1. Who we are
Starship is operated by Rocket Incentive Pvt Ltd (“Rocket Incentive”, “we”, “us”). This policy describes the data we collect, how we use it, and your rights as a data subject or as a client organization using Starship.
2. What we collect
2.1 Business-to-business data
When a client organization uses Starship to buy or sell gift cards, we process:
- Client account identity — company name, billing address, settlement currency, tax identifiers
- Admin and authorized-user accounts — name, work email, hashed credentials, 2FA/WebAuthn tokens
- Order records — SKUs, denominations, quantities, timestamps, allocation outcomes
- Voucher allocations — voucher codes (encrypted at rest), expiry, vendor source
- Wallet transactions — top-ups, settlements, currency conversions
- Reconciliation records — vendor-side references, drift logs, audit trail
2.2 API client data
For API partners we additionally store: API key fingerprints, IP allowlist entries, webhook endpoint URLs and signing secrets, rate-limit counters, and request/response audit logs (with PII redacted).
2.3 Operational telemetry
We collect anonymous server metrics (response times, error rates, cache hit ratios) for capacity planning and incident response. These do not contain personal data.
3. How we use it
- To deliver the voucher platform service contracted by the client organization
- To detect, prevent, and investigate fraud, double-allocation, and vendor drift
- To comply with legal, regulatory, and contractual obligations (audit logs, tax reporting)
- To communicate operational incidents, security advisories, and material service changes
We do not sell personal data. We do not share data with third parties except as required to deliver the service (e.g. transmitting an order to a voucher vendor you’ve authorized) or as required by law.
4. Where data lives
Data is stored in ISO 27001 certified cloud regions (primary: AWS ap-south-1 / eu-west-1 depending on client jurisdiction). PostgreSQL is the durable record of truth; Valkey holds short-lived allocation state. Object storage (Cloudflare R2) holds non-sensitive artifacts like exported CSVs. All disks are encrypted at rest; all traffic is TLS 1.2+ in transit.
5. Retention
- Order and transaction records — retained for 7 years to satisfy commercial audit requirements
- Voucher codes — retained until expiry, then purged within 30 days
- API audit logs — 365 days
- Operational telemetry — 90 days
- Backups — rolling 30 days, encrypted
6. Your rights
If you are an end-user whose personal data has been processed by Starship on behalf of a client organization, please contact that client directly first — they are the data controller. If you cannot resolve your request with them, email hello@rocketincentive.com and we will help.
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion, subject to our lawful retention obligations
- Object to or restrict processing
- Receive your personal data in a portable, machine-readable format
7. Sub-processors
We use a small set of sub-processors to run Starship. The current list is available on written request. Each is bound by a data-processing agreement with confidentiality, security, and audit terms at least as strict as this policy.
8. Security
We follow industry best practices: TLS everywhere, AES-256 at rest, HMAC-signed webhooks, OAuth 2.0 + IP allowlists for API access, 2FA/WebAuthn for admin accounts, least-privilege IAM, and continuous security monitoring. Vulnerability disclosure: hello@rocketincentive.com.
9. Changes
We will post material changes on this page and notify active client organizations by email at least 30 days before they take effect.
10. Contact
Rocket Incentive Pvt Ltd · hello@rocketincentive.com