Privacy Policy
Effective May 28, 2026. Stelo is operated by getstelo.app. This policy describes how we collect, use, and protect information when you use our service.
1. Information We Collect
Account and profile
When you create an account we collect your email address. Optionally you may provide a display name, avatar, timezone, work style preference (deep-focus, balanced, or reactive), and preferred focus hours.
Productivity data
Stelo stores the tasks, projects, and goals you create, including titles, notes, priorities, due dates, recurrence rules, skip reasons, completion status, and the relationships between them. This data is stored exclusively in your account and is never sold.
Behavioral signals
To power AI personalization we track behavioral patterns derived from your activity: completion rates by priority, skip counts and reasons, overdue streaks, and focus session durations and outcomes. This data is used solely to improve recommendations — it is not shared with third parties for advertising.
Calendar data
If you connect Google Calendar, Stelo reads your calendar's busy times to avoid scheduling conflicts and includes today's events in your daily AI briefing. With your consent to the calendar.events scope, Stelo also writes time-block events to your calendar to schedule focus time — it creates and deletes only the events Stelo itself created, and never reads, modifies, or deletes your other events. Stelo does not retain calendar event data beyond the current session's context window. Stelo's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Meeting data
If you use the meeting recording feature, audio is sent to AssemblyAI for transcription. Transcripts and AI-generated summaries are stored in your account. Raw audio files are not retained by Stelo after transcription.
Communications
We store your email address for transactional notifications (daily digests, task reminders, weekly reviews). If you opt into SMS notifications, we also store the phone number you provide.
Billing
Subscription tier, status, and payment events are managed by Polar.sh. Stelo stores your plan tier and subscription status — we do not store payment card details.
Analytics and error data
We use PostHog to collect page view events and associate them with your user ID and email for product analytics. We use Sentry (and an internal Observer service) to capture error messages, stack traces, and route information for debugging.
Local storage
The app stores UI preferences in your browser's localStorage (timer mode, widget visibility, sidebar state). No credentials or sensitive data are stored locally.
2. How We Use Your Information
- Core functionality — storing and serving your tasks, projects, goals, and documents.
- AI personalization — generating your daily brief, weekly review, task planning suggestions, and natural language input parsing. Task titles, notes, and behavioral context are sent to OpenAI or Azure OpenAI for this purpose.
- Notifications — sending email digests and reminders via Resend, and optional SMS via Twilio.
- Billing and subscriptions — enforcing plan limits and processing subscription events via Polar.sh.
- Product analytics — understanding how features are used so we can improve the product.
- Security and debugging — detecting errors, preventing abuse, and rate-limiting sensitive endpoints.
3. Third-Party Services
Stelo relies on the following sub-processors. Each receives only the data necessary for its function:
| Service | Purpose & data shared |
|---|---|
| Supabase | Primary database and authentication. All app data and auth sessions are stored here, protected by row-level security. |
| OpenAI / Azure OpenAI | Powers all AI features. Task titles, notes, and behavioral context are included in prompts. |
| AssemblyAI | Audio transcription for meeting recordings. Audio files are sent to AssemblyAI and not retained by Stelo after transcription. |
| Google Calendar | Optional integration. Reads your busy times to avoid conflicts and enrich your daily AI brief, and writes Stelo-created focus blocks (creating/deleting only its own events). Requires explicit OAuth consent. |
| Slack | Optional integration for task notifications. Requires explicit OAuth consent. |
| Resend | Transactional email. Your email address and task data are included in digest and reminder emails. |
| Twilio | Optional SMS notifications. Your phone number and task data are included in SMS alerts. |
| PostHog | Product analytics. Receives page view events, your user ID, and email. |
| Polar.sh | Billing and subscription management. Receives subscription events and status. |
| Sentry / Observer | Error tracking. Receives error messages, stack traces, and route information from the web app and mobile app. |
| Expo | Mobile push notifications for the iOS and Android app. |
4. Data Retention
- Deleting your account permanently removes all associated data — tasks, projects, goals, meetings, integrations, and API keys — via cascading database deletion.
- Behavioral context used for AI recommendations is limited to a rolling window: 7–14 days on the Free plan and 30–90 days on Pro and Team plans.
- Task timeline events (audit history) and AI usage logs are retained until your account is deleted.
- Backups held by Supabase may retain data for a short additional period per their own retention policy.
5. Your Rights and Controls
You can exercise the following controls directly in the product without contacting us:
- Access your data — all tasks, projects, and goals are visible in the app.
- Delete your account — Settings → Account → Delete account. Deletion is permanent and cascades to all associated data.
- Revoke integrations — Settings → Integrations. Disconnecting Google Calendar or Slack stops data sharing with those services immediately.
- Revoke API keys and share links — Settings → API keys / Sharing.
- Manage notification preferences — Settings → Notifications. You can disable email, SMS, and push notifications independently.
- Clear local storage — use your browser's developer tools or its "Clear site data" setting.
To request a data export or to opt out of PostHog analytics, email us at [email protected].
6. Security
- All database tables are protected by row-level security (RLS) — users can only access their own data.
- API keys are stored as SHA-256 hashes; the raw key is shown only once at creation time.
- External OAuth integrations use the PKCE flow to prevent authorization code interception.
- Session cookies are HttpOnly and Secure.
- Authentication and AI endpoints are rate-limited to mitigate abuse.
No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to [email protected].
7. Children's Privacy
Stelo is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this policy as the product evolves. Material changes will be communicated via email or an in-app notice. Continued use of Stelo after changes take effect constitutes acceptance of the revised policy.
9. Contact
Questions, data requests, or concerns about this policy: [email protected]