1. Scope & Joint Controller Arrangement
Stella AI GmbH ("Stella AI") and the respective cooperation partner / brand may act as joint controllers within the meaning of Article 26 GDPR in certain usage scenarios, as they jointly determine the purposes and means of processing personal data.
This joint controllership applies to processing activities carried out through the Stella AI solution, including the StellaMatch and StellaAssist modules, where these services are integrated into the cooperation partner's website or accessed through QR codes or similar channels.
2. Purposes of Processing
The purpose of the processing is to:
- Analyze user interests, needs, and characteristics;
- Provide personalized product recommendations and content;
- Assist users in finding suitable products;
- Improve the relevance and presentation of products.
This may take place through analysis funnels (e.g., color, skincare, haircare, or product recommendation assessments) or through chat-based interactions using StellaAssist.
Processing is carried out within Stella AI's systems and, where necessary, by selected technical service providers. The resulting recommendations and analysis results are made available to the respective cooperation partner.
3. Categories of Data & Data Subjects
Data Subjects
Visitors, users, or prospective customers of the cooperation partner's website or application.
Categories of Data (depending on the specific use case)
- Information voluntarily provided as part of analyses or consultations;
- Image data (e.g., selfies used for color, skincare, or product recommendation analyses);
- Information relating to physical characteristics (e.g., skin tone, eye color, undertone);
- Information relating to skincare, haircare, or beauty-related needs;
- Product preferences and routines;
- Analysis results (e.g., color type, skin type, or product recommendations);
- Age information, where requested;
- Free-text entries submitted through chat functionality;
- Usage, interaction, and technical log data.
Data Minimization
Stella AI follows a strict data minimization approach. Personal data is only processed to the extent necessary for the relevant functionality. Stella AI does not store email addresses or surnames within its own systems and primarily operates using pseudonymized data.
4. Allocation of Responsibilities
Responsibilities of Stella AI GmbH
- Collection and processing of data through the Stella AI solution;
- Storage and processing within Stella AI systems;
- Technical implementation of analysis and recommendation logic;
- Provision of analysis and recommendation results to the cooperation partner;
- Implementation of technical and organizational security measures;
- Support in fulfilling applicable data protection obligations.
Responsibilities of the Cooperation Partner / Brand
- Integration and implementation of the solution (e.g., website integration, landing pages, QR codes);
- Use of the analysis and recommendation results;
- Processing within the partner's own systems (e.g., e-commerce, CRM, or marketing platforms);
- Fulfillment of transparency and information obligations toward users;
- Collection of any required consents where applicable.
Shared Responsibilities
- Defining the purposes and means of the joint processing;
- Handling data subject requests pursuant to Articles 15–22 GDPR;
- Coordination in the event of data protection incidents;
- Documentation and demonstration of GDPR compliance;
- Selection and oversight of relevant service providers and subprocessors.
5. Data Subject Rights
Data subjects may exercise their rights under Articles 15–22 GDPR against either of the joint controllers.
Stella AI and the respective cooperation partner will coordinate the handling of such requests and ensure that data subjects receive all information and support required under applicable data protection laws.
Central contact point for questions relating to the joint processing:
Stella AI GmbH
Kaiserdamm 87
14057 Berlin
Germany
Email: privacy@askstella.ai
6. Transparency & Information Obligations
Stella AI and the cooperation partner ensure that all information required under Articles 12–14 GDPR is provided in a coordinated, consistent, and easily accessible manner.
Users are informed in the cooperation partner's privacy policy about the joint controllership arrangement, the use of AI-powered systems, and any applicable international data transfers.
7. Data Protection, Security & Data Minimization
Stella AI and the cooperation partner commit to implementing appropriate technical and organizational measures in accordance with Article 32 GDPR.
These measures include, among others:
- Access controls and role-based permissions;
- Encryption and secure data transmission;
- Regular review of security measures;
- Employee confidentiality and training;
- Documentation of relevant processes;
- Data minimization and purpose limitation.
Where users voluntarily upload selfies, such images are used solely for the purpose of performing the relevant analysis and are deleted after the analysis has been completed, unless explicitly stated otherwise.
8. Data Protection Incidents
In the event of a data protection incident affecting the joint processing, Stella AI and the cooperation partner will promptly inform each other and coordinate any necessary measures to mitigate risks, including any required notifications to supervisory authorities or affected individuals.
9. Validity & Updates
This agreement becomes effective upon publication on this page and applies to all existing and future partnerships unless a separate individual agreement has been concluded.
Changes to this agreement become effective upon publication on this page. Cooperation partners will be informed of material changes where appropriate.
Stella AI maintains version control and documentation of previous versions internally.
Last updated: June 2026