Privacy Policy
We collect what we need to cast your chart and write your reading — and nothing else. This page explains exactly what that means.
1. Who we are
Astra ("we", "us") operates www.astra.report, a service that produces personalized natal-chart readings using astronomical calculations and an AI language model. For questions about this policy or your data, email hello@astra.report.
2. What we collect
When you order a reading, you provide:
- Name and email address — to address you in the reading and deliver the PDF.
- Date of birth — required for chart calculation.
- Time of birth — optional. If unknown, we cast a solar chart at noon and flag time-dependent passages.
- City of birth — and the latitude, longitude, and timezone we derive from it.
We also receive payment information at checkout, but we never see or store your card number. That stays with Stripe. We retain only a Stripe session ID and the amount paid.
3. How we use it
- Chart calculation — your birth data is fed into the Swiss Ephemeris to produce an exact astronomical chart.
- Narrative generation — the chart (not your name or email) is sent to Anthropic's Claude API to write the reading.
- PDF rendering — Cloudflare Browser Rendering generates the PDF; we store it in Cloudflare R2.
- Email delivery — Resend delivers your preview and full report.
- Operations — analytics (PostHog), error tracking (Sentry), and rate limiting (Upstash) for fraud prevention and reliability.
4. Automated decision-making
Your reading is produced entirely by automated processing — Swiss Ephemeris math computes the chart positions, and an AI language model writes the prose interpretation against a structured prompt. There is no human astrologer reviewing your chart before delivery. The reading is interpretive content, not a decision that affects your legal rights or material interests, and it is intended for personal reflection and entertainment.
You have the right to request a human review or explanation of how your chart was generated. Email hello@astra.report and we will respond within 30 days.
5. Legal basis (for users in the EU/UK)
- Contract performance (GDPR Art. 6(1)(b)) — for generating and delivering your reading.
- Legitimate interests (Art. 6(1)(f)) — for fraud prevention, analytics, and service reliability.
- Consent (Art. 6(1)(a)) — for any optional marketing emails (none currently sent).
6. Sub-processors
We use the following third parties to operate the service. Each is bound by its own privacy policy and processing agreement.
| Provider | Purpose | Region |
|---|---|---|
| Stripe | Payment processing | US / EU |
| Anthropic | AI narrative generation (Claude) | US |
| Resend | Email delivery | US / EU |
| Cloudflare | PDF rendering and R2 storage | Global |
| Neon | PostgreSQL database | US / EU |
| Inngest | Background job orchestration | US |
| Vercel | Application hosting | Global edge |
| PostHog | Product analytics | US / EU |
| Sentry | Error monitoring | US / EU |
| Upstash | Rate limiting | Global |
| | City geocoding (Places API) | Global |
7. Retention
We are honest about how long we keep things. There are three layers, and they each have different lifetimes.
- Birth inputs and chart data (your date, time, place; the computed chart; the AI-generated narrative; the PDF in R2): retained while your order is active so we can re-deliver the email or re-issue the PDF link if you ask. You can request erasure at any time at hello@astra.report; we honor that within 30 days (GDPR Art. 17).
- Order metadata (your name, email, Stripe session ID, amount, timestamps): retained for the longer of (a) the 30-day refund window and (b) tax and anti-money-laundering recordkeeping obligations — typically up to 7 years. Even after a deletion request, we may retain this minimum financial record where the law requires it.
- Provider-side residuals: our sub-processors (Stripe, Resend, Sentry, R2, PostHog, Neon backups) maintain their own retention and backup windows that we do not control. See their privacy policies for specifics.
8. Cookies and analytics
We use PostHog to record funnel events (such as checkout_started, report_delivered, upsell_converted) so we can understand where the experience falls down. We use Sentry to capture errors. We do not use advertising cookies and we do not sell or share your data for cross-context behavioral advertising.
9. Your rights
Regardless of where you live, you can email hello@astra.report to:
- Access a copy of the data we hold about you.
- Correct anything inaccurate.
- Delete your birth data and PDF.
- Export your data in a portable format.
- Object to a particular processing activity.
- Withdraw any consent you previously gave.
EU and UK users have an additional right to lodge a complaint with their local supervisory authority.
10. Children
Astra is not directed to anyone under 16. We do not knowingly collect data from children. If you believe a child has submitted data, email us and we will delete it promptly.
11. International transfers
Some of our sub-processors operate in the United States. Where data is transferred from the EU/UK to a third country, we rely on Standard Contractual Clauses or equivalent safeguards through our provider agreements.
12. Security
Data is transmitted over HTTPS and stored encrypted at rest by our infrastructure providers. Report links are gated by short-lived signed tokens — see Data Handling for the operational details.
13. Changes
We'll update the "last updated" date at the top of this page when we revise this policy. Material changes will be announced by email to active customers.
14. Contact
Privacy questions, data requests, complaints — all go to hello@astra.report. We aim to reply within a few business days.