PRIVACY POLICY

Vellme
Last updated: May 5, 2026

1. Data controller

The controller of your personal data is:

ConsultIT Michał Giernatowski
sole trader registered in CEIDG (Polish Central Registration and Information on Business)
Alpaki 20
05-506 Lesznowola, Poland
Tax ID: 5361887961
Email: support@stellarxlab.com

We have not appointed a data protection officer. For all questions relating to privacy, personal data, data subject rights or security, you can contact us at support@stellarxlab.com.

2. What this document covers

This Privacy Policy explains how we process personal data of Vellme app users, people who contact us, and visitors of Vellme informational pages, including the /privacy and /terms pages.

Vellme is an affirmation, journaling and mood-tracking app. Vellme is not a medical, therapeutic or diagnostic service.

3. Key points

We collect data needed to operate accounts, run the app, manage subscriptions, send notifications, deliver newsletters and provide support.
Your journal entries and mood data are treated as private user content and are not publicly shared with other users.
We do not sell personal data and we do not use your journal entries or notes to train AI models.
Payments are handled by Apple App Store and Google Play. We do not store full payment card details.
You have rights of access, rectification, erasure, restriction, objection, portability and withdrawal of consent where consent is the legal basis.

4. Categories of data we process

4.1 Account and authentication data

When you create an account or sign in, we may process:

email address,
first name, last name or other profile information shared by your sign-in provider,
internal user identifier,
information about the sign-in method, such as email, Google or Apple.

4.2 User content, journal and mood data

When using the app, you may voluntarily provide:

mood ratings,
journal entries, notes and reflections,
information related to rituals, affirmations and in-app activity history.

Important: Vellme is not a medical service. Please do not enter special category data or other sensitive information in notes.

4.3 Subscription and billing data

In connection with Premium plans, we may process:

subscription status,
information about activation, renewal, expiry, trial eligibility and auto-renewal,
basic transaction identifiers and technical product or plan information.

Payments are handled by Apple App Store or Google Play. As a rule, we do not receive full payment card details.

4.4 Technical, security and diagnostic data

To operate the app and maintain security, we may process:

device type, operating system, app version and technical identifiers,
IP address or network-related data,
error logs, crash reports and diagnostic data,
push token data, device platform, device name and app version,
feature usage data and analytics events.

4.5 Communications, support and complaints

If you contact us, submit a complaint or request data export or deletion, we may process the contents of your message, contact details, support history and other information needed to handle the request.

4.6 Newsletter and marketing communications

If you subscribe to our newsletter, we process your email address and information about the status of your newsletter subscription.

4.7 Informational website visitor data

If you visit our informational website or legal pages hosted under stellarxlab.com, our hosting provider and we may process standard server logs such as IP address, request date and time, URL, browser information and other data required for security and service operation.

5. Where the data comes from

We obtain data:

directly from you when you create an account, use the app, write notes, subscribe to the newsletter or contact us,
from sign-in providers and app store platforms such as Google, Apple, Apple App Store and Google Play,
automatically from your device and app usage,
from our infrastructure and technology providers as needed to run the service.

6. Purposes and legal bases

6.1 Providing the service and operating your account

We process data to create and maintain your account, enable sign-in, store your user content, synchronize data and provide app functionality.

Legal basis: GDPR Article 6(1)(b), performance of a contract for the supply of a digital service.

6.2 Managing Premium subscriptions

We process subscription data to activate or verify Premium access, resolve subscription issues and synchronize plan status.

Legal basis: GDPR Article 6(1)(b).

6.3 Security, reliability, diagnostics and fraud prevention

We process technical and diagnostic data to keep accounts secure, detect abuse, diagnose failures, manage push delivery and improve service stability.

Legal basis: GDPR Article 6(1)(f), our legitimate interest in ensuring security, integrity and reliability of the service.

6.4 Product analytics and usage statistics

We may process app usage data to understand how features are used, measure stability, improve UX and develop the product.

Legal basis: GDPR Article 6(1)(f), and where consent is required by applicable law or implementation model, GDPR Article 6(1)(a).

6.5 Newsletter and direct marketing

If you subscribe to the newsletter, we process your data to send marketing information about Vellme.

Legal basis: GDPR Article 6(1)(a), your consent. You may withdraw that consent at any time.

6.6 Service communications, support and complaints handling

We process data to answer requests, handle complaints, comply with privacy rights requests and communicate with you about your account or the service.

Legal basis: GDPR Article 6(1)(b), (c) or (f), depending on the nature of the request.

6.7 Legal obligations and claims

We may process data to comply with accounting, tax or legal obligations and to establish, defend or pursue claims.

Legal basis: GDPR Article 6(1)(c) and (f).

7. Who we share data with

We use external providers. Depending on the provider and service, they act either as our processors or as independent controllers for their own services.

7.1 Main technology and operational providers

hosting, infrastructure, database, backend and authentication providers,
analytics, crash reporting, security and technical service providers,
push notification and technical communication providers,
subscription and Premium plan management providers,
email and newsletter service providers,
internal operational and administrative tool providers,
website and informational page hosting providers.

Upon request, we may provide more specific information about the providers currently used.

7.2 Sign-in, platform and ecosystem providers

Google and Apple in connection with external sign-in and device-related services.
Apple App Store and Google Play in connection with subscription purchase, renewal, cancellation and refunds.

7.3 Public authorities and advisers

We may disclose data to public authorities, courts, law firms, accountants, auditors or other authorized recipients where required by law or necessary to protect our rights.

8. International transfers

Some providers may process data outside the EEA, especially in the United States. Where this happens, we rely on appropriate safeguards such as:

adequacy decisions, including the EU-U.S. Data Privacy Framework where applicable,
European Commission Standard Contractual Clauses,
additional technical and organizational safeguards where needed.

9. Retention periods

We retain personal data for no longer than necessary for the purposes described above, unless a longer period is required by law or necessary for claims handling.

Account data: for as long as your account exists, and afterwards for as long as needed for legal obligations or claims.
Journal entries, mood data and other user content: until deleted by you, until account deletion, or up to 24 months of inactivity if we implement or apply such a retention policy.
Subscription data: for the duration of the service and as long as needed for accounting, complaints and claims.
Technical, diagnostic and security logs: typically up to 12 months unless a longer period is justified by security or investigations.
Newsletter data: until you unsubscribe or withdraw consent, and thereafter as long as needed to demonstrate compliance.
Support and complaint records: for as long as needed to handle the matter and to evidence its history.
After permanent account deletion: data should be deleted or anonymized without undue delay, typically within 30 days, subject to backups, security logs and data that must be retained for legal obligations or claims.

10. Your rights

Subject to applicable law, you have the right to:

access your data,
rectify your data,
erase your data,
restrict processing,
data portability,
object to processing based on our legitimate interests,
withdraw consent at any time where consent is the legal basis,
lodge a complaint with a supervisory authority.

In Poland, the supervisory authority is the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

We do not make decisions about you based solely on automated processing, including profiling, that would produce legal effects concerning you or similarly significantly affect you.

11. Exercising your rights and data export

You can send privacy requests to support@stellarxlab.com. Where reasonably necessary for security, we may ask you to verify your identity.

If you request a copy or export of your data, we may fulfill that request through in-app tools, backend tools, database export or dedicated server-side functions.

We respond to privacy rights requests without undue delay and, as a rule, within 1 month of receipt. Where the request is particularly complex or we receive a higher number of requests, this period may be extended by up to a further 2 months, in which case we will inform you as required by law.

12. Newsletter and withdrawal of consent

If you subscribe to the newsletter, you can unsubscribe at any time through the unsubscribe link or by contacting us. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

Where we process personal data for direct marketing on the basis of our legitimate interests as permitted by law, you also have the right to object to that processing.

13. Push notifications

We only send push notifications if you grant the necessary device permissions. You can withdraw that permission or turn off notifications in your device settings at any time.

14. Data security

We use appropriate technical and organizational measures to protect personal data, including access controls, transport encryption, authentication mechanisms, security logging and need-to-know access restrictions.

However, no Internet transmission or storage method can be guaranteed to be completely secure.

If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you where required by law.

15. Children

Vellme is intended for users aged 16 and older. If we learn that we are processing data of a younger person in violation of law or our rules, we will take steps to delete that data.

16. Changes to this Policy

We may update this Privacy Policy from time to time, especially in response to legal, technical, product or organizational changes. The current version will always be published at the same address together with the last updated date. If the changes are material, we may also notify you by email or in the app.

17. Contact

ConsultIT Michał Giernatowski
sole trader registered in CEIDG (Polish Central Registration and Information on Business)
Alpaki 20, 05-506 Lesznowola, Poland
Tax ID: 5361887961
Email: support@stellarxlab.com