We deliberately collect as little personal data as possible. We don't sell it, we don't profile you, and we don't link product ratings to your name or email. This page explains what we do collect, why, and what you can do about it — in language that doesn't require a law degree.
Effective24 May 2026
Version1.0
Governing lawUK GDPR · DPA 2018
Data controllerKayyan Elmasry
01 · Introduction
What this policy covers.
GreenStar is a browser extension that displays sustainability ratings for fashion products on retailer websites. This privacy policy explains what personal data we collect when you use the GreenStar browser extension and the GreenStar website, why we collect it, how we use it, who we share it with, and what rights you have under UK data protection law.
This policy applies to:
The GreenStar browser extension (currently Chrome; any future browser versions will be covered by the same policy unless stated otherwise).
The GreenStar website.
By installing and using GreenStar, you agree to the practices described in this policy.
02 · Who we are
The controller of your data.
GreenStar is operated by Kayyan Elmasry, an individual based in the United Kingdom, trading as “GreenStar.” Kayyan Elmasry is the data controller responsible for your personal data.
GreenStar is in the process of being incorporated as a UK limited company. Once incorporation is complete, this policy will be updated to name the new corporate entity as the data controller, and the change will be reflected in the “Last updated” date above.
03 · Who this service is for
UK users, 16+.
GreenStar is intended for users aged 16 or over who are based in the United Kingdom.
We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not install or use GreenStar. If you are a parent or guardian and believe your child has used GreenStar, please contact us at the email above and we will delete any associated data.
GreenStar is designed and tested for UK users. If you install the extension from outside the UK, you do so at your own initiative, and your local data protection laws may grant you additional rights not described in this policy.
04 · What data we collect
What we collect, category by category.
When you use the GreenStar extension, we collect the following categories of data.
(a) Product page data
When you open the GreenStar extension on a retailer product page, we collect:
The URL of the product page you are viewing.
Information extracted from that page, including: product name, brand, price, material composition, manufacturing location, care labels, and any product-specific sustainability claims.
This data is sent to our servers, processed by our scoring engine, and stored to build our product database and improve our ratings and alternative-product suggestions over time.
We only collect data from pages where you actively open the extension. We do not run in the background on pages you have not chosen to scan.
(b) Anonymous device identifier
The first time you use the extension, we generate a random anonymous identifier and store it in your browser's local extension storage. This identifier:
Is sent to our servers with each rating request and click event.
Does not contain your name, email address, or any directly identifying information.
Allows us to count repeat usage, measure how the product is working, and detect abuse.
You can reset this identifier at any time by uninstalling and reinstalling the extension or by clearing your browser's extension storage.
(c) Usage events
We log certain interactions with the extension, including:
When you open the extension on a product page.
When a sustainability rating is generated for a product.
When you click on a suggested “better alternative” product.
When you click outbound links to retailer websites.
(d) Technical data
When your browser communicates with our servers, we automatically log:
Your IP address (used for security, rate limiting, and abuse prevention).
Your browser type and version.
The date and time of each request.
(e) What we do not collect
Your name, email address, or other contact details (unless you choose to contact us directly).
Your full browsing history. We only see URLs from product pages where you actively open the extension.
Payment or financial information.
Account credentials of any kind.
Data from pages on retailer websites that are not product pages (e.g. your cart, account, or checkout).
05 · Legal basis for processing
Why we're allowed to process this.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we rely on the following legal bases for processing your personal data:
Legitimate interests — for providing the rating service, generating recommendations, improving the product and methodology, security, and abuse prevention. We have considered your rights and freedoms and consider this processing proportionate, given that the data we collect is limited, product-focused, and not linked to a directly identifying account.
Consent — by installing the extension you consent to its core functionality. You can withdraw consent at any time by uninstalling.
You have the right to object to processing carried out on the basis of legitimate interests. See section 9.
06 · How we use your data
What we do with it.
We use the data we collect to:
Generate sustainability scores for the products you view.
Recommend more sustainable alternative products.
Build and improve our product and brand sustainability database.
Refine our scoring methodology and the AI systems that support it.
Detect and prevent misuse, abuse, or technical failures.
Understand how the extension is being used so we can improve it.
Produce aggregated, non-identifying insights about sustainability-related shopping behaviour (see section 11).
We do not use your data to build advertising profiles, target you with adverts, or sell your individual data to third parties.
07 · Who we share your data with
Our processors.
We use the following third-party service providers (“processors”) to operate GreenStar. Each is bound by a data processing agreement to handle your data only on our instructions and to apply appropriate security measures.
Provider
Purpose
Primary processing location
OpenAI
AI processing to interpret product data from retailer pages
United States
Replicate
AI model inference
United States
Zyte
Web scraping infrastructure for retailers that block direct extraction
United Kingdom
Supabase
Database and backend infrastructure (PostgreSQL hosted by Supabase)
European Union
Render
Application server hosting
United States
Vercel
Website and frontend hosting
United States
We do not sell, rent, or share your individual personal data with marketing companies, advertisers, brands, or any other third party.
08 · International transfers
Data moving across borders.
Several of our service providers process data outside the United Kingdom, primarily in the United States. When personal data is transferred outside the UK, we rely on lawful transfer mechanisms recognised under UK data protection law, which may include:
The UK extension to the EU–US Data Privacy Framework, where the recipient is certified under that framework.
The UK International Data Transfer Agreement (IDTA).
The UK Addendum to the EU Standard Contractual Clauses.
09 · Your rights
What you can ask us to do.
Under UK GDPR you have the right to:
Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase your data (“right to be forgotten”) in certain circumstances.
Restrict or object to certain processing, including processing based on legitimate interests.
Receive your data in a portable format where applicable.
Withdraw consent at any time, where consent is the legal basis (uninstalling the extension is the easiest way).
Lodge a complaint with the Information Commissioner's Office (see section 15).
Because we deliberately do not link your data to a name or email, we may need additional information from you to identify the data associated with your anonymous identifier. You can find your current identifier in the extension's settings panel.
To exercise any of these rights, email kayyan03@outlook.com. We will respond within one calendar month, in line with UK GDPR.
10 · How long we keep your data
Retention periods.
Product and rating data: retained as part of our product database. Where this data is linked to your anonymous identifier, the link will be removed after 24 months, after which the product data is held in fully anonymised form.
Usage events: retained for 24 months from the date of the event.
IP addresses in server logs: retained for 30 days for security purposes, then deleted.
Anonymous device identifier: stored in your browser until you uninstall the extension or clear extension storage; held on our servers in line with the periods above.
11 · Aggregated insights and reports to brands
What brands do and don't see.
Part of GreenStar's longer-term business model is to provide fashion brands with aggregated insights about how shoppers respond to sustainability information — for example, how often users switch from one product to a more sustainable alternative.
Where we share insights with brand customers, those insights will be:
Aggregated across many users. We will never report on a single identifiable user.
Free of directly identifying information. No names, email addresses, IP addresses, or device identifiers will be shared.
Potentially segmented by broad demographic categories (for example, “users in the 16–20 age band switch more often than users in the 21–25 band”), where we have collected such data with appropriate consent.
We will never tell a brand that a specific person viewed or purchased a specific product.
12 · Cookies and similar technologies
Cookies and local storage.
The GreenStar extension does not set traditional browser cookies on retailer websites.
We do store a small amount of data in your browser's local extension storage, including:
Your anonymous device identifier.
Cached ratings (to make the extension faster on pages you have viewed before).
Any preferences you set within the extension.
You can clear this data at any time by removing the extension from your browser.
The GreenStar website may use a small number of essential cookies to make the site work. We do not use advertising or third-party tracking cookies on the website.
13 · Security
How we protect it.
We take reasonable technical and organisational measures to protect your data, including:
Encryption in transit (HTTPS / TLS) between the extension, our servers, and our processors.
Access controls on our backend, with access limited to those who need it.
Use of reputable infrastructure providers with their own security certifications.
No internet service is completely secure. If we become aware of a data breach affecting personal data, we will notify the Information Commissioner's Office within 72 hours where required by law, and we will notify affected users where the breach is likely to result in a high risk to your rights and freedoms.
14 · Changes to this policy
How we update this page.
We may update this policy from time to time. When we do:
We will update the “Last updated” date at the top of this document.
For material changes (for example: new categories of data collected, significant new uses of data, or new categories of processor), we will notify you in advance through the extension or our website, normally at least 14 days before the change takes effect.
15 · Complaints
If you think we've got it wrong.
If you believe we have mishandled your personal data, you have the right to complain to the UK Information Commissioner's Office (ICO):
This policy is intended to comply with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the Chrome Web Store developer programme policies.