Legal · Privacy

Privacy Policy

How Stellad collects, uses, shares, and protects personal data — written to comply with GDPR, the French Loi Informatique et Libertés, and LCEN.

Effective May 5, 2026Last updated May 5, 2026
Privacy PolicyTerms of ServiceData Processing Agreement

Privacy Policy

Effective date: 2026-05-05 Last updated: 2026-05-05

This Privacy Policy explains how Stellad collects, uses, shares, and protects personal data when you install and use the Stellad app on your Shopify store. It is written to comply with the EU General Data Protection Regulation (GDPR), the French Loi Informatique et Libertés, and the Loi pour la Confiance dans l'Économie Numérique (LCEN).

If you are a shopper buying from a Shopify store that uses Stellad, please read Section 4 — Shoppers (end customers of Stellad merchants) which describes the very limited and indirect way your data is involved.

1. Who we are

Stellad is operated by:

  • Achille Antoine DECOUTTERE, entrepreneur individuel (French sole trader)
  • SIREN: 984 586 693
  • SIRET: 984 586 693 00017
  • Registered address: 941 Route de Lady Les Granges, 74120 Megève, France
  • VAT: Franchise en base de TVA (no VAT charged)

Throughout this policy, "Stellad", "we", "us", and "our" refer to this entity.

Data Protection contact: privacy@stellad.app

The role of Data Protection Officer is performed directly by Achille Antoine DECOUTTERE. Under GDPR Article 37, no separate DPO designation is mandatory for our processing activities at this scale. You can reach the DPO at privacy@stellad.app.

2. What Stellad does (so you understand what we process)

Stellad is a Shopify app that creates and manages Meta (Facebook and Instagram) advertising campaigns automatically for Shopify merchants. To do this, we:

  • read your Shopify store data (products, customers, orders, theme, content)
  • generate ad creatives (text, images, videos) using AI
  • identify target audiences
  • launch and optimize campaigns through the Meta Marketing API
  • forward purchase and checkout events to Meta via the Conversions API (CAPI), with personal data hashed before transmission
  • upload hashed customer email lists to Meta to build Custom Audiences

We process two kinds of personal data:

  • Merchant data — about you, the Shopify store owner. This is the main subject of this policy.
  • Shopper data — about people who shop at your store. We process this on your behalf as a data processor / sub-processor; see Section 4.

3. Merchants (Shopify store owners)

3.1 Personal data we collect

When you install Stellad and connect your accounts, we collect:

| Category | Examples | Source | | --- | --- | --- | | Account identity | First name, last name, email address, company name, job title, phone | You, during onboarding | | Authentication | Supabase user ID, OAuth tokens for Shopify and Meta (encrypted at rest with AES-256-GCM) | Shopify, Meta, Supabase | | Shop information | Shop domain, shop name, shop owner email, billing address, shop currency | Shopify API | | Catalog and content | Product titles, descriptions, prices, images, inventory, blog posts, pages, theme metadata | Shopify API | | Aggregated customer / order data | Anonymous aggregates only — counts, averages, top regions, repeat rate, cohort buckets, payment gateway distribution. No individual customer rows are stored. See Section 4. | Computed in memory from Shopify API | | Campaign and performance data | Meta campaign IDs, ad creatives we generated for you, performance metrics (spend, ROAS, CTR), brand DNA we synthesized about your store | Stellad-generated, Meta API | | Billing and subscription | Subscription plan (Starter / Growth), Shopify subscription state, billing history | Shopify Billing API | | Communications | Emails you send us, in-app feedback, alert preferences | You | | Technical | Browser type, IP address, log entries, error events | Your browser; Sentry |

| Purpose | Legal basis | | --- | --- | | Provide the service you signed up for (running ads, generating creatives, billing) | Contract — Art. 6(1)(b) | | Comply with French and EU law (tax, accounting, GDPR webhooks, Shopify obligations) | Legal obligation — Art. 6(1)(c) | | Send service emails (incidents, billing, account, security) | Contract / legitimate interest — Art. 6(1)(b) and (f) | | Send product updates and tips | Consent — Art. 6(1)(a) — you can opt out at any time | | Detect fraud, abuse, security incidents | Legitimate interest — Art. 6(1)(f) | | Improve Stellad (aggregate analytics; we do not train AI models on your data) | Legitimate interest — Art. 6(1)(f) |

3.3 How long we keep merchant data

| Data | Retention | | --- | --- | | Active account data (while you have Stellad installed) | Kept for the duration of the contract | | All merchant data after uninstall / shop redaction | Deleted within the Shopify-mandated 48-hour window via a full database cascade (see Section 6) | | Backups | Per Supabase's automated backup retention; deleted on the rolling backup schedule (typically up to 30 days) | | Billing records required by French tax law | Retained up to 10 years (Code de commerce L123-22) — minimal data only (invoice, amount, date, identity) | | Sentry error logs | 30 days default retention |

3.4 Your rights as a merchant

Under GDPR Articles 15–22 and the French Loi Informatique et Libertés, you have the right to:

  • Access — get a copy of your data
  • Rectify — correct inaccurate data
  • Erase — request deletion ("right to be forgotten")
  • Restrict — limit how we process your data
  • Portability — receive your data in JSON (machine-readable, structured)
  • Object — object to processing based on legitimate interest
  • Withdraw consent — for any processing based on consent
  • Lodge a complaint with the CNIL (the French data-protection authority) at https://www.cnil.fr or with your local supervisory authority

To exercise any right, email privacy@stellad.app. We respond within 30 days (extendable by 60 days for complex requests, per GDPR Art. 12).

You can also export your data as JSON directly from the in-app settings, or trigger account deletion by uninstalling the app from your Shopify admin (which fires the shop/redact webhook and cascades the deletion).

4. Shoppers (end customers of Stellad merchants)

This section is important and is written plainly because the data flow is unusual.

Stellad does not store any personal data about shoppers. No row in our database is keyed on, or contains, a shopper's email, name, phone, address, or Shopify customer ID. We have audited this and re-audit before any change to our Shopify scopes or our Meta integration.

However, we do process shopper data transiently in two ways, as a sub-processor acting on the merchant's instructions. The merchant is the data controller; Stellad is a sub-processor; Meta is a separate processor that the merchant has chosen to use.

4.1 Conversions API (CAPI) event forwarding

When a shopper places an order or starts a checkout on a Shopify store using Stellad, Shopify sends Stellad a webhook. Stellad:

  1. Verifies the webhook's HMAC signature
  2. Reads the shopper's email, phone (if present), first name, last name, and Shopify customer ID in memory only
  3. Hashes each field with SHA-256
  4. Sends the hashed values to Meta's Conversions API as event data so the merchant's pixel can attribute conversions to the right campaigns
  5. Discards the in-memory data

No raw or hashed shopper data is written to Stellad's database at any step. Stellad does not collect shopper IP addresses or user-agent strings for CAPI.

4.2 Custom Audience uploads

Once per week, for each connected merchant, Stellad:

  1. Pulls up to 2,000 customer email addresses from Shopify
  2. Hashes each email with SHA-256 in memory
  3. Uploads the hashed list to Meta to create or update two Custom Audiences (all purchasers; top-spending purchasers)
  4. Stores only the resulting Meta audience ID and a count
  5. Discards all email data

The hashed emails are not written to Stellad's database. Counts and audience IDs are not reversible to individual shoppers.

4.3 What this means for shoppers

If you are a shopper, the merchant — not Stellad — is the data controller for your data. To exercise your GDPR rights against your shopping data:

  1. Contact the merchant directly. They have access to Shopify and to the Meta tools needed to honor erasure of Custom Audience entries and Off-Facebook activity.
  2. You may also contact us at privacy@stellad.app and we will forward the request to the merchant and confirm we hold no records keyed on your identity.
  3. Shopify provides a built-in shopper-data-request flow that we participate in via the customers/data_request and customers/redact webhooks. When triggered, we confirm we have no records to return or delete, and notify the merchant.

5. Sub-processors

Stellad uses the following sub-processors. All EU-bound data transferred outside the EU is covered by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, additional safeguards required by the Schrems II ruling.

| Sub-processor | Role | Region | Data category | | --- | --- | --- | --- | | Supabase | Database, authentication, file storage | EU (Frankfurt) | Merchant data, aggregates, encrypted tokens | | Vercel | Application hosting, edge functions, cron jobs | Global edge; primary compute in EU and US | Merchant data in transit | | Anthropic | AI models (Claude) for ad copy generation, recommendations, evaluations | US | Merchant brand aggregates and product catalog (no shopper PII) | | fal-ai | AI image generation for ad creatives | US | Product images, generation prompts | | Higgsfield | AI video / creative generation | US | Product images, generation prompts | | Resend | Transactional email delivery | US | Merchant email address, message body | | Sentry | Error monitoring, observability | EU / US | Stack traces, request metadata, merchant user ID | | Shopify | Primary data source, OAuth provider, billing | Global | All merchant and shop data we read | | Meta (Facebook) | Ad platform, OAuth provider, recipient of hashed shopper PII via CAPI and Custom Audiences | Global | Ad campaign data; hashed shopper PII forwarded on the merchant's behalf |

Contemplated sub-processor: Stripe (payment processing, US/global) is integrated for testing but not currently active in production. When activated, you will receive at least 30 days' prior notice via email and an in-app notification, and this list will be updated. You may object to the change by terminating your subscription before the new sub-processor is activated.

We require all sub-processors to provide protections at least equivalent to those we offer you (GDPR Art. 28(4)).

6. Data deletion

6.1 When you uninstall the app

Shopify fires a shop/redact webhook 48 hours after uninstall. On receipt, Stellad triggers a full cascade deletion: we delete the underlying Supabase auth user, which causes every database row referencing that user (across approximately 30 tables) to be deleted automatically through ON DELETE CASCADE foreign keys.

This includes:

  • merchant profile, preferences, billing records (kept only as required by French tax law in a separate, minimized record)
  • Shopify connection, encrypted access token, raw catalog snapshot
  • Meta connection, encrypted access token, audience IDs and counts
  • all generated creatives, campaigns, recommendations, performance metrics, brand dossiers

Backups roll off according to Supabase's retention schedule.

6.2 Shopper redaction

If a shopper requests deletion via the Shopify customers/redact webhook, we confirm to Shopify that we hold no records keyed on that shopper. The merchant remains responsible for any deletion required at Meta (via Custom Audience and Off-Facebook activity tools).

6.3 Manual deletion

You can request immediate deletion at any time by emailing privacy@stellad.app. We will execute the deletion within 30 days, sooner where feasible.

7. Security

We protect personal data with measures appropriate to the risk, in line with GDPR Art. 32:

  • HTTPS everywhere, HTTP Strict Transport Security (HSTS) in production
  • AES-256-GCM encryption at rest for sensitive tokens (Shopify and Meta access tokens)
  • HMAC verification with constant-time comparison (timingSafeEqual) on every webhook
  • Row-Level Security (RLS) enforced on every Supabase table holding merchant data
  • OAuth-only authentication — Stellad does not store user passwords
  • Principle of least privilege on all sub-processor accounts
  • Continuous error monitoring via Sentry with alerting on anomalous patterns

Stellad is not itself SOC 2 certified. Several of our sub-processors are (Supabase, Vercel, Stripe), and we rely on their certifications for their respective parts of the stack.

For security-sensitive disclosures (vulnerabilities, suspected breaches), please email security@stellad.app.

In the event of a personal data breach affecting your data, we will notify you and the CNIL within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33–34.

8. International transfers

Some of our sub-processors are based outside the European Economic Area (notably in the United States). For those transfers we rely on:

  • the European Commission's Standard Contractual Clauses (SCCs) where applicable
  • the EU-US Data Privacy Framework where the sub-processor is certified
  • supplementary technical measures (encryption in transit, hashing of shopper PII before any transfer to Meta, encryption at rest)

You can request a copy of the SCCs in force for any sub-processor at privacy@stellad.app.

9. Children

Stellad is a B2B service for Shopify merchants and is not directed at children. We do not knowingly process personal data of anyone under 16. If you believe we hold data about a child, contact privacy@stellad.app and we will delete it.

10. Changes to this policy

We may update this policy. Material changes will be notified by email to your account email and via in-app notification at least 30 days before they take effect. The "Last updated" date at the top is always current.

11. Contact

| Topic | Email | | --- | --- | | Privacy, GDPR, DSAR | privacy@stellad.app | | Security disclosures | security@stellad.app | | Legal notices | legal@stellad.app | | Support | support@stellad.app |

Postal mail: Achille Antoine DECOUTTERE 941 Route de Lady Les Granges 74120 Megève France

You may also contact the CNIL (Commission Nationale de l'Informatique et des Libertés) at https://www.cnil.fr if you believe your rights have not been respected.

Also seeTerms of ServiceThe rules of using Stellad.Also seeData Processing AgreementGDPR Art. 28 obligations between Stellad and you as a merchant.