Joint Controller Information pursuant to Art. 26 GDPR

The following regulations apply to all cooperations where Stella AI GmbH and a cooperation partner / brand jointly use the Stella AI Tool (for example on a shop website or via QR code in stationary retail).

1. Scope of Application & Joint Responsibility Model

Stella AI GmbH, Kaiserdamm 87, 14057 Berlin ("Stella AI") and each respective cooperation partner / brand are considered joint controllers within the meaning of Art. 26 GDPR in certain usage scenarios, as they jointly decide on the purposes and means of processing personal data.

This joint responsibility relates to all processing activities within the framework of the Stella AI Tool, including both modules Stella Match and Stella Assist, when this tool is integrated on the cooperation partner's website or accessed via QR code.

2. Purposes of Data Processing

The purpose of processing is to:

  • analyze user interests and characteristics,
  • generate personalized product recommendations based on this,
  • and provide the cooperation partner with relevant recommendations.

This is done either through an analysis funnel (e.g., color/skin analysis) or through chat interactions via Stella Assist. The data is processed in Stella AI systems and provided to the respective cooperation partner.

3. Data Categories & Affected Persons

Affected Persons

Visitors, users or interested parties of the cooperation partner's website / application

Data Categories (depending on usage scenario)

  • Voluntarily entered identification data (e.g., name, email address)
  • Image data (e.g., selfies for color analysis)
  • Physical characteristics (e.g., skin color, eye color, skin tone)
  • Analysis results (e.g., color type, product recommendations)
  • Skin condition, skin needs, care preferences
  • Age information
  • Free text entries in the chat function
  • Usage behavior, click and log data

Note: Chat contents are stored and evaluated exclusively in pseudonymized or anonymized form; identification of the person is not possible.

4. Allocation of Responsibilities

Responsible at Stella AI GmbH

  • Receipt and collection of data through the tool
  • Storage and processing in Stella AI systems
  • Technical implementation, further processing for recommendation generation
  • Provision of recommendations to the cooperation partner
  • Information obligations under Art. 13, 14 GDPR (in coordination with the partner)

Responsible at Cooperation Partner / Brand

  • Implementation / integration of the tool (embedding, QR code, etc.)
  • Collection of publicly visible or voluntary information
  • Use of provided recommendation results in shop operations
  • Additional storage in own CRM / systems (if applicable)
  • Ensuring transparency towards users (e.g., references in the privacy policy)

Joint Responsibility (both parties)

  • Definition of purposes and means of joint processing
  • Coordination and responsibility for data subject rights (Art. 15–22 GDPR)
  • Maintenance of documentation and technical & organizational measures (Art. 30 and 32 GDPR)
  • Selection and supervision of subcontractors
  • Coordination in case of data protection incidents (Art. 33, 34 GDPR)
  • Accountability and proof obligations

5. Rights of Affected Persons & Exercise

Each affected person can assert their rights under Art. 15–22 GDPR against any of the joint controllers.

Stella AI and the cooperation partner coordinate to process such requests and ensure that the affected person is provided with all necessary information.

A central contact point for inquiries regarding joint processing is:

Stella AI GmbH

Kaiserdamm 87, 14057 Berlin

Email: privacy@askstella.ai

6. Transparency & Information Obligations

Stella AI and the cooperation partner ensure that necessary information under Art. 12–14 GDPR is coordinated, consistent and easily accessible.

The user is explicitly informed in the cooperation partner's privacy policy about the joint responsibility and the role of Stella AI, as well as about the use of Stella Assist and OpenAI (incl. third country transfer).

7. Data Protection Incidents & Security

In case of data protection incidents affecting joint processing, the data protection coordinator of Stella AI immediately informs the cooperation partner and joint measures for damage limitation are taken.

Both parties are obliged to implement and regularly update appropriate technical and organizational measures in accordance with Art. 32 GDPR.

Only necessary data should be collected (data minimization), employees are to be obliged and trained, and processes are to be continuously documented.

8. Validity & Updates

This agreement enters into force upon publication on this page and applies continuously to all existing and future cooperations, unless expressly a deviating, individually agreed version applies.

Changes to this agreement become effective through publication on this page; cooperation partners are notified by email or contractually.

Internally, Stella AI maintains versioning and records of previous versions.

As of: October 15, 2025