Cookie Policy

1. Introduction

This Cookie Policy explains how Stellary ("we", "us", or "our") uses cookies and similar tracking technologies when you visit our website stellary.co or use our project management application (collectively, the "Service"). This policy is issued in compliance with the European Union's General Data Protection Regulation (GDPR), the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC), and the French Data Protection Act (Loi Informatique et Libertés).

We believe in transparency and want you to fully understand what cookies are, why we use them, and what options you have to control them. By using the Service, you consent to the use of cookies as described in this policy. You can manage your cookie preferences at any time through your browser settings or through the consent mechanism described in Section 12 below.

This Cookie Policy should be read together with our Privacy Policy and our Terms of Service, which provide additional context on how we collect, use, and protect your personal data. In the event of any conflict between this Cookie Policy and the Privacy Policy regarding cookie-specific matters, this Cookie Policy shall prevail.

2. Definitions

For the purposes of this Cookie Policy, the following terms shall have the meanings set out below:

• "Cookie" — a small text file placed on your device (computer, tablet, smartphone, or other electronic device) by a website you visit. Cookies are stored in your browser's cookie storage and typically contain a name, an expiration date, and a value (often a unique identifier).
• "First-party cookie" — a cookie set directly by the website you are visiting (in this case, stellary.co or app.stellary.co). These cookies are controlled exclusively by Stellary.
• "Third-party cookie" — a cookie set by a domain other than the one the user is visiting. Third-party cookies are typically used for cross-site tracking, advertising, and analytics purposes.
• "Session cookie" — a temporary cookie that exists only for the duration of your browser session. It is automatically deleted when you close your browser or when the session ends.
• "Persistent cookie" — a cookie that remains stored on your device for a predetermined period of time (which varies by cookie) or until you manually delete it. Persistent cookies are activated each time you visit the website that created them.
• "Personal data" — any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the GDPR. In the context of cookies, this includes any data that can be used to directly or indirectly identify you, such as unique identifiers stored in cookies.
• "Controller" — Stellary, as the entity that determines the purposes and means of processing personal data through cookies on the Service.
• "Consent" — any freely given, specific, informed, and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you, as defined under Article 4(11) of the GDPR.
• "Local storage" — a web browser feature (HTML5 Web Storage API) that allows websites to store key-value pairs of data locally within the user's browser. Unlike cookies, local storage data is not automatically sent to the server with each HTTP request.
• "Web beacon" — also known as a tracking pixel, clear GIF, or pixel tag. A small, typically invisible, image or piece of code embedded in a web page or email that is used to track user behavior, such as whether an email has been opened or a page has been visited.

3. What Are Cookies?

Cookies are small text files that are placed on your computer, smartphone, or other device when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide reporting information to the site owners. Cookies were first introduced in 1994 by Netscape Communications and have since become a fundamental part of how the web operates.

When you visit a website, the web server sends a cookie to your browser. Your browser stores the cookie on your device. On subsequent visits, your browser sends the cookie back to the server, allowing the server to recognise your device and remember information about your previous visits. This mechanism is what allows websites to keep you logged in, remember your preferences, and provide a personalised experience.

Cookies set by the website operator are called "first-party cookies". Cookies set by parties other than the website operator are called "third-party cookies". Third-party cookies enable third-party features or functionality to be provided on or through the website (e.g., advertising, interactive content, and analytics). The parties that set these third-party cookies can recognise your device both when you visit the website in question and when you visit certain other websites.

It is important to note that cookies themselves do not contain executable code and cannot install malware or viruses on your device. They are purely data files. However, cookies can be used to track your browsing activity across websites, which is why privacy regulations require transparency about their use and, in many cases, your explicit consent before they are set.

4. Types of Cookies

Cookies can be classified by their purpose and duration:

4.1 By purpose

• Strictly necessary cookies: essential for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your language preference, logging in, or filling in forms. Without these cookies, the Service cannot function properly. Because these cookies are strictly necessary, they do not require your consent under the ePrivacy Directive.
• Functional cookies: enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, some or all of these services may not function properly. Functional cookies remember choices you make (such as your preferred theme or the state of your sidebar) to provide a more personalised experience.
• Analytics cookies: allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site.
• Advertising cookies: may be set through our site by advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. Stellary does not currently use any advertising cookies.

4.2 By duration

• Session cookies: temporary cookies that are erased when you close your browser. These cookies do not collect information from your device and are typically used to manage session state such as CSRF protection tokens.
• Persistent cookies: remain on your device for a set period of time or until you manually delete them. These cookies are activated each time you visit the website that created them. Persistent cookies are used for purposes like remembering your login state or language preference across visits.

4.3 By origin

• First-party cookies: set by the domain you are visiting directly (stellary.co or app.stellary.co). All cookies used by Stellary are first-party cookies.
• Third-party cookies: set by a domain other than the one displayed in the browser's address bar. Stellary does not set or allow any third-party cookies on the Service.

5. How We Deploy Cookies

When you visit the Service, cookies are deployed through the standard HTTP cookie mechanism. Here is a step-by-step explanation of how this process works:

• Initial request: your browser sends an HTTP request to our server at stellary.co or app.stellary.co. On first visit, no cookies are included in this request because none have been set yet.
• Server response: our server responds with the requested page content along with one or more "Set-Cookie" HTTP headers. Each header instructs your browser to store a specific cookie with defined attributes (name, value, expiration, path, domain, and security flags).
• Cookie storage: your browser receives the Set-Cookie headers and stores the cookies in its cookie jar (a local database managed by the browser). Each cookie is associated with the domain that set it.
• Subsequent requests: on every subsequent request to the same domain, your browser automatically includes all non-expired cookies for that domain in the"Cookie" HTTP header. This allows our server to recognise your session, preferences, and other state information.
• Expiration: when a cookie reaches its expiration date, the browser automatically removes it from storage. Session cookies are removed when you close the browser.

All cookies set by Stellary use the following security attributes:

• Secure flag: cookies are only transmitted over encrypted HTTPS connections, preventing interception over unencrypted networks.
• HttpOnly flag: where applicable, cookies are marked as HttpOnly, meaning they cannot be accessed by client-side JavaScript, which reduces the risk of cross-site scripting (XSS) attacks.
• SameSite attribute: our cookies use the SameSite=Lax or SameSite=Strict attribute to prevent cross-site request forgery and limit cross-site cookie leakage.

6. Cookies We Use

Stellary uses a minimal set of cookies, limited to what is strictly necessary for the Service to function and to provide you with a personalised experience. Below is a comprehensive list of every cookie used by the Service.

7. Third-Party Cookies

Stellary does not use third-party advertising or behavioral tracking cookies. We do not share cookie data with any third party for marketing or advertising purposes. This means no external company can track your activity on our Service through cookies.

We do not use Google Analytics, Facebook Pixel, Hotjar, Mixpanel, or any similar third-party analytics platform. All usage analytics, if any, are processed internally on our own infrastructure located within the European Union. No cookie data is ever sent to servers outside of our control.

If we ever introduce third-party cookies in the future (for example, for embedded content or integration with external services), we will update this Cookie Policy accordingly and seek your explicit consent before setting any such cookies.

8. Web Beacons & Pixels

Web beacons (also known as "tracking pixels", "clear GIFs", or "pixel tags") are tiny, invisible images — typically a 1×1 pixel transparent image — embedded in web pages or emails. When your browser or email client loads the page or email, it makes a request to the server hosting the beacon image, transmitting information such as your IP address, the time the page was viewed, the browser type, and whether cookies were previously set.

Web beacons are commonly used in conjunction with cookies to measure user activity, track email open rates, and build user profiles for advertising purposes. They are a widespread tracking technology used by advertising networks and analytics providers.

Stellary does not use web beacons, tracking pixels, or any similar invisible tracking technologies on its website, in its application, or in any emails sent to users. We believe in transparent, privacy-respecting communication and do not engage in covert tracking of any kind.

Emails sent by Stellary (such as notifications, password reset links, or workspace invitations) are plain functional communications and do not contain embedded tracking pixels or open-tracking mechanisms.

9. Do Not Track Signals

"Do Not Track" (DNT) is a web browser setting that sends a signal to websites requesting that they do not track the user's browsing activity. The DNT header is sent as an HTTP request header (DNT: 1) by the browser with each request. While the DNT standard has been proposed by privacy advocates and is supported by most major browsers, there is currently no universally accepted standard for how websites should respond to DNT signals, and the W3C Tracking Protection Working Group that was developing the standard was closed in 2019.

Stellary respects Do Not Track signals. However, because we do not engage in any cross-site tracking, behavioral profiling, or third-party cookie usage in the first place, the practical effect is the same whether or not a DNT header is present. Our Service already operates in a manner consistent with a DNT request by default.

Similarly, we respect the Global Privacy Control (GPC) signal, a newer browser-based mechanism that communicates a user's privacy preferences. When we detect a GPC signal, we treat it as a valid request to opt out of any non-essential data processing.

10. Local Storage & Similar Technologies

In addition to cookies, the Service may use local storage (HTML5 localStorage and sessionStorage) for the following purposes:

• Storing UI preferences (e.g., sidebar collapsed state, last viewed project, board view settings)
• Caching application data for performance optimization and reducing server load
• Storing draft content (e.g., unsaved card descriptions, document edits, comment drafts) to prevent data loss if you accidentally close a tab or navigate away
• Storing temporary authentication state during the OAuth login flow
• Maintaining client-side feature flags and configuration for the application interface

Local storage data remains on your device and is not transmitted to our servers automatically with each HTTP request (unlike cookies). The data is only accessible by JavaScript running on our domain (stellary.co and app.stellary.co) and cannot be read by other websites. You can clear local storage through your browser's developer tools (usually accessible via F12 → Application → Local Storage) or through your browser's settings by clearing site data.

Session storage (sessionStorage) works similarly to local storage but is automatically cleared when you close the browser tab. We use session storage for temporary data that should not persist between sessions, such as the state of multi-step forms.

11. Legal Basis for Processing

Under the GDPR and the ePrivacy Directive, different legal bases apply to different categories of cookies:

• Strictly necessary cookies (session, csrf_token, locale, cookie_consent): these cookies are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive because they are strictly necessary for the provision of the Service explicitly requested by you. The legal basis for processing any personal data contained in these cookies is Article 6(1)(b) GDPR — processing necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract.
• Functional cookies (remember_me, theme_preference, sidebar_state, last_workspace): these cookies require your consent under Article 5(3) of the ePrivacy Directive because, while they enhance your experience, they are not strictly necessary for the Service to function. The legal basis for processing is Article 6(1)(a) GDPR — your consent, which you provide through the cookie consent mechanism when you first visit the Service.

You may withdraw your consent for functional cookies at any time. See Section 12 below for instructions on how to manage your consent preferences.

12. Cookie Consent

When you first visit the Stellary website or application, a cookie consent banner is displayed at the bottom of the screen. This banner informs you about our use of cookies and gives you the ability to accept or reject non-essential cookies before they are set on your device.

12.1 How consent is obtained

The consent banner presents you with clear, specific options:

• "Accept all" — enables all cookies, including functional cookies that enhance your experience.
• "Necessary only" — only strictly necessary cookies are set. Functional cookies are not used.
• "Customise" — allows you to toggle individual categories of cookies on or off based on your preferences.

No non-essential cookies are set until you have made an active choice. Simply browsing the site without interacting with the banner does not constitute consent — only strictly necessary cookies are active in this state.

12.2 How to withdraw consent

You can change or withdraw your cookie consent at any time by:

• Clicking the "Cookie settings" link in the footer of any page on our website
• Navigating to the "Privacy" section in your account settings within the application
• Clearing your browser's cookies for stellary.co and app.stellary.co (the consent banner will reappear on your next visit)
• Contacting us at support@stellary.co and requesting that your consent preferences be reset

When you withdraw consent for functional cookies, those cookies will be deleted from your device and will not be set again until you provide new consent. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

13. Managing Cookies in Your Browser

In addition to the consent mechanism described above, most web browsers allow you to control cookies directly through their settings. You can typically:

• View all cookies currently stored on your device
• Delete cookies individually or in bulk
• Block cookies from specific sites or all sites
• Block third-party cookies while allowing first-party cookies
• Set your browser to notify you when a cookie is being set
• Set your browser to automatically clear cookies when you close it
• Create exceptions for specific websites that you trust

Below are detailed instructions for managing cookies in the most commonly used browsers:

Google Chrome

• Click the three-dot menu icon in the top-right corner of the browser
• Select "Settings"
• Navigate to "Privacy and Security" → "Cookies and other site data"
• Here you can block third-party cookies, block all cookies, clear cookies on exit, or manage per-site exceptions
• To view and delete individual cookies: "Privacy and Security" → "Cookies and other site data" → "See all cookies and site data"

Mozilla Firefox

• Click the hamburger menu icon in the top-right corner
• Select "Settings"
• Navigate to "Privacy & Security"
• Under "Enhanced Tracking Protection", choose Standard, Strict, or Custom
• The Custom option allows you to choose exactly which types of cookies and trackers to block
• To manage stored cookies: scroll down to "Cookies and Site Data" and click"Manage Data"

Apple Safari

• Click "Safari" in the top menu bar, then "Preferences" (or "Settings" on newer versions)
• Go to the "Privacy" tab
• Check "Prevent cross-site tracking" to block third-party cookies
• Click "Manage Website Data" to view and delete cookies for specific sites
• Safari's Intelligent Tracking Prevention (ITP) also automatically limits the lifetime of certain cookies

Microsoft Edge

• Click the three-dot menu icon in the top-right corner
• Select "Settings"
• Navigate to "Cookies and site permissions" → "Manage and delete cookies and site data"
• Toggle options to block third-party cookies or all cookies
• Click "See all cookies and site data" to view and remove individual cookies
• Edge also has a "Tracking prevention" feature with Basic, Balanced, and Strict modes

Brave Browser

• Click the hamburger menu icon, then "Settings"
• Navigate to "Shields" for global blocking preferences
• Brave blocks third-party cookies by default and provides aggressive tracker blocking
• For per-site settings, click the Brave Shields icon in the address bar when visiting a site

Please note that disabling strictly necessary cookies may prevent you from using certain features of the Service, such as staying logged in or maintaining your language preference. See Section 16 for a detailed explanation of the impact of disabling cookies.

14. Mobile Devices

If you access Stellary from a mobile device, you can also manage cookies through your mobile browser settings. Below are instructions for the most common mobile operating systems:

iOS (iPhone / iPad) — Safari

• Open the "Settings" app on your device
• Scroll down and tap "Safari"
• Under "Privacy & Security", you can enable "Prevent Cross-Site Tracking" and"Block All Cookies"
• To clear existing cookies: tap "Clear History and Website Data"
• For more granular control: "Settings" → "Safari" → "Advanced" →"Website Data" allows you to view and delete cookies per site

iOS — Chrome

• Open Chrome and tap the three-dot menu at the bottom
• Go to "Settings" → "Privacy and Security"
• Tap "Clear Browsing Data" to remove cookies
• Under "Content Settings" → "Cookies", you can block cookies

Android — Chrome

• Open Chrome and tap the three-dot menu in the top-right corner
• Go to "Settings" → "Privacy and Security"
• Tap "Clear browsing data" to remove cookies, cached images, and other data
• Under "Site settings" → "Cookies", you can block third-party cookies or all cookies

Android — Samsung Internet

• Open Samsung Internet and tap the hamburger menu
• Go to "Settings" → "Privacy and Security"
• Under "Accept cookies", toggle the setting to allow or block cookies
• Tap "Delete browsing data" to clear cookies and site data
• Samsung Internet also includes "Smart anti-tracking" which limits cross-site tracking

Please note that mobile browsers may handle cookies slightly differently than their desktop counterparts. Some mobile browsers may also limit the lifetime of cookies or apply additional privacy protections automatically.

15. Impact of Disabling Cookies

While you have the right to disable cookies at any time, doing so may affect your ability to use the Service. Below is a detailed breakdown of what functionality is impacted when specific cookies are disabled:

If strictly necessary cookies are disabled:

• Authentication will not work: you will be unable to log in to the application. Each page load will treat you as a new, unauthenticated visitor.
• CSRF protection will fail: any form submission or state-changing action (creating tasks, updating projects, changing settings) will be rejected by the server as a security precaution.
• Language preferences will not persist: the site may display in the wrong language on each visit, falling back to browser-based language detection.
• Consent preferences will not be remembered: the cookie consent banner will appear on every single page load.

If functional cookies are disabled:

• "Remember me" will not work: you will need to enter your email and password every time you visit the application, as extended sessions cannot be maintained.
• Theme preferences will reset: the application may flash between themes on each page load as it cannot remember your preferred appearance setting.
• Sidebar state will reset: the navigation sidebar will return to its default expanded state on every page load, regardless of whether you previously collapsed it.
• Workspace redirect will not work: you will be shown the workspace selection screen each time you log in instead of being automatically taken to your most recently used workspace.

Disabling cookies does not prevent you from viewing the public Stellary website (stellary.co). However, using the authenticated application (app.stellary.co) requires at minimum the strictly necessary cookies to be enabled. The Service is designed to be fully functional with only strictly necessary cookies enabled; functional cookies provide convenience enhancements but are not required.

16. International Data Transfers

All data collected through cookies on the Stellary Service is processed and stored exclusively within the European Economic Area (EEA). Our servers are hosted in data centres located in France and Germany, operated by European infrastructure providers.

We do not transfer any cookie data, or any personal data derived from cookies, to countries outside the EEA. This applies to all categories of cookies — strictly necessary, functional, and any future categories we may introduce.

Because we do not use any third-party cookies or third-party analytics services, there is no risk of your cookie data being sent to servers in the United States or other jurisdictions that may not provide an adequate level of data protection as determined by the European Commission.

If our data hosting arrangements change in the future, we will ensure that any transfers of personal data outside the EEA are covered by appropriate safeguards in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses (SCCs) approved by the European Commission, and we will update this policy accordingly.

17. Automated Decision Making

Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Stellary does not make any automated decisions based on data collected through cookies. Cookies are used exclusively for the technical purposes described in this policy (authentication, security, preferences). No cookie data is used to:

• Profile your behaviour or interests
• Make decisions about your access to features or pricing
• Evaluate personal aspects relating to you, such as performance, reliability, or behaviour
• Target you with personalised advertising
• Score or rank you in any way

The Stellary application may use artificial intelligence features for project management assistance (such as task suggestions or document summarisation). However, these AI features operate on application data you explicitly provide and are not influenced by or connected to cookie data in any way.

18. Children's Privacy

The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and become aware that your child has provided us with personal data or has consented to cookies on our Service, please contact us at support@stellary.co and we will take immediate steps to remove such data and revoke any consent.

In accordance with the GDPR, where we rely on consent as the legal basis for processing (i.e., for functional cookies), such consent must be given or authorised by the holder of parental responsibility for children under 16 in France (the age may vary between 13 and 16 depending on the EU Member State).

19. Data Protection Officer

If you have questions or concerns about how your personal data is handled through cookies on the Stellary Service, or if you wish to exercise any of your rights under the GDPR (including the right of access, rectification, erasure, restriction of processing, data portability, or the right to object), you may contact our Data Protection Officer at:

Data Protection Officer
Stellary
Email: support@stellary.co

We will respond to your request within 30 days in accordance with Article 12(3) of the GDPR. In certain cases, this period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of your request.

20. Supervisory Authority

If you believe that our processing of your personal data through cookies infringes the GDPR or applicable data protection laws, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

As Stellary is based in France, the lead supervisory authority for our data processing activities is the Commission Nationale de l'Informatique et des Libertés (CNIL):

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
France

Website: www.cnil.fr
Online complaints: www.cnil.fr/fr/plaintes

You may also contact your local data protection authority if you reside in a different EU/EEA Member State. A list of EU data protection authorities is available on the European Data Protection Board's website at edpb.europa.eu.

21. Updates and Notifications

We may update this Cookie Policy from time to time to reflect changes in technology, legislation, our business operations, or any other reason we deem necessary or appropriate. When we make changes, we will:

• Update the "Last updated" date at the top of this page
• Publish the revised policy on our website at the same URL
• For significant changes (such as introducing new cookie categories or third-party cookies), display a prominent notice on the Service and/or send an email notification to registered users
• Where required by law, obtain your renewed consent before implementing changes that affect non-essential cookies

We encourage you to review this policy periodically to stay informed about our use of cookies. We maintain an archive of previous versions of this policy, which is available upon request by contacting us at support@stellary.co.

Your continued use of the Service after any changes to this Cookie Policy constitutes your acceptance of the updated policy, except where your renewed consent is required by law.

22. Contact

If you have any questions, concerns, or requests regarding this Cookie Policy, our use of cookies, or your privacy rights, please do not hesitate to contact us:

Stellary
Email: support@stellary.co

We are committed to resolving any complaints about our collection or use of your personal data. We will endeavour to respond to all enquiries within a reasonable timeframe and will work with you to find a satisfactory resolution to any issue you raise.