Who operates LunaraStars
LunaraStars is operated by [TODO: legal business name], [TODO: registered address in Spain], [TODO: company registration or tax number if applicable]. For privacy questions, contact us at [TODO: privacy contact email].
For EU/Spain data protection purposes, [TODO: legal business name] is the controller of personal data processed through LunaraStars, except where a third-party service acts as an independent controller for its own processing.
What personal data we collect
We collect account data such as your email address, display name, authentication provider, account status, plan, credit balance, subscription state, onboarding status, and timestamps for account activity.
We collect login and authentication data through Supabase Auth, including email/password login, email verification, password reset events, session cookies or local storage entries, and Google login data if you choose Google sign-in.
We may collect astrology profile data such as birth date, birth time, birth location, zodiac sign, relationship status, main interests, preferred tone, gender where provided, saved partner profiles, and compatibility or synastry inputs. Birth date, birth time, and birth location can be very personal profile data and should be treated carefully even where they are not legally special-category data.
We collect tarot, astrology, journal, dream, ritual, synastry, Fate Timeline, horoscope, and chat content you submit or save, including questions, AI responses, reading history, daily card history, journal entries, dream entries, and related metadata.
For eligible accounts, LunaraStars may create memory records and a memory profile from recent chats, journals, dreams, tarot readings, synastry reports, Fate Timelines, and similar saved activity. This can include short summaries, vector embeddings, recurring themes, emotional patterns, current focus areas, relationship context you provided, supportive preferences, important continuity notes, source counts, timestamps, and a returning-user greeting seed. These memory features are designed to help Lunara respond with continuity, not to make automated decisions with legal or similarly significant effects.
We collect payment and subscription data needed to manage plans and credits, such as Stripe customer IDs, subscription IDs, price IDs, payment status, cancellation status, billing cycle, and credit transactions. LunaraStars does not store full payment card numbers; Stripe handles card entry and payment processing.
We collect technical data such as device type, browser, IP address, request logs, security logs, cookies, consent choices, approximate location inferred from network data, and error diagnostics.
We may collect product analytics and usage data, such as feature use, plan limits, reading counts, chat message counts, conversion events, and admin-facing aggregate statistics. Non-essential analytics tools are only loaded after opt-in where required.
We collect customer support communications, account deletion requests, privacy requests, and related support notes.
How we collect data
We collect data directly from you when you create an account, complete onboarding, ask Lunara a question, generate a reading, enter birth details, save content, buy a subscription or credits, contact support, or change cookie settings.
We collect data automatically when the site needs to operate, secure sessions, prevent abuse, process checkout, remember preferences, and maintain service logs. Optional analytics, marketing, and personalization technologies are controlled by your cookie choices.
Where account memory is available, memory profiles may be generated automatically from recent saved activity or refreshed manually from your account settings. You can pause, resume, clear, or delete individual memory cards from the account page where available.
Why we use data
We use data to provide the LunaraStars service, authenticate users, create tarot and astrology experiences, personalize content where permitted, save reading history, generate and retrieve memory context for eligible accounts, manage subscriptions and credits, send transactional emails, provide support, improve product quality, prevent abuse, comply with legal obligations, and maintain security.
We ask users not to share unnecessary sensitive personal data in tarot questions, chats, journal entries, dreams, or support messages. AI-generated guidance can be personal, but LunaraStars is not designed to process emergency, medical, legal, financial, or crisis information.
Memory features are intended to make Lunara feel more continuous and attentive. They should not be used to infer sensitive facts beyond what you choose to share, and they may be incomplete or inaccurate because they are generated from limited recent activity.
Legal bases under GDPR
Performance of contract: we process account, authentication, readings, AI chat, saved history, credits, and subscription data to provide the service you request.
Performance of contract: for eligible accounts, we process memory profiles, memory cards, and embeddings to provide the paid or trial memory-aware experience you request, subject to your account memory controls.
Consent: we rely on consent for optional cookies, certain marketing communications, and optional personalization or analytics where consent is required. You may withdraw consent at any time. Account memory controls are separate from cookie consent because memory is stored as account data rather than as browser cookies.
Legitimate interests: we may process limited technical, security, fraud-prevention, service improvement, and internal aggregate analytics data where our interests are not overridden by your rights and freedoms.
Legal obligations: we process data where required for tax, accounting, consumer protection, payment, regulatory, dispute, or legal compliance purposes.
AI-generated content and processing
LunaraStars uses AI providers to generate tarot readings, horoscope text, chat responses, journal and dream reflections, rituals, synastry or compatibility reports, Fate Timeline content, daily insights, embeddings for paid memory features, and voice narration where enabled.
Inputs sent to AI providers may include your prompt, relevant profile details, selected tarot cards, astrology context, prior saved content, retrieved memory cards, or summarized memory profile context depending on the feature. We aim to send only what is reasonably needed to generate the requested experience.
Memory synthesis may use AI to convert recent activity into a concise profile of themes, preferences, and continuity notes. Lunara may then use that profile to acknowledge relevant remembered themes in chat or returning-user greetings. You can pause memory, clear the profile, or delete memory cards from the account page where available.
AI output may be incomplete, inaccurate, symbolic, or unsuitable for your personal situation. Do not include unnecessary sensitive information in prompts.
Third-party processors and service providers
Supabase provides authentication, database, storage, and related backend services. Supabase may process account data, sessions, profiles, saved readings, chats, journals, dreams, credits, and app records on our behalf.
OpenAI and the Vercel AI SDK are used for AI generation, embeddings, memory synthesis, and text-to-speech features where configured.
Stripe processes subscription checkout, one-time credit purchases, customer portal sessions, payment fraud prevention, and payment-related records. Stripe may act as a processor or independent controller depending on the activity.
Resend is used for platform-managed transactional email, such as welcome emails and privacy/deletion request notifications, where configured. Supabase Auth may also send account verification and password reset emails.
Google is used if you choose Google login through Supabase Auth. Local Google service account automation may be used for internal content operations and is not intended to process user account content unless later configured otherwise.
Vercel hosts the Next.js application and may process hosting logs, network metadata, and deployment diagnostics.
LunaraStars uses a first-party cookie consent system to store your choices. Analytics or marketing providers are not currently initialized by default; if added later, they must be listed in this policy and loaded only according to your consent choices.
International data transfers
Some providers may process data outside Spain or the European Economic Area. Where this happens, we rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, provider data processing terms, and technical or organizational measures where applicable.
Data retention
We keep account data for as long as your account exists and for a reasonable period afterward where needed for legal, tax, security, dispute, or backup purposes.
Saved readings, chats, journals, dreams, daily cards, synastry reports, Fate Timelines, and similar user content remain available until you delete them, request deletion, or the account is deleted, subject to legal and backup retention limits.
Memory profiles and memory cards remain available while account memory is enabled or until you clear, pause, delete specific memory cards, request deletion, or delete your account, subject to legal, security, backup, and technical limits. Clearing memory does not automatically delete the original chats, journals, readings, dreams, or reports from which memory may have been derived.
Payment and subscription records are retained as needed for billing, accounting, fraud prevention, tax, and legal obligations. Consent records are generally retained for up to 12 months unless refreshed or legally required otherwise.
Your GDPR rights
If you are in the EU/EEA, you may have the right to request access, correction, deletion, restriction, objection, portability, and withdrawal of consent. You may also have rights in relation to automated decision-making and profiling where applicable.
You can download an account data export from the account privacy section where available. You can manage Lunara memory from the account page where available, including refreshing, pausing, resuming, clearing, and deleting individual memory cards. You can submit an account deletion request from the account page. Some data may be retained where required by law, fraud prevention, billing, security, or dispute handling.
You may complain to a data protection authority. For Spain, the supervisory authority is the Agencia Espanola de Proteccion de Datos (AEPD): https://www.aepd.es.
Children and minors
LunaraStars is intended for adults. Users must be at least [TODO: confirm minimum age, recommended 18+] or have any consent required by applicable law and platform rules. We do not knowingly provide accounts to children below the required age.
Data security
We use reasonable technical and organizational measures to protect personal data, including authenticated access, Supabase row-level security, server-side API keys, role-based admin access, audit logs, and secure payment processing through Stripe. No online service can be guaranteed to be 100% secure.
Account deletion
You can request account deletion from the account page or by contacting support. Deletion may require a support review first, especially if there is active billing, fraud risk, unresolved disputes, or legal retention obligations.
Marketing communications
Transactional emails are sent when needed for the service, such as account verification, password resets, welcome messages, billing events, privacy notices, and deletion confirmations. Marketing emails, if introduced, will be sent only where legally permitted and can be unsubscribed from.
Changes to this policy
We may update this Privacy Policy when our services, providers, legal obligations, or data practices change. Material changes may be highlighted in the app or by email where appropriate.