Legal

Privacy Policy

Last updated:

This Privacy Policy explains how Stellar IT Support Inc. collects, uses, stores, and protects your personal information in connection with the Stella Unified platform. We are committed to protecting your privacy and complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Alberta provincial privacy legislation.

All customer data is stored exclusively in Canada on Canadian-based infrastructure.

1. Who We Are

Stellar IT Support Inc. is a Canadian-Controlled Private Corporation (CCPC) incorporated in Alberta, Canada. We operate the Stella Unified platform ("Service") — an M365 security compliance platform for Managed Service Providers and IT professionals.

Data Controller

Stellar IT Support Inc.

Alberta, Canada

Privacy enquiries: [email protected]

2. Data We Collect

We collect the following categories of information:

2.1 Account Information

  • Full name
  • Email address
  • Company / organization name
  • Password (stored as a one-way cryptographic hash — we cannot recover your password)
  • Billing address (for invoicing and tax purposes)
  • Payment method details (processed and stored by our payment processor; we do not store raw card numbers)

2.2 Microsoft 365 Tenant Data

When you connect a Microsoft 365 tenant, we access and store data retrieved from the Microsoft Graph API including:

  • Tenant configuration and security settings
  • User and group lists (display names, UPNs, role assignments)
  • Device inventory and compliance status (Intune)
  • Conditional Access policies
  • Exchange Online settings and transport rules
  • Secure Score and compliance scores
  • SharePoint and OneDrive sharing settings
  • MFA registration status per user

This data is accessed only as authorized by the OAuth consent flow you complete during tenant onboarding. We only access data that is within the scope of the Graph API permissions you have consented to.

2.3 OAuth Tokens

Microsoft OAuth access tokens and refresh tokens issued following your consent. These are stored encrypted at rest in Canadian PostgreSQL databases using per-tenant encryption keys.

2.4 Scan Results and Remediation History

The output of compliance scans, identified findings, and a complete history of all auto-remediation actions taken on your behalf, including the approval record (who approved, at what time, what change was made).

2.5 Usage Analytics

Aggregated, non-personally-identifying usage data including page views, feature interactions, and performance metrics. This data is used solely to improve the Service. We do not use third-party analytics providers that transmit data outside Canada.

2.6 Support Communications

Records of support tickets, emails, and other communications you send to us, including any information you provide to describe a problem or request.

2.7 Audit Logs

Immutable platform audit logs recording all authentication events, API calls, configuration changes, and approval actions within your account. These are a security and compliance feature.

3. How We Use Your Data

We use the information we collect for the following purposes:

  • Provide the Service — performing security scans, executing approved remediations, deploying compliance frameworks, and generating reports on your M365 tenants.
  • Account Management — creating and maintaining your account, processing billing, and authenticating your sessions.
  • Compliance Reporting — generating compliance status reports and audit documentation using your scan results and remediation history.
  • Service Notifications — sending transactional emails such as security alerts, scan completion notices, billing receipts, and important service announcements.
  • Platform Improvement — using aggregated, anonymized usage analytics to identify usability issues and improve platform features. We do not use your M365 tenant data to train machine learning models.
  • Security & Fraud Prevention — monitoring for unauthorized access, abuse, and suspicious activity on the platform.
  • Legal Compliance — complying with applicable Canadian laws, regulations, and lawful governmental orders.

We process your personal information only on the basis of your consent (as provided when creating an account and connecting a tenant), the performance of our contract with you (providing the Service), and our legitimate business interests in operating a secure and functional platform.

4. Data Residency

All customer data is stored exclusively in Canada.

Our database infrastructure is physically located in Canada. No customer data is stored, processed, or cached outside Canadian borders.

4.1 Database Infrastructure

All customer data — including account information, M365 tenant data, OAuth tokens, scan results, remediation history, audit logs, and all other data collected through the Service — is stored in PostgreSQL databases and associated infrastructure physically located in Canada.

4.2 Edge Portal Access Nodes

To reduce latency for users worldwide, Stella Unified deploys web portal access nodes ("edge nodes") in multiple geographic regions outside Canada. It is important to understand precisely what these edge nodes do and do not do:

What edge nodes DO

  • Serve static web application assets (HTML, CSS, JS)
  • Terminate HTTPS connections from your browser
  • Relay authenticated API requests to Canadian servers
  • Return API responses to your browser

What edge nodes do NOT do

  • Store any customer data
  • Process or cache API responses containing customer data
  • Hold any OAuth tokens or credentials
  • Log or retain M365 tenant information

In practical terms: when you use Stella Unified from outside Canada, your browser connects to a nearby edge node that serves the application interface. All actual data — your account, tenants, scan results — is fetched from and written to Canadian infrastructure in real time. The edge node is a transparent relay for application delivery, not a data store.

4.3 Encryption

  • At rest: AES-256 encryption on all database storage. OAuth tokens additionally use per-tenant encryption keys managed separately from the token data.
  • In transit: TLS 1.3 or higher on all connections between your browser, edge nodes, and Canadian backend infrastructure.

5. Data Sharing

We do not sell your data. We do not share your data with third parties for advertising or marketing purposes.

We share your information only in the following limited circumstances:

  • Microsoft Corporation — We transmit requests to the Microsoft Graph API on your behalf using the OAuth access token you authorized. This is the mechanism by which the Service functions. Your relationship with Microsoft is governed by Microsoft's own privacy policy and terms of service.
  • Payment Processor — We share your billing address and payment method details with our payment processor solely for the purpose of processing subscription payments. The payment processor is contractually prohibited from using this data for any other purpose.
  • Law Enforcement — We may disclose information if required to do so by valid and lawful process under Canadian law (such as a court order, search warrant, or production order). We will notify you of such requests where permitted by law and will challenge requests we believe to be overbroad or unlawful.
  • Business Transfer — In the event of a merger, acquisition, or sale of all or substantially all of the assets of Stellar IT Support Inc., your data may be transferred to the acquiring entity. We will provide notice of any such transfer and the acquiring entity will be required to honour this Privacy Policy.
  • With Your Consent — We may share information in any other circumstance with your explicit prior consent.

6. Data Retention

Data CategoryRetention Period
Account information (name, email, company)While subscription is active; deleted within 30 days of account termination
M365 tenant data (configurations, scan results)While subscription is active; deleted within 30 days of account termination
OAuth tokensWhile tenant is connected; immediately revoked and deleted upon tenant disconnection or account termination
Audit logs1 year from creation (retained for compliance purposes)
Billing records7 years (as required by Canadian tax and accounting regulations)
Support communications2 years from last interaction

Where we are required by applicable law to retain information for a longer period, we will do so but will restrict its use to compliance with the applicable legal obligation.

7. Your Rights (PIPEDA)

Under PIPEDA and applicable Alberta privacy legislation, you have the following rights with respect to your personal information:

  • 1

    Right of Access

    You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days.

  • 2

    Right to Correction

    You have the right to request correction of inaccurate or incomplete personal information. You can update most account information directly through your account settings.

  • 3

    Right to Deletion

    You may request deletion of your personal information. We will delete your data within 30 days of account termination, subject to legal retention requirements (such as billing records).

  • 4

    Right to Withdraw Consent

    You may withdraw consent to our collection and use of your personal information at any time. Withdrawal of consent necessary for providing the Service will result in termination of your account.

  • 5

    Right to Data Portability

    You may export your scan results, compliance reports, and remediation history at any time through the platform's export features. You may also request a complete data export by contacting [email protected].

To exercise any of these rights, contact us at [email protected]. We may require identity verification before processing requests.

If you are not satisfied with our response to a privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Office of the Information and Privacy Commissioner of Alberta.

8. Security Measures

We implement industry-standard technical and organizational security measures to protect your personal information, including:

  • Per-tenant token isolation — Microsoft OAuth tokens are encrypted with SQL-level, per-tenant encryption keys. No single database query can access tokens from multiple tenants.
  • JWT authentication — All authenticated sessions use JSON Web Tokens signed with RS256 asymmetric signatures issued by the Aegis identity service.
  • Role-Based Access Control (RBAC) — Users are assigned roles (Reseller, Tenant Admin, Technician, Viewer) with strictly scoped permissions. Least-privilege principles are enforced at the API layer.
  • Immutable audit trail — All authentication events, API calls, and configuration changes are recorded in an append-only audit log managed by the Hermes logging service.
  • Cognitive security layer — The platform's BlackHole Ecosystem cognitive framework includes 17 security modules, including the Injection Shield Engine (ISE) which detects and blocks prompt injection and adversarial input attacks at the API gateway.
  • Encryption at rest and in transit — AES-256 at rest, TLS 1.3 in transit on all connections.
  • Governed remediation — High-risk auto-remediation actions require explicit human approval via the Governed Execution Engine (GEE), preventing unauthorized automated changes.

Despite our security measures, no system is completely immune from security incidents. In the event of a data breach affecting your personal information, we will notify you as required by applicable Canadian privacy law.

9. Cookies

Stella Unified uses only functional session cookies that are strictly necessary to operate the Service:

  • Session cookie — a secure, httpOnly cookie used to maintain your authenticated session. This cookie contains only a session identifier and no personal data. It expires when you close your browser or after a configurable inactivity timeout.

We do not use:

  • Third-party tracking cookies
  • Advertising cookies
  • Analytics cookies from third-party providers
  • Cross-site tracking mechanisms

Because we use only strictly necessary functional cookies, cookie consent banners are not required. You may configure your browser to block cookies, but doing so will prevent you from logging in to the Service.

10. Children

Stella Unified is an enterprise platform intended for use by business professionals. The Service is not directed at children under the age of 18. We do not knowingly collect personal information from individuals under 18. If you believe that we have inadvertently collected information from a minor, please contact us immediately at [email protected] and we will promptly delete such information.

11. International Access

Stella Unified may be accessed from countries outside Canada. If you access the Service from outside Canada, please be aware of the following:

  • Your data remains in Canada and is subject to Canadian law (including PIPEDA) regardless of where you are located when you access the Service.
  • The application interface is served to your browser from the nearest edge node, which may be located in your jurisdiction. These edge nodes do not store or process your personal data.
  • By using the Service from outside Canada you acknowledge that Canadian law will govern the protection of your personal information, which may provide different (and in some cases stronger) protections than the law of your jurisdiction.

We do not transfer personal data to countries outside Canada for storage or processing. Microsoft Corporation, through the Graph API, may process your M365 data in accordance with Microsoft's data processing terms — this is governed by your agreement with Microsoft, not by us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes that affect how we collect, use, or share your personal information, we will provide at least 30 days notice by:

  • Sending an email notification to the address associated with your account.
  • Displaying a prominent in-platform notification when you next sign in.

The date of the most recent revision is displayed at the top of this page. Continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.

13. Contact & Complaints

For any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact our privacy team:

Privacy Officer — Stellar IT Support Inc.

Alberta, Canada

Email: [email protected]

General support: [email protected]

Website: stella-ai.ai

We will acknowledge privacy requests within 5 business days and respond substantively within 30 days. If you are not satisfied with our response, you may escalate your complaint to:

  • Office of the Privacy Commissioner of Canada — responsible for federal PIPEDA matters. priv.gc.ca
  • Office of the Information and Privacy Commissioner of Alberta — responsible for provincial PIPA matters. oipc.ab.ca

See also our Terms of Service for the full terms governing your use of the platform.