Privacy Policy
Effective date: March 3, 2026
Stellar ("we", "us", or "our") operates the Stellar mobile application, available on the Apple App Store,
and the website at stellarmusic.io (together, the "Service"). This
Privacy Policy explains what information we collect, how we use it, and
the choices you have.
1. Information We Collect
Account information. When you create an account we
collect your email address, username, and display name. Your password is
hashed with bcrypt before storage and is never stored in plain text.
Profile image. You may optionally upload a profile
avatar. The image is stored on our server and associated with your
account.
Music preferences. We store the artists you mark as
favorites, disliked, known, or discovered so that we can power your
personalized music maps and recommendations.
Galaxy maps and universes. We store the music
visualizations and universe snapshots you create, including the artist
graph data, seed artists, and any thumbnails generated for sharing.
Social features. If you use friend features, we store
your friend connections, friend requests, and any shared content such as
collision snapshots (music-taste comparisons between friends), shared
galaxies, shared universes, and collaborative playlists.
Invite codes. If you create or accept an invite, we
store the invite code and the association between inviter and invitee.
2. Information We Do Not Collect
- We do not collect your location.
- We do not access your camera, microphone, contacts, or calendar.
- We use Google Analytics to collect anonymous, aggregated usage
data (such as page views and general traffic patterns). Google
Analytics may set cookies to distinguish unique visitors. We do not
use advertising or other tracking SDKs.
- We do not collect device identifiers or transmit them to third
parties.
3. How We Use Your Information
- To provide and maintain the Service — creating your account,
generating personalized music maps, powering recommendations, and
enabling social features.
- To authenticate you — via secure JWT tokens and HTTP-only session
cookies.
- To send transactional emails — specifically password-reset emails
when you request them. We do not send marketing or promotional
emails.
- To generate link previews — when you share a galaxy or universe, we
inject Open Graph metadata so that messaging apps can display a
preview.
4. Third-Party Services
We use the following third-party services to provide the Service:
- Last.fm API — to fetch similar-artist
relationships, artist genres, and artist metadata. Your requests are
proxied through our server; Last.fm does not receive your personal
information.
- Deezer API — to fetch artist images, fan counts,
and 30-second track previews. Requests are proxied through our server;
Deezer does not receive your personal information.
- Google Analytics — to collect anonymous,
aggregated website usage data such as page views and traffic
patterns. Google Analytics may set cookies; see
Google's Privacy Policy
for details.
- Google SMTP (Gmail) — to deliver password-reset
emails. Only your email address is transmitted for this purpose.
We do not sell, rent, or share your personal information with any
other third parties.
5. Data Storage and Security
Your data is stored in a server-side database. We protect it with:
- HTTPS/TLS encryption for all data in transit.
- Bcrypt password hashing (12 rounds).
- HTTP-only, secure cookies to prevent cross-site scripting access to
session tokens.
- Rate limiting on authentication endpoints to prevent brute-force
attacks.
- Short-lived JWT access tokens (15 minutes) with rotating refresh
tokens (7 days).
6. Data Retention
- Account data, music preferences, maps, and social connections are
retained for as long as your account is active.
- Session refresh tokens expire and are deleted after 7 days of
inactivity.
- Password-reset tokens expire after 1 hour.
- Shared galaxies and universes remain accessible until you delete
them.
7. Your Rights
You can:
- Access and update your profile information at any
time through the app's settings.
- Delete your content — remove maps, favorites,
dislikes, friend connections, and shared content from within the
app.
- Request account deletion — contact us at the email
below to request complete deletion of your account and all associated
data.
8. Children's Privacy
The Service is not directed to children under 13. We do not knowingly
collect personal information from children under 13. If you believe a
child has provided us with personal information, please contact us and
we will promptly delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we
will revise the "Effective date" at the top of this page. We encourage
you to review this page periodically.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise
your data rights, please contact us at:
Stellarmusic.app@gmail.com