Last updated: 13 May 2026.
Astrolium is a practitioner workspace, so we do hold sensitive client data — birth dates, birth locations, session notes, and reading history. We encrypt all of it, host it in the EU, never sell it, never train AI models on it, and give you a one-click export and a one-click delete. GDPR rights apply globally.
This policy describes what data Astrolium collects, how we use it, who we share it with, and your rights under GDPR. We have written it in plain language because legal jargon is how companies hide bad behavior. For the related documents, see the terms of service, the security page, and the contact page.
1. What we collect
Astrolium collects four categories of data.
Account data. Your email address, display name, password (hashed with Argon2id, never stored in cleartext), billing address, VAT number where applicable, and subscription tier. Editable or deletable from account settings at any time.
Practitioner content. The charts you create, the clients you add to your CRM, their birth dates, birth times, birth locations, session notes, tags, and any uploaded documents (consent forms, intake forms, PDFs you generated). This is the substantive content of your practice and we treat it as sensitive.
Telemetry. Anonymous, aggregated usage metrics: which features are opened, error rates, calculation latency, page load times. No chart contents, no client names, no session-note text appears in this stream. We use this data to inform the roadmap, not to profile individual users.
Logs. Server access logs (IP address, request path, response code, timestamp). Retained for 30 days for security monitoring, then permanently deleted.
2. What we do not collect
- No third-party web analytics. No Google Analytics, no Facebook Pixel, no Hotjar, no FullStory, no Mixpanel.
- No device or browser fingerprinting.
- No access to your contacts, calendar, microphone, or filesystem beyond what you explicitly upload.
- No data sent to any AI service for training. The AI interpretation feature sends individual chart data to Anthropic for inference only, with zero-retention contracts in place (see Sub-processors below).
3. How we use what we collect
Account data authenticates you, processes your subscription, and sends transactional email you have consented to (billing receipts always; release notes opt-in). Practitioner content is stored so you can return to it and is processed to compute charts, generate AI interpretations on request, and produce PDF reports. Telemetry informs the roadmap. Logs are reviewed only when investigating a security event or a customer-reported bug.
We do not use any of this data for advertising, marketing profiles, audience sale, or AI training.
4. Legal basis for processing (GDPR Article 6)
- Account, billing, and practitioner content — Article 6(1)(b), performance of a contract. You signed up to use Astrolium; we process what is necessary to deliver it.
- Telemetry and logs — Article 6(1)(f), legitimate interest. We run the service reliably and need usage data and access logs to do so. You can object at any time at
privacy@astrolium.com. - Release-note email and other marketing — Article 6(1)(a), consent. You opt in at signup and can opt out from any email or in account settings.
For special-category data under Article 9 (some practitioners record health-related notes in client records), we rely on explicit consent obtained by the practitioner from the client. Astrolium is the data processor; the practitioner is the data controller for their client records. We provide a Data Processing Agreement on request — email privacy@astrolium.com.
5. Where your data lives
Primary servers are in Frankfurt, Germany. Read replicas and encrypted backups are in Dublin, Ireland. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Daily encrypted backups are kept for 30 days, then permanently deleted.
If you are in the EU or EEA, your data is processed under GDPR. If you are outside the EU, you have the same rights — Astrolium applies GDPR-equivalent protections globally because it is simpler to operate and because we think it is right. We do not transfer practitioner content outside the EU without your explicit consent.
6. Sub-processors
The third parties that touch your data, with their function and region:
| Sub-processor | Purpose | Region | DPA |
|---|---|---|---|
| Vercel | Application hosting, edge runtime | EU (Frankfurt) | DPA |
| Supabase | Database, authentication, file storage | EU (Frankfurt) | DPA |
| Anthropic | AI interpretation inference (zero retention) | US (with EU residency option) | DPA |
| Stripe | Payment processing (card data never touches our servers) | EU + US | DPA |
| Resend | Transactional email (receipts, password resets, release notes) | EU | DPA |
| Cloudflare | CDN, DDoS protection, WAF | Global edge | DPA |
This is the complete list as of 13 May 2026. We do not add a sub-processor without updating this page first. Material changes are emailed to all customers 30 days before the new sub-processor goes live.
7. Data retention
| Data type | Retention |
|---|---|
| Account data (active) | For the life of the account |
| Account data (after account deletion) | Purged from primary store within 7 days; from backups within 30 days |
| Practitioner content | For the life of the account; user-initiated export anytime |
| Telemetry (aggregated) | 12 months |
| Server access logs | 30 days |
| Billing records | 10 years (German commercial-law requirement) |
| Closed support tickets | 24 months |
When you delete your account, we delete everything except billing records, which we are legally required to retain.
8. Your rights under GDPR (and equivalents)
You can, at any time, from your account settings:
- Access all data we hold about you, exported as a single JSON archive.
- Correct any data we hold.
- Delete your account and all associated data. Backups purged within 30 days.
- Restrict specific processing (you can disable AI interpretation, for example).
- Object to processing based on legitimate interest, including telemetry.
- Port your data to another service in machine-readable JSON.
- Withdraw consent for any consent-based processing without affecting prior lawful processing.
If you would rather email a request, write to privacy@astrolium.com. We respond within 7 days; the legal cushion is 30 and we do not use it.
You also have the right to file a complaint with a supervisory authority. The lead supervisory authority for Astrolium is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), reflecting the registration jurisdiction of ProCoders OU. EU residents may also file with their local DPA.
9. Cookies
Astrolium uses two cookies:
- A session cookie that keeps you logged in. Expires when you log out or after 30 days of inactivity.
- A preference cookie that remembers your theme (light/dark) and locale. Expires after 12 months.
We do not use tracking, advertising, or third-party analytics cookies. No cookie banner is shown because we do not place anything that requires consent under ePrivacy.
10. Data we share with law enforcement
Astrolium responds to valid legal requests from EU and Estonian law enforcement. We do not respond to informal requests, requests from authorities outside our jurisdiction without an MLAT process, or fishing expeditions. When we receive a request that meets the legal bar, we notify the affected user before responding unless the law specifically prohibits notification.
As of 13 May 2026, we have received zero such requests. If that changes, we will update this paragraph.
11. Children
Astrolium is not directed at children under 16, and we do not knowingly collect data from children under 16. If you believe a child has created an account, email privacy@astrolium.com and we will delete it within 7 days.
Practitioners using Astrolium to keep records of minor clients are responsible for obtaining the appropriate consent from a parent or guardian and for the lawful basis of processing.
12. Changes to this policy
If we materially change this policy, we email all users at least 30 days before the change takes effect. Material changes include adding a sub-processor, expanding the data we collect, or changing the legal basis for processing. Minor changes (clarifications, typo fixes) are made without notice and noted in the "Last updated" date at the top.
We do not retroactively apply policy changes to data already collected — new policies apply only to data collected after the effective date.
13. Contact
For questions about this policy or to exercise any of the rights above:
Email: privacy@astrolium.com
Data Protection Officer: Oleg Kopachovets (DPO duties), reachable at the same address
Mailing address:
ProCoders OU (operating as Astrolium)
Sepapaja 6
Tallinn 15551
Estonia
Operating office: Avenida Defensores de Chaves 15 6B, 1000-091 Lisboa, Portugal.
For related policies, see the terms of service, the security page, and the about page. For service uptime and incident history, see the status page.