Privacy Policy
Last Updated: February 13, 2026
This privacy policy explains how Moonphase Apps GmbH ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use the AstroBella website at astrobella.com (the "Website") and the AstroBella mobile application (the "App"). Together, these are referred to as our "Services."
We are committed to processing your data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TDDDG).
Please read this policy carefully. By using our Services, you acknowledge that you have read and understood how we process your personal data as described below.
1. Data Controller (Verantwortlicher)
The controller responsible for data processing within the meaning of Art. 4(7) GDPR is:
Moonphase Apps GmbH
Ferdinand-Koch-Straße 31
26133 Oldenburg
Germany
Represented by Managing Directors (Geschäftsführer): Philipp Marx & Joshua van Vliet
- Email: contact@astrobella.app
- Commercial Register: Amtsgericht Oldenburg, HRB 219941
- VAT ID (USt-IdNr): DE365749986
2. Overview of Data Processing
The following table provides a summary of the personal data we collect and the purposes for which we process it. Detailed descriptions follow in the sections below.
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Account data (name, email) | Authentication, account management | Art. 6(1)(b) GDPR |
| Birth data (date, time, place) | Astrological calculations | Art. 6(1)(b) GDPR |
| AI chat messages | AI-powered astrological advisor | Art. 6(1)(b) GDPR |
| Payment & subscription data | Processing purchases, subscriptions | Art. 6(1)(b) GDPR |
| Push notification tokens | Delivering notifications | Art. 6(1)(a) GDPR |
| Usage & analytics data | Improving our Services | Art. 6(1)(a) GDPR |
| Crash reports & device info | App stability & error resolution | Art. 6(1)(f) GDPR |
| Attribution & advertising IDs | Marketing attribution | Art. 6(1)(a) GDPR |
| Contact form data | Responding to inquiries | Art. 6(1)(b) GDPR |
| Website analytics | Improving the Website | Art. 6(1)(f) GDPR |
3. Data We Collect Through the App
3.1. Account & Identity Data
When you create an account, we collect:
- Name and email address (provided via Apple Sign-In, Google Sign-In, or email registration).
- Username (chosen by you).
- Gender (optional, provided during onboarding).
- Your unique user identifier.
Legal basis: Art. 6(1)(b) GDPR — necessary for the performance of the contract (providing you with our Services).
3.2. Birth & Astrological Data
To generate your birth chart and personalized horoscopes, we collect:
- Date of birth.
- Time of birth.
- Place of birth (latitude and longitude, resolved via the Google Places API).
This data is sent to our backend servers for astrological calculations and may also be included in AI chat sessions (see Section 3.4).
Legal basis: Art. 6(1)(b) GDPR — necessary for the core functionality of the App.
3.3. Social & Friend Data
- Friends list — usernames, zodiac signs, and birthdays of your connected friends within the App.
- Custom friends — name, birth date, birth time, and birthplace of friends you manually add (stored locally on your device only).
- Friend requests sent and received.
- Device contacts — if you grant permission, the App can access your device contacts to enable the invite feature. Your contacts are only read locally and are never uploaded to our servers.
Legal basis: Art. 6(1)(b) GDPR for friend features; Art. 6(1)(a) GDPR (consent) for device contacts access.
3.4. AI Chat & User-Generated Content
When you use the AI Astrological Advisor, the following data is sent to our backend for processing:
- Your chat messages (full conversation history per session).
- Your birth chart data, current transit data, and moon phase data for context.
- Your username and birth date.
Our backend processes AI requests using OpenAI's API. This means your chat messages and astrological profile data are transmitted to OpenAI, Inc. (USA) for generating responses. OpenAI processes this data solely on our behalf and does not use it for training its models (as governed by our Data Processing Agreement with OpenAI).
We also collect:
- Transit comments you post within the App.
- Feedback and ratings you submit (app feedback, chat feedback, tarot feedback).
- Tarot reading history (stored locally on your device).
Legal basis: Art. 6(1)(b) GDPR — necessary for providing the AI advisor and content features.
3.5. Subscription & Payment Data
- Subscription status, plan type, and purchase receipts are processed through RevenueCat, Inc. (USA) and the respective app stores (Apple App Store / Google Play Store).
- We do not directly process or store your credit card or payment method details. These are handled entirely by Apple, Google, or Stripe.
Legal basis: Art. 6(1)(b) GDPR — necessary for managing your subscription.
3.6. Push Notifications
- If you opt in, we collect your Firebase Cloud Messaging (FCM) device token to deliver push notifications (e.g., daily horoscopes, transit alerts, friend activity).
- You can manage your notification preferences in the App settings or revoke them at any time via your device settings.
Legal basis: Art. 6(1)(a) GDPR — consent. You may withdraw consent at any time.
3.7. Device & Technical Data
- Device model, operating system version, and app version.
- Crash logs and stack traces (via Firebase Crashlytics) — used to identify and fix errors.
- Your internal user identifier may be associated with crash reports to help us diagnose user-specific issues.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in maintaining app stability and resolving errors. You can object to this processing at any time (see Section 10).
4. Analytics, Attribution & Advertising Identifiers (App)
4.1. Firebase Analytics (Google LLC)
We use Firebase Analytics to understand how users interact with the App. The following data may be collected:
- Screen views and user interactions (events).
- User properties: user ID, email, first name, country, login method, platform, birthday date, and astrological sign.
- Purchase events (subscription type, currency).
Firebase Analytics data is processed by Google LLC (USA). Data may be stored on Google servers in the United States.
Legal basis: Art. 6(1)(a) GDPR — consent.
4.2. AppsFlyer (AppsFlyer Ltd.)
We use AppsFlyer for mobile attribution — measuring the effectiveness of our marketing campaigns. AppsFlyer may collect:
- Install attribution data (media source, campaign, ad group, keyword).
- Advertising identifiers: IDFA (iOS, only after App Tracking Transparency consent) and Google Advertising ID (Android).
- Deep link and conversion data.
AppsFlyer Ltd. is based in Israel. Data transfers are protected under an EU adequacy decision for Israel.
Legal basis: Art. 6(1)(a) GDPR — consent. On iOS, AppsFlyer only starts after you respond to the App Tracking Transparency prompt.
4.3. Singular (Singular Labs, Inc.)
We use Singular as an additional attribution analytics provider. Singular may collect:
- Attribution data and deep link information.
- IDFA (iOS, only after App Tracking Transparency consent).
- FCM push notification token.
- SKAdNetwork conversion values (iOS).
Singular Labs, Inc. is based in the USA. Data transfers are protected by Standard Contractual Clauses (SCCs).
Legal basis: Art. 6(1)(a) GDPR — consent.
4.4. Facebook SDK (Meta Platforms, Inc.)
We use the Facebook SDK for app event tracking and install attribution. It may collect:
- App events (installs, opens).
- Facebook anonymous identifier.
- Meta Install Referrer data.
Meta Platforms, Inc. is based in the USA. Data transfers are protected by Standard Contractual Clauses (SCCs).
Legal basis: Art. 6(1)(a) GDPR — consent. The Facebook SDK respects App Tracking Transparency settings on iOS.
4.5. Advertising Identifiers
Depending on your device and consent choices, the following identifiers may be collected and shared with attribution providers:
- IDFA (Identifier for Advertisers, iOS) — collected only after you grant consent via Apple's App Tracking Transparency prompt.
- IDFV (Identifier for Vendors, iOS) — a non-advertising device identifier used by RevenueCat.
- Google Advertising ID (Android) — used for attribution and subscription management.
Legal basis: Art. 6(1)(a) GDPR — consent. You may reset or disable advertising identifiers at any time in your device settings.
5. Data We Collect Through the Website
5.1. Contact & Application Forms
- Contact form — name, email address, and your message.
- Application form — name, email address, zodiac sign, and experience level.
Form data is sent via Brevo (Sendinblue SAS, France) for email delivery. Application form submissions are also forwarded to a private Discord channel for internal review.
Legal basis: Art. 6(1)(b) GDPR — necessary for responding to your inquiry or processing your application.
5.2. Stripe Checkout (Purchases)
- When you purchase a yearly horoscope through the Website, your email address and payment information are processed by Stripe, Inc. (USA).
- During checkout, your IP address is processed server-side for tax jurisdiction detection. We do not store your IP address.
Legal basis: Art. 6(1)(b) GDPR — necessary for processing your purchase.
5.3. Vercel Web Analytics
- The Website uses Vercel Web Analytics, which collects aggregated, anonymous usage data (page views, referrers, device type, country).
- Vercel Web Analytics is entirely cookie-free and does not collect personally identifiable information or track individual users across sessions.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in understanding how our Website is used to improve it.
5.4. Cookies
The AstroBella Website does not use cookies — neither first-party nor third-party cookies. No cookie consent banner is required.
6. Legal Bases for Processing (Art. 6 GDPR)
We process your personal data on the following legal bases:
- Performance of a contract — Art. 6(1)(b) GDPR: Processing necessary to provide you with our Services, including account creation, astrological calculations, AI advisor features, subscription management, and payment processing.
- Consent — Art. 6(1)(a) GDPR: Processing based on your explicit consent, including push notifications, analytics (Firebase Analytics), marketing attribution (AppsFlyer, Singular, Facebook SDK), advertising identifiers (IDFA, Google Advertising ID), and access to your device contacts. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Legitimate interests — Art. 6(1)(f) GDPR: Processing necessary for our legitimate interests, including crash reporting (Firebase Crashlytics) to maintain app stability, anonymous website analytics (Vercel), and general security measures. Our legitimate interest is to ensure the reliable operation and continuous improvement of our Services. You have the right to object to processing based on legitimate interests at any time (see Section 10).
- Legal obligation — Art. 6(1)(c) GDPR: Retaining payment and transaction records as required by German tax and commercial law (§ 147 AO, § 257 HGB).
7. Third-Party Service Providers (Data Processors)
We engage the following third-party service providers to process personal data on our behalf in accordance with Art. 28 GDPR. We have entered into Data Processing Agreements (Auftragsverarbeitungsverträge) with each processor.
| Provider | Country | Purpose | Transfer Safeguard |
|---|---|---|---|
| Google LLC (Firebase Auth, Firestore, Analytics, Crashlytics, Cloud Messaging, Remote Config) | USA | Authentication, database, analytics, crash reporting, push notifications, feature flags | EU-US Data Privacy Framework / SCCs |
| Google LLC (Google Places API) | USA | Birthplace autocomplete during onboarding | EU-US Data Privacy Framework / SCCs |
| OpenAI, Inc. | USA | AI-powered astrological advisor (chat) | SCCs + DPA |
| RevenueCat, Inc. | USA | Subscription and in-app purchase management | SCCs + DPA |
| AppsFlyer Ltd. | Israel | Mobile attribution and marketing analytics | EU adequacy decision for Israel |
| Singular Labs, Inc. | USA | Attribution analytics | SCCs + DPA |
| Meta Platforms, Inc. (Facebook SDK) | USA | App event tracking and install attribution | SCCs + DPA |
| Apple Inc. | USA | App distribution (App Store), Apple Sign-In, push notifications (APNs), in-app purchases | EU-US Data Privacy Framework |
| Google LLC (Google Play) | USA | App distribution, Google Sign-In, in-app purchases | EU-US Data Privacy Framework / SCCs |
| Stripe, Inc. | USA | Payment processing (Website purchases) | EU-US Data Privacy Framework / SCCs |
| Brevo (Sendinblue SAS) | France | Transactional email delivery | EU-based (no transfer required) |
| Vercel Inc. | USA | Website hosting and cookie-free web analytics | SCCs + DPA |
8. International Data Transfers
Several of our service providers are based outside the European Economic Area (EEA), primarily in the United States. When personal data is transferred outside the EEA, we ensure adequate protection through one or more of the following mechanisms:
- EU-US Data Privacy Framework — where the recipient is certified under the framework (e.g., Google, Apple, Stripe).
- Standard Contractual Clauses (SCCs) — approved by the European Commission pursuant to Art. 46(2)(c) GDPR, supplemented by additional technical and organizational measures where necessary.
- EU adequacy decisions — for transfers to countries recognized by the European Commission as providing an adequate level of data protection (e.g., Israel for AppsFlyer).
Please be aware that the United States may not offer the same level of data protection as the EU. We take appropriate steps to ensure your data remains protected in accordance with GDPR requirements. You may request a copy of the applicable safeguards by contacting us.
9. Data Retention (Speicherdauer)
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:
- Account & profile data (App) — retained for the duration of your account. Deleted upon account deletion or upon request.
- Birth & astrological data — retained for the duration of your account, as it is necessary for the App's core functionality.
- AI chat history — stored locally on your device. Server-side session data is deleted after processing.
- Contact and application form data (Website) — retained for up to 12 months, then deleted.
- Payment and subscription records — retained as required by German tax and commercial law: 10 years (§ 147 Abs. 1 AO, § 257 Abs. 1 HGB).
- Firebase Analytics data — retained for 14 months (Google default), then automatically anonymized.
- Firebase Crashlytics data — retained for 90 days, then automatically deleted.
- Push notification tokens — retained until you disable notifications or uninstall the App.
- Website analytics (Vercel) — aggregated and anonymized. No personally identifiable information is retained.
10. Your Rights (Betroffenenrechte)
Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at contact@astrobella.app. We will respond to your request within one month.
- Right of access (Art. 15 GDPR) — You have the right to request confirmation of whether we process your personal data and to receive a copy of that data free of charge.
- Right to rectification (Art. 16 GDPR) — You have the right to request correction of inaccurate data or completion of incomplete data.
- Right to erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data when the data is no longer necessary for its original purpose, you withdraw consent, or the data was processed unlawfully. This right is subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your data — for example, if you contest the accuracy of the data or if processing is unlawful but you oppose deletion.
- Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to object (Art. 21 GDPR) — You have the right to object to processing based on our legitimate interests (Art. 6(1)(f) GDPR) at any time, for reasons relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent via the App settings, your device settings (for notifications and tracking), or by contacting us.
- Right not to be subject to automated decision-making (Art. 22 GDPR) — We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. The AI Astrological Advisor is provided for entertainment purposes only and does not produce legal or similarly significant effects.
11. Right to Lodge a Complaint (Beschwerderecht)
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR.
The competent supervisory authority for our company is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Germany
- Phone: +49 511 120-4500
- Email: poststelle@lfd.niedersachsen.de
- Website: www.lfd.niedersachsen.de
12. Obligation to Provide Data
In accordance with Art. 13(2)(e) GDPR, we inform you of the following:
- Account and birth data — providing this data is required to use the App. Without it, we cannot create your account or generate personalized astrological content.
- Contact form data — providing your name and email is required for us to respond to your inquiry. Without it, we cannot process your message.
- Payment data — required for processing purchases. Without it, we cannot complete transactions.
- Analytics, attribution, and push notification data — providing this data is voluntary. You can use our Services without consenting to analytics, attribution tracking, or push notifications.
13. Account Deletion
You can delete your account at any time through the App settings. When you delete your account:
- Your profile data, birth data, friends list, and user-generated content are deleted from our servers.
- Your Firebase Authentication account is terminated.
- Your RevenueCat subscription profile is disassociated.
- Crash report associations are cleared.
- Locally stored data (chat history, custom friends, tarot history) remains on your device until you uninstall the App.
- Payment records may be retained as required by law (see Section 9).
You may also request account deletion by emailing us at contact@astrobella.app.
14. Children's Privacy (Minderjährige)
Our Services are not directed at children under the age of 16. In accordance with Art. 8 GDPR and German law, users under 16 require parental or guardian consent to use the App. The App's Terms of Service require users to be at least 18 years old or to have obtained parental consent. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data without appropriate consent, please contact us immediately so we can take appropriate steps to delete that data.
15. Data Security (Technische und organisatorische Maßnahmen)
In accordance with Art. 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit using TLS/HTTPS.
- Encryption of data at rest by our infrastructure providers (Firebase, Vercel).
- Authentication and access control for all backend systems.
- Regular security reviews and updates.
- Pseudonymization and data minimization where possible.
Despite these measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours in accordance with Art. 33 GDPR and, where required, inform affected users without undue delay in accordance with Art. 34 GDPR.
16. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our data processing practices, legal requirements, or Services. Material changes will be communicated through in-app notifications or on our Website. Where required by law, we will obtain your renewed consent before applying changes that affect the scope of data processing. We encourage you to review this policy periodically. The "Last Updated" date at the top indicates when this policy was most recently revised.
17. Contact Information
For any questions, concerns, or requests regarding this privacy policy or your personal data, please contact us:
Moonphase Apps GmbH
Ferdinand-Koch-Straße 31
26133 Oldenburg
Germany
Managing Directors (Geschäftsführer): Philipp Marx & Joshua van Vliet
- Email: contact@astrobella.app
- Commercial Register: Amtsgericht Oldenburg, HRB 219941
- VAT ID (USt-IdNr): DE365749986
Acknowledgment
By using AstroBella — whether through our Website or mobile App — you acknowledge that you have read and understood this privacy policy. If you have questions or concerns about how we handle your data, please do not hesitate to contact us at contact@astrobella.app.