Privacy policy

WARNING: this document contains [PENDING: …] markers that the operator must complete before commercial activity. Informational document, pending review by a qualified lawyer.

This policy describes how Stelvia processes personal data collected via stelvia.space, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 of 5 December on personal data protection and digital rights (LOPDGDD).

1. Data controller

Controller: [PENDING: full name or registered company name, identical to the legal notice]. Tax ID: [PENDING]. Address: [PENDING]. Email for contact and exercising rights: [PENDING: email, e.g. privacy@stelvia.space]. Data Protection Officer (DPO): not appointed. Stelvia is not a public body, does not carry out large-scale processing of special-category data, and its core activities do not consist of operations requiring regular and systematic large-scale monitoring (Art. 37 GDPR), so the conditions for mandatory appointment do not apply. This assessment will be reviewed periodically.

2. Data we collect

We collect the following data: (a) buyer identification and contact data (name, email); (b) billing data when needed for invoicing or required by the payment gateway (Stripe may request name, postal address and country); (c) payment data, handled directly by Stripe (Stelvia does not store full card data); (d) content provided freely by the buyer: chosen star name and dedication, which may contain personal data of the recipient; (e) technical data: IP address, session identifiers, browser and device type, collected via strictly necessary cookies; (f) aggregated usage data via PostHog Cloud EU (Frankfurt servers) for analytics and product improvement, pseudonymised, captured only if you have accepted the «Analytics» category in the cookie banner; (g) technical error-diagnostic data via Sentry (browser type, route, error message and stack trace), collected without first-party cookies and with a «no PII» configuration, to ensure operational continuity and site security.

3. Purposes of processing

We process data to: (a) perform the sales contract, generate the certificate, allocate the star and deliver the digital experience; (b) comply with accounting and tax obligations under the Commercial Code and tax legislation; (c) manage queries, complaints and the exercise of rights; (d) prevent fraud, detect technical errors and ensure site security and operational continuity (this includes error diagnostics via Sentry); (e) where applicable, and subject to consent, send commercial communications about our products; (f) with your granular and revocable consent given through the cookie banner, measure aggregated site usage via PostHog Cloud EU to improve the conversion funnel and product experience.

4. Lawful bases

(a) Performance of a contract (Art. 6.1.b GDPR): processing of buyer data and dedication to deliver the product; (b) Compliance with a legal obligation (Art. 6.1.c GDPR): accounting and tax retention; (c) Legitimate interests (Art. 6.1.f GDPR): site security, fraud prevention and technical error diagnostics via Sentry (pseudonymised data, no first-party cookies, «no PII» configuration), after a balancing test; (d) Consent (Art. 6.1.a GDPR): analytics cookies — currently PostHog Cloud EU for aggregated usage metrics — and commercial communications, when activated.

5. Retention periods

Buyer data is kept during the contractual relationship and afterwards for the legal periods that apply: 6 years for accounting and commercial documentation (Art. 30 Spanish Commercial Code); 4 years for tax obligations (Art. 66 Spanish General Tax Law); 5 years for data protection compliance. The dedication is kept while the certificate and the unique star page exist; the buyer may request its deletion at any time. Dedications published on the public sky map are kept while the buyer's express consent for publication remains in force.

6. Recipients and processors

To deliver the service we rely on the following processors, all located in the European Union or bound by adequate safeguards: Stripe Payments Europe Ltd. (Ireland, EU) for payment processing; Supabase Inc. with infrastructure in Frankfurt (Germany, EU) for storage and database; Resend Inc. with servers in the European region (Ireland) for transactional email; Vercel Inc. with compute deployed in European regions for frontend hosting; Inngest Inc. for asynchronous task execution; PostHog Inc. (Cloud EU, Frankfurt) for aggregated site-usage analytics when you have accepted the «Analytics» category; and Functional Software, Inc. d/b/a Sentry for technical error diagnostics [PENDING: confirm processing region — Sentry SaaS defaults to US processing; if EU residency is required, contract the EU Data Residency plan]. Processors access data only to provide their service under our documented instructions and under contract pursuant to Art. 28 GDPR.

7. International transfers

We have selected providers with European infrastructure to avoid unnecessary international transfers. Some of them, however, are US entities (Resend Inc., Vercel Inc., Inngest Inc., Stripe Inc. within its group). Where a transfer to the United States is unavoidable for technical support or operational continuity of the parent company, that transfer is covered by the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) under Article 46.2.c GDPR, or by the provider's adherence to the EU-US Data Privacy Framework when available, with supplementary measures aligned with the Schrems II ruling.

8. Data subject rights

You have the right to access, rectify, erase, object to, restrict and port your data. You can exercise these rights by emailing [PENDING: rights email, e.g. privacy@stelvia.space] indicating the right you wish to exercise and attaching a copy of an identification document. We will respond within one month, extendable by two months when justified by complexity or volume. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD, https://www.aepd.es) if you consider that processing does not comply with the law.

Star visibility alerts (ephemeris)

If you voluntarily subscribe to ephemeris alerts, we send you a single email a year: on the night your star reaches its best visibility. Purpose: to send you that annual alert. Data processed: your email address and an approximate latitude that we compute from the country and, if you provide it, the city you select manually in the form; we do not use GPS or browser geolocation, nor do we set any cookies for this feature. Lawful basis: your consent (Art. 6.1.a GDPR), given when you subscribe through a double opt-in confirmation. Retention: for as long as your consent remains in effect; if you unsubscribe, we delete this data. Rights: you may access, rectify, object to or erase your data as described elsewhere in this policy, and unsubscribe in a single click from the link included in every alert.

9. Minors

Stelvia does not sell to anyone under 18. By placing an order, the user represents that they are of legal age and have legal capacity to contract. If we detect that we have collected data of a minor without the consent of the parental authority, we will delete it immediately.

10. Security

We apply reasonable technical and organisational measures to protect data: encryption in transit (HTTPS/TLS), encryption at rest in the database, role-based access control, activity logs and periodic supplier review. In the event of a security breach posing a risk to your rights, we will notify the AEPD within 72 hours and, where necessary, inform you directly.

11. Changes to this policy

We may amend this policy to reflect regulatory or service changes. The last update date appears at the end of the document. Substantial changes will be communicated by email when we have your address.

Last updated: 26 May 2026

Informational document. Before commercial activity it must be reviewed by a qualified lawyer specialised in consumer and data protection law.