This Privacy Policy describes how the Stelaah entity that provides the Services ("Stelaah", "we", "us") handles personal data. For personal data contained in a customer's workspace content, the customer is the controller and we act as a processor under our Data Processing Addendum; this policy describes our own processing as a controller, such as for our websites, accounts, and billing.
1 Who this policy covers
This policy applies to visitors to stelaah.com, people who create or use a Stelaah account, and people who contact us. It does not change the terms of the DPA, which governs personal data our customers store in their workspaces.
2 The data we collect
We collect:
- Account and profile data — name, email, password (hashed), workspace name, role, and preferences you set.
- Billing data — plan, billing contact, and transaction records. Card details are handled by our payment processor; we do not store full card numbers.
- Workspace content — the data you put into Stelaah. We process this as your processor under the DPA, on your instructions.
- Usage and device data — log data, device and browser information, IP address, and how you interact with the Services, used to operate, secure, and improve them.
- Cookies and similar technologies — as described in our Cookie Policy.
- Support and communications — messages you send us and records of our correspondence.
- Data from integrations — where you connect a third-party product, the data needed to provide that integration.
3 How we use data
We use personal data to provide, maintain, secure, and improve the Services; to process payments and manage subscriptions; to provide support; to communicate with you about the Services and, where permitted, about features and offers; to detect and prevent fraud and abuse; and to comply with legal obligations.
4 Legal bases (GDPR)
Where the GDPR or UK GDPR applies, we rely on: performance of our contract with you; our legitimate interests in operating and improving the Services and keeping them secure, balanced against your rights; your consent, where we ask for it, which you can withdraw; and compliance with legal obligations.
5 Aria and AI features
When you use Aria, your inputs and relevant workspace content are processed to generate responses and take actions you request, as described in our Aria AI Terms. We do not use Customer Content to train third-party foundation models, and you can choose your AI provider in workspace settings. AI requests are handled by the model providers listed in our Subprocessors.
6 Cookies and analytics
We use a small set of cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Services are used. You can control these as described in our Cookie Policy.
7 How we share data
We share personal data with: subprocessors who help us run the Services (listed at Subprocessors); integrations you choose to connect; professional advisers and authorities where required by law or to protect rights and safety; and a successor in connection with a merger, acquisition, or sale of assets. We do not sell personal data, and we do not share it for cross-context behavioral advertising.
8 International transfers
We may process personal data in countries other than your own. Where required, we use appropriate safeguards such as the Standard Contractual Clauses and the UK IDTA, as described in Appendix 3 of the DPA.
9 Retention
We keep personal data for as long as your account is active and as needed to provide the Services, then delete or de-identify it within a reasonable period, except where we must retain it to meet legal, tax, or accounting obligations or to resolve disputes. Consistent with our recoverable-by-default model, deletions are reversible for a limited window before permanent removal.
10 How we protect data
We protect personal data with technical and organizational measures, including encryption in transit and at rest, row-level security that isolates every workspace at the database, role-based access, and audit logging. Read more in our security overview. No system is perfectly secure, so we cannot guarantee absolute security.
11 Your rights (GDPR / UK)
Subject to applicable law, you may request access to, correction, deletion, or a portable copy of your personal data; object to or ask us to restrict certain processing; and withdraw consent. You can exercise many of these directly in your account settings, or by emailing privacy@stelaah.com. You may also complain to your local data protection authority. Where you are using a workspace controlled by another customer, please direct your request to that customer.
12 US state privacy rights (CCPA / CPRA and others)
If you are a resident of California or another US state with a comprehensive privacy law, you may have rights to know, access, correct, delete, and obtain a portable copy of your personal information, and to opt out of "sale" or "sharing" and targeted advertising. We do not sell or share personal information as those terms are defined under these laws. We will not discriminate against you for exercising your rights. To exercise them, email privacy@stelaah.com; we may need to verify your request.
13 Brazil (LGPD)
If the LGPD applies, you have rights to confirmation of processing, access, correction, anonymization or deletion, portability, and information about sharing, which you can exercise by contacting privacy@stelaah.com.
14 Children
The Services are for business use and are not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
15 Changes to this policy
We may update this policy from time to time. If we make material changes, we will give notice through the Services or by email and update the date above.
16 Contact us
For privacy questions or to exercise your rights, email privacy@stelaah.com. We will respond within the timeframes required by applicable law.
Questions about this policy? Email legal@stelaah.com.
Back to top