Privacy Policy
Status: DRAFT. Andrea: read this end-to-end and edit anything that doesn't match how Somastry actually works or how you want to be represented to users. The square-bracket placeholders need real values before this is published. Norwegian translation comes after the English version is locked.
This Privacy Policy explains how Somastry ("we", "us", the "Service") collects, uses, and protects your personal data when you use somastry.app and the Somastry application.
1 — Who we are
The data controller for personal data processed through Somastry is:
Andrea Altier [Sørengkaia, 0194 Oslo] Norway Email: andrea@andreaaltier.com
If you have a question about your personal data or want to exercise any of the rights described in section 8, you can contact us at the email above.
2. What data we collect
We collect only the data we need to provide Somastry. We do not sell or share your personal data with advertisers, data brokers, or third parties except the sub-processors listed in section 6.
2.1 Account data
When you sign up we collect:
- Your email address (used for sign-in and essential service notifications)
- An authentication token (managed by our auth provider, used to keep you signed in)
2.2 Birth data
To calculate your astrological chart, we collect:
- Your name (display only — never used as a public identifier)
- Date of birth
- Time of birth (optional — you can mark "I don't know my time")
- Place of birth (city, country, latitude/longitude)
If you generate a composite chart for two people, we also collect the same fields for the second person. The second person does not need to have an Somastry account to be part of a composite chart, but you are responsible for ensuring you have their permission to provide their birth data to us (see section 4 — Lawful basis).
2.3 Generated chart data
From your birth data we calculate astronomical positions (planets, houses, aspects, angles). This calculated data is stored alongside your account so we can display your chart without recomputing it on every visit.
2.4 Usage data
To run and improve the Service we record minimal usage data:
- Which readings you've viewed
- Your interactions with weekly practices (engagement, optional rating, optional journal entry)
- Errors encountered by your browser (via Sentry, our error-monitoring provider — see section 6) so we can fix bugs
We do not use cross-site tracking pixels, third-party advertising cookies, or analytics that build a profile of you across the web.
2.5 Cookies
Somastry uses only strictly necessary cookies:
- A session cookie issued by our auth provider so you remain signed in
- A locale-preference cookie remembering whether you chose English, Norwegian, or Swedish
We do not use marketing or analytics cookies.
3. How we use your data
We use your personal data to:
- Provide the core Service (calculate and display your chart, generate readings and practices)
- Authenticate you and keep your session active
- Communicate essential service messages (e.g., security notifications, account changes)
- Detect and fix bugs and errors
- Comply with legal obligations
We do not use your data for automated decisions that produce legal or similarly significant effects on you. The astrological readings the Service generates are reflective tools, not decisions about you.
4. Lawful basis
Under the GDPR (Article 6) we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Holding your account & login | Performance of contract (Art. 6(1)(b)) |
| Calculating and storing your chart | Performance of contract (Art. 6(1)(b)) |
| Storing a partner's birth data for a composite chart | Your consent on their behalf (Art. 6(1)(a)) — see note below |
| Sending essential service emails | Performance of contract (Art. 6(1)(b)) |
| Error monitoring | Legitimate interest (Art. 6(1)(f)) — keeping the Service stable |
Note on partner birth data. When you provide birth data for another person, you confirm that you have their permission to share it with Somastry for the purpose of generating a composite chart. If that person asks us to remove their data and identifies the chart it appears in, we will remove it on request even if they do not have an Somastry account.
Note on special-category data. Birth data is not "special-category personal data" under GDPR Article 9, but we treat it as sensitive personal context and apply the same care.
5. How long we keep your data
We keep your personal data for as long as your account is active.
- Active account: retained until you delete it.
- Account deletion: when you request deletion (in Settings, or by emailing us), we delete your account and all data associated with it (charts, partner data you supplied, readings, journal entries) within 30 days. Backups are overwritten on a 30-day rolling cycle.
- Backups: encrypted, retained ≤ 30 days, used only for disaster recovery.
- Logs: error logs in Sentry are retained for [30 / 90] days then auto-deleted.
6. Sub-processors
We use a small number of carefully chosen sub-processors. Each is contractually bound to process your data only on our instructions and to maintain appropriate security measures.
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database hosting + authentication | EU (Stockholm, eu-north-1) | None needed — data stays in EU |
| Anthropic (Anthropic PBC) | Claude API — generates personalised readings | United States | Standard Contractual Clauses (SCCs) |
| Sentry (Functional Software Inc.) | Error monitoring | [EU/US — confirm Sentry plan] | [SCCs if US] |
| Server (self-hosted infrastructure) | Application hosting | EU (Finland) | None needed |
| Email provider | Transactional email (sign-in links, account notices) | [Provider TBD — likely Resend or Supabase Auth's default] | [SCCs if applicable] |
| Payment provider | Subscription payments | [Provider TBD] | [SCCs if applicable] |
We do not send your birth data, name, or chart contents to Anthropic in identifiable form. The reading-generation pipeline sends only the abstract astrological context (e.g., "Sun in Aries in 5th house, square Saturn in Capricorn") and never your name, birth date, place, or email.
The list above will be updated whenever we add or change a sub-processor.
7. Where your data is stored and transferred
Your account data and chart data are stored in the European Union (in Stockholm, Sweden, on Supabase infrastructure).
When we use sub-processors located outside the EU/EEA (e.g., Anthropic in the United States), we transfer the minimum necessary data and rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for the transfer, as set out in GDPR Articles 44–46.
8. Your rights
Under the GDPR you have the following rights regarding your personal data. You can exercise most of them directly in the Settings page of the Service; for the rest, email us at andrea@andreaaltier.com and we will respond within 30 days (GDPR Art. 12(3)).
| Right | What it means | How to use it |
|---|---|---|
| Access (Art. 15) | Get a copy of all your personal data | Settings → Export my data |
| Rectification (Art. 16) | Correct inaccurate data | Settings → Edit account |
| Erasure (Art. 17) | Delete your data ("right to be forgotten") | Settings → Delete my account |
| Restriction (Art. 18) | Pause processing in specific cases | Email us |
| Portability (Art. 20) | Receive your data in a machine-readable format | Settings → Export my data (JSON) |
| Object (Art. 21) | Object to processing based on legitimate interest | Email us |
| Withdraw consent (Art. 7) | Withdraw any consent you previously gave | Settings, or email us |
| Lodge a complaint | If you think we've violated your rights | Norwegian DPA — see section 9 |
We will never charge you a fee for exercising these rights, except in the rare circumstance where a request is "manifestly unfounded or excessive" (GDPR Art. 12(5)), in which case we will explain the fee before charging it.
9. Right to complain
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Norway, that authority is:
Datatilsynet (the Norwegian Data Protection Authority) P.O. Box 458 Sentrum NO-0105 Oslo, Norway https://www.datatilsynet.no
You can also contact the supervisory authority of the EU/EEA member state where you live, work, or where the alleged infringement occurred.
10. Security
We protect your data with measures appropriate to the risk:
- All connections use HTTPS (TLS 1.2 or higher)
- Database connections use TLS encryption in transit
- Authentication tokens are stored as httpOnly cookies
- Authentication keys and secrets are rotated regularly
- Database access is restricted by Row-Level Security (RLS) policies — you can only ever see your own data
- Sub-processor access is limited to what is necessary for their function
If a personal-data breach is likely to result in a high risk to your rights and freedoms, we will notify you and the supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33–34).
11. Children
Somastry is not directed at children under 16. If we learn that we've inadvertently collected data from a child under 16 without verifiable parental consent (as required under Norwegian law and GDPR Art. 8), we will delete it.
12. Changes to this policy
If we change this policy in a way that materially affects how we process your personal data, we will notify you (by email or via a prominent notice in the Service) at least 30 days before the change takes effect. Minor clarifications and corrections may be made without notice.
13. Contact
For any question about this policy or your personal data, contact:
Andrea Altier andrea@andreaaltier.com or
Kilo Scheffer kilo@scheffer.com
This policy was last revised on 2026-04-25.