Privacy Policy

Last updated: April 6, 2026

This Privacy Policy explains how Stello (“we,” “us,” “our”) collects, uses, shares, and protects information when you use our service. Stello is operated by Thomas Mitchell, a sole proprietor based in Illinois, United States.

This policy applies to two groups of people:

  • Account holders — small business owners who sign up for a Stello account and use the service to request reviews from their customers.
  • Recipients — the customers of an account holder, who receive an SMS asking about their experience and may visit a Stello feedback page to leave a rating or comment.

1. Information We Collect

From account holders

  • Account information: Email address, name (if provided), and authentication credentials (managed by Supabase). If you sign in with Google, we receive your name, email address, and profile picture from Google.
  • Business profile: Business name, service type, and Google review URL.
  • Billing information: If you upgrade to Pro, your payment information is collected and processed directly by Stripe. We receive only the last four digits of your card, your billing email, and your Stripe customer ID.
  • Usage data: Information about how you use the service, including review requests sent, plan limit usage, and basic error logs.

From recipients

  • Contact details provided by the account holder: Name, phone number, and (optionally) email address.
  • Service information provided by the account holder: A short description of the service performed.
  • Sentiment rating: If you visit a feedback page and tap a rating, we record your selection (positive, neutral, or negative).
  • Feedback text: If you submit private feedback through a Stello feedback page, we record the text you wrote.

We do not collect location data, IP addresses for tracking purposes, device fingerprints, or browsing history beyond what is strictly needed to operate the service.

2. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the service.
  • Generate personalized SMS messages and suggested review drafts using OpenAI's API (see Sub-Processors below).
  • Send the SMS via Twilio.
  • Process payments and manage subscriptions via Stripe.
  • Send transactional emails such as login links and billing receipts.
  • Respond to support requests.
  • Detect, investigate, and prevent abuse, fraud, or violations of our Terms.
  • Comply with legal obligations.

We do not sell personal information. We do not use your data or your customers' data to train AI models. We do not run third-party advertising or behavioral tracking on Stello.

3. Sub-Processors

Stello uses the following sub-processors to operate the service. Each is bound by its own privacy commitments and (where applicable) data processing agreements with us.

  • Vercel — application hosting (United States)
  • Supabase — database, authentication, and file storage (United States)
  • Stripe — payment processing (United States)
  • Twilio — SMS delivery (United States)
  • OpenAI — AI-generated message and review drafts (United States). OpenAI's API does not use submitted data to train models.
  • Google — OAuth sign-in for users who choose Google login
  • Sentry — error monitoring and performance diagnostics

4. Data Retention

  • Account information — retained while your account is active and for ninety (90) days after you cancel, then deleted.
  • Customer Data (review requests, sentiment, feedback) — retained while your account is active and for ninety (90) days after you cancel, then deleted.
  • Billing records — retained for the longer of seven (7) years (for tax purposes) or as required by Stripe's own retention rules. After thirty (30) days post-cancellation, billing records are stripped of all personal identifiers and retained only as anonymized financial records.
  • Error logs — retained for thirty (30) days, then automatically deleted.

5. How We Share Information

We share information only as described in this policy:

  • With sub-processors as listed in Section 3, only as needed to operate the service.
  • With your account holder if you are a recipient. Sentiment ratings and feedback you submit through a Stello feedback page are visible to the account holder who sent you the request, so they can act on your feedback.
  • To comply with the law when required by valid legal process, court order, or government request.
  • To protect rights and safety if necessary to enforce our Terms, prevent fraud, or protect the safety of users.
  • In a business transfer — if Stello is acquired, merged, or sold, your information may be transferred as part of that transaction. We will provide notice if this happens.

6. Your Rights

You have the following rights regarding your personal information:

  • Access — you can request a copy of the personal information we hold about you.
  • Correction — you can correct inaccurate information, either through your account settings or by contacting us.
  • Deletion — you can request deletion of your personal information. We will honor your request unless we are required to retain it for legal or accounting reasons.
  • Portability — you can request a machine-readable export of your data.
  • Objection — you can object to certain uses of your information.
  • Withdraw consent — where we rely on consent, you can withdraw it at any time.

To exercise any of these rights, email us at support@usestello.com. We will respond within thirty (30) days.

Residents of California (CCPA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and the European Economic Area, United Kingdom, and Switzerland (GDPR) have additional rights under their respective laws. You can exercise those rights by contacting us at the same email address.

7. Security

We protect your information with industry-standard security practices, including encryption in transit (HTTPS) and at rest, role-based access controls, and database row-level security. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at support@usestello.com.

8. International Data Transfers

Stello is operated from the United States. If you access the service from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the service, you consent to this transfer.

9. Children's Privacy

Stello is not intended for use by children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at support@usestello.com and we will delete it.

10. Cookies

Stello uses only essential cookies required for authentication (session cookies set by Supabase) and basic security. We do not use cookies for advertising, analytics, or cross-site tracking.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the service. Your continued use of the service after changes take effect constitutes your acceptance of the updated policy.

12. Contact

Questions about this policy or how we handle your information? Email us at support@usestello.com.
