your personal data, you also have the right to lodge a complaint with the data protection authority in your country. However, we encourage you to contact us first, and we will do our utmost to resolve your concerns directly.
International Data Transfers
StarRez operates on a global scale, and as such, your personal data may be transferred to, and processed in, countries other than the country in which you reside (unless otherwise contractually limited). These international transfers of personal data are necessary for the provision of our services and the operation of our business.
We ensure that all international data transfers comply with the data protection laws applicable to the specific data in question. To safeguard your personal data and to achieve compliance with these regulations, we implement the following measures:
- Standard Contractual Clauses (SCCs): We incorporate Standard Contractual Clauses approved by the European Commission into our agreements with third-party service providers and affiliates outside the European Economic Area (EEA) to ensure that any transferred personal data receives an adequate level of protection.
- Inter-Group Transfer Agreement: For transfers within the StarRez group of companies, we have established an Inter-Group Transfer Agreement that includes data protection terms to ensure the secure and lawful transfer of personal data between our entities.
- Data Protection Impact Assessments (DPIAs): Where necessary, we conduct Data Protection Impact Assessments to evaluate and mitigate the general risks associated with transferring personal data outside of its country of origin.
- Transfer Impact Assessments (TIAs): Where necessary, we conduct Transfer Impact Assessments to evaluate and mitigate the particular risks associated with transferring personal data outside of its country of origin, particularly legal requirements.
- Local Data Processing: When possible, we aim to process and store personal data locally to minimize the need for cross-border data transfers.
- Consent: In certain circumstances, we may seek data controller or your explicit consent for the transfer of personal data outside of the data controller’s home country, particularly when other transfer mechanisms are not available or suitable.
We regularly review our data transfer mechanisms to ensure they remain in compliance with the latest legal requirements and best practices. In the event of changes to data protection laws or regulations that affect international data transfers, we will take appropriate action to modify our practices and safeguard your personal data.
By using our services, you acknowledge and agree to the transfer, storage, and processing of your personal data in countries outside of your country of residence, which may have different data protection rules than those of your country. We will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Notice.
Updates to This Privacy Notice
StarRez is committed to maintaining the accuracy and relevance of this Privacy Notice. As legal, technical, or business developments occur, we may need to update this document to reflect those changes. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
We will post any changes to the Privacy Notice on our website. We encourage you to review the Privacy Notice regularly to stay informed about how we are protecting the personal data we collect.
The date of the last update will be indicated at the top of the Privacy Notice so that you can easily identify when it was last revised. If you continue to use our services after those changes are in effect, you agree to the revised policy.
For the most current version of our Privacy Notice, please visit our website or contact our Data Protection Officer, Stephen Muff, at legal.data@starrez.com. If you have any questions or concerns about our privacy practices or this Privacy Notice, please do not hesitate to reach out to us.
Children's Privacy
StarRez recognizes the importance of protecting the privacy of children, especially in the online environment. In compliance with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and other applicable laws, we do not knowingly collect, use, or disclose personal data from children under the age of 13 without obtaining parental consent.
Our services are not directed to children under the age of 13, and we do not intentionally collect personal data from this demographic. If we become aware that we have inadvertently received personal data from a child under the age of 13 without the requisite parental consent, we will take immediate steps to remove such information from our records.
In instances where our services are used by educational institutions, which may involve the collection and processing of personal data from children under the age of 13, we rely on the educational institution to obtain and provide appropriate consent and to act in compliance with FERPA, COPPA, and other relevant laws. The educational institution, in its role as the Data Controller, is responsible for ensuring that parental consent is obtained before any personal data of children is collected and processed.
We provide clear information to our customers regarding the types of personal data that may be collected from children and the purposes for which it will be used. We also ensure that our customers have the necessary tools and functionalities within our software to manage parental consent and to uphold the rights of children and their parents or guardians with respect to their personal data.
Parents or guardians who have questions or concerns about their children's personal data and the consent provided on their behalf may contact the educational institution directly. Additionally, they may reach out to our Data Protection Officer, Stephen Muff, at legal.data@starrez.com, for further assistance. We are committed to working cooperatively with parents, guardians, and educational institutions to protect the privacy of children and to comply with all applicable laws and regulations concerning children's data.
Targeted Advertising
StarRez does not engage in targeted advertising practices. We do not collect or use personal data to deliver advertisements based on your interests, behaviors, or demographics.