Privacy Policy

Effective date: April 6, 2026

Overview

Estrevia is built on a privacy-first principle: your birth data is personal. We collect only what is necessary to provide the Service, encrypt sensitive data at rest, and give you full control over your information.

1. Data We Collect

Birth Data (PII) [Encrypted]
  • Date of birth
  • Time of birth (optional — required for house calculations)
  • Place of birth (city, country, coordinates)

Encrypted with AES-256-GCM before storage. The encryption key lives in Vercel's secret environment — it never touches the database.

Account Data
  • Email address (required to create an account)
  • Authentication tokens managed by Clerk

Cosmic Passport Share Data [Not PII]
  • Sun sign, Moon sign, Ascendant sign
  • Element, ruling planet, rarity percentage

Share data contains derived astrological results only — never raw birth data.

Usage Data (Analytics) [Anonymised]
  • Pages visited, features used
  • Chart calculation count
  • Passport share events

Collected only with your consent via cookie acceptance. Processed by PostHog (EU region).

Payment Data
  • Billing information (card last 4 digits, expiry) — processed by Stripe
  • Subscription status and plan

We never store full card numbers. All payment processing is handled by Stripe, Inc.

2. How We Use Your Data

  • Calculate and store your natal charts
  • Generate and display your Cosmic Passport
  • Authenticate you via Clerk
  • Process subscription payments via Stripe
  • Send transactional emails (chart saved, subscription confirmation) via Resend
  • Analyse product usage to improve the Service (with your consent)
  • Monitor errors and performance via Sentry

We do not sell your data, use it for advertising targeting, or share it with data brokers.

3. Birth Data Encryption

Birth date, time, and location are classified as personal data under GDPR. We protect this data with AES-256-GCM encryption before it is written to the database.

  • Each record uses a unique IV (initialisation vector)
  • Encryption key stored in Vercel environment variables — not in the database
  • Decryption happens only at request time, inside secure server functions
  • Decrypted data is never logged or stored in intermediate systems

4. Third-Party Services

Authentication and session management

Data shared: Email, OAuth tokens

Payment processing

Data shared: Billing information, subscription events

Product analytics (EU region)

Data shared: Anonymised usage events — only with cookie consent

Serverless PostgreSQL database

Data shared: Encrypted user data at rest

Hosting and edge infrastructure

Data shared: Request logs (IP, headers) — retained per Vercel policy

Transactional email delivery

Data shared: Email address, email content

Error monitoring

Data shared: Error stack traces, anonymised user context

5. Data Retention

Data | Retention
Temporary charts (no account) | 7 days
Saved charts (with account) | Until account deletion
Cosmic Passport share data | Until chart is deleted
Account data (email) | Until account deletion
Analytics events | 12 months (PostHog default)

6. Your Rights (GDPR)

If you are in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

Access

Request a copy of all data we hold about you.

Rectification

Correct inaccurate personal data.

Deletion

Delete your account and all associated data.

Export

Download your data in machine-readable JSON.

Restriction

Restrict processing of your data.

Objection

Object to processing based on legitimate interests.

To export your data: GET /api/v1/user/data-export (authenticated) — returns JSON with all charts and profile data.

To delete your account: Account Settings → Delete Account, or DELETE /api/v1/user/account — permanently deletes all data with cascade.

To exercise any other right, email privacy@estrevia.app. We will respond within 30 days.

7. Cookies and Tracking

We use cookies and localStorage for:

  • Authentication — Clerk session tokens. Necessary for the Service to function. No consent required.
  • Analytics — PostHog client identifier (localStorage). Requires explicit consent via the cookie banner.

You can withdraw analytics consent at any time by clearing your browser's localStorage or contacting us. We do not use advertising cookies.

8. International Data Transfers

Our analytics data (PostHog) is processed in the EU. Database infrastructure (Neon) may store data in the US. Where applicable, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Children's Privacy

Only users aged 13 or older may create an account. We do not knowingly collect personal data directly from children under 13.

Charts for family members. An adult account holder may enter a child's birth data (date, time, location) to calculate a natal chart. In this case the adult acts as the data controller for that information, is responsible for obtaining any required parental consent, and may delete or export the data at any time via /settings. Birth data is stored encrypted with AES-256-GCM and is never used to profile the child, serve advertising, or train AI models.

If you believe a child has created their own account or that personal data of a minor has been collected without proper consent, contact us at privacy@estrevia.app and we will delete the data within 30 days.

10. Contact and Data Controller

Estrevia operates as the data controller for personal data processed through the Service.

Privacy enquiries, GDPR requests, and data breach reports: privacy@estrevia.app

You also have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France).