Privacy Policy

Stella - Gmail Invoice Scanner Chrome Extension

Operated by Still Kettle
Last updated: January 31, 2026
Effective date: January 31, 2026

1. Introduction

Welcome to Stella - Gmail Invoice Scanner ("Stella", "the Extension", "we", "us", or "our"). Stella is a Chrome browser extension developed and operated by Still Kettle, an EU-based company. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Chrome Extension.

We are committed to protecting your privacy and ensuring transparency in how we handle your data. Stella is designed with a privacy-first architecture — your email content is processed locally in your browser and is never transmitted to or stored on our servers.

By using Stella, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies, please do not use the Extension.

2. Data Controller & Contact Information

Data Controller: Still Kettle (Hanchen Li)

Location: 1035 Budapest, Vorosvari ut 5, Hungary

Email: hello@stillkettle.com

Website: stella.stillkettle.com

For GDPR-related inquiries, our Data Protection Officer (DPO) can be reached at hello@stillkettle.com.

3. Data We Collect

We collect the following categories of data:

3.1 Account Information (Stored on Servers)

  • Email address: Used for account identification, authentication, and communication
  • Subscription status: Information about your plan type and billing status

3.2 Usage Metrics (Stored on Servers)

  • Aggregate counts only: Number of emails processed, number of invoices extracted
  • Feature usage statistics: Which features are used (without content data)
  • We do NOT store the content of emails or extracted invoice data

3.3 User Preferences (Stored on Servers)

  • Trusted vendor patterns: Email addresses or domains you mark as trusted vendors
  • Custom field configurations: Your preferences for data extraction fields

3.4 Local Browser Storage

  • OAuth tokens: Google OAuth tokens are stored locally in your browser's secure storage
  • Extension settings: Your local preferences and configuration
  • Session data: Temporary data needed for the extension to function

4. Data We Do NOT Collect or Store

Stella is designed with privacy at its core. We explicitly do NOT collect, transmit, or store:

  • Email content: The body, subject, or attachments of your emails are processed entirely in your browser
  • Extracted invoice data: Invoice details (amounts, dates, vendors, etc.) are sent directly to YOUR Google Sheet, never to our servers
  • Full email metadata: We do not store sender/recipient information, timestamps, or email headers
  • Google Sheets content: We have no access to or storage of your spreadsheet data
  • Personal financial information: Bank details, payment amounts, or sensitive financial data
  • Browsing history: We do not track your browsing activity outside the extension

5. How We Use Your Data

We use the limited data we collect for the following purposes:

  • Service delivery: To provide, maintain, and improve the Stella extension
  • Authentication: To verify your identity and manage your subscription
  • Usage limits: To enforce plan limits (e.g., monthly email processing quotas)
  • Customer support: To respond to your inquiries and provide assistance
  • Product improvement: To analyze aggregate usage patterns and improve features
  • Communication: To send important service updates and, with your consent, marketing communications
  • Legal compliance: To comply with applicable laws and regulations

7. Third-Party Services

Stella integrates with the following third-party services:

Google APIs (Gmail API, Google Sheets API)

Purpose: To access your Gmail messages for invoice detection and to write extracted data to your Google Sheets

Data shared: OAuth authentication only; email content is processed locally in your browser

Privacy Policy: Google Privacy Policy

Supabase (Authentication & Database)

Purpose: To provide secure authentication, store account information, and manage subscription data

Data shared: Email address, subscription status, usage metrics (counts only)

Privacy Policy: Supabase Privacy Policy

Paddle (Payment Processing)

Purpose: To process subscription payments securely

Data shared: Email address, payment information (handled directly by Paddle)

Privacy Policy: Paddle Privacy Policy

We carefully select third-party service providers that maintain appropriate security measures and comply with applicable data protection laws. We have Data Processing Agreements (DPAs) in place with these providers where required.

8. Google API Services User Data Policy

Compliance Statement

Stella's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use Disclosure

Stella accesses Google user data solely to:

  • Read Gmail messages to identify and extract invoice information
  • Write extracted invoice data to user-selected Google Sheets

We Commit To:

  • Limited use: Using Google user data only for the specific purposes disclosed in this policy
  • No transfer for advertising: Not using or transferring Google user data for advertising purposes
  • No transfer to third parties: Not transferring Google user data to third parties unless necessary to provide the service, required by law, or with explicit user consent
  • No human review: Not allowing humans to read your Google user data unless with your affirmative consent, required for security purposes, to comply with law, or when aggregated and anonymized for internal operations
  • Secure handling: Implementing appropriate security measures to protect Google user data

9. Data Retention

We retain your data according to the following principles:

  • Account data: Retained while your account is active and for up to 30 days after account deletion to allow for account recovery
  • Usage metrics: Aggregated usage statistics are retained for up to 24 months for analytics purposes
  • Subscription/billing records: Retained as required by applicable tax and accounting laws (typically 7 years)
  • Local browser data: Cleared when you uninstall the extension or clear browser data

Email content and extracted invoice data are processed in real-time and are never stored on our servers. This data exists only temporarily in your browser during processing.

10. Data Security

We implement appropriate technical and organizational security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our services uses TLS/HTTPS encryption
  • Encryption at rest: Stored data is encrypted using industry-standard encryption algorithms
  • Access controls: Strict access controls limit who can access personal data within our organization
  • Security audits: Regular security reviews and updates to our infrastructure
  • Local processing: Email content is processed locally in your browser, minimizing data exposure
  • OAuth 2.0: Secure OAuth 2.0 authentication for Google API access, with tokens stored locally

While we strive to protect your data, no method of transmission or storage is 100% secure. If you become aware of any security incident, please contact us immediately at hello@stillkettle.com.

11. Your Rights Under GDPR (EU/EEA)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and access to a copy of that data.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete data.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances ("right to be forgotten").

Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain circumstances.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Article 7)

Where processing is based on consent, you have the right to withdraw consent at any time.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your EU member state.

Response Time: We will respond to your request within 30 days. If we need more time due to the complexity of your request, we will inform you of the extension and the reasons for it.

How to Exercise Your Rights: Contact us at hello@stillkettle.com

12. Your Rights Under CCPA/CPRA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know

You have the right to know what personal information we collect, use, disclose, and sell (if applicable).

Right to Delete

You have the right to request deletion of your personal information.

Right to Correct

You have the right to request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing

You have the right to opt-out of the sale or sharing of your personal information.

Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising your privacy rights.

Do Not Sell or Share My Personal Information

We do not sell or share your personal information as defined by the CCPA/CPRA. We do not sell personal information to third parties for monetary consideration, nor do we share personal information for cross-context behavioral advertising.

Response Time: We will respond to your verifiable consumer request within 45 days. If we need more time (up to an additional 45 days), we will inform you in writing.

How to Exercise Your Rights: Contact us at hello@stillkettle.com

13. Your Rights Under LGPD (Brazil)

If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD):

  • Confirmation of the existence of processing
  • Access to your personal data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Portability of data to another service provider
  • Deletion of personal data processed with consent
  • Information about public and private entities with which your data has been shared
  • Information about the possibility of not providing consent and the consequences
  • Revocation of consent

Response Time: We will respond to your request within 15 days as required by LGPD.

How to Exercise Your Rights: Contact us at hello@stillkettle.com

14. Your Rights Under PIPEDA (Canada)

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). We adhere to PIPEDA's fair information principles:

Accountability

We are responsible for personal information under our control and have designated a privacy officer.

Consent

We obtain meaningful consent for the collection, use, and disclosure of personal information.

Access and Correction

You have the right to access your personal information and challenge its accuracy.

Challenging Compliance

You may challenge our compliance with PIPEDA. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.

How to Exercise Your Rights: Contact us at hello@stillkettle.com

Complaints: You may file a complaint with the Office of the Privacy Commissioner of Canada

15. International Data Transfers

As an EU-based company, Still Kettle primarily processes data within the European Economic Area (EEA). However, some of our service providers may process data outside the EEA.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries with an adequacy decision from the European Commission
  • Standard Contractual Clauses (SCCs): EU-approved contractual clauses that provide appropriate safeguards
  • Supplementary measures: Additional technical and organizational measures where necessary

You may request information about the safeguards in place for specific transfers by contacting us at hello@stillkettle.com.

16. Children's Privacy

Stella is not intended for use by individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@stillkettle.com. We will take steps to delete such information promptly.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email and/or through the Extension
  • Obtain your consent where required by applicable law

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: hello@stillkettle.com

Data Controller:

Still Kettle (Hanchen Li)
1035 Budapest, Vorosvari ut 5, Hungary
stella.stillkettle.com

We are committed to resolving any concerns you may have about our privacy practices. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

© 2026 Still Kettle. All rights reserved.
