Back to home
02Legal

Privacy Policy

Last updated: June 22, 2026

We keep this short, plain, and specific to what Stelar actually does. If anything here surprises you, that's a bug — please tell us.

1. The short version

Stelar ("we", "us", "our") is operated by Cynosuirc Tech Labs. This policy explains what personal data we collect when you use usestelar.com (the "Service"), why we collect it, who we share it with, and the rights you have over it.

We process personal data in line with the Nigeria Data Protection Act 2023 and the regulations of the Nigeria Data Protection Commission (NDPC). If you're accessing Stelar from outside Nigeria, your data is still handled under the same standard.

2. Information we collect

Information you give us. When you create an account we collect your name, email address, and a password (stored as a salted hash, never in plain text). If you sign in with Google, we receive the name and email address you have shared with that provider.

Information collected automatically. Each time you sign in we record your IP address and user-agent string, attached to that session for security and abuse prevention. We also store a UI preference ("sidebar open or closed") in a cookie on your device.

Your story content. Anything you generate with the wizard — story text, character names and descriptions, scene text, and the illustrations we produce for you — is stored against your account. If you publish a story, the slug, title, and a byline become publicly viewable at usestelar.com/s/<slug>.

Billing identifiers. When you upgrade, our payment processor Paystack gives us a customer ID and subscription ID. We never see or store your full card number, CVV, or banking credentials — Paystack does.

Your own API keys (BYOK). On The Archmage plan you may add your own Groq, OpenRouter, KIE.ai, or Fal.ai keys. These are encrypted at rest with AES-256 before they ever touch our database and are decrypted only at the moment they are needed to call the provider. We never log decrypted key values.

3. How we use your information

We use your data to:

  • create and operate your account, including signing you in and keeping a session alive;
  • run the story, character, and image generation pipelines you request;
  • process subscription payments and enforce plan limits (story counts, art-style access, page counts);
  • secure the Service — detect abuse, rate-limit bad actors, investigate reports, and resolve incidents;
  • send you transactional emails you asked for (a welcome, a password reset, a notification you enabled);
  • comply with our legal obligations, including content-moderation and takedown requests under Nigerian law.

5. Who we share data with

We do not sell your personal data. We share it only with processors that power a specific part of Stelar, each bound by their own data terms:

  • Groq, OpenRouter — large-language-model inference for story text, character extraction, and scene splitting.
  • KIE.ai, Fal.ai — image generation for character portraits and scene illustrations (you may also use your own key under BYOK).
  • Cloudinary and Cloudflare R2 — storing, transforming, and delivering story illustrations and exports.
  • Paystack — subscription billing. Payment instrument data is handled entirely by Paystack and never touches our servers.
  • Resend — transactional email delivery (welcome, password reset, notifications you have enabled).
  • Google and GitHub — optional social sign-in providers. We receive your name and email; we do not post on your behalf.

We may also disclose data where required by law, court order, or to protect the rights, property, or safety of Stelar, our users, or the public — including in connection with child-safety investigations.

6. International data transfers

Stelar is operated from Nigeria, but the processors listed above are global services and may process data in the United States, the European Union, and other regions. We share data with them only to the extent necessary to provide the Service, and they handle it under their published data-protection commitments.

7. Cookies

We set only essential cookies. There are no analytics cookies, no ad trackers, and no third-party marketing pixels on Stelar. Specifically:

  • better-auth.session_token — keeps you signed in. Deleting it logs you out.
  • sidebar_state — remembers whether your dashboard sidebar is open or collapsed.
  • A short-lived Better Auth cookie cache (≈5 minutes) used to speed up session lookups.

Because all of these are strictly necessary for the Service to work, we do not show a cookie consent banner. If we add analytics or any non-essential cookies in future, we'll update this section and give you a way to opt out before they load.

8. AI-generated content & your stories

When you generate a storybook, the text prompts, character details, and the resulting text and images are stored against your account so you can edit, regenerate, and re-export them. We do not use your private, unpublished stories to train any model.

Prompts are sent to our AI providers (Groq, OpenRouter, KIE.ai, Fal.ai, or your BYOK provider) only to fulfil your generation request. Those providers may retain inputs and outputs for a limited period under their own terms — please review them if this matters to you.

9. Your own API keys (BYOK)

If you supply your own API keys under Bring-Your-Own-Key, those keys are encrypted with AES-256 before being stored, and decrypted only at the instant a provider call is made. They never appear in logs, emails, or error messages. You can remove a key at any time from Settings, and it is purged from our database immediately.

10. Children's privacy

Stelar is a tool for adults — parents, educators, and creators — to make storybooks for children. The Service is not directed at children, and accounts may only be held by individuals aged 13 or older (or, where applicable, with the supervision of a parent or legal guardian).

We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact legal@usestelar.com and we will delete it promptly. Story content you create for a child (for example, a character named after a child) is treated as your data, and you control whether it stays private or is published.

11. How long we keep data

  • Account data is kept for as long as your account is active. Deleting your account removes your profile, stories, characters, scenes, and BYOK keys within 30 days.
  • Session data (IP, user-agent) is retained for the life of the session plus a short security window.
  • Billing records are kept for as long as required by Nigerian tax and accounting law.
  • Moderation records (flagged content, decisions, admin notes) are retained to support appeals and audits.

12. Security

We use reasonable technical and organisational measures to protect your data — encrypted connections (TLS) in transit, AES-256 at rest for BYOK keys, salted hashing for passwords, scoped server-side access controls, and audit logging for admin actions. No method of transmission or storage is fully secure, but we work to keep the attack surface small and respond quickly to incidents.

13. Your rights under the NDPA

You have the right to:

  • access the personal data we hold about you;
  • rectify data that is inaccurate or incomplete;
  • erase your data and delete your account (Settings → Delete account);
  • restrict or object to certain processing, including marketing;
  • withdraw consent at any time where we relied on consent;
  • data portability — receive your story content in a structured, machine-readable format on request.

To exercise any of these rights, email legal@usestelar.com. We respond within 30 days. If you're not satisfied with our response, you can complain to the Nigeria Data Protection Commission (NDPC).

14. Changes to this policy

We'll update this policy as the Service evolves. The "Last updated" date at the top always reflects the most recent version. For material changes that affect how we handle your data we'll notify you in-product or by email before they take effect.

15. Contact & data controller

The data controller responsible for your personal data is Cynosuirc Tech Labs, the operator of Stelar. For privacy questions, data-subject requests, or to file a complaint, contact us at legal@usestelar.com — for general questions, hello@usestelar.com.