Privacy Policy

Version 1.5 | Last updated: May 19, 2026

1. Introduction

TriAstra ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (the "Service").

We understand that astrological birth data is deeply personal and sensitive. This policy describes our practices regarding this information and your rights to control it under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Japan's Act on the Protection of Personal Information (APPI), and Korea's Personal Information Protection Act (PIPA).

2. Data Controller Information

For the purposes of data protection law, TriAstra is the data controller responsible for your personal information.

Data Controller: TriAstra

Contact Email: support@triastra.ai

Website: https://triastra.ai

3. Information We Collect

3.1 Birth Data (Special Category Data)

To generate accurate astrological charts, we collect:

  • Date of birth
  • Time of birth (optional but recommended for accuracy)
  • Place of birth (city and country)
  • Geographic coordinates (automatically derived from place of birth)
  • Timezone information

Note: Birth data is considered "special category data" under GDPR and "sensitive personal information" under CCPA. We process this data only with your explicit consent.

3.2 Account Information

TriAstra authenticates via Google Sign-In, Sign in with Apple, and email-based Magic Links. We do not store user-set passwords. Account-level data we collect includes:

  • Email address (provided by your identity provider, or used directly for Magic Link sign-in)
  • Display name (provided by your identity provider, where available)
  • OAuth identifiers (subject ID from Google or Apple)
  • Magic-link tokens and click metadata (single-use token, IP address, click and completion timestamps; tokens are single-use and expire automatically)
  • Internal user ID generated by TriAstra
  • Profile preferences and settings

3.3 Usage Data and Analytics

  • Device information (type, operating system, anonymous device identifiers used by analytics SDKs)
  • Log data (IP address, browser type, pages visited, timestamps)
  • Feature usage patterns and interaction events (via PostHog)
  • Astra AI conversation history (sent to Google Gemini for response generation; retained for service provision)
  • Crash reports and error logs (via Sentry)
  • Performance metrics and diagnostics (via Sentry)
  • Push notification tokens (Firebase Cloud Messaging on Android, Apple Push Notification Service on iOS)
  • Subscription state (active tier, renewal status, retrieved from RevenueCat and the platform stores)

3.4 Payment Information

Payment transactions are processed through third-party payment providers:

  • Apple App Store: In-app purchases (iOS)
  • Google Play Store: In-app purchases (Android)
  • Paddle: Web-based payments (ChatGPT App, triastra.ai)

We do not store your full credit card information. We receive only transaction confirmations, subscription status, and anonymized payment identifiers.

Full billing records — card details, billing address, tax invoices — are held by Apple, Google, and Paddle respectively, who act as independent data controllers for that data. To exercise data-portability or deletion rights over billing-only records, please contact the relevant payment processor directly. TriAstra can only act on the transaction state we receive from those processors.

3.5 Location Data

We collect location data solely for the purpose of calculating accurate birth charts. We do not track your real-time location or use location data for advertising purposes.

4. How We Use Your Information

We use the collected information for the following purposes:

  • Chart Calculation: Generate precise Western, Vedic, and Saju astrological charts using Swiss Ephemeris
  • AI Interpretation: Provide personalized insights through Astra AI powered by Google Gemini
  • Service Provision: Maintain your account, deliver premium features, and provide customer support
  • Service Improvement: Analyze usage patterns to enhance features, fix bugs, and improve user experience
  • Communication: Send service updates, security alerts, subscription confirmations, and support messages
  • Security: Detect and prevent unauthorized access, fraud, and abuse
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes
  • Aggregated Analytics: Create anonymized, aggregated statistics for research and business purposes

We do NOT use your birth data or personal information for advertising, marketing to third parties, or selling to data brokers.

6. Third-Party Services

We use the following third-party services that may collect or process your data:

6.1 Cloud Infrastructure

  • Google Cloud Platform: Data storage, database hosting (Cloud SQL for PostgreSQL), and infrastructure
  • Purpose: Host application data and provide reliable service delivery
  • Data Transferred: All user data (encrypted at rest and in transit)

6.2 AI Services

  • Google Gemini AI: Powers Astra AI interpretations and insights
  • Purpose: Generate personalized astrological interpretations
  • Data Transferred: Birth chart data, planetary positions, and user questions (anonymized where possible)

6.3 Payment Processors

  • Apple App Store: iOS subscription and in-app purchase processing
  • Google Play Store: Android subscription and in-app purchase processing
  • Paddle.com Market Limited: Web-based payment processing (triastra.ai and ChatGPT App)
  • Data Transferred: Payment amount, transaction ID, subscription status (no full credit card numbers)

6.3.1 Paddle as Independent Data Controller

When you make a web purchase through triastra.ai or the ChatGPT App integration, your payment data is processed by Paddle.com Market Limited acting as merchant of record. For these transactions, Paddle collects and processes the following data as an independent data controller (not as our processor):

  • Payment method details (card number, expiry — held by Paddle, not TriAstra)
  • Billing address and email address
  • Transaction records for tax and invoicing purposes

Paddle's handling of this data is governed by Paddle's own Privacy Policy: https://www.paddle.com/legal/privacy. We receive only transaction confirmations and subscription status from Paddle — we do not receive or store your full payment method details.

6.4 Monitoring and Error Tracking

  • Sentry: Application monitoring, crash reporting, and error tracking
  • Purpose: Identify and fix bugs, improve application stability
  • Data Transferred: Error logs, stack traces, device information, internal user ID (no birth data)

6.5 Product Analytics

  • PostHog: Product analytics and feature usage tracking
  • Purpose: Understand which features are used, diagnose UX friction, prioritize improvements
  • Data Transferred: Pseudonymous user identifier, internal user ID, screen views, tap events, feature interactions (no birth data, no chat content)

6.6 Push Notifications

  • Firebase Cloud Messaging (Google) / Apple Push Notification Service: Delivery of push notifications
  • Purpose: Send daily fortune reminders, subscription receipts, and product updates that you have opted into
  • Data Transferred: Device push token, notification payload (no birth data)

6.7 Subscription Management

  • RevenueCat: Subscription entitlement tracking across Apple App Store and Google Play Store
  • Purpose: Determine which premium features the user is entitled to, deliver receipts, and manage renewals
  • Data Transferred: Internal user ID, store transaction identifiers, subscription tier, renewal state (no birth data, no card numbers)

These third parties have their own privacy policies. We encourage you to review them. We use Data Processing Agreements (DPAs) with processors handling personal data to ensure GDPR compliance.

7. Data Storage and Security

Security Measures:

  • All data is encrypted in transit using TLS 1.3
  • Birth data and sensitive information are encrypted at rest using AES-256
  • Access to personal data is restricted to authorized personnel only
  • Regular security audits and vulnerability assessments
  • Data is stored on secure cloud infrastructure with automatic backups
  • Multi-factor authentication for administrative access

While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your information.

Breach notification. In the event of a personal-data breach we will notify affected users and the relevant supervisory authorities within the timeframes required by law:

  • GDPR (EU/UK/EEA): notification to the competent supervisory authority within 72 hours of becoming aware of the breach, and to affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • PIPA (South Korea): notification to the Personal Information Protection Commission and affected users within 72 hours; breaches affecting 1,000 or more data subjects are also reported to the Korea Internet & Security Agency (KISA).
  • APPI (Japan): preliminary report to the Personal Information Protection Commission within 3-5 days and a detailed report within 30 days (60 days where unlawful purpose is suspected), with prompt notification to affected users.
  • CCPA / CPRA (California): notification to affected residents in the most expedient time possible and without unreasonable delay.

Notifications are sent by email to your registered address and, where appropriate, via in-app notice.

7.5 Cookies and Tracking Technologies

We use a minimal set of cookies and similar storage mechanisms across the TriAstra website. We do not use advertising cookies, fingerprinting, or cross-site tracking, and we do not load tag managers or third-party ad SDKs.

  • Essential (always on): sign-in session tokens, CSRF protection, language preference, and your cookie-consent decision itself. These are required to deliver the Service.
  • Pseudonymous analytics (consent-gated): PostHog product analytics and Core Web Vitals are loaded only after you explicitly accept analytics via our cookie banner. Used to measure page performance, diagnose UX friction, and prioritize improvements. No advertising audiences, no data brokers.
  • No advertising, marketing, or cross-site tracking cookies.

You can change your analytics preference at any time by clearing the triastra_cookie_consent entry in your browser's local storage; the banner will re-prompt on your next visit. On mobile, PostHog runs in the TriAstra app for product analytics and session replay (with text and personal images masked by default); device-level analytics opt-outs (iOS Settings → Privacy & Security → Tracking; Android Settings → Privacy → Ads) also apply.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right to Access: Request a copy of your personal data we hold
  • Right to Correction: Update or correct inaccurate information
  • Right to Deletion: Request deletion of your account and associated data ("right to be forgotten")
  • Right to Export: Download your birth charts and data in a portable format (JSON)
  • Right to Opt-Out: Unsubscribe from marketing communications
  • Right to Restriction: Limit how we process your data
  • Right to Objection: Object to certain types of data processing
  • Right to Withdraw Consent: Withdraw consent for data processing at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at support@triastra.ai. We will respond within:

  • 30 days (general requests)
  • 1 month (GDPR requests, extendable to 3 months for complex requests)
  • 45 days (CCPA requests, extendable to 90 days)

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services.

  • Active Accounts: Data retained while account is active
  • Deleted Accounts: When you request deletion, your account is suspended immediately and your Astra AI conversation history is erased. After a 14-day cancellation grace window your account and remaining personal data are permanently removed from our active systems.
  • Legal Retention: Some data may be retained longer for legal compliance, fraud prevention, or dispute resolution (e.g., transaction records for tax purposes, retained for up to 7 years)
  • Backups: Deleted data may persist in encrypted backups for up to 90 days before being permanently overwritten through normal backup rotation

10. Children's Privacy

TriAstra is intended for users 18 years of age and older worldwide, regardless of any lower minimum age permitted under local data protection law (such as COPPA in the United States, GDPR in the European Union, or PIPA in South Korea). We do not direct the Service to children or knowingly collect personal information from anyone under 18.

If we become aware that we have collected personal data from a user under 18, we will delete the data and terminate the account. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@triastra.ai and we will take prompt action.

Mobile-app age signals. TriAstra does not currently consume Apple's Declared Age Range API or Google Play's Age Signals API. We enforce our 18+ minimum through the birth-date data you enter during onboarding and through the age-related representations you make when creating an account. When we add support for the Apple or Google age-signal APIs (driven by Texas, Utah, Louisiana, and similar state laws), we will update this section to describe how those signals are used; signals will be used only for compliance gating and will not be stored long-term or used for advertising.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. In compliance with PIPA Article 28-8, APPI Article 28, and GDPR Chapter V transparency obligations, the table below lists each recipient, its country of processing, the purpose of transfer, the categories of data transferred, and the retention period.

Recipient Country Purpose Data transferred Retention
Google Cloud Platform (hosting + Cloud SQL for PostgreSQL) United States Application hosting and database All account data, profiles, charts, Astra history Account lifetime; up to 90 days in encrypted backups after deletion
Google LLC (Gemini API) United States AI interpretation of birth charts and user questions User prompts, chart positions, conversation context 55 days (Google paid-tier abuse-monitoring window); data is not used to train Google's models
Paddle.com Market Limited (Merchant of Record) United Kingdom / Ireland Web and ChatGPT App payment processing, tax, invoicing Billing email, billing country, payment-method details (held by Paddle), transaction records Per Paddle's independent retention policy (tax and accounting periods)
RevenueCat United States Subscription entitlement tracking across iOS and Android Internal user ID, store transaction identifiers, subscription tier and renewal state Account lifetime
Sentry United States Error tracking and crash reporting Stack traces, device information, internal user ID. No birth data. Per Sentry's default retention (typically 30-90 days)
PostHog United States Product analytics and session replay (text and images masked by default) Pseudonymous user identifier, screen views, tap events, feature interactions. No birth data, no chat content. PostHog default retention (typically 12 months for analytics events)

For transfers from the EEA, UK, or Switzerland to non-adequate countries we rely on the EU Standard Contractual Clauses (SCCs); Google Cloud Platform additionally maintains certification under the EU-U.S. Data Privacy Framework. Data Processing Agreements (DPAs) are in place with all processors. Korean and Japanese users consent to transfers to the United States at account creation, having been informed via the table above that the United States is not on Japan's adequacy whitelist and that contractual safeguards apply. You may withdraw consent at any time by emailing support@triastra.ai.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: What personal information is collected, used, shared, or sold
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell or share your data)
  • Right to Correct: Correct inaccurate personal information
  • Right to Limit: Limit use of sensitive personal information (birth data)
  • Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights

We do NOT sell your personal information. We do not share personal information for cross-context behavioral advertising.

To exercise your CCPA rights, email us at support@triastra.ai with the subject line "CCPA Request." We will verify your identity before processing your request.

How to exercise the right to limit use of sensitive personal information (birth data). Email us at support@triastra.ai with the subject line "CCPA Limit Request". Upon verification of your identity we will restrict use of your birth data to chart calculation and disable any AI processing involving it that is not strictly necessary to deliver the service you requested.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Obtain confirmation of data processing and a copy of your data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (without affecting lawfulness of prior processing)
  • Right to Lodge a Complaint: File a complaint with your supervisory authority
  • Right Regarding Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. Astra AI's astrological interpretations are not such decisions: TriAstra does not use them for credit, employment, insurance, housing, or any other legally significant determination. For human review of any AI-generated output, contact support@triastra.ai.

To exercise your GDPR rights, email us at support@triastra.ai with the subject line "GDPR Request."

EU Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en. UK residents may complain to the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.

EU Representative (GDPR Article 27). TriAstra does not maintain an establishment in the European Union and does not currently designate an EU representative. EU data subjects may exercise all GDPR rights by contacting support@triastra.ai; we will respond within applicable statutory timeframes. If and when the scale or nature of our processing makes designation appropriate, we will appoint a representative and name them in this Privacy Policy.

14. Japan Privacy Rights (APPI)

If you are located in Japan, you have rights under the Act on the Protection of Personal Information (APPI):

  • Right to Disclosure: Request disclosure of your personal information
  • Right to Correction: Request correction of inaccurate personal information
  • Right to Deletion: Request deletion or cessation of use of personal information
  • Right to Suspension: Request suspension of provision to third parties

To exercise your APPI rights, email us at support@triastra.ai with the subject line "APPI Request (Japan)." We will respond within a reasonable period (typically 30 days).

Japanese Supervisory Authority: Personal Information Protection Commission (PPC) https://www.ppc.go.jp/en/

15. Korea Privacy Rights (PIPA)

If you are located in South Korea, you have rights under the Personal Information Protection Act (PIPA):

  • Right to Access: Request to view your personal information
  • Right to Correction: Request correction of errors in personal information
  • Right to Deletion: Request deletion of personal information
  • Right to Suspension: Request suspension of processing
  • Right to Opt-Out: Opt-out of marketing communications
  • Right Regarding Automated Decision-Making (PIPA Article 37-2): You may request that we explain or refuse fully automated decisions that significantly affect your rights or obligations. Astra AI's astrological interpretations are not such decisions; for human review of any AI-generated output, contact support@triastra.ai.

To exercise your PIPA rights, email us at support@triastra.ai with the subject line "PIPA Request (Korea)." We will respond within 10 days as required by PIPA.

Korean Supervisory Authority: Personal Information Protection Commission (PIPC) https://www.pipc.go.kr

Retention and Destruction: We comply with PIPA requirements for data retention periods and secure destruction methods.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. We will notify you of material changes via:

  • Email notification to your registered email address
  • In-app notification
  • Notice on our website

Material changes will take effect 30 days after notification. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. If you do not agree to the modified Privacy Policy, you must stop using the Service and may request account deletion.

17. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us:

TriAstra — sole proprietor: Mingyun Chae

Postal Address: 323 Incheon tower-daero, Yeonsu-gu, Incheon 22007, Republic of Korea

Email: support@triastra.ai

Website: https://triastra.ai

Please include your jurisdiction and the nature of your request (GDPR, CCPA, APPI, PIPA) in the subject line for faster processing.