Privacy Policy
Effective Date: March 27, 2026
1. Overview
This Privacy Policy describes how CelestKin ("we", "our", "the App") collects, uses, stores, shares, and protects your personal information. We are committed to transparency and give you control over your data.
2. Data We Collect
We collect the following categories of information:
Account Data: Name, email address, and profile photo provided through your sign-in method (email or Google OAuth).
Birth Data: Name, date of birth, time of birth (optional), and birth location that you enter for chart calculations and readings. This data is stored locally on your device using encryption and, if signed in, synced to our secure cloud database.
Reading Data: Generated readings, AI analyses, compatibility reports, and cosmic digests associated with your account.
Usage Data: Reading history, selected traditions, feature interactions, preferences, language settings, screen views, and question topics.
Purchase Data: Transaction records from Google Play or Apple App Store (product ID, purchase token, subscription status). We never receive or store your payment card details.
Device & Technical Data: Device type, operating system, app version, crash reports, and performance metrics.
3. How We Use Your Data
• Generate personalized astrology readings (birth data is sent to AWS Bedrock for AI processing)
• Compute charts across 9 astrological traditions
• Maintain your reading history and saved profiles
• Generate daily and weekly cosmic digests (if subscribed)
• Manage your credit balance and subscription status
• Enable compatibility matching between profiles
• Send notifications (cosmic briefings, streak reminders, transit alerts)
• Improve the App through anonymized usage analytics
• Diagnose and fix crashes and performance issues
• Prevent fraud and enforce our Terms of Service
4. Data Sharing
We do NOT sell, rent, or trade your personal data. We share data only with the following service providers who process it on our behalf:
• Supabase — Authentication and database hosting. Row Level Security ensures only you can access your data.
• Amazon Web Services (Bedrock) — AI reading generation. Birth data is sent for processing and is subject to AWS's privacy policy. AWS does not use your data to train models.
• Sentry — Crash reporting and error monitoring. No personal birth data or readings are sent.
• Mixpanel — Anonymized usage analytics only. We send feature interactions, question topics, screen views, and language — NEVER birth data, names, readings, or chart results.
• Google Play / Apple App Store — Payment processing for credit purchases and subscriptions.
All service providers are bound by their own privacy policies, data processing agreements, and applicable data protection laws.
5. Data Storage and Security
On-Device Security:
• Birth profiles and sensitive data encrypted via Flutter Secure Storage (Android Keystore / iOS Keychain)
• Local reading cache encrypted at rest
• All local data cleared on sign-out
Cloud Security:
• Postgres Row Level Security — each user can only access their own data
• All API communication over HTTPS/TLS
• Server-side JWT verification for every authenticated request
• Database queries include explicit user_id filtering as defense-in-depth
• Service-role keys restricted to server-side operations only
• AES-256-GCM encryption for stored readings
6. Data Retention
Active Accounts: Your data is retained as long as your account is active and for a reasonable period afterward to fulfill legal obligations.
Sign-Out: All local data (profiles, readings, cached charts) is immediately cleared from your device.
Account Deletion: You may permanently delete your account and all associated data via the You tab. Deletion is irreversible. Server-side data is purged within 30 days. Anonymized analytics data may be retained.
Crash Logs: Automatically deleted after 90 days.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
Access: View all your data within the App (profiles, readings, history).
Correction: Edit your profiles and birth data at any time.
Deletion: Delete individual profiles, readings, or your entire account.
Export: Share readings via the built-in share feature.
Portability: Request a copy of your data by contacting us.
Restriction: Use Private Mode to prevent cloud sync.
Objection: Opt out of analytics via the "Don't save questions" toggle.
Withdrawal of Consent: Delete your account to withdraw consent for data processing.
For EU/EEA residents (GDPR): You have additional rights including the right to lodge a complaint with your local data protection authority. Our legal basis for processing is consent (account creation) and legitimate interest (service improvement).
For California residents (CCPA/CPRA): You have the right to know what data we collect, request deletion, and opt out of sale (we do not sell data). We do not discriminate against users who exercise privacy rights.
To exercise any right: [email protected]. We will respond within 30 days.
8. International Data Transfers
Your data may be processed in countries outside your jurisdiction, including the United States (AWS) and within the European Union (Supabase). These transfers are protected by standard contractual clauses, adequacy decisions, or equivalent safeguards as required by applicable law.
9. Children's Privacy
CelestKin is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If we discover we have inadvertently collected data from a child, we will promptly delete it. Parents or guardians who believe their child has provided data should contact us immediately.
10. Private Mode
CelestKin offers a Private Mode toggle. When active, readings are NOT saved to the cloud and remain only in local device memory. Local data is cleared on sign-out. Private Mode does not affect existing cloud-stored data.
11. Cookies and Tracking (Web)
The CelestKin web application uses essential cookies for authentication and session management. Analytics cookies (Mixpanel) collect anonymized usage data. No third-party advertising cookies are used. You may disable non-essential cookies through your browser settings.
12. Automated Decision-Making
CelestKin uses AI (Claude via AWS Bedrock) to generate personalized readings based on your astrological chart data. These are automated outputs for entertainment purposes. No automated decisions with legal or significant effects are made about you. You may request human review of any reading by contacting us.
13. Changes
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via in-app notification. The "Effective Date" at the top will be updated accordingly.
14. Contact
Data protection inquiries: [email protected]