Privacy Policy

Effective: 2026-05-23

Zenit operates the zenit.app platform. This Privacy Policy describes what personal data we process, on what legal basis, for how long, and with whom we share it. It applies to anyone who uses Zenit, regardless of where they live. Where the GDPR (Regulation (EU) 2016/679) provides stronger rights, those rights apply.

Data Controller

The data controller for the personal data processed through zenit.app is Diego Alvarez (sole operator), Santiago, Chile, reachable at [email protected]. Zenit does not have an EU establishment and has not appointed a Representative under Article 27 of the GDPR; you can still exercise every right described below by contacting us at the address above.

Information We Collect

Account data: your email address and password (stored as a salted bcrypt hash, never in plaintext), your declared timezone, and your language preference.

Identity provider data: if you sign in with Google or Apple, the unique identifier and verified email they return.

Birth data: date, time, place of birth and resolved coordinates of every native you create in your account, which you provide voluntarily for natal chart calculation.

Computed data: planetary positions, house cusps, aspects and any astrological interpretations the agent produces from your birth data.

Chat data: the messages you exchange with the astrological agent, together with the tool calls the agent makes on your behalf.

Billing data: if you subscribe, the email and country LemonSqueezy returns to us; we never receive your card number.

Technical and audit data: IP address (truncated where possible), user agent, request paths, error stack traces, and a timestamped audit log of consent decisions and GDPR-relevant actions you take in your account.

Legal Basis for Processing

Under Article 6 GDPR we process your data under one of the following bases.

Performance of contract (Art. 6(1)(b)) — running your account, calculating natal charts and transits, generating interpretations, providing the chat agent, processing your subscription.

Consent (Art. 6(1)(a)) — analytics and error reporting (you can withdraw this at any time in /settings), processing of birth data as data revealing your interest in astrological frameworks (see Sensitive Categories below).

Legitimate interest (Art. 6(1)(f)) — basic security, fraud prevention, and aggregate operational metrics that cannot be tied to you; we balance this interest against your rights and welcome objections at [email protected].

Legal obligation (Art. 6(1)(c)) — tax records (LemonSqueezy invoices) and responding to lawful requests from authorities.

Sensitive Categories

Astrology is a personal practice. Your birth data and the interpretations we generate from it can reveal your interest in astrology as a philosophical or spiritual framework, which the GDPR classifies as a special category of personal data (Art. 9). We process this data only on the basis of your explicit consent, given when you first save a native or send a chat message that includes such information. You can withdraw that consent at any time by deleting the native or your account, after which we cease the processing. We do not infer, store, or process data about your race, ethnicity, political opinions, trade union membership, sex life, or health.

How We Use Your Data

We use your data exclusively to operate Zenit: calculating natal charts and planetary transits using Swiss Ephemeris, generating astrological interpretations through our knowledge graph and the Azure OpenAI Service, maintaining your account and preferences, processing your subscription, and responding to GDPR rights requests. We do not sell your data, do not run advertising, do not build behavioral profiles for marketing, and do not feed your data into model training programs at any external provider.

Automated Decisions and Profiling

Zenit produces astrological interpretations through a Large Language Model. These outputs are textual readings based on your chart and chosen framework; they are not used to make legal or similarly significant decisions about you (e.g. credit, insurance, employment). You always remain free to disregard, edit, or delete any interpretation. If you want a human review of a specific reading, write to [email protected].

Data Storage & Security

Your data is stored in a managed PostgreSQL database on Microsoft Azure with encryption at rest. Passwords are hashed using bcrypt with per-user salts. All transport is TLS/HTTPS. Access to the production database is limited to the controller and is logged. Backups are encrypted and retained for 30 days. We notify you of any data breach affecting your personal data within 72 hours of discovery, in line with Articles 33-34 GDPR.

Retention

Account, birth, and computed data are retained while your account exists and for 30 days after you request deletion (the cancellation grace period; see /settings). Chat history is retained for the lifetime of your account and is wiped along with your account. Audit logs of GDPR actions are retained for 24 months to evidence compliance, then deleted. Tax and invoicing records (LemonSqueezy) are retained for the period required by Chilean and EU VAT law (typically 5-10 years). After the applicable retention period ends we delete or irreversibly anonymise the data.

Sub-processors and Disclosure

We do not sell, rent or trade your personal data. To operate Zenit we rely on a small number of data processors that handle data on our instructions: Microsoft Azure for hosting, database and LLM inference (the chat agent submits your messages and chart data to Azure OpenAI for the duration of a request); LemonSqueezy for payment processing and tax compliance; Langfuse for LLM observability; Sentry for error reporting (only if you enable analytics); Cloudflare for CDN and DDoS protection; and Google or Apple if you sign in with their identity. The complete and current list lives at /sub-processors. We disclose data to law enforcement only where compelled by a lawful order and only the minimum necessary to comply.

International Transfers

Some sub-processors are based in or operate from the United States. When personal data is transferred to a US entity, we rely on the EU-US Data Privacy Framework where the entity is certified, on Standard Contractual Clauses (SCCs) where it is not, and on supplementary measures (encryption in transit and at rest, access controls) in either case. You can request a copy of the relevant transfer safeguards from [email protected].

Your Rights

You can: access and download a copy of every piece of personal data we hold on you (Art. 15, 20), correct or update inaccurate data at any time in /settings (Art. 16), request erasure of your account and associated data with a 30-day cancellation window (Art. 17), restrict or object to specific processing including profiling (Art. 18, 21), withdraw consent for analytics or sensitive-category processing at any time without affecting the legality of past processing (Art. 7(3)), and not be subject to solely automated decisions with legal or similarly significant effect (Art. 22). To exercise these rights write to [email protected] or use the controls in /settings. We respond within 30 days, free of charge unless the request is manifestly unfounded or excessive.

Right to Lodge a Complaint

If you believe we are mishandling your personal data, you have the right to complain to the data protection authority in your country of residence. In Spain this is the AEPD (aepd.es); in France, the CNIL (cnil.fr); in Germany, the federal or relevant Land DPA; in Chile, the Consejo para la Transparencia. You may also complain directly to us at [email protected] — we would always prefer to resolve concerns with you first.

Cookies & Similar Technologies

Zenit uses strictly necessary cookies for authentication, session continuity, and language preference; these are always active because the service cannot function without them. We also use a single optional category for analytics and error reporting (Sentry). This category is off by default and only loads after you accept it in the cookie banner or in /settings. You can change your decision at any time; turning analytics off stops further data collection immediately. We do not use advertising, marketing, or profiling cookies and we do not embed third-party trackers.

Children's Privacy

Zenit is not intended for users under 16 in the EU/EEA, or under the digital consent age set by national law where it is lower (for example 14 in Spain, 13 in many other jurisdictions). We do not knowingly collect personal data from minors below the applicable age. If you believe a minor has provided us with personal data without verifiable parental consent, write to [email protected] and we will delete it.

Changes to This Policy

We may update this Privacy Policy as the product or the law evolves. We will post the new version on this page with a refreshed effective date, and we will email registered users at least 30 days before any material change takes effect, giving you time to review and, if you wish, close your account before the change applies to you.

Contact

For privacy questions, DPA documentation requests, or to exercise any right listed above, write to [email protected]. We commit to a substantive response within 30 days.