```html Privacy Policy (United States) | StellaAi

Privacy Policy (United States)

Effective date: Nov 2, 2025

StellaAi (“StellaAi”, “we”, “us”, “our”) describes below how we collect, use, disclose, and retain information when you use the StellaAi service (the “Service”) — including tarot readings, community features, subscriptions/in-app purchases, events/promotions, recommendations, and personalization.

Your Privacy Choices
Manage consent and opt-outs any time:

In-app: Settings → Privacy / Ads & Personalisation
Do Not Sell or Share My Personal Information
Limit the Use of My Sensitive Personal Information
Submit a Privacy Request

1) Who we are

StellaAi
Attn: Privacy Team
Email: stellaai.labs@gmail.com

2) How we publish and change this Policy

This Policy is always available in the app (Settings → Legal) and on our website.
For material changes, we provide reasonable advance notice where practicable (at least 7 days).

3) Notice at Collection (California)

This table summarises the categories of personal information we may collect, the purposes, and typical retention. Full details appear in Sections 4–10.

CPRA Category	Examples	Business/Commercial Purposes	Retention
A. Identifiers	Email (via SSO), display name, device/ads IDs (AAID/IDFA), IP address	Account, security/fraud prevention, analytics, personalisation/ads (opt-out available)	Account life; logs kept for limited periods
B. Customer records	Purchase receipts, subscription status; no card numbers/CVV	Provide paid features, verify purchases, support/refunds	Up to applicable accounting/tax periods
C. Protected classification	Not collected	—	—
D. Commercial information	Purchase history, entitlement records	Fulfil purchases, prevent abuse, analytics	Up to accounting/tax periods
E. Biometric information	Not collected	—	—
F. Internet or network activity	App events, crash logs, interactions	Service delivery, diagnostics, security	Limited operational periods
G. Geolocation	Coarse IP-based location; no precise GPS	Regional settings, legal compliance, abuse prevention	Limited operational periods
H. Sensory data	Not collected	—	—
I. Employment information	Not collected	—	—
J. Education information	Not collected	—	—
K. Inferences	Basic preference segments for recommendations	Personalisation (opt-out available)	Limited to the life of the feature
Sensitive personal information (SPI)	Account auth tokens/SSO identifiers; no government IDs; no precise location	Account security and authentication only	Account life (no use for additional purposes)

4) Information we collect

Category	Examples	Why we process it	Typical retention
Account	Email (via SSO), display name/nickname, optional profile image, OAuth UID/tokens	Account creation and authentication; session and fraud management	Until account deletion; minimal records may be kept up to 3 years for disputes
Usage & logs	IP, device info, crash/performance logs, event logs	Deliver and protect the Service; diagnostics and improvement	Limited operational periods
Payments	Google Play / Apple App Store purchase IDs, receipts, subscription status	Provide paid features; purchase verification; support/refunds	Up to applicable accounting/tax periods
Reading content	Your prompts/questions/context, card results, settings	Generate content (sending minimal context to generative AI APIs) and show history	Deleted when no longer needed or de-identified/aggregated

5) How we collect information

You provide it directly in the app/website.
We receive it from partners during sign-in (SSO) or purchase verification.
We collect it automatically via SDKs and server logs.

6) How we use information (purposes)

Provide and operate the Service, including tarot readings via generative AI APIs.
Authentication, security, and fraud/abuse prevention.
Customer support and incident handling.
Analytics, performance and crash diagnostics, and Service improvement.
Marketing communications with your consent (you may withdraw at any time).
Recommendations and personalisation within your settings.

7) Online behavioural advertising & personalisation

We may collect online identifiers and usage events (e.g., AAID/IDFA, app events) to measure campaigns, detect invalid traffic, and—if you opt in—deliver personalised ads.
You can change choices in the app (Settings → Privacy / Ads & Personalisation) or via platform controls (e.g., “Limit Ad Tracking”).
We minimise the data shared with ad/analytics partners and do not send sensitive prompts/content for ad personalisation.

8) Cookies and similar technologies

We use cookies/local storage for essential functions (sign-in, preferences). Non-essential cookies/SDKs for personalisation/advanced analytics run only with your choice.
Managing cookies/SDKs may affect some features.

9) How long we keep information

We keep information only as long as needed for the purposes described in this Policy.
Payment/accounting records are typically kept for legally required periods.
Security/diagnostics logs are kept for limited periods to investigate and prevent abuse.
When no longer needed, we delete or irreversibly anonymise data.

10) International transfers

We may transfer information outside the United States (e.g., to the EEA or UK) for hosting, analytics, or AI processing. We use appropriate safeguards (contractual clauses, encryption in transit, access controls, data minimisation).

11) Service providers and third parties

We disclose information to service providers who act on our instructions (processors) and, where applicable, to third parties as described below.

Recipient (country)	What & why	Safeguards	Retention
Google / Firebase (US/EU/Global)	Hosting, authentication, push, analytics, crash diagnostics	Contractual controls; encryption; access control	For the term of the service
Apple / Google Play (Global)	Purchase verification and subscription status	Platform safeguards; contractual controls	As per legal retention
AI API providers (e.g., OpenAI) (US/EU)	Generate reading text from minimal prompts/context	Contractual controls; strict minimisation	For generation only; not retained beyond necessity

12) U.S. State Privacy Notice

This section supplements the Policy for residents of states with comprehensive privacy laws (e.g., California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana). It explains your state rights and how to exercise them.

Your rights (state laws)

Right to know/access the categories and specific pieces of personal information we collect and use.
Right to delete information, subject to exceptions.
Right to correct inaccurate information.
Right to portability of certain information you provided to us.
Right to opt out of the sale or sharing of personal information and of targeted advertising/profiling where applicable.
Right to limit the use and disclosure of sensitive personal information (California).
Non-discrimination for exercising your privacy rights.

We do not sell personal information for money. We may allow advertising/analytics partners to collect certain device identifiers or events to provide services to us; under some state laws, this may be considered a “sale” or “share” or “targeted advertising.” You can opt out at any time:

In-app: Settings → Privacy / Ads & Personalisation (turn off personalised ads/targeting)
Global Privacy Control (GPC): Where we detect a valid GPC signal in your browser, we treat it as an opt-out request for that device/browser.

Sensitive personal information

We do not use sensitive personal information to infer characteristics. We use limited authentication data (e.g., SSO tokens) solely to operate the account. If the right to limit use of sensitive personal information applies to you (e.g., California), you may exercise it via the in-app privacy settings or by contacting us.

Appeals (CO/VA/CT/OR/MT, etc.)

If we deny your privacy request, you may appeal by replying to our decision email. We will inform you of the appeal outcome and how to contact your state regulator if you remain unsatisfied.

How to submit requests

Submit a privacy request (access, delete, correct, portability, opt-out):

In-app: Settings → Privacy
Email: stellaai.labs@gmail.com

Verification: We may ask you to verify your email/device or provide limited information so we can confirm you are the account holder. Authorized agents may submit requests with proof of authorization and, where required, the consumer's verification.

Account deletion

In-app deletion:
- Mobile app: Settings screen > Delete Account button
- Web app: Web app Settings screen > Delete Account button (same functionality)
Web deletion request (if app access is unavailable):
- (Recommended) Web form: Submit your email or UID at https://stellaai.me/privacy/delete-request
- (Alternative) Email: Send to stellaai.labs@gmail.com with subject "Account Deletion Request"
Processing procedure and timeframe: Requests are processed within 7 days of receipt.
Data deletion scope:
- Deleted items: Account information (Firebase Auth), reading records (tarotReadings), user settings (userSettings), ad events (adsSsvEvents), unlock events (unlockEvents), entitlements
- Retained items: Payment records (purchases), coin ledger (ledger) - retained for legally required periods
Exceptions (legal/security):
- Payment/tax records: Retained for 5 years per e-commerce laws
- Fraud prevention logs: May be retained for up to 3 years for security purposes

Minors

We do not knowingly sell or share personal information of consumers under 16 years of age. If you believe a person under 16 has provided personal information, please contact us.

Financial incentives

We do not offer programs that provide price or service differences in exchange for personal information (no “financial incentives” as defined by California law).

Shine the Light (California Civil Code §1798.83)

We do not share personal information with third parties for their own direct marketing purposes. If our practices change, we will update this notice and provide opt-out mechanisms as required.

13) Children’s privacy (COPPA)

We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe a child has provided personal information without consent, please contact us and we will delete it.

14) Security

Access controls and least-privilege permissions
TLS encryption in transit; encryption/masking where appropriate
Vulnerability management, logging, backups and disaster recovery
Staff training and confidentiality commitments

15) Data breaches

We maintain procedures to investigate and respond to security incidents. Where required by law, we will notify you and applicable authorities without undue delay.

16) In-app purchases

We do not store payment card numbers or CVV. Purchases are processed by Google Play and Apple App Store; we receive only the data necessary to verify and fulfil your purchase.

17) Contact us

Privacy contact
Email: stellaai.labs@gmail.com

iOS notice. For personalised advertising on iOS, Apple’s App Tracking Transparency (ATT) may require your permission. The device identifier used is IDFA (on Android, AAID).

We may update this Policy to reflect changes to the Service or the law. We will notify you of important changes in advance where practicable.

```