Privacy Policy

See Stella provides general wellness and skincare information only. It is not a medical service and does not diagnose, treat, cure, or prevent any disease or condition. Stella’s insights are educational and should never replace professional medical advice. Always consult a qualified healthcare practitioner for a personalised diagnosis or treatment.

Title

Last updated: Aug 2025

1. Overview

This Privacy Policy explains how See Stella Pty Ltd ("Stella", "we", "our" or "us") collects, uses, discloses, and protects your Personal Information when you visit seestella.com.au, use the Stella mobile applications, or interact with any other product or service that links to this Policy (collectively, the "Services").
 

We are committed to handling your information in accordance with the Privacy Act 1988 (Cth) and its Australian Privacy Principles ("APPs"), the California Consumer Privacy Act as amended by the CPRA ("CPRA"), and in anticipation of the U.S. consumer‑health‑data statutes (WA MHMD, NV SB370, CT CPA, CO SB24‑205).

 

By accessing or using the Services, you agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree with any part of this Policy, you should not use the Services.

1.1 Scope & Relationship to Terms

This Policy forms part of, and is incorporated by reference into, the See Stella Terms & Conditions (the "Terms"). Capitalised terms not defined here have the meanings given in the Terms. If there is any conflict between this Policy and the Terms, the Terms prevail to the extent of the inconsistency, except where privacy laws require otherwise.

1.2 Responsible Entity

For all markets in which we operate, See Stella Pty Ltd (ACN 669 216 924), Suite 329/98-100 Elizabeth Street
Melbourne, VIC, 3000, is the organisation responsible for your personal information (the “data controller” under the Australian Privacy Act 1988 (Cth) and a “business” under applicable U.S. privacy statutes).

1.3 Contact Details

If you have questions about this Policy or wish to exercise your privacy rights, please contact our Privacy Team.

 

Email. privacy@seestella.com.au
Post. Suite 329/98-100 Elizabeth Street, Melbourne, VIC, 3000

 

We aim to respond to all privacy‑related enquiries within ten (10) business days. For escalation and complaint handling, see Section 13.

2. Information We Collect

We collect various types of information in order to deliver the Services, personalise your experience, and meet our legal obligations. The tables below satisfy notice requirements under APP 5 (Australia), CPRA §1798.110(c) (California), and the emerging U.S. consumer‑health‑data statutes.

2.1 Categories, Examples, Purpose & Retention

Account Identifiers

  1. Examples: Name, e‑mail, mobile number, country, age confirmation, referral code
  2. Purpose: Account creation, authentication, customer support
  3. Retention: Life of account + 3 years (Section 8.1)

Device & Usage Data

  1. Examples: Device model, OS version, IP address, app version, page views, button taps, crash logs
  2. Purpose: Prevent fraud, debug, improve UX, analytics
  3. Retention: Up to 3 years from collection (aggregated thereafter)

Biometric Data

  1. Examples: Facial images, wrinkle depth, redness index, pore visibility, pigmentation maps
  2. Purpose: Generate Skin Insights, personalised product recommendations
  3. Retention: Max 3 years from last activity (Section 8.2)

 

Consumer Health Data

  1. Examples: HRV, resting heart rate, sleep stages, UV exposure, step count
  2. Purpose: Trend analysis, contextual alerts (e.g., high UV), wellness advice
  3. Retention: Max 3 years from last activity (Section 8.2)

 

Payment & Transaction Data

  1. Examples: Last 4 digits of card, Stripe token, billing address, order history, subscription status
  2. Purpose: Process payments, detect fraud, comply with tax law
  3. Retention: Life of account + 3 years (tax record requirement)

Precise Geolocation (≤ 183 m)

  1. Examples: GPS coordinates captured during scan or when searching Practitioner Directory
  2. Purpose: Surface local UV metrics, find nearby practitioners
  3. Retention: Raw coordinates purged after 24 hours; derived UV value stored 3 years

Cookies & Similar Tech

  1. Examples: GA4 client ID, Amplitude device ID, marketing‑pixel IDs, cookie preferences
  2. Purpose: Analytics, first‑party contextual marketing, cookie‑consent tracking
  3. Retention: Cookie life (max 13 months) or until deletion

* All categories may also be used for legal, security, and compliance purposes (see Section 3.5).

2.2 How We Collect Information

Direct from you. When you create an account, complete a scan, place an order, contact support, or manually enter data (e.g. skin concerns).


Automatically. Through cookies, SDKs, and similar technologies that capture device details and usage analytics as you use our app or website.


Connected wearables. When you link a compatible device (e.g., Apple Watch, Fitbit, Garmin, Oura, WHOOP) we receive sensor data you authorise (such as heart rate, sleep, and activity).


Health and fitness apps. When you connect third‑party apps (e.g., MyFitnessPal, Apple Health, Google Fit) we import only the data types you choose to share.


Images. Facial photos you capture in‑app are analysed by Stella’s AI models (hosted on Google Cloud) and stored for quality checks and ongoing insights.


Transactions. Payment details are processed by Stripe; order and fulfilment data come from Shopify and, where applicable, dropship partners.


Affiliate platforms. If you purchase via a Stella affiliate link (e.g., Amazon), we receive aggregated conversion statistics without personal identifiers.

 

If you decline to provide required information (such as an email address, scan consent, or payment details), we may be unable to create your account, perform a skin analysis, or process purchases.

3. How We Use Information

We use the information we collect for the purposes outlined below. Where privacy laws require a legal basis (e.g., CPRA, upcoming GDPR rollout), the main bases are consent, performance of a contract, legitimate interests (improving the Services, preventing fraud), and legal obligation.

3.1 Core Service Delivery

We process your information to:

  1. Create & manage your account (authenticate, reset passwords, store preferences).
  2. Generate Skin Insights from facial scans and wearables data.
  3. Display your historical trends (hydration, UV exposure, skin‑age estimates).
  4. Fulfil orders & subscriptions (process payments via Stripe, coordinate shipping with Stella fulfilment, Dropship Partners, or Affiliate Platforms).
  5. Provide customer support (respond to tickets, troubleshoot, issue refunds).

3.2 Personalisation & Recommendations (First‑Party)

We analyse Biometric Data, Consumer Health Data, and device usage to:

  1. Recommend products or routines that match your skin metrics and goals.
  2. Surface contextual promotions—including sponsored items—inside the Stella app (e.g., suggesting a sunscreen when UV is high). These promos never share your identifiable data with third‑party ad networks.
  3. Sort recommendations listings by relevance (see T&Cs Section 11) while clearly labelling sponsored placements.

3.3 Research & Product Improvement

To make Stella better, we:

  1. Train and validate machine‑learning models on de‑identified or aggregated data whenever feasible; limited identifiable data may be used under strict access controls where de‑identification would defeat the research purpose.
  2. Run A/B tests to compare new features, messaging, or UI layouts.
  3. Generate usage analytics (Amplitude, GA4) to identify pain points and optimise performance.

3.4 Marketing Communications (Opt‑In/Opt‑Out)

E‑mail & Push Promos. With your consent (or as permitted by the Spam Act 2003 (Cth) and CAN‑SPAM), we send newsletters, product launches, and exclusive offers.


Personalisation. We may tailor content based on your Skin Insights (e.g., acne‑focused tips if your breakout score is low). No sensitive health metrics are shared with third‑party marketers.
 

Your Choices. You can opt out anytime via the unsubscribe link, in‑app settings, or by e‑mailing info@seestella.com.au. Transactional messages (order confirmations, security alerts) are still sent.

3.5 Legal, Security & Compliance

We may also use information to:

  1. Detect, investigate, and prevent fraud or security incidents.
  2. Enforce our Terms & Conditions and other policies.
  3. Comply with legal obligations, regulatory requests, tax requirements, and dispute‑resolution processes.
  4. Maintain audit logs and evidence for accounting or regulatory inquiries.

4. When We Share Information

We do not sell or rent your Personal Information for money. We share it only in the circumstances listed below and always under contracts that prohibit secondary use, except where you have given informed consent or where the law permits otherwise.

4.1 Service Providers & Sub‑processors

We engage carefully vetted third‑party vendors (“Sub‑processors”) for cloud hosting, authentication, payment processing, analytics, messaging, fulfilment, and customer support. Each Sub‑processor is:

  1. Bound by a written agreement that limits processing to See Stella’s documented instructions;
  2. Required to apply appropriate technical and organisational safeguards consistent with recognised industry best practices; and
  3. Referenced by category in our Terms and Conditions. A complete, named list is available under NDA on written request. Where privacy laws grant a right to object, we will give at least thirty (30) days’ advance notice before a new Sub‑processor begins handling Personal Information

4.2 Affiliate Platforms & Sponsored Links

When you click an affiliate link (e.g., to Amazon) we add a non‑personal referral tag so we can earn commission. We do not include your name, e‑mail, Biometric Data, Consumer Health Data, or device identifiers in that tag. The retailer may place its own cookies; their privacy policy governs further data collection. Under CPRA this does not constitute a “sale” or “share” of Personal Information because no identifiable data is exchanged.

4.3 Dropship Partners & Logistics Providers

If you purchase a product fulfilled by a Dropship Partner or third‑party logistics provider, we share only the information they need to ship your order: name, shipping address, phone/e‑mail (for tracking), and ordered items. These partners may contact you solely about shipment status or returns and are contractually prohibited from marketing to you unless you consent separately.

4.4 Legal, Safety & Corporate Events

We may disclose your information to third parties.
 

Legal Requirements. To comply with subpoenas, court orders, or other legal processes; to meet tax, consumer‑protection, or health‑regulation obligations.


Protect Rights & Safety. To investigate fraud, enforce our Terms, or protect the rights, property, or safety of Stella, our users, or the public.


Business Transfers. In connection with a merger, acquisition, financing, or sale of all or a portion of our business. We will require the successor entity to honour this Policy or notify you and give you choices before your data is transferred or becomes subject to a different privacy policy.


Aggregated & De‑identified Data. We may share aggregated statistics (e.g., average breakout score by age group) or de‑identified data that cannot reasonably be used to identify you. Such data is not Personal Information under the Privacy Act or CPRA.

5. Cookies & Tracking Technologies

We use the term “cookies” broadly to include browser cookies, mobile SDK identifiers, pixels, and local storage.

5.1 Types of Cookies We Use

Strictly Necessary

  1. Examples: Session token, CSRF token, load‑balancer cookie
  2. Purpose: Keep you logged in, route traffic securely
  3. Can You Turn Them Off?: Only by disabling cookies entirely in your browser; the site may not function.

Analytics

  1. Examples: Google Analytics 4 (_ga), Amplitude device ID
  2. Purpose: Measure page views, button taps, crash logs, A/B tests
  3. Can You Turn Them Off?: Yes – via Cookie Settings banner or GPC signal (see 6.2).

Functional

  1. Examples: Language preference, cookie‑consent state
  2. Purpose: Remember your choices, improve UX
  3. Can You Turn Them Off?: Yes – but some preferences will reset.

Marketing / Affiliate

  1. Examples: Stella affiliate tag in URL, first‑party promo impression tracker
  2. Purpose: Attribute in‑app sponsored placements; show relevant offers
  3. Can You Turn Them Off?: Yes – via Cookie Settings; note that promos may still appear but won’t be personalised.

Advertising cookies and pixels
See Stella uses third‑party advertising technologies—such as Meta Pixel, TikTok Pixel, Google Ads Conversion Tags, and similar cookies or SDKs—to:

  1. measure the effectiveness of our marketing campaigns;
  2. create audience segments for personalised ads; and
  3. limit how often you see the same advertisement.

These tools may track your activity across our sites, apps, and (in limited cases) other websites. We deploy advertising cookies only after you have given consent via our cookie banner. You may withdraw or adjust that consent at any time through the in‑app Cookie Settings or by contacting privacy@seestella.com.au.

5.2 Your Choices & Global Privacy Control (GPC)

On your first visit we display a banner that lets you accept all cookies, refuse non‑essential cookies, or manage your settings

 

Your choice is saved in a first‑party cookie for up to twelve (12) months—or until you clear cookies or change your preferences—so we don’t keep asking.
 

Global Privacy Control. We honour browser‑based GPC signals as a valid opt‑out of analytics and marketing cookies for California residents.
 

Browser Controls. Most browsers let you block or delete cookies. Blocking strictly necessary cookies may break core functionality.

5.3 Do‑Not‑Track (DNT)

Legacy DNT signals are not standardised; we treat GPC as the modern, enforceable equivalent and apply it globally where technically feasible.

5.4 Mobile Advertising Identifiers

The Stella app does not access the Apple IDFA or Google AAID for third‑party advertising. Our in‑app promotions rely on first‑party device IDs and do not track you across other apps.

5.5 Changes to Cookies & Tracking

If we add new cookies or SDKs that materially change tracking practices (e.g., third‑party ad network), we will re‑surface the consent banner before activation.

6. International Data Transfers

6.1 Hosting Regions & Data Location

Stella uses Google Cloud Platform (GCP) with multi‑region deployments.


Australia: Default for AU residents.
United States: Default for U.S. residents.

 

Your data may be mirrored across these regions for resilience and latency; we use geo‑fencing to keep facial images processed in the region closest to you.

6.2 Transfer Mechanisms & Contractual Safeguards

Australia. APP 8.1 “reasonable steps” — we verify overseas recipients have comparable privacy protections via certifications and contract clauses.

 

California & CPRA States. Service‑provider contracts (CPRA §1798.140 & §1798.100(e)); data‑processing agreements prohibit “selling” or “sharing.” Copies available on request.

 

Consumer‑Health‑Data States (WA, NV, CT, CO). Written CHD contracts mandating no secondary use, deletion on request, and breach notification within 24 hours. Mirrors RCW 19.373.040 requirements.

6.3 Your Rights & How to Learn More

Access Safeguards. You may request a copy of the relevant contractual safeguards (subject to redactions for confidentiality) by e‑mailing privacy@seestella.com.au.


Object to Transfer. Where local law allows, you may object to certain cross‑border transfers; turning off scans or closing your account may be required to honour the objection.
 

Complaints. Australian users can lodge a complaint with the OAIC if unsatisfied. U.S. users may contact their State Attorney General or privacy regulator.

7. Data Retention & Destruction

7.1 Account & Transaction Records (Life of Account + 3 Years)

Account identifiers (name, e‑mail, phone, country)

  1. Why We Keep It: Keep your profile active; respond to legal requests; audit log
  2. When We Delete or De‑Identify: Within 30 days after you permanently delete your account, we flag for purge. Full deletion (including backups) occurs within 90 days unless legal hold applies.

Order & payment history

  1. Why We Keep It: Mandatory tax, accounting, and fraud‑prevention obligations
  2. When We Delete or De‑Identify: Retained for 3 years after account deletion, then deleted or irreversibly hashed.

7.2 Biometric & Consumer Health Data (User‑Controlled, Max 3 Years)

Raw facial images

  1. Default Retention: 3 years (for quality control & re‑scan preview)
  2. Early Deletion Options: Not stored in backups; permanently deleted at day 30 or immediately upon user request.

Derived Biometric metrics (wrinkle depth, redness, etc.)

  1. Default Retention: Up to 3 years from last account activity
  2. Early Deletion Options: You can delete scans or wipe metrics anytime by deleting your account.

Consumer Health Data (HRV, sleep, UV, steps)

  1. Default Retention: Same 3‑year window
  2. Early Deletion Options: Disconnect your wearables in your account settings; we comply within 45 days (30 days for Illinois residents).

A detailed retention schedule is published at seestella.com.au/biometric‑policy and updated when legal requirements change.

7.3 Cookie & Analytics Data

Browser cookies & local storage. Expire after 13 months (analytics) or sooner if you clear cookies or withdraw consent.
 

Mobile analytics device IDs. Reset when you toggle off analytics in app settings or uninstall the app; aggregated reports stay anonymised.

7.4 De‑identification & Archival Standards

When we “de‑identify” data we:

  1. Remove direct identifiers (name, e‑mail, device tokens).
  2. Hash remaining IDs with a secret salt stored separately.
  3. Aggregated metrics are grouped (e.g., by age bracket) so individuals cannot be singled out.
  4. We commit not to re‑identify or allow vendors to re‑identify de‑identified data.

7.5 Backup & Disaster Recovery Copies

Encrypted backups are stored on GCP multi‑region cold storage. Deleted data may persist in these backups until overwritten; it is inaccessible to production systems.

8. Your Privacy Rights

8.1 Australia – APP Rights

Access (APP 12)

  1. What It Means: Get a copy of the Personal Information we hold about you.
  2. How to Exercise: E‑mail info@seestella.com.au
  3. Response time: ≤ 30 days

Correction (APP 13)

  1. What It Means: Ask us to correct inaccurate or outdated info.
  2. How to Exercise: Email info@seestella.com.au
  3. Response time: ≤ 30 days

Complaint to OAIC

  1. What It Means: Lodge a complaint with the Australian regulator if unsatisfied.
  2. How to Exercise: First, contact Stella’s Privacy Officer. If unresolved after 30 days, visit www.oaic.gov.au

8.2 United States – CPRA Rights (California Residents)

Know / Access

  1. CPRA §: 1798.110
  2. How to Exercise: Email info@seestella.com.au
  3. Response Time: ≤ 45 days (15‑day extension)

Delete

  1. CPRA §: 1798.105
  2. How to Exercise: Email info@seestella.com.au
  3. Response Time: ≤ 45 days

Correct

  1. CPRA §: 1798.106
  2. How to Exercise: Email info@seestella.com.au
  3. Response Time: ≤ 45 days

Limit Use of Sensitive PI

  1. CPRA §: 1798.121
  2. How to Exercise: Email info@seestella.com.au
  3. Response Time: ≤ 15 days

Opt‑Out of Sale/Share (N/A today)

  1. CPRA §: 1798.120
  2. How to Exercise: If enabled, email info@seestella.com.au or use a Global Privacy Control (GPC) signal
  3. Response Time: ≤ 15 days

Non‑Discrimination

  1. CPRA §: 1798.125
  2. How to Exercise: We will not deny goods/services or charge different prices for exercising CPRA rights.
  3. Response Time: N/A

8.3 U.S. Consumer Health Data States (WA, NV, CT, CO)

Access / Confirm

  1. Statute: WA RCW 19.373.040; NV SB370 §4
  2. How to Exercise: Email info@seestella.com.au
  3. Response Time: ≤ 45 days

Delete

  1. Statute: Same
  2. How to Exercise: Email info@seestella.com.au
  3. Response Time: ≤ 45 days

Portability

  1. Statute: Same
  2. How to Exercise: Email info@seestella.com.au
  3. Response Time: ≤ 45 days

Withdraw Consent

  1. Statute: Same
  2. How to Exercise: Unlink wearable authentication or stop scanning
  3. Response Time: Immediate

Appeal Denial (CT, CO)

  1. Statute: CT CPA §42‑471; CO SB24‑205
  2. How to Exercise: Reply “APPEAL” to decision e‑mail
  3. Response Time: ≤ 45 days

8.4 How to Exercise Your Rights

E‑mail Requests. Send a request to info@seestella.com.au with (a) the right you wish to exercise, (b) the data involved, and (c) proof of identity (e.g., reply from your registered e‑mail).
 

Verification. We may ask for additional information to verify your identity before processing (CPRA §1798.130).
 

Agent Requests. California residents may authorise an agent; you must provide signed permission and we may still ask you to verify identity.


Response Times. See tables above. We will confirm receipt within 10 days and include a reference number.
 

Fees. Requests are free up to twice per 12‑month period. Excessive or manifestly unfounded requests may incur a reasonable fee or be refused.

9. Children’s Privacy

9.1 Age Restrictions

Stella’s Services are intended only for legal adults.
 

Australia. You must be 18 years or older.
 

United States. You must be 18 years or older (or the age of majority in your state, whichever is higher). 

 

We do not knowingly collect Personal Information from anyone under these age thresholds. If you are below the minimum age, do not use the Services or submit any information to us.

9.2 No Child Accounts

During account creation we require age confirmation. Accounts flagged as under‑age are rejected or promptly deleted. If we later discover we have collected information from a minor without appropriate authorisation, we will delete that information as quickly as possible.

10. Security Measures

10.1 Technical & Organisational Measures

Encryption. All data in transit is encrypted using TLS 1.2+; data at rest is encrypted with AES‑256 on Google Cloud Platform (GCP) managed disks.


Network Segmentation. Production environments are isolated from development/staging via VPC‑level segmentation and firewall rules.
 

Access Controls. Principle of least privilege enforced via Google Cloud IAM; multi‑factor authentication (MFA) required for all privileged accounts; quarterly access‑review audits.
 

Data Minimisation & Pseudonymisation. Identifiers (e.g., user IDs) are hashed in analytics pipelines.
 

Logging & Monitoring. Centralised logging (Cloud Logging) with anomaly detection; logs retained 12 months for forensic analysis.

11. Changes to this Privacy Policy

We may update this Policy from time to time.
 

Minor updates (purely administrative fixes or clarifications that don’t affect your rights or fees). We will give you at least 3 days’ notice.


Material updates (changes to how the Service works or to your legal rights, but not to price. We’ll give you at least 7 days’ notice.


Price changes (any increase to subscription fees). We will give you at least 30 days’ notice.
 

We will notify you by e‑mail and/or in‑app message. If a later effective date is stated in the notice, that date applies; otherwise, the change takes effect when the relevant notice period ends.

If we must change the Terms immediately to comply with a law, a court order, or to address security or safety concerns, we may do so immediately and will notify you as soon as practicable.
 

Your options. If you do not agree with a change, you may cancel your subscription and delete your account before the effective date without penalty; we’ll refund any prepaid fees for unused periods on a pro‑rata basis. Your continued use of the Services after the effective date constitutes your acceptance of the revised Terms.

11.2 Minor or Administrative Changes

For non‑material updates (e.g., typographical errors, new contact details, added examples) we will update the “Last updated” date at the top of this page and post the revised Policy without advance notice.

12. Contact & Complaints

If you have questions, concerns, or complaints about this Privacy Policy or our data‑handling practices, please contact us first—most issues can be resolved quickly.

12.1 Contact Us

E‑mail. privacy@seestella.com.au
Postal. See Stella Pty Ltd (ACN 669 216 924), 9 Plummer Road, Mentone VIC 3194, Australia

 

We aim to acknowledge receipt within 5 business days and provide a substantive response within 30 days.

12.2 OAIC Complaint Process (Australia)

If you are in Australia and are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC):


Online. www.oaic.gov.au/privacy/privacy‑complaints
Phone. 1300 363 992
Post. GPO Box 5218, Sydney NSW 2001, Australia

12.2 OAIC Complaint Process (Australia)

If you reside in a U.S. state with privacy legislation and are unsatisfied with our response, you may contact:
 

California. California Privacy Protection Agency (CPPA) – privacy.ca.gov
Washington. Office of the Attorney General – atg.wa.gov
Nevada. Office of the Attorney General – ag.nv.gov
Connecticut. Office of the Attorney General – portal.ct.gov/AG
Colorado. Department of Law – coag.gov
 

We will cooperate fully with these regulators in resolving any complaints.