Privacy Policy
Pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) and Legislative Decree 196/2003
1. Data Controller
The data controller is:
Kirill Minyaev VAT Number: IT17516761008 Address: Via Gregorio VII 58, 00165 Roma (RM), Italia Email: ciao@stello.it PEC: k.minyaev@pec.it
2. Scope of this Policy
This policy describes how Stello processes personal data relating to:
- registered users and accounts; - proprietors, restaurants, bars and businesses using Stello; - persons contacting Stello for support or information; - website visitors; - any persons whose data are entered by the User in menus, public pages or uploaded content.
The User who enters, uploads or publishes personal data of clients, employees, collaborators or third parties via Stello remains responsible for having an adequate legal basis for such processing and for providing, where necessary, the information required by applicable law.
3. Types of Data Processed
Stello may process the following data categories:
Registration and account data: email, name, account identifiers, authentication provider, technical access and security data.
Business data: business name, address, category, contacts, descriptions, hours, logo, images and other data entered by the User.
Menu data: product names, descriptions, prices, ingredients, allergens, photos, translations, sections, availability, publication settings and uploaded or generated content.
Google Places public data: rating, number of reviews, public reviews, location and other publicly available data, if the User links or selects their business.
Usage data: interactions with the platform, pages visited, features used, technical events, logs, performance data, QR scans or aggregated metrics when available.
Payment and billing data: chosen plan, subscription status, Paddle identifiers, receipts, invoices and data necessary for administrative management. Full payment card data is managed by Paddle and is not stored on Stello's servers.
Communication data: support requests, emails, feedback, messages, communication preferences.
4. Purposes and Legal Bases
Personal data are processed for the following purposes and legal bases:
Contract performance or pre-contractual measures (Art. 6.1.b GDPR):
- create and manage the account; - provide the Stello service; - generate and publish digital menus; - manage plans, subscriptions, login and features; - provide operational support; - generate translations, parsing, reports and AI content requested by the User.
Legal obligation (Art. 6.1.c GDPR):
- fulfil tax, accounting, administrative and legal obligations; - retain billing data for periods required by applicable law; - respond to requests from competent authorities.
Legitimate interest (Art. 6.1.f GDPR):
- security of the Service; - prevention of fraud, abuse and unauthorized access; - technical improvement of the platform; - aggregated analysis or statistics on Service operation; - protection of rights of Stello, Users or third parties.
Consent (Art. 6.1.a GDPR):
- promotional communications or newsletters, where provided; - cookies or non-technical tracking tools, where required; - other processing for which law requires consent.
5. Public Pages and QR Codes
Digital Menus and Public Pages created by the User may be accessible to anyone who has the link or QR code. The User is responsible for the data and content they decide to publish.
The User must avoid entering unnecessary personal data, confidential data, information of third parties without authorization or content they do not intend to make public on public pages.
6. Use of Artificial Intelligence
Stello uses third-party artificial intelligence models and services, including Anthropic Claude API, for features such as:
- automatic menu translation; - menu parsing or recognition from photos/PDFs; - generation of reports, digests, suggestions or analyses.
To provide these features, menu text, product information and other necessary content may be sent to AI providers. Such providers process data according to their own terms, policies and applicable security measures.
Based on available Anthropic API documentation, data sent via API is not used to train models without customer authorization. Data may, however, be retained for security, abuse prevention, logging purposes or according to settings and terms applicable to the API service, except where specific zero data retention agreements are available.
Translations, parsing, reports and AI outputs are support tools. The User remains responsible for verifying content before publication or operational use, particularly regarding allergens, ingredients, prices, availability, health information and translations.
7. Google Places API
Stello may use Google Places API to access publicly available data relating to commercial businesses, such as name, address, rating, public reviews and location.
Access is via API and does not require User OAuth authentication, unless future features require it. Data use is subject to Google Maps Platform Terms of Service.
8. Recipients and Processors
Personal data may be processed by third-party vendors and services necessary to provide Stello, including:
Supabase Inc. — database, authentication and data infrastructure. Anthropic PBC — AI features, translations, parsing, reports or analyses. Vercel Inc. — hosting, deployment, edge network and web infrastructure. Paddle.com Market Limited — Merchant of Record, payments, VAT/taxes, billing, receipts, chargebacks and payment management. Resend Inc. — sending transactional emails, notifications and operational communications. Google / Google Maps Platform — public business data and related services. Analytics or advertising tools — only to the extent actually implemented and according to applicable cookie preferences/consent.
Stello does not sell personal data to third parties.
9. International Transfers
Some vendors may be based or have infrastructure outside the European Economic Area. In such cases, transfers occur on the basis of adequacy decisions, Standard Contractual Clauses (SCCs) or other mechanisms provided for in Articles 44 et seq. of the GDPR, where applicable.
For Paddle.com Market Limited, based in the United Kingdom, the transfer may be based on the adequacy decision applicable to the United Kingdom, unless changes to regulations occur.
10. Data Retention
Data are retained for the time necessary for the purposes for which they are collected, except where legal obligations or legitimate interests require retention.
Typically:
- account data: for the duration of the account and up to 90 days after deletion, unless legal obligations require otherwise; - menu and content data: for the duration of the account or as long as the menu remains active/published; - billing data: for periods required by applicable tax and accounting regulations; - technical and security logs: for the time necessary for security, debugging, abuse prevention and technical obligations; - support data: for the time necessary to handle the request and protect the rights of the parties; - data processed by AI providers or third parties: according to their respective policies and applicable terms, plus available contractual configurations.
The User may request deletion of their account and data, provided that Stello must or may retain data for legal obligations, security, accounting, protection of rights or abuse prevention.
11. Data Subject Rights
Within the limits provided by the GDPR, the data subject may exercise the following rights:
- access to personal data; - rectification of inaccurate data; - deletion; - restriction of processing; - data portability; - objection to processing based on legitimate interest; - withdrawal of consent, when processing is based on consent.
To exercise rights: ciao@stello.it or PEC k.minyaev@pec.it.
The data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali): https://www.garanteprivacy.it.
12. Cookies and Tracking Tools
Stello uses technical cookies necessary for the operation of the site and platform, including session management and security. Technical cookies do not require consent.
Stello may use cookies or analytics tools to measure traffic, performance, conversions or use of the Service. When such tools require consent under applicable law, they are activated only with user consent.
Users may manage or revoke cookie preferences through tools available on the site, if present, or through browser settings. Disabling technical cookies may impair Service functionality.
13. Security
Stello adopts reasonable technical and organizational measures to protect personal data, including:
- encrypted HTTPS/TLS connections; - access controls; - secure authentication; - logical data separation where applicable; - backup and recovery measures; - technical monitoring and anti-abuse measures.
No online service can guarantee absolute security. Users must protect their account and notify Stello in case of unauthorized access or suspected breach.
14. Automated Decision-Making
Stello does not use fully automated decision-making processes under Article 22 GDPR that produce legal effects on the data subject or similarly significantly affect them.
AI features generate support content that the User can verify, modify, approve or disregard.
15. Minors
Stello is intended for adults and professional businesses. Stello does not knowingly collect personal data of minors. If the Controller becomes aware of unauthorized processing of minor data, it will take reasonable measures to delete it.
16. Modifications
Stello may modify this policy. Modifications will be published on this page with an update to the date. In case of substantial modifications, Stello will use reasonable means to notify users.
17. Contact
For questions regarding privacy or personal data processing:
Controller: Kirill Minyaev Email: ciao@stello.it PEC: k.minyaev@pec.it Address: Via Gregorio VII 58, 00165 Roma (RM), Italia VAT Number: IT17516761008
© 2026 Stello — Kirill Minyaev · P.IVA IT17516761008