Privacy Policy

How we collect, use, and protect your personal data. Updated 6 May 2026.

Effective: 6 May 2026 · Last updated: 6 May 2026 · Version: 2.0

About this document

This is the Privacy Policy for Stellar Mentoring UG (haftungsbeschränkt), the company that operates the Stellar.Connect mentoring platform. It explains, in plain language, what personal data we collect about you, why, who we share it with, how long we keep it, and what rights you have to access, correct, export, restrict, object to, or delete it.

If a question about your data isn't answered here, email us at privacy@stellarmentoring.com and we'll respond within 30 days.

What changed in version 2.0: we restructured this document to clearly state our lawful basis for each kind of processing (Section 2), give you concrete retention periods (Section 4), name our sub-processors (Section 3), describe how our matching algorithm works under GDPR Article 22 (Section 6), and decouple consent withdrawal from account deletion (Section 5). We also added a section on regulator complaints (Section 9). The previous version was effective 5 February 2025.

When does this apply? When you sign up for, use, or are invited to a mentoring programme on the Stellar Mentoring Platform, or when you visit stellarmentoring.com. If your organisation has a separate Data Processing Agreement (DPA) with us, the DPA's terms govern the processing of data you provide through that organisation, and override this Policy where the two conflict (see Section 10).

Will it change? Yes — we update this document when laws, our sub-processors, or our practices change. When the change is significant, we notify you in the app at next sign-in and, where required, by email. The version and effective date at the top tell you which document version was live when you accepted it.

Section 1

Who we are

The data controller for personal data processed by the Stellar Mentoring Platform is:

Under German and EU law, Stellar Mentoring UG is below the threshold that requires a designated Data Protection Officer (DPO). Privacy questions are routed to the Stellar Mentoring management team, which handles data-subject requests and serves as your single point of contact for any GDPR matter.

For full company details (Geschäftsführer, registration, VAT ID), see our Imprint.

Section 2

What data we collect, why, and on what legal basis

The table below lists every category of personal data we process, why we process it, and the legal basis under GDPR Article 6 (and, where relevant, Article 9). Multiple bases may apply to a single category; we list each that applies.

Data category | What we collect | Why we collect it | Lawful basis (Art. 6)
Account identity | Email, first name, last name, password (hashed), tenant assignment | Create + secure your account; authenticate sign-in | 6(1)(b) — performance of contract
Visitor / log data | IP, browser, device type, pages visited, error logs | Operate the Service, detect abuse, debug | 6(1)(f) — legitimate interest in security and operation
Profile — personal | Gender, country, language, communication preference, timezone, profile photo | Tailor the platform; enable matching | 6(1)(a) — consent (Art. 9 if gender is treated as a special category in your jurisdiction; see Section 7)
Profile — professional | LinkedIn URL, employer, job title, work experience, sector, functional role, people-management experience | Mentor-mentee matching; partner-visibility within an enrolled programme | 6(1)(a) — consent
Mentoring areas + ideal-mentor preferences | Selected mentoring topics, partner role preferences, capacity (mentees per mentor) | Matching algorithm input; partner shortlist | 6(1)(a) — consent
Engagement | Login times, messages with your matched partner, sessions scheduled / attended, milestones reached | Operate the programme; provide reporting to coordinators; quality monitoring | 6(1)(b) + 6(1)(f)
Tandem / session content | Session notes, agenda, milestone artefacts you choose to share with your partner | Programme operation; record for the participants | 6(1)(b) — performance of contract
Email + transactional | Sent / delivered / bounced events for emails the platform sends you | Deliverability monitoring; support | 6(1)(b) + 6(1)(f)
Customer service | Support ticket content, communications with our team | Respond to your request; quality-control our service | 6(1)(b) + 6(1)(f)
Tenant CRM-sourced (when you reach the platform via an organisation that integrates its CRM with us) | Name + email pulled from the tenant's CRM by API | Create your Stellar account on behalf of the tenant organisation | 6(1)(b) under the tenant's executed Data Processing Agreement — see Section 10

We do not collect data we don't need. Fields marked optional in the platform are processed only if you choose to provide them.

Section 3

Who we share your data with

We share personal data only with:

  • Your matched partner and programme coordinators — the mentor or mentee you are matched with, plus the administrators of the programme that invited you, see your profile and the data you choose to share within the platform.
  • Sub-processors who help us operate the Service. Each is bound by a Data Processing Agreement and processes data only on our instructions:

Sub-processor | What they do | Where data is processed
Amazon Web Services EMEA SARL | Hosting, database, file storage, email delivery (SES), authentication (Cognito) | eu-central-1 (Frankfurt, Germany)
Google Analytics 4 (Google Ireland Limited) | Aggregated traffic + product-usage analytics on our marketing site only — disabled by default, requires your active opt-in via the cookie banner | EU-US Data Privacy Framework (where Google's certification applies) and EU Standard Contractual Clauses (Commission Decision 2021/914) for any residual transfers
Sentry (Functional Software, Inc.) | Error monitoring on the platform — collects error stack traces, never message bodies or profile fields | United States; transfers governed by EU Standard Contractual Clauses (Commission Decision 2021/914)
Stripe Payments Europe Limited | Subscription billing for organisation customers; we never see card details | EU / Ireland
Atlassian Pty Ltd (Jira Service Management) | Customer-support ticketing | European Union (Atlassian Cloud EU data residency)

We do not share data with third-party advertisers. We never sell personal data. If we add or change a sub-processor, we update this section before the change takes effect.

We may disclose data to public authorities only when legally required (e.g. court order, valid subpoena) and only to the extent required by that obligation.

Section 4

How long we keep your data

We keep personal data only as long as we need to deliver the Service, meet legal obligations, or defend legal claims. Concrete retention periods:

I am a user who… | How long we keep your data
Signed up but never accepted a programme registration; did not request erasure | 2 years after your last login, then anonymised
Signed up + accepted at least one programme registration; did not request erasure | 5 years after your last login. Programme history is anonymised at that point; the ConsentRecord and audit log are retained for legal-defence purposes
Did not start a programme + requested erasure | Erased within 24 hours of confirming your identity
Did start at least one programme + requested erasure | Personal identifiers (name, email, photo, LinkedIn, employer, job title, gender) anonymised within 24 hours of confirming identity. ConsentRecord, audit log, and de-identified aggregate statistics retained 5 years to demonstrate consent (Art. 7(1)) and defend legal claims (Art. 17(3)(e))

Why anonymise instead of fully delete? Sessions and tandems involve another person — your matched partner. Hard-deleting your data would create gaps in their record that they did not consent to. Anonymisation removes the personal identifiers from your data while preserving the partner's right to a complete record of the programme they participated in. If you object to this approach, contact privacy@stellarmentoring.com and we'll review your case under Article 17 GDPR.

Section 5

Your rights

Under the GDPR you have the following rights. We respond to every request within 30 days (extendable by 60 more if the request is complex — we will tell you within the first 30 days if we need the extension and why).

  • Access (Art. 15) — receive a copy of the personal data we hold about you, plus a summary of how it's processed.
  • Rectification (Art. 16) — correct inaccurate or complete incomplete data. Most fields you can update directly in your profile; for the rest, contact us.
  • Erasure / "right to be forgotten" (Art. 17) — see Section 4 above for what gets erased and what is retained.
  • Restriction (Art. 18) — pause our processing in specific situations (e.g. while you contest the accuracy of data we hold).
  • Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller.
  • Object (Art. 21) — object to processing based on our legitimate interests; we'll stop unless we can show overriding legitimate grounds.
  • Withdraw consent (Art. 7(3)) — see "Withdrawing consent" below; withdrawal does not require account deletion.
  • Not be subject to solely automated decisions (Art. 22) — see Section 6 on our matching algorithm.

How to exercise your rights

  • Email privacy@stellarmentoring.com with the right you want to exercise in the subject line — for example "Data Access Request", "Data Portability Request", "Erasure Request", "Object to Processing".
  • Include the email address tied to your Stellar account so we can verify your identity. We may ask for additional verification.
  • You will receive confirmation within 24 hours and a substantive response within 30 days.

Withdrawing consent

You can withdraw consent at any time without deleting your account. Use the "Privacy & consent" section in your profile settings to revoke any consent you previously gave. We'll stop the processing that depended on it. Where the withdrawn consent was the only lawful basis for keeping certain data, we'll delete or anonymise that data per Section 4. Withdrawing consent does not affect the lawfulness of processing we did before withdrawal.

Section 6

Automated decision-making and matching

We operate a matching algorithm that suggests potential mentor-mentee pairs by comparing the profile fields you provide (job title, experience, sector, mentoring areas, language, etc.) using configurable scoring rules set by your programme coordinators.

The matching algorithm is advisory, not final. A programme coordinator (a person, not an algorithm) reviews the suggested pairs and decides which matches to confirm. You can also accept or decline a suggested match yourself once it is proposed to you. As a result, we do not consider the matching to be a "solely automated decision" within the meaning of GDPR Article 22(1).

You still have the right to:

  • Ask which profile fields contributed to a particular suggestion. We will tell you which categories of profile fields contributed (for example, that job title and sector were the dominant signals) without exposing the specific values of other users' profiles.
  • Request human review of any specific match.
  • Decline a suggested match and provide reasons that adjust your future suggestions.

Email privacy@stellarmentoring.com with subject "Matching Review Request" to exercise either right.

Section 7

Sensitive data and minimum age

Special categories of data (Art. 9). The platform asks for gender as part of profile completion. Depending on your jurisdiction, gender may be treated as data revealing characteristics protected under Article 9. We treat the field as optional, process it only when you provide it, and use it only for matching purposes you have consented to. You can leave it blank or update it at any time. If you prefer not to have gender processed as profile data, leave the field blank — the platform works without it. Where gender is treated as Article 9 special-category data in your jurisdiction, your active opt-in via the profile form serves as the explicit consent required by Article 9(2)(a).

Children. The Stellar Mentoring Platform is intended for users 18 years of age or older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account or supplied data, contact us at privacy@stellarmentoring.com and we will erase the data within 24 hours of verifying the report.

Section 8

How we protect your data

The full description of our technical and organisational measures is in our Data Security Policy. Highlights:

  • All data in transit is encrypted with TLS 1.3.
  • All data at rest is encrypted with AES-256 by AWS at storage level.
  • Multi-factor authentication is enforced for administrator accounts.
  • Daily encrypted backups, retained for 30 days.
  • If a personal-data breach affects you, we will notify you and the supervisory authority within 72 hours of becoming aware, in line with GDPR Articles 33–34.

Section 9

Complaints to a supervisory authority

If you believe we have processed your personal data in a way that infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for Stellar Mentoring UG is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de

You may also lodge a complaint with the supervisory authority of your country of residence. We would prefer that you contact us first at privacy@stellarmentoring.com so we can try to resolve your concern directly — but the right to complain to a regulator is yours, regardless.

Section 10

When your data comes from a tenant organisation

Some users reach Stellar via an organisation that has integrated its own systems (e.g. its CRM) with our platform under a signed Data Processing Agreement. If that applies to you, the organisation is a separate data controller for the data they collected before sending it to us, and the executed DPA governs how Stellar processes that data on the organisation's behalf.

Where the DPA's terms conflict with this Privacy Policy, the DPA prevails for the data covered by it. The organisation is responsible for telling you which data they share with us; if you want a copy of the applicable DPA, contact your programme coordinator or the organisation's data-protection contact directly.

Section 11

Data transfers outside the European Union

Stellar Mentoring UG hosts your data within the European Union (AWS eu-central-1, Frankfurt, Germany). Some of our sub-processors (see Section 3) may process limited data outside the EU. When this happens, we rely on:

  • Adequacy decisions by the European Commission, where one applies for the destination country.
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), plus supplementary measures where needed, for all other transfers.

AWS sub-processing remains within eu-central-1 (Frankfurt). Google Analytics 4 may transfer limited aggregated data outside the EU under the EU-US Data Privacy Framework + SCCs. Sentry processes error stack traces in the United States under SCCs. Stripe and Atlassian process data within the EU. The sub-processor list and transfer mechanisms are reviewed annually and updated in this Policy when they change.

Section 12

Cookies

Cookies are described in detail in our Cookie Policy, including a full inventory of every cookie we set, its purpose, duration, and how to opt in or out. Non-essential cookies (analytics, marketing) only run if you give explicit consent through the cookie banner — they are off by default.

Section 13

Changes to this policy

We update this Privacy Policy when our processing, sub-processors, or applicable laws change. The "Last updated" and "Effective" dates at the top tell you which version of the document is currently in force.

For material changes (new sub-processor, new processing purpose, expanded retention, change in lawful basis), we will:

  • Notify you in the platform at next sign-in, with a re-acceptance gate where re-consent is required;
  • Where required, also notify you by email;
  • Provide a summary of what changed at the top of this document for at least 12 months after the effective date.