Privacy Policy
Last updated: February 17, 2026
Effective date: February 17, 2026
This Privacy Policy describes how KODYO SRL (“KODYO”, “we”) collects, uses, protects, and shares your personal data when you use the Stellia mobile application (“Stellia” or “the App”).
It supplements Stellia’s Terms of Use and constitutes mandatory information under the General Data Protection Regulation (GDPR).
1. Who is responsible for processing your data?
The data controller for your personal data under the GDPR is:
KODYO SRL
Courbevoie 13
1348 Louvain-La-Neuve
Belgium
Company / VAT number: BE1028900081
For any questions regarding your personal data or this Policy, you can contact us at:
Email: [email protected]
2. What categories of data do we collect?
We apply the principle of data minimization and limit directly identifying data as much as possible. Using Stellia primarily relies on a username and usage data related to your emotional and relational well-being.
2.1. Identification and account data
- Username (display name in the App)
- Email address (if required for account creation or subscription management)
- Technical identifiers linked to your account (internal ID, push notification tokens, etc.)
2.2. Emotional well-being and content data
- Emotional check-ins: mood/status in star form, levels of various pillars (life domains) via sliders or equivalents
- Comments/free text associated with your check-ins or other interactions
- Photos optionally associated with certain check-ins (at your initiative)
- History of your check-ins and use of tracking features
Important clarification: Stellia is a general well-being app and is not a medical device. It is not intended to diagnose, treat, prevent, or monitor mental or physical health conditions. The well-being data collected reflects your subjective perception of your daily life and does not constitute health data within the meaning of Article 9 of the GDPR.
2.3. Social and relational data
- Structure of your “tribe/galaxy”: links between accounts (family, friends, close ones)
- Sharing settings (who sees what, with what level of detail)
- Information relating to social interactions within the App (e.g., sharing check-ins, social notifications, etc.)
2.4. Usage and technical data
- Information about your device (model, operating system, app version, language, technical identifiers necessary for operation)
- Usage logs (app opens, screens viewed, main clicks, technical errors)
- Approximate location information (for example, country or region, derived from IP address or store settings)
- Data relating to notifications: sending, opening, interaction, reception preferences
2.5. AI-related data
To power Stellia’s AI features (e.g. Ora), we process:
- The text content of your messages and conversations with the AI
- Your check-in scores (star rating, pillar slider values)
- The text content of your check-in comments
- Your check-in history (dates, scores, moods)
- Your pseudonym (display name) — never your real name or email
- Technical metadata (date and time of interactions, event type)
This data may be sent to Google and OpenAI (listed in Section 5.2) solely to generate personalized responses within your use of Stellia. We minimize identifying information by using your pseudonym and internal identifiers only.
Important: Your data is never used to train the AI models of our third-party providers. It is only used to generate personalized responses as part of your use of Stellia.
3. For what purposes and on what legal bases do we use your data?
We process your data only for specific and legitimate purposes. The table below summarizes the processing activities, their purposes, and applicable legal bases.
3.1. Providing and operating Stellia
Purpose:
- Create and manage your account
- Enable emotional tracking, display of your star and pillars
- Manage tribe/galaxy features
- Generate service notifications
Legal basis: Performance of a contract (Terms of Use) — Article 6.1.b GDPR
3.2. Social features and sharing within the tribe
Purpose:
- Enable tribe/galaxy creation
- Display information shared between members
- Send social notifications (for example, when a member shares a check-in or joins the galaxy), in accordance with your settings
Legal basis: Performance of a contract — Article 6.1.b GDPR
3.3. AI, analyses, and personalized suggestions
Purpose:
- Analyze your data (check-ins, pillars, usage history, messages) to generate:
  - insights (observations about your trends, correlations, patterns);
  - suggestions or reflective questions;
  - contextual notifications (e.g., “Star Moments”, Ora insights, etc.)
- Improve the coherence and relevance of AI responses
Legal basis:
- Explicit consent — Article 6.1.a GDPR
During your first use of Stellia (onboarding), a dedicated consent screen asks whether you accept that your data be analyzed by our third-party AI providers (Google and OpenAI). If you accept, AI features (Ora, analysis of your check-ins) are activated. If you decline, you can use the App without AI features. If you later attempt to access Ora without having given your consent, the consent screen will be presented again, allowing you to change your mind.
Profiling and automated decisions:
The analyses and suggestions generated by Stellia’s AI constitute a form of profiling under the GDPR (Article 22). However, these processing activities do not produce any automated decisions having legal effects or significantly affecting you (e.g., denial of access, price changes, exclusion from a service). You always retain control over decisions concerning your use of the App.
3.4. Subscription and payment management
Purpose:
- Manage your freemium access, trial periods, paid subscriptions (monthly, annual, family plans), in connection with Apple/Google stores
- Prevent fraudulent use
Legal basis: Performance of a contract and legal obligation (accounting, transaction records) — Articles 6.1.b and 6.1.c GDPR
Payments are processed by app stores (Apple, Google). We do not store your credit card numbers.
3.5. Product improvement and statistics
Purpose:
- Understand how the App is used (most viewed screens, notification open rates, most used features, etc.)
- Improve performance, usability, and feature relevance
- Produce aggregated and anonymized usage statistics
Legal basis: Legitimate interest — Article 6.1.f GDPR
Balancing of interests: We have conducted an analysis demonstrating that this processing does not disproportionately infringe on your rights and freedoms, considering: (i) the non-sensitive nature of technical usage data, (ii) the pseudonymization and aggregation measures applied, (iii) the lack of significant impact on your privacy, and (iv) your reasonable expectation that an app publisher analyzes service usage to improve it. You can object to this processing (see section 8).
3.6. Engagement notifications and reminders
Purpose:
- Send reminders to encourage you to complete your check-ins
- Send “insights” or personalized suggestion notifications
- Inform you of news or App features
Legal basis:
- Service notifications (check-in reminders, tribe alerts): Performance of a contract — Article 6.1.b GDPR
- Engagement and AI insights notifications: Consent — Article 6.1.a GDPR
You can manage your notification preferences at any time in the App or device settings.
3.7. Security, abuse prevention, and compliance with legal obligations
Purpose:
- Ensure the security of the App (detection of suspicious activities, hacking attempts, feature abuse)
- Respond to legal or regulatory requests (authorities, courts) when required by law
- Manage potential disputes
Legal basis: Legitimate interest and legal obligation — Articles 6.1.f and 6.1.c GDPR
4. How long do we retain your data?
We retain your personal data only for the duration necessary for the purposes described above, then we delete or anonymize them.
| Data category | Retention period |
|---|---|
| Check-ins, pillars, comments, photos | Retained as long as your account is active. Permanently deleted upon account deletion. |
| AI data and conversation history | Conversation history retained to ensure continuity of exchanges with the AI. Regular deletion or anonymous aggregation of the oldest data. |
| Technical and usage logs | 6 months maximum for debugging and security. Then aggregated/anonymized for statistics. |
| Billing data | 10 years (Belgian accounting legal obligation). |
Anonymization and retention for statistical purposes
Anonymization is a process by which we delete or modify data so that it can no longer be linked to an identifiable person, even indirectly. Anonymized data is no longer considered personal data under the GDPR.
We commit to never commercially exploiting your personal data (no resale to third parties, no derivative products based on your personal data).
5. With whom do we share your data?
We do not sell your personal data.
We share it only in the following cases:
5.1. Technical subcontractors
To operate Stellia, we use service providers (hosting, email sending, push notifications, analytics, AI, etc.) who process data on our behalf and according to our instructions.
These providers are contractually bound to:
- process data only on KODYO’s instructions,
- provide sufficient guarantees regarding security and confidentiality,
- not use your data for other purposes.
We ensure that all third parties with whom we share user data provide the same or equal level of protection of user data as described in this Privacy Policy and as required by applicable laws and the App Store Review Guidelines.
5.2. Artificial intelligence providers
For AI features (Ora), we use the services of:
| Provider | Location | Safeguards |
|---|---|---|
| Google LLC | United States | EU-US Data Privacy Framework + SCCs |
| OpenAI, Inc. | United States | SCCs + supplementary measures |
Applied protective measures:
- Pseudonymization: your data is transmitted in pseudonymized form (username + internal ID, never your real name or email)
- Minimization: only data strictly necessary for generating responses is transmitted
- Encryption: all communications are encrypted in transit (TLS 1.3)
- No training: your data is never used to train these providers’ models
Links to their policies:
What data is shared with Google and OpenAI
When you use Stellia’s AI features, the following specific data may be transmitted to Google and OpenAI:
| Data type | Purpose | Example |
|---|---|---|
| Chat messages | Generate contextual AI responses | Your messages to Ora |
| Check-in scores | Analyze trends and patterns | Star rating, pillar values |
| Check-in comments | Provide personalized insights | Free-text notes on your check-ins |
| Check-in history | Identify patterns over time | Dates and scores of past check-ins |
| Pseudonym | Personalize conversations | Your display name (never real name or email) |
| Interaction metadata | Maintain conversation context | Timestamps, event types |
What is NOT shared with Google and OpenAI:
- Your email address
- Your real name
- Your payment or subscription information
- Your photos
- Your tribe/galaxy membership details
- Your device identifiers
This data is sent only when you actively use AI features, and only after you have given your explicit consent (see Section 3.3).
5.3. Distribution and payment platforms
Payments and subscriptions are managed through app stores (Apple App Store, Google Play Store).
These platforms collect and process certain of your data according to their own privacy policies, independently of KODYO.
5.4. Authorities and legal obligations
We may be required to disclose certain data if required by law or if we receive a valid request from a competent authority (court, supervisory authority, police, etc.), in strict compliance with the applicable legal framework.
5.5. Data shared with other users
Within the App, certain of your data may be visible to other users in your tribe/galaxy, according to your settings (visual status, level of detail, social notifications, etc.).
You control, to the extent permitted by the App, the modes and levels of sharing. You are responsible for the people you invite and the content you choose to share.
5.6. In case of acquisition or merger
In case of acquisition, merger, or asset transfer of KODYO, your personal data may be transferred to the new acquirer.
In this case:
- We will inform you in advance by notification in the App or by email
- You will have the opportunity to delete your account before the effective transfer
- The acquirer will be required to respect the commitments of this Policy or offer you new terms that you will be free to accept or refuse
6. Where is your data stored? Transfers outside the EU
6.1. Hosting and infrastructure
Your data is hosted on secure cloud infrastructure located primarily in Europe and the United States.
We use the following services:
- Supabase: Database and authentication
- Railway: Application hosting
- Cloudflare: Content delivery network (CDN) and security
These providers have geographically distributed data centers and apply strict security measures in accordance with international standards.
6.2. Transfers to the United States
Some of our providers (notably the AI providers mentioned in section 5.2) are located in the United States or may process data in the United States.
For these transfers, we implement the following appropriate safeguards:
- EU-US Data Privacy Framework: when the provider is certified under this framework (European Commission adequacy decision of July 10, 2023)
- Standard Contractual Clauses (SCCs): clauses approved by the European Commission (decision 2021/914)
- Supplementary measures in accordance with EDPB recommendations post-Schrems II:
  - Pseudonymization of data before transmission
  - Encryption in transit and at rest
  - Limitation of data access to what is strictly necessary
  - Assessment of the legal framework of the destination country
6.3. Other countries
If other transfers to third countries become necessary, we will ensure the existence of:
- an adequacy decision from the European Commission, or
- appropriate safeguards (SCCs, binding corporate rules, etc.)
7. How do we protect your data?
We implement technical and organizational measures designed to protect your data against unauthorized access, loss, accidental or unlawful destruction or modification, and unauthorized disclosure.
7.1. Technical measures
- Encryption of communications between the App and our servers (HTTPS/TLS 1.3)
- Encryption at rest of sensitive data stored on our servers
- Secure authentication and token management
- Intrusion monitoring and detection
- Regular backups and disaster recovery plans
7.2. Organizational measures
- Strict access control: only staff who need access to data as part of their duties are authorized
- Team awareness and training on data protection
- Internal security incident management policy
- Periodic security audits
7.3. Minimization and pseudonymization
- Systematic use of usernames rather than real names
- Non-meaningful internal identifiers
- Limitation of collected data to what is strictly necessary
7.4. Data breach management
In case of a personal data breach likely to pose a risk to your rights and freedoms, we will:
- notify the Data Protection Authority within 72 hours
- inform you as soon as possible if the risk is high
- document the incident and corrective measures taken
8. What are your rights regarding your data?
In accordance with the GDPR and applicable legislation, you have the following rights:
8.1. Right of access (Article 15)
You can obtain confirmation whether we are processing data concerning you and, if so, request a copy of this data as well as information about the processing carried out.
8.2. Right to rectification (Article 16)
You can request the correction of inaccurate or incomplete data concerning you.
8.3. Right to erasure (Article 17)
In certain cases, you can request the deletion of your personal data, notably:
- when the data is no longer necessary for the purposes pursued
- when you withdraw your consent (for processing based on consent)
- when you validly object to the processing
- when the data has been unlawfully processed
Note: Deleting your account results in the permanent loss of your history and content within Stellia.
8.4. Right to restriction (Article 18)
You can request that the processing of your data be restricted (“frozen”) in certain cases, for example while we verify their accuracy or the existence of an overriding legitimate ground.
8.5. Right to object (Article 21)
You may, for reasons relating to your particular situation, object to processing based on our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
You may also object at any time and without justification to the use of your data for direct marketing purposes.
8.6. Right to data portability (Article 20)
For processing based on your consent or contract performance and carried out by automated means, you may request to receive your data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV), or request their direct transmission to another controller where technically feasible.
8.7. Right to withdraw consent
When processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before this withdrawal.
For AI features: if you did not give consent during onboarding, AI features remain disabled. If you wish to withdraw your consent after having given it, you can contact us at [email protected].
8.8. Right to lodge a complaint
You can lodge a complaint with a data protection authority:
- In Belgium: Belgian Data Protection Authority (APD/GBA) — https://www.autoriteprotectiondonnees.be
- Or with the supervisory authority in your country of residence within the EU
9. How to exercise your rights?
9.1. Via the App
Use the settings features available in the App:
- Modifying your profile and username
- Managing sharing and notification settings
- Account deletion
9.2. By email
Contact us at: [email protected]
In your request, please include:
- Subject: “GDPR Rights Request”
- The email address associated with your Stellia account
- The right(s) you wish to exercise
- Any information that helps process your request
We may request additional information to verify your identity and protect the confidentiality of your data.
9.3. Response times
We will respond to your request within 30 days of receipt.
This period may be extended by two additional months depending on the complexity or number of requests. In this case, we will inform you of this extension and its reasons within the initial 30-day period.
If we cannot fulfill your request, we will inform you within the same timeframe, stating the reasons and available remedies.
10. Minor users
10.1. Minimum age
Stellia is intended for persons aged 13 and over.
If you are between 13 and 15 years old, you may use Stellia only with the verifiable consent of your parent or legal guardian. When creating an account, we will ask you to confirm that you have obtained this authorization.
10.2. Rights of parents and guardians
If you are a parent or legal guardian of a minor using Stellia, you can:
- Request access to your child’s data
- Request rectification or deletion of this data
- Withdraw the consent you gave
- Request account deletion
To exercise these rights, contact us at [email protected] with proof of your parental authority.
10.3. Enhanced protection
We apply enhanced protection measures for accounts identified as belonging to minors, including increased vigilance regarding AI-generated content and social interactions.
11. Tracking technologies and analytics
11.1. SDKs and analytics tools
The App uses analytics tools to understand how it is used and improve the user experience. These tools may collect:
- Anonymized or pseudonymized usage data
- Technical information about your device
- App performance data
11.2. Advertising identifiers and marketing attribution
We use advertising identifiers (IDFA on iOS, GAID on Android) only with your explicit consent to measure the effectiveness of our advertising campaigns.
Consent and transparency:
- On iOS, your consent is requested via the system App Tracking Transparency (ATT) popup before any IDFA collection
- On Android, you can manage your preferences in your device’s Google settings
- You can refuse or withdraw your consent at any time without affecting your use of Stellia
Purpose and partner:
- We use the Tenjin service to measure attribution of our advertising campaigns (notably on TikTok Ads)
- This allows us to know which campaigns are most effective and optimize our marketing investments
- Data is used only for attribution measurement (knowing where installs and conversions come from), not for targeted advertising within the App
We do not use these identifiers for cross-app tracking for purposes other than measuring the effectiveness of our own campaigns.
11.3. Managing your tracking preferences
You can manage or withdraw your consent to advertising tracking at any time:
iOS:
- Settings > Privacy & Security > Tracking
- Disable “Allow Apps to Request to Track” or specifically disable Stellia
Android:
- Settings > Google > Ads
- Enable “Opt out of Ads Personalization”
11.4. Analytics and attribution partners
We use the following partners for usage analytics and marketing attribution:
- Tenjin: Attribution and advertising campaign performance measurement (with IDFA/GAID consent)
- Other internal analytics tools for App improvement
A detailed and up-to-date list of third-party SDKs used in the App is available upon request at [email protected].
12. Modifications to this Policy
Version history:
- v2.1 — February 17, 2026: Enhanced transparency on AI data sharing (detailed data types, explicit provider identification, consent flow description)
- v2.0 — 2026-01-01: Initial publication
We may update this Privacy Policy to:
- reflect changes to Stellia (new features, new processing activities)
- account for legislative or regulatory changes
- improve its clarity
12.1. Notification of modifications
Minor modifications (clarifications, corrections): update of the last modification date, accessible in the App.
Substantial modifications (new purposes, new recipients, change of legal basis): we will inform you via:
- A notification in the App
- An email to the address associated with your account (if available)
You will have a reasonable period to review the modifications before they take effect.
12.2. Your choices
If you do not agree with substantial modifications, you can:
- Exercise your rights (objection, deletion)
- Delete your account before the modifications take effect
Continued use of Stellia after the modifications take effect constitutes acknowledgment of the new Policy (not “acceptance” in the contractual sense, as the Policy is an informational document).
13. Contact
For any questions, information requests, or to exercise your rights regarding your personal data:
KODYO SRL — Data Protection (Stellia)
Courbevoie 13
1348 Louvain-La-Neuve
Belgium
Email: [email protected]
For GDPR rights requests, please clearly state the subject of your request for faster processing.