Data Handling
A more technical companion to our Privacy Policy. If you want to know exactly how the system protects access to your reading, this is the page.
Two-token model
Every order has two distinct tokens, and they do different jobs.
- Access token — an opaque random string we generate when your order is created. It's the parameter on every link we send you. Possessing it means you're the order owner.
- Render token — a short-lived signature derived from the access token plus a server-side secret, valid for ten minutes. It's used internally so our PDF renderer can prove it has authorization to fetch the report HTML. It's never stored.
Without a valid render token, the report routes serve a read-only consumer view rather than the full PDF source.
How email links stay valid
Email links don't embed direct download URLs. They point at our re-sign endpoint, which validates your access token and then redirects you to a freshly signed URL for the PDF in our object store, valid for 15 minutes. That means a year-old email still works. The trade-off to understand: the signed download URL, if it leaks (a shared screenshot, a proxy log), stops working within 15 minutes, but the email link itself carries your access token, which lives as long as the order. Forwarding the email forwards access to the report.
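The token mechanics described above (render token minting and verification, the report route's two views, and the re-sign redirect), as an added example in TypeScript. This is not astra.report's code. It assumes HMAC-SHA256 for the render-token signature, an in-memory Map standing in for the orders table, and a hand-rolled signed URL standing in for the R2 presigned URL; real R2 presigning is AWS SigV4 through the S3 SDK, which this example does not implement. The function names and the `expiry.signature` token layout are this example's own.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const RENDER_TTL_MS = 10 * 60 * 1000;  // render token lifetime: 10 minutes
const PRESIGN_TTL_MS = 15 * 60 * 1000; // signed download URL lifetime: 15 minutes

// Assumption: in production this is read from an environment variable.
const SIGNING_SECRET = "example-only-secret-not-for-production";

// Constructed stand-in for the orders table, keyed by access token.
const orders = new Map<string, { orderId: string; pdfKey: string }>();

// Access token: opaque random value, valid for the lifetime of the order.
function createOrder(orderId: string, pdfKey: string): string {
  const accessToken = randomBytes(32).toString("base64url");
  orders.set(accessToken, { orderId, pdfKey });
  return accessToken;
}

function sign(payload: string): string {
  return createHmac("sha256", SIGNING_SECRET).update(payload).digest("base64url");
}

// Constant-time comparison; the length check only leaks the (fixed) digest size.
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a), bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Render token: "<expiry>.<sig>". The signature binds the access token and the
// expiry to the server secret, so nothing needs to be stored: verification
// simply recomputes the signature and checks the clock.
function mintRenderToken(accessToken: string, now = Date.now()): string {
  const exp = now + RENDER_TTL_MS;
  return `${exp}.${sign(`render:${accessToken}:${exp}`)}`;
}

function verifyRenderToken(accessToken: string, token: string, now = Date.now()): boolean {
  const dot = token.indexOf(".");
  if (dot < 0) return false;
  const exp = Number(token.slice(0, dot));
  if (!Number.isFinite(exp) || exp < now) return false; // malformed or expired
  return safeEqual(token.slice(dot + 1), sign(`render:${accessToken}:${exp}`));
}

// Report route: the full PDF source only with a valid render token for this
// order; otherwise the read-only consumer view.
function reportRoute(
  accessToken: string,
  renderToken: string | null,
  now = Date.now(),
): "pdf-source" | "consumer-view" | "not-found" {
  if (!orders.has(accessToken)) return "not-found";
  const ok = renderToken !== null && verifyRenderToken(accessToken, renderToken, now);
  return ok ? "pdf-source" : "consumer-view";
}

// Stand-in for an R2 presigned URL: object key and expiry, signed with HMAC.
function presignPdf(pdfKey: string, now = Date.now()): string {
  const exp = now + PRESIGN_TTL_MS;
  const sig = sign(`pdf:${pdfKey}:${exp}`);
  return `https://r2.example/${encodeURIComponent(pdfKey)}?exp=${exp}&sig=${sig}`;
}

// What the object store would check before serving the object.
function isPresignedUrlValid(url: string, now = Date.now()): boolean {
  const u = new URL(url);
  const exp = Number(u.searchParams.get("exp"));
  const key = decodeURIComponent(u.pathname.slice(1));
  if (!Number.isFinite(exp) || exp < now) return false;
  return safeEqual(u.searchParams.get("sig") ?? "", sign(`pdf:${key}:${exp}`));
}

// Re-sign endpoint: the email link carries only the access token. A known
// token gets a 302 to a freshly signed URL; anything else gets a plain 404.
function resign(
  accessToken: string | null,
  now = Date.now(),
): { status: 302; location: string } | { status: 404 } {
  const order = accessToken !== null ? orders.get(accessToken) : undefined;
  if (!order) return { status: 404 };
  return { status: 302, location: presignPdf(order.pdfKey, now) };
}
```

The `now` parameter is there so the expiry behaviour can be exercised deterministically; the defaults use the wall clock. Domain-separating the two payloads (`render:` vs `pdf:`) keeps one secret from letting a render token be replayed as a download signature.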
Encryption
- In transit: all traffic is HTTPS. The site is served behind a TLS-terminating CDN (Vercel + Cloudflare).
- At rest: our database (Neon Postgres) and object store (Cloudflare R2) encrypt data at rest using their respective providers' managed encryption.
- Secrets: render-signing keys, Stripe webhook secrets, and provider tokens are stored in Vercel's encrypted environment variables and are never logged.
Token TTLs at a glance
| Token | Lifetime | Purpose |
|---|---|---|
| Access token | Lifetime of the order | Identifies you in email links |
| Render token | 10 minutes | Authorizes our PDF renderer |
| R2 presigned URL | 15 minutes | Direct download of the PDF |
What the AI sees
The narrative model receives the computed astronomical chart (planet positions, houses, aspects). It does not receive your name, email address, or precise birth time and place. The chart numbers go in; prose comes out. We use Anthropic's API under their published data-use policy.
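One way to enforce the boundary just described, as an added TypeScript example that is not astra.report's code: the model input is built by copying an explicit allow-list of chart fields off the order row, and a guard checks that the serialized payload contains none of the identifying values. The `Order` shape and field names are assumptions for the example; the sample order is constructed, not real data.

```typescript
// Assumed shape of an order row; only `chart` is allowed to reach the model.
type Order = {
  name: string;
  email: string;
  birth: { date: string; time: string; place: string };
  chart: {
    planets: Record<string, number>;            // ecliptic longitudes, degrees
    houses: number[];                           // house cusps, degrees
    aspects: { a: string; b: string; type: string; orb: number }[];
  };
};

type ModelInput = Order["chart"];

// Allow-list projection: copy the chart fields by name. Anything added to the
// order row later is excluded by default rather than leaking by default.
function modelInputFor(order: Order): ModelInput {
  const { planets, houses, aspects } = order.chart;
  return {
    planets: { ...planets },
    houses: [...houses],
    aspects: aspects.map((x) => ({ ...x })),
  };
}

// Guard for tests or request middleware: the serialized request body must not
// contain any identifying value from the row it was built from.
function leaksIdentity(order: Order, input: ModelInput): boolean {
  const body = JSON.stringify(input);
  const forbidden = [order.name, order.email, order.birth.time, order.birth.place];
  return forbidden.some((v) => v.length > 0 && body.includes(v));
}

// Constructed sample order (not real data).
const sampleOrder: Order = {
  name: "Ada Example",
  email: "ada@example.com",
  birth: { date: "1990-05-04", time: "14:32", place: "Lisbon, PT" },
  chart: {
    planets: { Sun: 43.7, Moon: 188.2, Mercury: 61.9 },
    houses: [12.5, 41.0, 70.3, 99.8, 131.2, 160.6, 192.5, 221.0, 250.3, 279.8, 311.2, 340.6],
    aspects: [{ a: "Sun", b: "Moon", type: "opposition", orb: 1.5 }],
  },
};
```

The guard is deliberately string-based: it catches the case where a field is added to the payload under a new name, which a type check on `ModelInput` alone would not.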
Where things live
| Data | Where | How long |
|---|---|---|
| Order row (name, email, Stripe IDs, status) | Neon Postgres | Up to 7 years (tax / AML) |
| Birth inputs and computed chart JSON | Neon Postgres | While order is active; deleted on request |
| Narrative JSON (the reading text) | Neon Postgres | While order is active; deleted on request |
| PDF report | Cloudflare R2 | While order is active; deleted on request |
| Stripe webhook events (idempotency log) | Neon Postgres | Retained for fraud / dispute investigation |
| Funnel analytics events | PostHog | Per PostHog retention |
| Error reports | Sentry | Per Sentry retention (typically 30–90 days) |
Deletion on request
When you ask us to delete your data, we remove the birth inputs, chart JSON, narrative JSON, and PDF object. We keep a minimal order record (your name, email, Stripe session ID, amount, timestamps) to satisfy financial recordkeeping requirements — those rows are aged out per our retention schedule. Send requests to hello@astra.report; we honor them within 30 days.
Backups
Our infrastructure providers maintain rolling backups of their systems for disaster recovery. We do not control these backup windows directly; deleted data may persist briefly in provider backups before being aged out per their policies.
Questions
Technical or security questions about this page — hello@astra.report.