Privacy Policy
Last Updated: 14 January 2026
We at Stell care about your privacy. We process personal data in a way that allows you to feel confident that information about you is subject to strict confidentiality.
This privacy policy explains how Stell Tech AS ("Stell", "we", "us") collects and processes personal data in two contexts:
- As a Data Controller — when you visit our website or contact us directly
- As a Data Processor — when we process data on behalf of our business customers (merchants or point-of-sale providers) through our digital pass platform
1. What is Personal Data?
Personal data refers to information that can be directly or indirectly linked to an individual physical person, for example: name, address and telephone number.
Processing of personal data means any use of personal data, typically collection, storage, transmission, and deletion.
Data Controller means the entity that determines the purposes and means of processing personal data. Data Processor means an entity that processes personal data on behalf of a controller.
For our website and direct communications, Stell Tech AS is the data controller. For our platform services, our business customers (merchants or POS providers) are the data controllers, and Stell acts as a data processor or sub-processor.
2. Our Website (Stell as Data Controller)
When you interact with our website at getstell.com, we may collect personal data directly from you.
Contact Form
When you submit our contact form, we collect:
- Email address
Purpose: To respond to your inquiry and provide information about our services.
Legal Basis: Legitimate interest (Article 6(1)(f) GDPR) — we have a legitimate interest in responding to business inquiries.
Business Communications
During subsequent communications (such as emails or calls), we may collect additional information including:
- Name
- Company name
- Phone number
Purpose: To maintain our business relationship, provide information about our services, and follow up on inquiries.
Legal Basis: Legitimate interest (Article 6(1)(f) GDPR) and, where applicable, necessity for entering into or performing a contract (Article 6(1)(b) GDPR).
Retention: We retain contact and business communication data for up to 24 months after last contact, unless a business relationship is established, in which case data is retained for the duration of the relationship plus any legally required retention period.
Storage: Contact and business relationship data is stored in HubSpot (see Sub-processors below).
Server Logs
Our web servers automatically collect technical information including IP addresses and browser information for security and operational purposes. This data is retained for a maximum of 90 days.
Legal Basis: Legitimate interest in maintaining website security and functionality.
3. Our Platform Services (Stell as Data Processor)
Stell provides a digital pass management platform that enables businesses to offer mobile wallet passes (Apple Wallet, Google Wallet) for loyalty cards, membership cards, access cards, and stamp cards.
Our Role
When processing personal data through our platform:
- Stell acts as a Data Processor when we provide services directly to merchants
- Stell acts as a Sub-processor when we provide services through point-of-sale (POS) providers who have their own agreements with merchants
In both cases, the merchant (or their contracted POS provider) remains the Data Controller and determines what personal data is collected and how it is used.
What Data May Be Processed
Depending on the merchant's configuration, the platform may process:
- Name
- Email address
- Phone number
- Postal code or address
- Loyalty/membership identifiers
- Transaction or visit history related to the pass
Your Rights Regarding Platform Data
If you are an end-user with a digital pass from a merchant using our platform, the merchant is the data controller for your personal data. To exercise your data protection rights (access, correction, deletion, etc.), please contact the merchant directly. They will coordinate with us as needed to fulfill your request.
Data Processing Agreements
We enter into Data Processing Agreements (DPAs) with all our business customers in accordance with Article 28 of the GDPR. These agreements govern how we process personal data on their behalf and ensure appropriate technical and organizational security measures are in place.
4. Data Storage and Security
Our data is stored in a cloud-based service operated by Amazon Web Services within the European Union (EU/EEA region) in Stockholm, Sweden.
Sub-processors
We use the following sub-processors to deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | EU (Stockholm, Sweden) |
| HubSpot | Contact form and CRM | USA (with EU SCCs) |
We maintain Data Processing Agreements with all sub-processors and ensure they provide appropriate safeguards for personal data.
International Transfers
Our platform data is stored and processed within the EU/EEA (AWS Stockholm). Contact form data processed by HubSpot may be transferred to the United States. For such transfers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure appropriate safeguards for personal data.
Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and authentication
- Regular security assessments
- Incident response procedures
5. Your Rights
Stell is committed to complying with all applicable data protection laws and regulations.
Under the GDPR, you have the following rights regarding personal data we control:
- Right of Access — Request information about what personal data we hold about you
- Right to Rectification — Request correction of inaccurate personal data
- Right to Erasure — Request deletion of your personal data (subject to legal retention requirements)
- Right to Restriction — Request that we restrict processing of your personal data in certain circumstances
- Right to Object — Object to processing based on legitimate interests
- Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time
- Right to Data Portability — Receive your personal data in a structured, commonly used format
We will respond to requests within 30 days as required by law.
Important: If you are an end-user of a merchant's digital pass, please contact the merchant directly to exercise your rights, as they are the data controller for that data.
6. Data Controller and Contact Information
Data Controller:
Stell Tech AS
Organization number: 927 468 081
Edvard Storms gate 2
0166 Oslo
Norway
For questions about this privacy policy or to exercise your data protection rights:
Email: hello@getstell.com
7. Supervisory Authority
Stell Tech AS is a Norwegian company supervised by the Norwegian Data Protection Authority (Datatilsynet). If you are not satisfied with our handling of your personal data, you have the right to lodge a complaint with the Norwegian Data Protection Authority.
Norwegian Data Protection Authority (Datatilsynet):
- Web: datatilsynet.no
- Email: postkasse@datatilsynet.no
- Postal Address: PO Box 8177 Dep., 0034 Oslo, Norway
8. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated through our website. We encourage you to review this policy periodically.