Privacy Policy

Last updated: April 2026

1. Data Controller

The AstralRead website (astralread.com) and service (the "Service") are operated by CINQUE AMICI d.o.o., a limited liability company (društvo sa ograničenom odgovornošću) registered in Montenegro. We are the data controller for personal data collected through the Service within the meaning of the EU General Data Protection Regulation (GDPR) and the Montenegrin Law on Personal Data Protection.

Legal name: CINQUE AMICI d.o.o.
Registration number (MB): 50907846
Tax ID (PIB): 03286177
Registered office: Aleksandrova Obala 33, Zelenika, 85347 Herceg Novi, Montenegro
Director: Mariia Balakireva

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Service.

2. Information We Collect

We collect the following categories of personal data:

  • Account Information: Email address, display name, and password (stored as a bcrypt hash). If you sign in with Google, we additionally receive your Google account email, name, and profile picture URL via Google OAuth.
  • Birth Data: Date of birth, time of birth, and city of birth — required to compute your natal chart.
  • Chat History: Messages exchanged with our AI consultation system, stored to maintain conversation context and improve your experience.
  • Billing Information: If you subscribe to a paid plan, Lemon Squeezy (our Merchant of Record) collects your billing name, address, and payment method on your behalf. We receive only subscription status and non-sensitive transaction metadata (subscription ID, plan code, amount, date) — never your full card details.
  • Usage Data: Basic analytics such as page views, session duration, feature usage, and server logs (IP address, user agent, request timestamps) for security and service improvement.

3. How We Use Your Information

  • To compute and display your natal chart and astrological forecasts.
  • To provide personalised AI-powered astrological and psychological consultations.
  • To authenticate you and secure your account.
  • To send transactional emails (account verification, password resets, subscription receipts) via Resend.
  • To process payments and manage subscriptions through Lemon Squeezy.
  • To maintain, improve, and monitor the quality and security of the Service.
  • To respond to your inquiries and provide customer support.
  • To comply with legal and tax obligations.

4. Legal Basis for Processing (GDPR Art. 6)

Under the GDPR, we process your personal data only when we have a lawful basis:

  • Performance of a contract (Art. 6(1)(b)): account creation, delivery of the Service, processing of subscriptions, and customer support.
  • Compliance with a legal obligation (Art. 6(1)(c)): retention of billing and tax records, responding to lawful requests from public authorities.
  • Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, aggregated usage analytics to improve the Service, server log retention. We balance these interests against your rights and freedoms and only use such data to the extent strictly necessary.
  • Consent (Art. 6(1)(a)): where you have given us specific consent (for example, by choosing to sign in with Google, which transfers your Google profile to us).

5. Third-Party Services and Data Processors

We share personal data with the following third-party service providers acting as data processors under written contracts that require them to protect your data and process it only on our instructions:

  • Anthropic (Claude API) — USA: your consultation queries and relevant chart context are sent to Anthropic's Claude AI to generate responses. Anthropic does not use API inputs to train their models by default.
  • Groq — USA: used as a fallback LLM provider for faster response times. Consultation queries may also be sent here. Groq does not train on API inputs.
  • Lemon Squeezy, Inc. — USA: acts as our Merchant of Record for payment processing. Lemon Squeezy collects billing information directly from you and is responsible for invoices, taxes, and chargebacks. Its own privacy policy applies to the billing data it collects (lemonsqueezy.com/privacy).
  • Google LLC — USA: if you sign in with Google, Google provides us with your profile information via OAuth. Google's own privacy policy applies to data they collect.
  • Resend — USA: used for transactional emails. Only your email address and the content of the specific message are shared.
  • Cloudflare — USA: provides CDN, DNS, and email-routing services. Cloudflare processes standard web request metadata (IP addresses, request headers) and routes inbound emails for the astralread.com domain.

6. International Data Transfers

Our third-party service providers listed above are primarily located in the United States. When we transfer your personal data outside the European Economic Area or Montenegro, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, which ensure an adequate level of data protection. Copies of the applicable SCCs and data processing agreements are available on request to [email protected].

7. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on secure cloud infrastructure in a European data centre. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Passwords are hashed with bcrypt and never stored in plain text. All traffic between your browser and our servers is encrypted in transit using TLS 1.2 or higher.

8. Data Sharing

We do not sell, rent, or trade your personal data to third parties. We share data only with the processors listed in Section 5, and only to the extent necessary to provide the Service. We may disclose data when required by law, court order, or to protect our rights, users, or the public.

9. Data Retention

We retain different categories of personal data for different periods, based on the purpose of processing and our legal obligations:

  • Account data (email, name, password hash): for the lifetime of your account plus 30 days after account deletion.
  • Birth data and natal chart: same as account data.
  • Chat history: same as account data; you can delete individual conversations at any time from your account.
  • Billing and invoice records: retained for 7 years after the end of the fiscal year, as required by Montenegrin tax and accounting law. Lemon Squeezy separately retains billing records under their own policy.
  • Server and security logs: 90 days, then automatically deleted.
  • Backups: full encrypted backups retained for 30 days on a rolling basis.

You may request deletion of your account and associated personal data at any time by contacting [email protected]. We will delete or anonymise your data within 30 days of receiving your request, except data we are legally required to retain (e.g., billing records).

10. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Montenegro, you have the following rights:

  • Right of Access: request a copy of the personal data we hold about you.
  • Right to Rectification: request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("right to be forgotten"): request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction of Processing: request that we limit how we use your data.
  • Right to Data Portability: receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: object to processing based on legitimate interests.
  • Right to Withdraw Consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing based on consent before withdrawal.
  • Right to Lodge a Complaint: see Section 11 below.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. There is no fee for reasonable requests; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests, as permitted by GDPR Art. 12(5).

11. Supervisory Authority and Complaints

You have the right to lodge a complaint with a data-protection supervisory authority if you believe we have violated your privacy rights.

  • Montenegro: Agency for Personal Data Protection (Agencija za zaštitu ličnih podataka i pristup informacijama) — azlp.me
  • EU residents: your national data-protection authority. A list is available at edpb.europa.eu/members
  • UK residents: Information Commissioner's Office (ICO) — ico.org.uk

We would appreciate the chance to address your concerns directly before you approach a supervisory authority — please contact us first.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly by email, in accordance with GDPR Article 34.

13. Cookies and Local Storage

We use only essential cookies and localStorage for authentication (session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because we rely solely on strictly necessary storage as defined in the ePrivacy Directive, no cookie-consent banner is legally required.

14. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact [email protected].

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Where changes materially affect how we process your data, we will additionally notify you by email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Email: [email protected]
  • Contact page: /contact
  • Postal: CINQUE AMICI d.o.o., Aleksandrova Obala 33, Zelenika, 85347 Herceg Novi, Montenegro