Privacy Policy

How we protect your data

Effective Date: February 21, 2026

Version 1.2

1. Who We Are

Aurathea, PBC (Public Benefit Corporation) is a Delaware company that provides an astrology platform offering natal chart generation, astrological interpretations, AI-powered chatbot discussions, daily horoscopes, and related educational content. We are the data controller responsible for your personal information.

For privacy inquiries, contact us at privacy@aurathea.com.

2. Information We Collect

We collect information in the following categories:

  • Account Information: Email address, password (hashed), display name, language preference, timezone
  • Birth Data (for chart generation): Date of birth, time of birth, place of birth (converted to latitude/longitude/timezone for calculation)
  • Payment Information: Processed by Stripe. We do not store credit card numbers. We retain: subscription status, plan type, purchase history, Stripe customer ID
  • Usage Data: Pages visited, features used, chart generation requests, chatbot interactions (message count and messages used), language preference, session information
  • Technical Data: IP address (for geo-location and security), browser type, device information, referral source
  • Email Leads: If you sign up for our newsletter or provide your email before creating an account, we collect your email address and the context in which it was provided (page, timestamp, user agent for fraud prevention). This data is processed under your consent and retained until you unsubscribe.

3. How We Use Your Information

  • Service Delivery: Generate your natal charts, interpretations, horoscopes, and AI chatbot responses
  • Account Management: Create and maintain your account, process payments, manage subscriptions
  • Communication: Send transactional emails (account confirmation, password reset, purchase receipts) and marketing emails (only with your explicit consent)
  • Improvement: Analyze usage patterns to improve features and content quality
  • Security: Detect and prevent fraud, abuse, and unauthorized access
  • Legal: Comply with applicable laws, regulations, and legal processes

4. AI Processing Disclosure

We use artificial intelligence in the following ways:

  • Chart Interpretations — Generated using OpenAI's language models based on your astrological data. Birth data (date, time, location) is sent as astronomical positions, not personally identifiable information.
  • AI Chatbot — Powered by Anthropic's Claude. Your chat messages are sent to Anthropic for response generation. Chat sessions are summarized and archived; raw transcripts are not permanently stored.
  • Daily Horoscopes — Generated using AI with astronomical ephemeris data. No personal data is used in horoscope generation.
  • Rare Aspect Configurations — AI-generated narrative interpretations of geometric chart patterns. Uses only astronomical data.

We do not use your personal data to train AI models. Our AI providers (Anthropic, OpenAI) process data under data processing agreements and do not retain your data for their own training purposes.

Mobile Application

When you use the Aurathea mobile application, the following additional data practices apply. These are specific to the mobile app and supplement the data practices described above for the web service.

Voice Input Processing

The Aurathea mobile app offers voice input for the AI chatbot feature. Voice processing (speech-to-text conversion) occurs entirely on your device using your operating system's built-in speech recognition. Audio is never recorded, transmitted to, or stored on Aurathea servers. Only the resulting text transcript is sent to our API for processing, subject to the same AI processing practices described in Section 4. We do not create, collect, store, or transmit voiceprints, voice biometric data, or any audio recordings. The on-device speech recognition is governed by your device manufacturer's privacy practices (Apple or Google), not by Aurathea.

On-Device Secure Storage

The mobile app stores limited data locally on your device using the operating system's secure storage facility (iOS Keychain via SecureStore on Apple devices; EncryptedSharedPreferences on Android). This includes: your authentication token (JWT), your language preference, and app configuration settings. This data remains on your device, is encrypted by the operating system, and is automatically deleted when you uninstall the app or sign out.

Push Notifications

If you enable push notifications, your device's push notification token (a unique identifier assigned by Apple Push Notification service or Google Firebase Cloud Messaging) is transmitted to and stored on Aurathea servers for the purpose of delivering notifications. Push notification tokens are not linked to your device identity and cannot be used to identify you personally. You may disable push notifications at any time through your device settings, which will cause us to stop sending notifications. We will delete your push notification token from our servers within 30 days of your disabling notifications or uninstalling the app.

5. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data under these legal bases:

  • Performance of Contract (Art. 6(1)(b)) — Chart generation, subscription services, chatbot responses
  • Consent (Art. 6(1)(a)) — Marketing emails, newsletter subscriptions, email lead collection, and optional data processing
  • Legitimate Interest (Art. 6(1)(f)) — Security, fraud prevention, service improvement, analytics
  • Legal Obligation (Art. 6(1)(c)) — Tax records, regulatory compliance

6. Data Sharing and Third Parties

We share your data only with the following service providers, each under appropriate data processing agreements:

  • Stripe — Payment processing. Receives payment details and billing information. PCI DSS Level 1 certified.
  • Anthropic — AI chatbot responses. Receives chat messages and astrological context. Data processing agreement in place.
  • OpenAI — Batch interpretation generation. Receives astrological positions (not personally identifiable data). Used for pre-generating content, not real-time user interactions.
  • Amazon Web Services (AWS) — Infrastructure hosting. All data stored in AWS US-East-2 (Ohio). Data encrypted at rest and in transit.
  • MaxMind GeoLite2 — Local geolocation database for regional pricing. No data is sent to MaxMind; the database runs locally on our servers.

We do not sell your personal information. We do not share your data with advertisers or data brokers.

7. Cookies and Tracking

Aurathea uses only essential cookies:

  • Session Token (JWT) — Strictly necessary for authentication. Expires when you log out or after inactivity.
  • Language Preference — Functional cookie storing your selected language. Persists across sessions.

We do NOT use: third-party tracking cookies, advertising cookies, social media pixels, Google Analytics or similar analytics services, or any cross-site tracking technology.

8. Data Retention

We retain your data according to the following schedule:

  • Account data — Retained while account is active. Deleted upon account deletion.
  • Charts and interpretations — Retained while account is active. Deleted upon account deletion.
  • Chat sessions — Summarized and archived to S3 after 90 days. Raw transcripts deleted. Summaries retained while account is active.
  • Payment records — Retained for 7 years after transaction as required by tax law.
  • Security logs — Retained for 90 days, then deleted.
  • Email leads — Retained until unsubscribed, then deleted within 30 days.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Right to Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate or incomplete data
  • Right to Erasure — Request deletion of your personal data
  • Right to Data Portability — Receive your data in a structured, machine-readable format
  • Right to Restrict Processing — Request that we limit how we use your data
  • Right to Object — Object to processing based on legitimate interest
  • Right to Withdraw Consent — Withdraw consent for marketing or optional processing at any time

To exercise any of these rights, contact privacy@aurathea.com. We will respond within 30 days (or 15 days for LGPD requests from Brazil).

10. International Data Transfers

Your data is stored and processed in the United States (AWS US-East-2, Ohio). If you access our Service from outside the United States, your personal data will be transferred to and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legally recognized transfer mechanisms to ensure your data receives adequate protection:

  • EU-US Data Privacy Framework (DPF) — Several of our key service providers, including Stripe and Amazon Web Services, are certified under the EU-US Data Privacy Framework, which has been recognized by the European Commission as providing adequate protection for personal data transferred from the EU to the US.
  • Standard Contractual Clauses (SCCs) — Where the Data Privacy Framework does not apply, we enter into Standard Contractual Clauses approved by the European Commission (Decision 2021/914) with our data processors. Our data processing agreements with Anthropic, OpenAI, and other providers incorporate these clauses.
  • Supplementary Measures — In addition to the legal transfer mechanisms above, we implement technical safeguards including encryption in transit (TLS 1.2+) and at rest, access controls, network isolation, and continuous security monitoring.

EU Representative (GDPR Article 27) — As Aurathea does not have a physical establishment in the EEA, we have designated [EU Representative Name and Contact] as our representative in the European Union in accordance with Article 27 of the GDPR. You may contact our EU representative regarding any data protection matter.

UK Representative (UK GDPR Article 27) — For users in the United Kingdom, we have designated [UK Representative Name and Contact] as our representative in the UK in accordance with Article 27 of the UK GDPR.

You may request information about the specific safeguards applied to transfers of your personal data by contacting us at privacy@aurathea.com.

11. Children's Privacy

Aurathea is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. If you are a parent or guardian and believe your child has provided us with personal information, please contact privacy@aurathea.com and we will promptly delete such information.

12. Security

We implement industry-standard security measures including: HTTPS/TLS encryption for all data in transit, encryption at rest for stored data, secure password hashing, rate limiting and abuse prevention, regular security reviews, and non-root container deployment.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • For users in Brazil, comply with LGPD breach notification requirements to the ANPD (Autoridade Nacional de Proteção de Dados)
  • Maintain internal records of all data breaches, their effects, and remedial actions taken

If you believe your data has been compromised, please contact us immediately at security@aurathea.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before they take effect. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

privacy@aurathea.com

General inquiries: contact@aurathea.com

Additional Information for Users in Brazil (LGPD)

Under the Lei Geral de Proteção de Dados (LGPD), you have additional rights including the right to confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. Contact privacy@aurathea.com with subject line 'LGPD Request' for a response within 15 days.

Data Protection Officer (Encarregado): In accordance with LGPD Article 41, our designated Data Protection Officer can be reached at privacy@aurathea.com. The Encarregado is responsible for accepting complaints and communications from data subjects and the ANPD, advising on data protection practices, and carrying out other duties as determined by the controller.

Additional Information for California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information.