```html Privacy Policy | StellaAi

Privacy Policy

Effective date: 2 Nov 2025

StellaAi (“we”, “us”, “our”) is committed to protecting your personal data. This policy explains how we process personal data when you use the StellaAi service (the “Service”), including tarot readings, community features, subscriptions/payments, promotions, and personalisation.

1) Who we are (Controller)

The controller of your personal data for the purposes of the UK GDPR and the Data Protection Act 2018 is:

StellaAi
Attn: Privacy Team
Email: stellaai.labs@gmail.com

If we appoint a UK Representative or Data Protection Officer, we will update this notice.

2) How we publish and change this Policy

This Policy is always available in the app (Settings > Legal) and on our website.
For material changes, we will provide reasonable advance notice (at least 7 days where practicable) before the new effective date.

3) Categories of data we collect

Category	Examples	Why we process it	Typical retention
Account	Email (via SSO), display name/nickname, optional profile image, OAuth UID/tokens	Account creation and authentication; session and fraud management	Until you delete your account, then securely deleted (may retain minimal records for up to 3 years to handle disputes)
Usage & logs	IP address, device info, crash logs, event logs	Service delivery, performance/bug analysis, security and abuse prevention	As needed for these purposes and in line with legal/operational needs (see Section 9)
Payments	Google Play / Apple App Store purchase identifiers, receipts, subscription status	To provide paid features, verify purchases, manage refunds and support	In line with tax/accounting retention (typically up to 6 years in the UK)
Reading content	Your prompts/questions/context, card results, settings	To generate content (including sending minimal context to generative AI APIs) and let you view history	Deleted when no longer needed or de-identified/aggregated

4) How we collect data

You provide it directly in the app/website.
We receive it from partners during sign-in (SSO) or purchase verification.
We collect it automatically via SDKs and server logs.

5) Purposes and lawful bases

Purpose	Lawful basis under UK GDPR
Provide and operate the Service, including tarot readings via generative AI APIs	Contract (Art. 6(1)(b)); Legitimate interests for technical delivery and quality (Art. 6(1)(f))
Authentication, security, fraud prevention, misuse detection	Legitimate interests (network and information security)
Customer support and incident handling	Contract; Legitimate interests
Analytics, performance and crash diagnostics	Legitimate interests (improving the Service)
Marketing communications	Consent (you can withdraw at any time)
Personalised recommendations and ads (see Section 7)	Consent (for non-essential cookies/SDKs under PECR; you can refuse)
Compliance with legal obligations (e.g., accounting/tax)	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we balance our interests against your rights and freedoms. A summary of our legitimate interests assessment is available on request.

6) In-app purchases

We do not store payment card numbers or CVV. Purchases are processed by Google Play and Apple App Store; we receive only the data necessary to verify and fulfil your purchase.

7) Online behavioural advertising & personalisation (UK)

We may collect online identifiers and usage events (e.g., AAID/IDFA, page/app events) to measure campaigns, detect invalid traffic, and—if you consent—deliver personalised ads.
PECR consent: In the UK we obtain your consent for non-essential cookies/SDKs used for personalised ads or advanced analytics. You can change your choices at any time in the app (“Privacy / Ads & Personalisation”).
We minimise data sent to ad/analytics partners and prohibit sending sensitive prompts/content for ad personalisation.

8) Cookies and similar technologies

We use cookies/local storage for essential functions (e.g., sign-in, preferences). Non-essential cookies/SDKs (personalisation/advanced analytics) operate only with your consent.
You can manage cookie/SDK preferences via our consent banner/settings and in your browser/OS (e.g., “Limit Ad Tracking”). Refusing non-essential cookies may affect some features.

9) How long we keep your data

We keep personal data only for as long as necessary for the purposes set out in this Policy.
Payment and accounting records are typically retained for up to six years to meet UK tax/accounting requirements.
Security logs are kept for a limited period necessary to investigate and prevent abuse.
When data is no longer needed, we delete it or irreversibly anonymise it.

10) International transfers

We may transfer personal data outside the UK (e.g., to the EEA or US) for hosting, analytics, or AI processing. Where we do so, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or adequacy regulations. We also implement technical and organisational measures (encryption in transit, access controls, data minimisation).

11) Processors and third-party recipients

We share data with service providers who act on our instructions (processors) and, where applicable, with third parties as described below.

Recipient (country)	What & why	Legal basis	Transfer safeguards	Retention
Google / Firebase (US/EU/Global)	Hosting, auth, push, analytics, crash diagnostics	Contract; Legitimate interests (service reliability and security)	UK Addendum/SCCs or adequacy; encryption; access controls	For the term of the service
Apple / Google Play (Global)	Purchase verification and subscription status	Contract; Legal obligation (records)	Platform safeguards; contractual controls	As per legal retention
AI API providers (e.g., OpenAI) (US/EU)	Generate reading text from minimal prompts/context	Contract; Legitimate interests (core functionality)	UK Addendum/SCCs; strict minimisation; no prompts used for ads	For generation only; not retained beyond necessity

12) Your rights (UK GDPR)

You have the right to:

Access your personal data and obtain a copy;
Rectify inaccurate or incomplete data;
Erase your data in certain circumstances (“right to be forgotten”);
Restrict processing in certain circumstances;
Data portability for data you provided to us;
Object to processing based on legitimate interests or to direct marketing;
Withdraw consent at any time where we rely on consent.

You can exercise these rights in the app (Settings > Privacy) or by email at stellaai.labs@gmail.com. We may need to verify your identity before responding.

Account deletion

In-app deletion:
- Mobile app: Settings screen > Delete Account button
- Web app: Web app Settings screen > Delete Account button (same functionality)
Web deletion request (if app access is unavailable):
- (Recommended) Web form: Submit your email or UID at https://stellaai.me/privacy/delete-request
- (Alternative) Email: Send to stellaai.labs@gmail.com with subject "Account Deletion Request"
Processing procedure and timeframe: Requests are processed within 7 days of receipt.
Data deletion scope:
- Deleted items: Account information (Firebase Auth), reading records (tarotReadings), user settings (userSettings), ad events (adsSsvEvents), unlock events (unlockEvents), entitlements
- Retained items: Payment records (purchases), coin ledger (ledger) - retained for legally required periods
Exceptions (legal/security):
- Payment/tax records: Retained for 5 years per e-commerce laws
- Fraud prevention logs: May be retained for up to 3 years for security purposes

13) Children's privacy

In the UK, the age for online services consent is generally 13. We do not knowingly collect personal data from children under 13 without parental consent. If you believe a child has provided us personal data without consent, please contact us and we will delete it.

14) Security

Access controls and least-privilege permissions
TLS encryption in transit; encryption and masking where appropriate
Vulnerability management, logging, backups and disaster recovery
Staff training and confidentiality commitments

15) Data breaches

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) without undue delay and, where required, inform affected users promptly.

16) Automated decision-making

We do not carry out decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Our AI features generate content for entertainment/informational purposes and do not make determinations about eligibility for services or benefits.

17) Contact us

Privacy contact
Email: stellaai.labs@gmail.com

18) Complaints

If you have concerns about our use of your personal data, you can contact us first. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): https://ico.org.uk (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF).

iOS notice. For personalised advertising on iOS, Apple’s App Tracking Transparency (ATT) may require your permission. The device identifier used is IDFA (on Android, AAID).

We may update this Policy to reflect changes to the Service or the law. We will notify you of important changes in advance where practicable.

```