Privacy Policy
Last updated: 2026-05-14 · These terms are reviewed by Astra periodically and effective on the Last updated date above.
This Privacy Policy explains what personal data the Astra platform collects, why we collect it, who we share it with, and what rights you have. Read alongside our Terms of Service and Cookie Policy.
Where a defined term is used (controller, processor, special category, legitimate interest) we mean the term as used in the EU/UK General Data Protection Regulation ("GDPR"). The same protections apply by analogy under the California Consumer Privacy Act / CPRA ("CCPA"), the Canadian PIPEDA, the Brazilian LGPD, and similar laws.
1. Who is the data controller
The controller is Sunstone Venture Capital LLC, doing business as Sunheir Culture ("Astra"), [Sunstone Venture Capital LLC, address — fill in], United States.
- Privacy / data-rights contact: hello@astraplatform.ai
- EU/UK representative under GDPR Art. 27: [EU representative — appoint and fill in]
- Data Protection Officer (DPO): [DPO contact — appoint if required by Art. 37, fill in]
2. The personal data we collect
2.1 Account data
Email, display name, handle, avatar, hashed password (we never store plaintext passwords), language preference, two-factor authentication status.
Lawful basis (GDPR Art. 6): performance of a contract.
2.2 Sensitive birth data — special category (GDPR Art. 9)
Birth date, birth time, and birth city are required to compute astrology charts, BaZi pillars, Zi Wei plates, and numerology profiles. Under GDPR Art. 9 these are special-category data because they may reveal information about religious or philosophical belief (you are choosing to engage with a divination system).
We process this data only with your explicit consent (GDPR Art. 9(2)(a)), captured at onboarding and re-confirmable in Settings → Privacy. You can withdraw consent at any time, in which case we delete the derived charts and stop personalising readings using that data.
We do not share your birth data with other users without your separate, granular consent (e.g. when you opt in to a compatibility match).
2.3 Profile data
Gender identity, pronouns, who you'd like to meet, bio, photos, audio notes. All optional. Sexual-orientation or political-belief fields, where present, are also special-category data and use the same explicit-consent basis.
2.4 Reading and journal data
Questions you ask, prompts you select, AI-generated and human-generated responses, private journal entries, saved cards or charts.
Lawful basis: contract for delivery; consent for any optional AI-training use.
2.5 Social data
Follows, "gaze" / "resonate" / "orbit" interactions, direct messages, live-stream chat, gifts sent and received, reactions, reports filed.
2.6 Voice data
Audio streams during voice readings are transient: streamed to Deepgram (speech-to-text), Anthropic Claude (response generation) and Cartesia (text-to-speech), and not retained by us by default. We may retain a 30-day audit log of voice-session metadata (start time, duration, voice persona) for trust & safety. Transcripts are stored on Astra only if you enable the Transcript history setting.
2.7 Payment data
Handled by Stripe. Astra receives only the last four card digits, card brand, billing country, and transaction status. We never store full card numbers, CVV, or bank-account numbers.
2.8 Device / technical data
IP address, browser user-agent, operating system, approximate city-level location, device fingerprints used solely for fraud prevention.
Lawful basis: legitimate interest in fraud prevention and service security.
2.9 Cookies and similar technologies
See the Cookie Policy.
2.10 Data we do not collect
We do not request your real legal name, government identifier, home address, or biometric data unless you are a reader or live broadcaster going through identity verification for monetisation (handled by Stripe Identity).
3. Why we process your data and on what lawful basis
| Purpose | Lawful basis |
|---|---|
| Provide the core service (account, charts, readings) | Contract + explicit consent for birth data |
| Process payments, prevent fraud | Contract + legitimate interest |
| Trust & safety, moderation, abuse prevention | Legitimate interest; legal obligation |
| Improve AI quality with de-identified samples | Opt-in consent only — controlled in Settings → AI training and off by default |
| Send transactional email (receipts, password resets) | Contract |
| Send marketing email | Opt-in consent only; withdraw any time |
| Comply with legal orders | Legal obligation |
4. Who we share data with (sub-processors)
We share data only with the providers we need to operate the Platform. Each is bound by a written data-processing agreement and GDPR-compliant safeguards. The current list:
- Stripe, Inc. — payment processing, payouts, identity verification · https://stripe.com/privacy
- Supabase, Inc. — Postgres database, auth, file storage · https://supabase.com/privacy
- Anthropic, PBC — Claude language-model inference · https://www.anthropic.com/legal/privacy
- Deepgram, Inc. — speech-to-text · https://deepgram.com/privacy
- Cartesia, Inc. — text-to-speech and voice clone hosting · https://cartesia.ai/legal/privacy
- LiveKit, Inc. — real-time audio / video media routing · https://livekit.io/legal/privacy-policy
- Ably Real-time Ltd — real-time chat / presence delivery · https://ably.com/privacy
- Resend, Inc. — transactional email · https://resend.com/legal/privacy-policy
- Vercel, Inc. — hosting / CDN / edge compute · https://vercel.com/legal/privacy-policy
- Cloudflare, Inc. — CDN, DDoS protection · https://www.cloudflare.com/privacypolicy/
- Plausible Insights OÜ / PostHog Inc. — privacy-respecting analytics, only after you opt in via the cookie banner
We do not sell personal data and do not share it for cross-context behavioural advertising (CCPA definitions). We do not trade or rent personal data. We may disclose data:
- to comply with a valid legal request, subpoena or court order;
- to protect the rights, property, or safety of Astra, our users, or the public; or
- in a corporate transaction (merger, acquisition), in which case we will notify you and you may close your account.
5. International data transfers
Astra is headquartered in the United States. We store data primarily in the US (Supabase US region). For EU/UK/EEA/Swiss users we additionally replicate identifiers to an EU region where available for performance.
Cross-border transfers from the EU/UK to the US and to other third countries rely on the European Commission Standard Contractual Clauses (Module 2 / Module 3) signed with each sub-processor, plus the UK International Data Transfer Addendum and Swiss amendments where applicable. For sub-processors operating under the EU-US Data Privacy Framework (DPF) we additionally rely on that framework.
Request the full list of safeguards by emailing hello@astraplatform.ai.
6. How long we keep your data (retention)
| Category | Retention |
|---|---|
| Active account data | While your account is open + 24 months after last login |
| Deleted account | 30-day soft-delete (restorable) → irreversibly purged within 90 days |
| Birth data | Deleted on consent withdrawal; otherwise as account data |
| Voice audio | Not retained beyond the live session (default) |
| Voice transcripts | Only if you enable Transcript history; deletable any time |
| Reader-session recordings | 30 days (Reader / Live policy) |
| Live-stream VOD | 30 days unless the broadcaster sets longer |
| Payment / financial records | 7 years (US IRS, FinCEN, equivalent) |
| Trust & safety case files | 24 months from case close, or as required by legal hold |
| Crash logs, request logs | 90 days |
| AI training samples (opt-in) | De-identified; retained until you opt out, then deleted within 90 days |
7. Your rights
Depending on where you live you have some or all of the following rights. We respond within 30 days (GDPR / UK GDPR) or 45 days (CCPA / CPRA, extendable to 90 with notice).
- Access — get a copy of the personal data we hold
- Rectification / correction — fix inaccurate data
- Erasure — close your account and have your data deleted (subject to legal retention rules above)
- Portability — receive a machine-readable export
- Restriction — pause processing while we resolve a dispute
- Objection — object to processing based on legitimate interest or for direct marketing (we will stop)
- Withdraw consent — for AI training, marketing, or birth-data processing, at any time without affecting prior lawful processing
- Lodge a complaint with your supervisory authority (EU/EEA), the UK ICO, the California Privacy Protection Agency, or the equivalent body where you live
7.1 How to exercise rights
- Most rights can be exercised in Settings → Privacy → Data rights.
- Or email hello@astraplatform.ai with subject "Data rights request: <type>".
- We may ask you to verify identity before fulfilling a request.
7.2 California-specific notices (CCPA / CPRA)
In the past 12 months we have collected the categories of data described in section 2 and disclosed them only to the sub-processors listed in section 4 for the business purposes described in section 3. We have not sold personal data and have not shared personal data for cross-context behavioural advertising. We do not use sensitive personal information for purposes beyond those listed in CPRA § 7027(m).
California residents may exercise rights to know, delete, correct, opt-out of sale/sharing, and limit use of sensitive personal information via Settings → Privacy → Data rights or by emailing hello@astraplatform.ai. We do not discriminate against users who exercise their CCPA rights.
If we ever introduce features that would meet the CCPA definition of "sale" or "share", we will publish a "Do Not Sell or Share My Personal Information" link in the footer and honour the Global Privacy Control (GPC) browser signal.
7.3 EU / UK-specific notice
You have the right to lodge a complaint with the supervisory authority in your member state of habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77).
8. Children's privacy
- Under 13 — not permitted on the Platform. We delete any account we discover to be under 13 (COPPA + global child-safety norms).
- 13 to 15 — in jurisdictions where the GDPR-K minimum is 16 (most EU member states), users below the local digital-consent age may use the Platform only with verifiable parental consent.
- 13 to 17 — Explore-only mode (read public content, follow brands, watch public live). Direct messaging, gift transactions, voice readings, live broadcasting and marketplace purchases are blocked.
- 18+ — full experience.
See the Safety & Age Policy for the detailed treatment.
9. Security
We use industry-standard administrative, technical, and organisational measures:
- TLS 1.3 in transit; AES-256 at rest for sensitive fields
- Row-level security in our database
- Hashing of passwords with bcrypt (cost factor 12) or stronger
- SSO / multi-factor authentication available
- Annual third-party penetration test (planned; commercial launch)
- Incident-response playbook and 72-hour breach notification under GDPR Art. 33
No system is perfectly secure. If you discover a vulnerability, please email hello@astraplatform.ai instead of testing in production.
10. Automated decision-making
We do not carry out automated decision-making that produces legal effects on you within the meaning of GDPR Art. 22. Trust & safety classifiers may flag content for human review, but we do not auto-ban accounts solely based on AI output for serious matters.
11. Changes
We may update this Privacy Policy. For material changes we will email subscribers at least 30 days in advance and post a banner on the Platform.
12. Contact
- Privacy / data rights: hello@astraplatform.ai
- EU representative: [appoint + fill in]
- DPO: [appoint + fill in]
- Postal: Sunstone Venture Capital LLC dba Sunheir Culture, [Sunstone Venture Capital LLC, address — fill in], United States
This document is not legal advice.
