
Privacy Policy

Legal document. Last updated: March 31, 2026

Table of Contents

  1. Data Controller
  2. Data We Collect
  3. Legal Basis for Processing
  4. How We Use Your Data
  5. Third-Party Processors
  6. Data Retention
  7. Your Rights Under GDPR
  8. Exercising Your Rights
  9. Cookies
  10. International Data Transfers
  11. Data Security
  12. Data Breach Notification
  13. Children's Privacy
  14. Changes to This Policy
  15. Contact

1. Data Controller

The data controller for the personal data collected through the Stellary platform (stellary.co and related services) is:

Stellary
Email: privacy@stellary.co

This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable French data protection laws.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a salted hash, never in plain text)
  • Profile picture (optional)
  • Organization name and role (if applicable)

2.2 Usage Data

We automatically collect:

  • IP address and approximate geolocation
  • Browser type, version, and language
  • Device type and operating system
  • Pages visited, features used, and actions performed within the Service
  • Timestamps and session duration
  • Referring URL

2.3 Payment Data

When you subscribe to a paid plan, payment information (credit card number, billing address) is collected and processed directly by Stripe. Stellary does not store your full credit card number. We receive from Stripe: the last four digits of your card, card type, expiration date, and billing address for invoicing purposes.

2.4 AI Interaction Data

When you use AI features (Project Wizard, AI Agents, automated suggestions), we collect:

  • Prompts and queries you submit to AI features
  • AI-generated responses
  • Context data sent to the AI provider (project names, task descriptions, document content)

This data is processed solely for the purpose of providing AI features and is not used to train third-party AI models.

2.5 User-Generated Content

Content you create within the Service (projects, tasks, documents, comments, knowledge base entries) is stored to provide the Service. This content may contain personal data that you or your team members choose to include.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract execution (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for, including account management, billing, and core functionality.
  • Consent (Art. 6(1)(a)): For optional analytics cookies, marketing communications, and non-essential data processing. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)): For security monitoring, fraud prevention, service improvement, and error tracking. Our legitimate interests do not override your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): For compliance with tax, accounting, and other legal requirements.

4. How We Use Your Data

We use the collected data to:

  • Provide, maintain, and improve the Service
  • Process payments and manage subscriptions
  • Send transactional communications (account confirmations, security alerts, billing notices)
  • Provide customer support
  • Monitor and ensure the security of the Service
  • Detect and prevent fraud and abuse
  • Generate aggregated, anonymized analytics to improve the Service
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal effects.

5. Third-Party Processors

We share personal data with the following third-party processors, each bound by data processing agreements compliant with GDPR:

5.1 OVHcloud (Hosting)

All data is hosted on OVHcloud infrastructure in France (EU). OVH provides dedicated servers with data encrypted at rest (AES-256) and in transit (TLS 1.3). Daily backups are stored in geographically separate EU locations.

5.2 Stripe (Payments)

Stripe processes payment transactions and stores payment credentials. Stripe is PCI DSS Level 1 certified. Data may be processed in the EU and the US under Stripe's EU-US Data Privacy Framework certification. See Stripe's Privacy Policy.

5.3 Sentry (Error Tracking)

Sentry collects error reports and performance data to help us monitor and fix issues. Data sent to Sentry may include IP addresses, browser information, and error stack traces. Sentry processes data in the EU. See Sentry's Privacy Policy.

5.4 OpenAI (AI Features)

When you use AI features, prompts and contextual data are sent to OpenAI for processing. Stellary uses OpenAI's API with data processing terms that prohibit OpenAI from using your data to train their models. Data may be processed in the US under OpenAI's data processing agreement. See OpenAI's Privacy Policy.

6. Data Retention

We retain your personal data for the following periods:

  • Account data: For the duration of your account plus 30 days after deletion to allow recovery.
  • User-generated content: For the duration of your account. Permanently deleted within 30 days of account deletion.
  • Usage and analytics data: Up to 24 months in identifiable form, then anonymized and retained indefinitely for analytics.
  • Payment and billing data: 10 years from the transaction date, as required by French tax and accounting regulations.
  • AI interaction data: 90 days in identifiable form, then anonymized.
  • Server logs: 12 months, as required by French law (LCEN).
  • Cookie consent records: 13 months from the date of consent.

7. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction (Art. 18): You can request that we limit the processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to file a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority, at www.cnil.fr.

8. Exercising Your Rights

To exercise any of your rights, you can:

  • Send an email to privacy@stellary.co with the subject line "Data Rights Request"
  • Use the data export and deletion features available in your account settings

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. If we cannot fulfill your request, we will explain the reasons and inform you of your right to lodge a complaint with the CNIL.

9. Cookies

We use cookies and similar technologies on our website. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

Essential cookies (authentication, security, CSRF protection) are necessary for the Service to function and cannot be disabled. Analytics and optional cookies require your explicit consent.

10. International Data Transfers

Your data is primarily stored and processed within the European Union (France). However, some third-party processors may process data outside the EU:

  • Stripe: EU-US Data Privacy Framework certified
  • OpenAI: Data processing agreement with Standard Contractual Clauses (SCCs)

All international transfers are protected by appropriate safeguards as required by GDPR Chapter V, including adequacy decisions, Standard Contractual Clauses, or Data Privacy Framework certifications.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Salted password hashing (bcrypt)
  • HTTP-only cookies with CSRF protection for authentication
  • Role-based access control with organization and workspace-level permissions
  • Regular security audits and dependency updates
  • Daily encrypted backups with geographic redundancy within the EU
  • Network segmentation and firewall rules on dedicated infrastructure

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the CNIL within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Provide details about the nature of the breach, the data affected, the likely consequences, and the measures taken to address it

13. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@stellary.co.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days before they take effect via email or through a notice within the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

15. Contact

For any questions or concerns about this Privacy Policy or the processing of your personal data, please contact us:

Stellary — Data Protection
Email: privacy@stellary.co

You may also contact the CNIL (French Data Protection Authority) if you believe your rights have not been respected:

CNIL
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: www.cnil.fr
