Legal

Privacy Policy

Last updated: March 27, 2026

Stellar ("Stellar," "we," "us," or "our") operates the Stellar platform, website (stellar.ai), and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service.

Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when you register for an account, subscribe to a plan, contact us, or otherwise interact with the Service:

  • Account Information: Name, email address, company name, phone number, and password when you create an account.
  • Billing Information: Payment method details (credit card number, billing address) processed through our third-party payment processors (Stripe and Polar.sh). We do not store full credit card numbers on our servers.
  • Knowledge Base Content: Documents, files, text, and other materials you upload to train your AI voice agents.
  • Contact Lists: Names, phone numbers, email addresses, and other contact details you provide for your leads, customers, or event attendees.
  • Agent Configuration: Prompts, scripts, voice settings, workflow configurations, and other settings you create for your AI voice agents.
  • Communications: Messages, feedback, and correspondence you send to us via email, contact forms, or support channels.

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information:

  • Call Data: Call recordings, transcripts, call duration, call outcomes, timestamps, and metadata associated with voice calls made by your AI agents. Call recordings and transcripts are stored securely and are accessible only to your account.
  • Usage Data: Pages visited, features used, click patterns, session duration, API calls made, minutes consumed, and other interaction data.
  • Device & Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Cookies & Tracking Technologies: We use cookies, web beacons, and similar technologies to maintain sessions, remember preferences, and analyze usage patterns. See Section 8 (Cookies) below.
  • Log Data: Server logs including access times, pages viewed, referring URLs, and system activity.

1.3 Information from Third-Party Integrations

When you connect third-party services to Stellar, we may receive information from those services:

  • Google Calendar: Calendar event details (event title, time, attendees) to enable appointment booking and event confirmation features. We access only the calendar data necessary for the features you enable.
  • CRM Integrations (HubSpot, GoHighLevel, Salesforce): Contact records, deal information, and other CRM data you authorize us to access for lead qualification and sync purposes.
  • Communication Tools (Slack, Zapier): Notification and workflow data required to deliver real-time alerts and automate actions you configure.
  • Form & Event Platforms (Typeform, Jotform, Eventbrite, Zoom): Form submissions, event registrations, and attendee data you authorize us to access.
  • Google Sheets: Spreadsheet data you authorize for contact syncing and reporting purposes.
  • OAuth Authentication (Google): Basic profile information (name, email) when you sign in using Google OAuth.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and Maintain the Service: To operate your AI voice agents, process calls, deliver transcripts, manage your knowledge base, and provide the core functionality of the platform.
  • Account Management: To create and manage your account, process subscriptions, handle billing, and provide customer support.
  • AI and Voice Processing: To power AI conversations using speech-to-text (STT), text-to-speech (TTS), and large language model (LLM) technologies. Call audio is processed by our voice infrastructure partners to generate real-time responses.
  • Knowledge Base Processing: To extract, chunk, and embed your uploaded documents so your AI agents can reference accurate information during calls.
  • Improvements and Analytics: To understand usage patterns, diagnose technical issues, improve Service performance, and develop new features.
  • Communications: To send transactional emails (account confirmations, billing receipts, security alerts), onboarding sequences, and, with your consent, product updates and marketing communications.
  • Security and Fraud Prevention: To detect, prevent, and respond to security incidents, fraud, and abuse.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including TCPA and GDPR requirements.

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances:

  • Service Providers: We share data with third-party service providers who assist us in operating the Service, including:
    • Vapi — Voice AI infrastructure (call processing, speech-to-text, text-to-speech)
    • OpenAI — Large language model processing for AI conversations and document embeddings
    • ElevenLabs — Neural text-to-speech voice synthesis
    • Deepgram — Speech-to-text transcription
    • Supabase — Database hosting, authentication, and file storage
    • Stripe / Polar.sh — Payment processing and subscription management
    • Resend — Transactional email delivery
    • Vercel — Website hosting and content delivery
    • Railway — API and worker service hosting
  • Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal processes, such as a subpoena, court order, or government request.
  • Protection of Rights: We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our Terms of Service, suspected fraud, situations involving potential threats to the safety of any person, or as evidence in litigation.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.
  • With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.

4. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Account Data: Retained for the duration of your account. Upon account deletion, personal data is deleted or anonymized within 30 days, except where retention is required for legal or compliance purposes.
  • Call Recordings & Transcripts: Retained according to your account settings and applicable data retention policies. You can configure automatic deletion schedules. Default retention is 90 days, after which recordings are automatically purged.
  • Contact Data: Retained for as long as you maintain your account and the data remains in your contact lists. You can delete individual contacts or bulk-delete data at any time.
  • Usage Logs & Analytics: Aggregated and anonymized usage data may be retained indefinitely for analytics purposes. Identifiable log data is typically deleted within 12 months.
  • Billing Records: Retained for up to 7 years as required by tax and financial regulations.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Sensitive data, including OAuth tokens and API keys, is encrypted using AES-256-GCM encryption at rest.
  • Access Controls: Database access is restricted through Row-Level Security (RLS) policies ensuring strict account isolation. Your data is never accessible to other accounts.
  • Infrastructure Security: Our services are hosted on SOC 2 compliant infrastructure providers (Vercel, Railway, Supabase).
  • API Security: API access is protected by JWT-authenticated sessions and rate limiting. API keys are hashed before storage.
  • Regular Monitoring: We monitor our systems for security vulnerabilities and unauthorized access attempts.

While we use commercially reasonable efforts to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

6. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

6.1 General Rights

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct any inaccurate or incomplete personal information.
  • Deletion: Request that we delete your personal information, subject to certain legal exceptions.
  • Data Portability: Request a copy of your data in a structured, machine-readable format.
  • Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the unsubscribe link in our emails or by contacting us.
  • Account Deletion: You may delete your account through the account settings page. This will initiate deletion of your personal data in accordance with our retention schedule.

6.2 Rights for European Economic Area (EEA) Residents (GDPR)

If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis for Processing: We process your personal data based on: (a) your consent, (b) performance of a contract, (c) compliance with legal obligations, or (d) our legitimate business interests.
  • Right to Restrict Processing: You may request that we restrict processing of your personal data under certain circumstances.
  • Right to Object: You may object to processing of your personal data based on our legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: You may file a complaint with your local data protection authority.
  • Data Transfer: Your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses and other appropriate safeguards for international data transfers.

6.3 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, with certain exceptions.
  • Right to Opt-Out of Sale: We do not sell personal information. If this changes, we will provide an opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@stellar.ai. We will respond to verified requests within 30 days (or 45 days for complex requests, with notice).

7. Telephone Consumer Protection Act (TCPA) Compliance

Stellar takes TCPA compliance seriously. As a platform that facilitates automated voice calls:

  • Your Responsibility: You are responsible for obtaining proper consent from individuals before initiating automated calls through our platform, as required by the TCPA and applicable state laws.
  • Do-Not-Call Compliance: You must maintain and honor internal do-not-call lists and comply with the National Do Not Call Registry.
  • Calling Hours: Stellar enforces business hour restrictions to help ensure calls are made within permitted time windows.
  • Consent Records: We recommend maintaining records of consent for all contacts in your lists. Stellar provides tools to help you manage consent status.
  • Opt-Out Handling: Stellar supports opt-out mechanisms during calls. When a call recipient requests to be removed, you must promptly honor that request.

8. Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential Cookies: Required for the Service to function. These include authentication session cookies and security tokens. You cannot opt out of essential cookies.
  • Functional Cookies: Remember your preferences, settings, and choices (e.g., sidebar collapse state, theme preferences).
  • Analytics Cookies: Help us understand how visitors interact with our website and Service, including page views, traffic sources, and usage patterns. We use these to improve the Service.

Most web browsers allow you to control cookies through browser settings. You can set your browser to refuse cookies or alert you when cookies are being sent. Note that disabling cookies may affect the functionality of the Service.

9. Third-Party Links and Services

The Service may contain links to third-party websites, services, or integrations that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with our Service.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we may have collected information from a child under 18, please contact us at privacy@stellar.ai.

11. International Data Transfers

Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your jurisdiction. By using the Service, you consent to the transfer of your information to these countries. Where required by law, we implement appropriate safeguards (such as Standard Contractual Clauses) to protect your data during international transfers.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or a prominent notice within the Service. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

We will make every effort to respond to your inquiry within 30 days.

See also: Terms of Service