1. The short version
Stelar ("we", "us", "our") is operated by Cynosuirc Tech Labs. This policy explains what personal data we collect when you use usestelar.com (the "Service"), why we collect it, who we share it with, and the rights you have over it.
We process personal data in line with the Nigeria Data Protection Act 2023 and the regulations of the Nigeria Data Protection Commission (NDPC). If you're accessing Stelar from outside Nigeria, your data is still handled under the same standard.
2. Information we collect
Information you give us. When you create an account we collect your name, email address, and a password (stored as a salted hash, never in plain text). If you sign in with Google, we receive the name and email address you have shared with that provider.
Information collected automatically. Each time you sign in we record your IP address and user-agent string, attached to that session for security and abuse prevention. We also store a UI preference ("sidebar open or closed") in a cookie on your device.
Your story content. Anything you generate with the wizard — story text, character names and descriptions, scene text, and the illustrations we produce for you — is stored against your account. If you publish a story, the slug, title, and a byline become publicly viewable at usestelar.com/s/<slug>.
Billing identifiers. When you upgrade, our payment processor Paystack gives us a customer ID and subscription ID. We never see or store your full card number, CVV, or banking credentials — Paystack does.
Your own API keys (BYOK). On The Archmage plan you may add your own Groq, OpenRouter, KIE.ai, or Fal.ai keys. These are encrypted at rest with AES-256 before they ever touch our database and are decrypted only at the moment they are needed to call the provider. We never log decrypted key values.
3. How we use your information
We use your data to:
- create and operate your account, including signing you in and keeping a session alive;
- run the story, character, and image generation pipelines you request;
- process subscription payments and enforce plan limits (story counts, art-style access, page counts);
- secure the Service — detect abuse, rate-limit bad actors, investigate reports, and resolve incidents;
- send you transactional emails you asked for (a welcome, a password reset, a notification you enabled);
- comply with our legal obligations, including content-moderation and takedown requests under Nigerian law.
4. Our legal basis (NDPA)
Under the Nigeria Data Protection Act 2023, we rely on the following lawful bases:
- Performance of a contract — running the account you signed up for and generating the storybooks you request.
- Consent — for non-essential communications like product updates, which you can withdraw at any time, and for signing in with a social provider.
- Legal obligation — keeping accurate billing records, responding to lawful requests, and meeting content-moderation duties.
- Legitimate interests — recording IP addresses and user-agents per session to prevent fraud, abuse, and automated attacks on the Service.
6. International data transfers
Stelar is operated from Nigeria, but the processors listed above are global services and may process data in the United States, the European Union, and other regions. We share data with them only to the extent necessary to provide the Service, and they handle it under their published data-protection commitments.
8. AI-generated content & your stories
When you generate a storybook, the text prompts, character details, and the resulting text and images are stored against your account so you can edit, regenerate, and re-export them. We do not use your private, unpublished stories to train any model.
Prompts are sent to our AI providers (Groq, OpenRouter, KIE.ai, Fal.ai, or your BYOK provider) only to fulfil your generation request. Those providers may retain inputs and outputs for a limited period under their own terms — please review them if this matters to you.
9. Your own API keys (BYOK)
If you supply your own API keys under Bring-Your-Own-Key, those keys are encrypted with AES-256 before being stored, and decrypted only at the instant a provider call is made. They never appear in logs, emails, or error messages. You can remove a key at any time from Settings, and it is purged from our database immediately.
10. Children's privacy
Stelar is a tool for adults — parents, educators, and creators — to make storybooks for children. The Service is not directed at children, and accounts may only be held by individuals aged 13 or older (or, where applicable, with the supervision of a parent or legal guardian).
We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact legal@usestelar.com and we will delete it promptly. Story content you create for a child (for example, a character named after a child) is treated as your data, and you control whether it stays private or is published.
11. How long we keep data
- Account data is kept for as long as your account is active. Deleting your account removes your profile, stories, characters, scenes, and BYOK keys within 30 days.
- Session data (IP, user-agent) is retained for the life of the session plus a short security window.
- Billing records are kept for as long as required by Nigerian tax and accounting law.
- Moderation records (flagged content, decisions, admin notes) are retained to support appeals and audits.
12. Security
We use reasonable technical and organisational measures to protect your data — encrypted connections (TLS) in transit, AES-256 at rest for BYOK keys, salted hashing for passwords, scoped server-side access controls, and audit logging for admin actions. No method of transmission or storage is fully secure, but we work to keep the attack surface small and respond quickly to incidents.
13. Your rights under the NDPA
You have the right to:
- access the personal data we hold about you;
- rectify data that is inaccurate or incomplete;
- erase your data and delete your account (Settings → Delete account);
- restrict or object to certain processing, including marketing;
- withdraw consent at any time where we relied on consent;
- data portability — receive your story content in a structured, machine-readable format on request.
To exercise any of these rights, email legal@usestelar.com. We respond within 30 days. If you're not satisfied with our response, you can complain to the Nigeria Data Protection Commission (NDPC).
14. Changes to this policy
We'll update this policy as the Service evolves. The "Last updated" date at the top always reflects the most recent version. For material changes that affect how we handle your data we'll notify you in-product or by email before they take effect.
15. Contact & data controller
The data controller responsible for your personal data is Cynosuirc Tech Labs, the operator of Stelar. For privacy questions, data-subject requests, or to file a complaint, contact us at legal@usestelar.com — for general questions, hello@usestelar.com.

