Stella Growth Intelligence
Last Updated: January 27, 2026
Effective Date: January 27, 2026
Welcome to Stella Growth Intelligence ("Stella," "we," "us," or "our"). We are committed to protecting your privacy and maintaining the confidentiality and security of your personal information. This Privacy Policy explains how we collect, use, share, and protect information when you visit our website at stellaheystella.com (the "Website") or use our marketing measurement platform (the "Services").
Our Services: Stella is a marketing measurement platform that provides three integrated tools: Incrementality Testing, Media Mix Modeling (MMM), and Always-On Incrementality. We help marketers measure and optimize their advertising effectiveness.
Your Rights: We respect your privacy rights and are committed to transparency about our data practices. This Privacy Policy complies with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other applicable privacy laws.
For general browsing of our Website, we respect your privacy and do not collect or store personally identifiable information. You may explore our Website without providing any personal data. We use essential cookies only to enhance website functionality and optimize user experience, without collecting personally identifiable information.
Cookie Management: You can manage your cookie preferences directly on our Website. We do not use tracking cookies or third-party data aggregators for general browsing activities.
To access the full capabilities of our Services, you must create an account. During account creation, we collect:
When you use our Services, we collect and process:
Platform Integration Data:
- Advertising platform data (Google Ads, Meta Ads, TikTok Ads, Pinterest Ads)
- E-commerce platform data (Shopify, Amazon)
- Campaign performance metrics
- Conversion data
- Advertising spend information
Uploaded Data:
- Data you upload via Google Sheets integration
- CSV files containing marketing and sales data
- Custom data sources you connect to our platform
Usage Information:
- Log data (IP addresses, browser type, device information)
- Platform usage metrics and activity logs
- Feature engagement analytics
- Session information
Communications:
- Support requests and correspondence
- Feedback you provide
- Survey responses
Under the California Consumer Privacy Act, we collect the following categories of personal information:
Categories We Collect:
A. Identifiers - YES
Examples: Real name, email address, IP address, account name
B. Personal information categories listed in California Civil Code § 1798.80(e) - YES
Examples: Name, address, payment information
C. Protected classification characteristics under California or federal law - NO
Examples: Age, gender (if voluntarily provided)
D. Commercial information - YES
Examples: Transaction history, purchase records
E. Biometric information - NO
Examples: Fingerprints, voiceprints, facial recognition
F. Internet or other electronic network activity - YES
Examples: Browsing history, search history, interaction with our Services
G. Geolocation data - YES
Examples: Approximate location based on IP address
H. Sensory data - NO
Examples: Audio, electronic, visual, thermal, olfactory, or similar information
I. Professional or employment-related information - YES
Examples: Job title, company name, work email
J. Non-public education information - NO
Examples: Educational records
K. Inferences drawn from other personal information - YES
Examples: Profile reflecting preferences, behavior, attributes
L. Sensitive Personal Information - YES*
Examples: Precise geolocation, account credentials
*We collect account credentials (passwords) which are immediately encrypted and stored securely. We may collect precise geolocation with your explicit consent for location-based features.
We collect information from:
We use your information for the following business and commercial purposes:
Service Delivery:
- To create and manage your account
- To provide, operate, and maintain our Services
- To process your transactions and manage payments
- To perform data analysis and generate insights
- To deliver marketing measurement and attribution results
Communication:
- To respond to your inquiries and provide customer support
- To send you service-related announcements and updates
- To provide technical notices and security alerts
- To send you information about new features and services
Platform Improvement:
- To understand how our Services are used
- To develop new features and functionality
- To diagnose technical problems and improve performance
- To conduct internal research and analytics
Marketing (with your consent):
- To send promotional materials about our Services
- To provide information about products we think may interest you
- To conduct market research and surveys
Legal and Security:
- To comply with legal obligations and respond to legal requests
- To protect our rights, property, and safety
- To prevent fraud and enhance security
- To enforce our Terms of Service
We process your information based on:
We do not use fully automated decision-making that produces legal or similarly significant effects without human involvement. Our platform uses AI and machine learning to analyze marketing data and provide insights, but all significant decisions regarding your account, services, or business relationship remain subject to human review.
See Section 7 for detailed information about our use of Automated Decision-Making Technology (ADMT).
Stella does not sell or trade your personal information. We do not receive monetary compensation in exchange for sharing your personal data with third parties. However, we may share information in the following circumstances:
We share information with trusted third-party service providers who assist us in operating our Services:
All service providers are bound by strict confidentiality agreements and data protection obligations. They may only use your information to perform services on our behalf and are prohibited from using it for their own purposes.
In the event of a merger, acquisition, reorganization, asset sale, or similar business transaction, we may transfer your information to the acquiring entity. The acquiring entity will be bound by the commitments made in this Privacy Policy. We will provide notice and obtain consent as required by applicable law.
We may disclose your information when required by law or to protect our rights:
We may share your information with third parties when you explicitly consent to such sharing.
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This information may be used for research, analytics, and improving our Services without restriction.
We share personal information with the following categories of third parties:
Depending on your location, you may have the following rights regarding your personal information:
Right to Access - Request access to the personal information we hold about you
Right to Correction - Request correction of inaccurate or incomplete information
Right to Deletion - Request deletion of your personal information (subject to certain exceptions)
Right to Data Portability - Request a copy of your information in a structured, commonly used format
Right to Object - Object to processing of your personal information for certain purposes
Right to Restrict Processing - Request restriction of how we process your information under certain conditions
Right to Withdraw Consent - Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us at:
Email: marketing-admin@stellaheystella.com
Mail: Stella Growth Intelligence, Privacy Rights Department, 1007 N Orange St. 4th Floor Suite #5033, Wilmington, Delaware 19801, United States
We will respond to your request within 15 business days (or as required by applicable law). We may need to verify your identity before processing your request.
We will not discriminate against you for exercising any of your privacy rights. We will not:
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
Right to Know - You have the right to request that we disclose:
- The categories of personal information we collected about you
- The categories of sources from which we collected your personal information
- The business or commercial purpose for collecting, selling, or sharing personal information
- The categories of third parties to whom we disclose personal information
- The specific pieces of personal information we collected about you
Right to Delete - You have the right to request deletion of your personal information that we collected from you, subject to certain exceptions.
Right to Correct - You have the right to request correction of inaccurate personal information we maintain about you.
Right to Opt-Out - You have the right to opt-out of:
- The sale of your personal information (we do not sell personal information)
- The sharing of your personal information for cross-context behavioral advertising (we do not share for this purpose)
Right to Limit Use of Sensitive Personal Information - You have the right to limit our use and disclosure of your sensitive personal information to purposes necessary to provide our Services.
Right to Non-Discrimination - We will not discriminate against you for exercising your CCPA rights.
Stella does not sell personal information. We do not receive monetary or other valuable consideration in exchange for sharing your personal information with third parties for their commercial purposes.
Stella does not share personal information for cross-context behavioral advertising. We do not share your information with third parties for targeted advertising across websites, apps, or services.
Therefore, we do not provide a "Do Not Sell or Share My Personal Information" link, as these activities do not occur.
We recognize and honor Global Privacy Control (GPC) signals. If you have enabled GPC in your browser, we will treat this as a valid opt-out request for applicable data sharing activities.
We collect the following categories of sensitive personal information:
We use sensitive personal information only for:
- Performing the services you requested
- Ensuring security and integrity of our systems
- Short-term transient use
- Purposes that do not infer characteristics about you
You have the right to limit our use of sensitive personal information. To exercise this right, contact us at marketing-admin@stellaheystella.com.
Email: marketing-admin@stellaheystella.com
Subject Line: "CCPA Privacy Rights Request"
Mail: Stella Growth Intelligence, Privacy Rights Department, 1007 N Orange St. 4th Floor Suite #5033, Wilmington, Delaware 19801, United States
Verification Process:
To protect your information, we must verify your identity before processing requests. We may ask for:
- Email address associated with your account
- Account information
- Additional identifying information
We will match at least two data points you provide against information we maintain about you. For requests to access or delete sensitive personal information, we may require additional verification steps.
Authorized Agents:
You may designate an authorized agent to submit requests on your behalf. The authorized agent must provide:
- Written permission signed by you
- Verification of their own identity
We may also require you to directly verify your identity and confirm you authorized the agent.
Response Timeline:
We will respond to verifiable requests within 45 days of receipt. If we need more time (up to 90 days total), we will inform you of the reason and extension period within 45 days.
Previous Calendar Year Metrics (2025):
We are required to report the following metrics annually. For the 2025 calendar year:
We will update these metrics annually by July 1st of each year on our website, as required by the CCPA.
We retain personal information for as long as necessary to provide our Services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
See Section 9 for detailed retention practices.
We do not knowingly sell or share personal information of consumers under 16 years of age without affirmative authorization.
Stella uses Automated Decision-Making Technology (ADMT), including artificial intelligence (AI) and machine learning, to analyze marketing data and generate insights. We are committed to transparency about how these technologies work and their impact on your experience.
ADMT refers to technology that processes information using computational algorithms, machine learning, or similar methods to make decisions, predictions, or recommendations that have significant effects.
We use ADMT for the following purposes:
Marketing Analysis and Attribution:
- Analyzing campaign performance across channels
- Calculating incrementality and marketing attribution
- Generating Media Mix Models (MMM)
- Predicting future marketing performance
- Optimizing budget allocation recommendations
Platform Features:
- AI-powered interpretation of results
- Automated insight generation
- Pattern recognition in marketing data
- Anomaly detection in campaign performance
We do not use ADMT to make "significant decisions" as defined by the CCPA - decisions that have legal or similarly significant effects concerning you, such as:
All ADMT-generated insights and recommendations in Stella are advisory in nature. Decisions about your marketing strategy, budget allocation, and business operations remain entirely under your control.
All ADMT processes include human oversight:
You have the right to:
Access Information - Request information about:
- The logic involved in our ADMT processes
- The likely outcome of ADMT processing on you
- The categories of data used in ADMT
Opt-Out - Since we do not use ADMT for significant decisions, there is no need for a specific opt-out. However, you may always choose not to use specific platform features.
Human Review - Request human review of any ADMT-generated insights or recommendations
To exercise these rights, contact us at marketing-admin@stellaheystella.com.
ADMT processes the following types of data:
ADMT does not use:
- Biometric information
- Health information
- Financial account numbers
- Precise geolocation (except with explicit consent for location-based features)
Model Performance:
Our ADMT models are continuously monitored for accuracy, fairness, and performance. We conduct regular audits to ensure models operate as intended.
Limitations:
ADMT recommendations are based on historical data and statistical modeling. They may not account for unprecedented market changes, external events, or unique business circumstances. Always apply human judgment when acting on ADMT insights.
Updates:
We regularly update and improve our ADMT systems. Material changes to how we use ADMT for significant decisions (if any in the future) will be communicated through updates to this Privacy Policy.
Stella employs comprehensive security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. We recognize the critical importance of data security and maintain rigorous protocols.
Encryption:
- All data is encrypted in transit using TLS 1.2 or higher
- All data is encrypted at rest using AES-256 encryption
- Passwords are hashed using industry-standard algorithms (bcrypt)
- Database encryption with column-level encryption for sensitive fields
Access Controls:
- Role-based access control (RBAC) for internal systems
- Multi-factor authentication (MFA) for employee access
- Principle of least privilege - access limited to what's necessary
- Regular access reviews and deprovisioning procedures
Infrastructure Security:
- Secure cloud infrastructure with leading providers
- Network segmentation and firewalls
- Intrusion detection and prevention systems (IDS/IPS)
- Regular security patching and updates
- Distributed Denial of Service (DDoS) protection
Monitoring and Response:
- 24/7 security monitoring and logging
- Security information and event management (SIEM)
- Incident response plan and procedures
- Regular penetration testing and vulnerability assessments
Personnel Security:
- Background checks for employees with data access
- Mandatory security awareness training
- Confidentiality agreements for all personnel
- Strict data handling policies and procedures
Third-Party Security:
- Vendor security assessments before engagement
- Ongoing monitoring of service provider security
- Contractual data protection obligations
- Annual SOC 2 Type II audits for critical vendors
Stella maintains SOC 2 Type II compliance, demonstrating our commitment to:
- Security - Protection against unauthorized access
- Availability - System availability for operation and use
- Processing Integrity - Complete, valid, accurate, timely, and authorized processing
- Confidentiality - Protection of confidential information
- Privacy - Collection, use, retention, disclosure, and disposal of personal information
We undergo annual SOC 2 audits by independent third-party auditors. Our SOC 2 report is available to customers upon request and execution of a non-disclosure agreement.
We maintain compliance with:
- SOC 2 Type II
- ISO 27001 (in progress)
- GDPR requirements
- CCPA/CPRA requirements
As required by CCPA regulations effective January 1, 2026, Stella undergoes regular cybersecurity audits conducted by independent auditors. These audits assess:
Audit results and certifications are maintained and available to regulatory authorities upon request.
In the unlikely event of a data breach affecting your personal information, we will:
To report a suspected security vulnerability, contact: marketing-admin@stellaheystella.com with subject line "Security Vulnerability Report"
While we implement strong security measures, you also play a role in protecting your information:
While we use industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of information transmitted over the internet or stored in our systems. You provide information at your own risk.
We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.
Account Information:
- Retained while your account is active
- Retained for 90 days after account closure (to allow account recovery)
- Permanently deleted after 90-day grace period unless legal obligations require longer retention
Service Usage Data:
- Marketing campaign data: Retained while your account is active plus 3 years
- Platform analytics: Aggregated data retained indefinitely; individual-level data retained for 2 years
- Log data: Retained for 12 months for security and troubleshooting purposes
Communication Records:
- Support tickets: Retained for 3 years after resolution
- Email correspondence: Retained for 3 years
- Marketing communications: Retained until you unsubscribe plus 30 days
Financial Records:
- Payment information: Retained for 7 years (required by tax and accounting laws)
- Transaction records: Retained for 7 years
Legal and Compliance:
- Records required for legal proceedings: Retained for duration of legal matter plus 7 years
- Compliance documentation: Retained as required by applicable laws and regulations
When you request deletion of your personal information:
Immediate Actions:
- Your account will be deactivated within 24 hours
- You will no longer be able to access Services
Within 30 Days:
- Personal identifiers are removed from active systems
- Data is moved to secure deletion queues
- Confirmation email sent to verify deletion
Within 90 Days:
- All personal information is permanently deleted from production systems
- Backup data is purged according to scheduled cycles
- Deletion confirmation provided upon request
We may retain information despite a deletion request when necessary for:
When we retain information for these purposes, we implement appropriate safeguards.
We may retain de-identified or aggregated data indefinitely for:
- Platform improvement and development
- Market research and analytics
- Product development
- Business intelligence
De-identified data cannot be re-associated with you and is not subject to this Privacy Policy.
Stella is based in the United States. Your information may be transferred to, stored, and processed in the United States and other countries where we or our service providers maintain facilities.
When we transfer personal information internationally, we implement appropriate safeguards to ensure your information receives equivalent protection:
Standard Contractual Clauses (SCCs):
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we use Standard Contractual Clauses approved by the European Commission.
Data Processing Agreements:
We enter into data processing agreements with international service providers that include appropriate data protection obligations.
Privacy Shield Principles:
Although the EU-U.S. Privacy Shield framework has been invalidated, we continue to adhere to Privacy Shield principles for European data transfers where applicable.
If you are located outside the United States, you have rights regarding international transfers:
To exercise these rights or learn more about our international transfer practices, contact marketing-admin@stellaheystella.com.
We comply with applicable privacy laws in jurisdictions where we operate, including:
If you are located in a jurisdiction with specific privacy laws, additional rights may apply. Contact us for information about rights specific to your location.
Stella Services are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16.
If you are under 16 years of age, you may not create an account or use our Services without verifiable parental consent. Parents or guardians must create and manage accounts on behalf of users under 16.
If we discover that we have collected personal information from a child under 16 without proper parental consent, we will:
If you are a parent or guardian and believe your child under 16 has provided personal information to Stella without your consent, please contact us immediately at:
Email: marketing-admin@stellaheystella.com
Subject Line: "Children's Privacy - Deletion Request"
We will promptly investigate and delete the information.
If you are a California resident under 18 years of age and have created an account, you have the right to request removal of content or information you posted. To request removal, contact marketing-admin@stellaheystella.com with "California Minor Content Removal" in the subject line.
Please note that removal does not ensure complete or comprehensive deletion (e.g., content shared with others).
We may update this Privacy Policy periodically to reflect:
Material Changes:
If we make material changes to this Privacy Policy, we will provide notice by:
Non-Material Changes:
For non-material changes, we will update the "Last Updated" date. We encourage you to review this Privacy Policy periodically.
Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you may close your account before the effective date.
As privacy laws evolve (particularly CCPA/CPRA regulations), we will update this Privacy Policy to maintain compliance. Updates related to regulatory changes will be clearly marked.
We maintain a history of Privacy Policy versions. To request previous versions, contact marketing-admin@stellaheystella.com.
For questions about this Privacy Policy or to exercise your privacy rights, contact us:
Email: marketing-admin@stellaheystella.com
Mail: Stella Growth Intelligence
Privacy Rights Department
1007 N Orange St. 4th Floor Suite #5033
Wilmington, Delaware 19801
United States
Response Time: We respond to privacy inquiries within 15 business days (or as required by applicable law).
For CCPA-specific requests (access, deletion, correction, opt-out):
Email: marketing-admin@stellaheystella.com
Subject Line: "CCPA Privacy Rights Request"
Mail: Stella Growth Intelligence, Privacy Rights Department, 1007 N Orange St. 4th Floor Suite #5033, Wilmington, Delaware 19801, United States
For users in the European Economic Area:
Email: marketing-admin@stellaheystella.com
Subject Line: "Data Protection Inquiry - EEA"
If you are in the European Economic Area and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority.
For California Residents:
California Privacy Protection Agency (CPPA)
Website: https://cppa.ca.gov
Email: info@cppa.ca.gov
For Other Jurisdictions:
Contact your local data protection authority.
To report security vulnerabilities:
Email: marketing-admin@stellaheystella.com
Subject Line: "Security Vulnerability Report"
We take security reports seriously and will respond promptly.
At or before the point of collection, we inform you about:
This information is provided in Section 2 (Information We Collect) and Section 3 (How We Use Your Information) of this Privacy Policy.
As stated throughout this Privacy Policy:
WE DO NOT SELL YOUR PERSONAL INFORMATION
WE DO NOT SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING
Therefore, there is no need to provide a "Do Not Sell or Share My Personal Information" link.
We do not currently offer financial incentive programs that require disclosure under the CCPA. If we implement such programs in the future, we will provide a Notice of Financial Incentive explaining:
We will publish updated CCPA request metrics annually on our Website and in this Privacy Policy by July 1st of each year.
Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Sell/Sale: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration.
Share/Sharing: Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for cross-context behavioral advertising.
Service Provider: A person or entity that processes personal information on behalf of a business and is subject to contractual restrictions on use.
Sensitive Personal Information: Personal information that reveals social security number, driver's license, state ID, passport number; account log-in, financial account, debit card, or credit card number with security code; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, union membership; contents of mail, email, text messages (unless the business is the intended recipient); genetic data; biometric information for identification; health information; sex life or sexual orientation information.
Automated Decision-Making Technology (ADMT): Any technology that processes personal information using computational algorithms, machine learning, or similar methods to make or assist in making decisions, predictions, or recommendations.
This Privacy Policy is effective as of the date stated at the top of this document. By creating an account, accessing our Website, or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
Version: 2.0 (CCPA/CPRA Compliant - 2026 Regulations)
© 2026 Stella Growth Intelligence. All rights reserved.