Privacy Policy
Effective date: 5 May 2026 · Version 1.0
Stellan Compliance (“Stellan”, “we”, “us”) builds a Compliance Intelligence Operating System for FSA-regulated institutions. This page explains, in plain language, what personal data we collect, why we collect it, how we store it, and what rights you have under the EU General Data Protection Regulation (GDPR).
This policy covers the demo tier hosted at stellan.app. Paid customers sign a separate Data Processing Agreement (DPA) that supersedes this page on terms-of-processing for their tenant data.
1. Who is the controller
For the demo tier, Stellan acts as the controller of account-identifying data (your email address, display name, login events) and as the processor of any compliance content you upload into your demo workspace. For paid tenants, the customer is the controller of all tenant content; Stellan is only the processor.
2. What we collect
Identity and account data
- Email address — used as your login and to send transactional messages (password reset, sign-off requests, audit notifications)
- Display name — shown to teammates inside your tenant
- Hashed password — managed by Supabase Auth (we never see the plaintext)
- Role — your permission tier inside your tenant (owner, admin, compliance officer, editor, viewer, internal auditor)
- Login timestamps and IP address — for audit and abuse prevention; retained 90 days
Tenant content (compliance documents and metadata)
- Documents you create or upload, their text, version history, and sign-off chain
- Hierarchies, business units, domains, initiatives, regulatory mappings
- AI agent outputs — gap findings, draft suggestions, audit log entries
- Vector embeddings derived from your text, used for semantic search. These are treated as ephemeral cache and can be rebuilt from source on request.
Telemetry
- Page views, feature usage, agent run events (anonymous tenant ID, no document content)
- Server-side error reports (stack traces, no document content)
3. What we do not collect
- We do not use your data to train any third-party AI model. All LLM calls explicitly disable training (Anthropic zero-retention enterprise terms; OpenAI API training is off by default).
- We do not sell, rent, or share personal data with advertisers.
- We do not set third-party advertising cookies.
4. Where data is stored
All primary infrastructure is pinned to the European Union:
- Application database — Neon (PostgreSQL) in Frankfurt (eu-central-1)
- Authentication — Supabase in Frankfurt (eu-central-1)
- Application hosting — Vercel anycast edge network; server-side rendering pinned to Frankfurt
- Email transport — Loopia AB (Sweden) over STARTTLS
LLM inference (Anthropic, OpenAI) currently transits to US-located endpoints under Standard Contractual Clauses (SCCs). Paid tenants can opt into EU-only inference via Anthropic on AWS Bedrock Frankfurt or OpenAI Azure West Europe.
5. Why we process data (legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the service you signed up for | Contract performance — Art. 6(1)(b) |
| Send transactional emails (login, sign-offs) | Contract performance — Art. 6(1)(b) |
| Audit logs, fraud detection, security | Legitimate interest — Art. 6(1)(f) |
| Product analytics (anonymous) | Legitimate interest — Art. 6(1)(f) |
| Comply with regulatory record-keeping | Legal obligation — Art. 6(1)(c) |
6. How long we keep data
- Account data — kept while your account is active, deleted within 30 days of account closure
- Tenant content — kept until you delete it; full tenant export available on request before closure
- Audit logs — retained 7 years per typical FI retention requirements, even after account closure
- Login IP addresses — 90 days
- Backups — Neon point-in-time recovery 7 days; encrypted snapshots up to 30 days
7. Sub-processors
We use a small set of vetted sub-processors to operate the service. See the full live list with regions, purposes, and DPA links at /sub-processors.
8. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure (“right to be forgotten”) — delete your account and associated personal data, subject to regulatory retention obligations
- Portability — export your tenant data in a machine-readable format
- Restriction — pause specific processing activities
- Objection — object to processing based on legitimate interest
- Complaint — lodge a complaint with IMY (Integritetsskyddsmyndigheten), the Swedish data protection authority
To exercise any of these rights, email privacy@stellan.app. We respond within 30 days.
9. Security
- TLS 1.3 in transit; AES-256 at rest (database + backups)
- Tenant isolation enforced at the application layer on every query (tenant_id required, no cross-tenant reads possible)
- Supabase Auth handles password hashing (bcrypt) and rate limiting
- Audit log records every privileged action (role changes, sign-offs, document deletions)
- Founders have access on a least-privilege basis. We never read tenant content unless responding to an explicit support request from that tenant.
10. Cookies
Stellan uses only first-party, strictly-necessary cookies for authentication (the Supabase session cookie). We do not use marketing or analytics cookies that would require ePrivacy consent. If we add product analytics in the future, they will be cookie-less or consent-gated.
11. Children
Stellan is a B2B compliance product for financial institutions. It is not directed at children under 16 and we do not knowingly collect their data.
12. Changes to this policy
We will notify all account-holders by email at least 14 days before material changes take effect. The version number and effective date at the top of this page always reflect the current version.
13. Contact
Privacy enquiries: privacy@stellan.app
General contact: hello@stellan.app