Privacy Policy
Effective date: April 22, 2026
This Privacy Policy explains how AstroTrainer collects, uses, shares, protects, and retains personal information through astrotrainer.app, the AstroTrainer mobile app, beta programs, support channels, waitlist/contact forms, and related services.
AstroTrainer is currently a beta-stage training product. This policy describes the current data flows in the product and will be updated if we add new analytics, advertising, push-notification, payment, or cloud-sync providers.
1. Minimum Age
AstroTrainer is intended for users who are at least 17 years old. If a younger person has provided personal information, contact us and we will take appropriate steps to delete it. App Store and Google Play age-rating settings will be configured consistently with this minimum-age statement before public release.
2. Personal Information We Collect
| Category | Examples | Source | Why We Use It | Typical Retention |
|---|---|---|---|---|
| Account identifiers | Email address, Supabase user ID, optional display name, authentication/session tokens managed by Supabase. | You, Supabase Auth. | Create accounts, authenticate users, sync progress, provide support, secure the service. | While your account is active; deleted or de-identified after account deletion except limited backup/legal records. |
| Profile fields | Optional first name, last name, birthdate, nationality/country code, age-confirmation status, public-profile visibility choices. | You. | Personalize the app, support leaderboard/public profile choices, and help you manage account settings. | While your account is active; deleted with account data unless retention is legally required. |
| Training and performance records | Drill IDs, scores, XP, accuracy, reaction/performance metrics, session timestamps, duration, difficulty, completion state, leaderboard metrics. | Your app activity. | Show progress, calculate daily missions, recommend weak-lane practice, maintain training history, and sync between devices. | While your account is active; local-only records remain on your device until app data is cleared. |
| Program and study records | Training plan preferences, availability, focus domains, adherence, rebalance history, study-card results, spaced-repetition due dates, intervals, lapses, and review timestamps. | Your app activity and plan setup. | Run adaptive program logic, spaced repetition, progress review, and long-term roadmap features. | While your account is active; deleted/de-identified after account deletion subject to backups/legal obligations. |
| Interview-prep data | Practice category selections, response drafts you enter, review/import scores, session timestamps, mock-panel metrics, saved notes. | You and your app activity. | Provide interview practice, self-review, framework guidance, progress coverage, and saved session history. | While your account is active or locally on your device if not synced; deleted when account/local data is removed. |
| Device, network, and diagnostics | Device type, operating system, app version, crash diagnostics, IP address, timestamps, approximate region, server logs, security/rate-limit events. | Your device, app, hosting providers, Supabase, Sentry if enabled, form providers. | Keep the app reliable, investigate crashes, prevent abuse, protect accounts, and comply with platform/security obligations. | Usually up to 12 months unless needed for security, fraud, legal, or incident response. |
| Subscription and purchase status | RevenueCat customer/app user ID, Supabase billing customer/user ID, entitlement state, weekly/monthly/yearly product ID, renewal date, expiry date, trial/grace/billing-issue/cancellation/restore state, webhook event IDs, and app-store purchase metadata. We do not store payment-card numbers. | AstroTrainer app/backend, Supabase, RevenueCat, Apple, Google. | Unlock premium features, restore purchases, keep subscription status consistent across devices, manage subscriptions, audit webhook delivery, and troubleshoot billing. | As needed for active subscriptions, accounting, fraud prevention, refunds, security, app-store records, and limited legal/audit retention. |
| Website waitlist/contact data | Name, email address, message body, submission timestamp, form metadata, IP address handled by form/hosting providers. | You and website form providers. | Respond to messages, manage beta/waitlist interest, send launch updates where permitted. | Waitlist: until launch/beta communication is no longer needed or you opt out. Support/contact: generally up to 3 years after last interaction. |
| Optional marketing preferences | Marketing opt-in choice, consent timestamp/source, email subscription status. | You. | Send optional product, launch, or educational updates only where permitted. | Until you unsubscribe or withdraw consent; suppression records may be retained to honor opt-out. |
3. How We Use Personal Information
- To operate the website, app, account sync, training history, study queues, interview practice, beta access, and waitlist.
- To personalize daily missions, adaptive programs, weak-lane recommendations, spaced repetition, and progress summaries.
- To respond to messages, support requests, partnership notes, privacy requests, and beta feedback.
- To send account, service, safety, support, and optional marketing communications where permitted.
- To protect against abuse, scraping, fraud, unauthorized access, rate-limit evasion, and service misuse.
- To analyze aggregate performance, reliability, retention, feature usage, and product quality.
- To comply with legal obligations, app-store obligations, tax/accounting obligations, and our Terms of Use.
4. GDPR/UK GDPR Legal Bases
| Processing Activity | Typical Legal Basis | Explanation |
|---|---|---|
| Account creation, authentication, account sync, premium entitlement access. | Contract performance. | Needed to provide account-based app features you request. |
| Training plans, drill history, SRS study queues, interview practice, progress review. | Contract performance; legitimate interests for improving reliability and relevance. | Needed to provide the training product and make recommendations explainable and useful. |
| Security logs, rate limiting, abuse prevention, debugging, fraud prevention. | Legitimate interests; legal obligation where applicable. | Needed to protect users, accounts, backend systems, and app-store/payment systems. |
| Crash diagnostics and product analytics. | Legitimate interests, unless local law or a specific SDK requires consent. | Used to understand reliability, regressions, feature quality, and aggregate performance. |
| Optional marketing, launch updates, beta newsletters. | Consent where required; legitimate interests for limited non-sensitive beta communications where permitted. | You can withdraw consent or unsubscribe at any time. |
| Tax, accounting, legal, app-store refund, and compliance records. | Legal obligation; legitimate interests. | Needed to comply with law, enforce terms, and respond to disputes or platform requirements. |
5. Third-Party Processors And Services
We use service providers to operate AstroTrainer. Before public monetization, AstroTrainer will enable and retain appropriate data-processing agreements/addenda for each provider that processes personal information.
- Supabase for authentication, database, billing entitlement records, webhook audit logs, backend services, and Edge Functions. Supabase also publishes a Data Processing Addendum.
- RevenueCat, Apple, and Google for subscription entitlement, purchase status, store lifecycle events, refunds, and billing support. RevenueCat publishes a Data Processing Addendum. Apple and Google process store payments under their own terms and privacy policies.
- Sentry for crash reporting/diagnostics if enabled by production configuration. Sentry DPA setup will be completed in Sentry's legal/compliance account settings where available.
- Expo services, including push-notification infrastructure where remote push tokens are enabled.
- Formspree and/or FormSubmit for website waitlist and contact-form submissions if configured.
- Hosting, DNS, email, security, and app-store providers needed to deliver the website and app.
Mixpanel and OneSignal are not active processors in the current codebase. If AstroTrainer adds them or any similar analytics, attribution, email, or push provider later, this policy, the data inventory, the app-store disclosures, and deletion/export workflows must be updated before activation.
6. Sale/Sharing Disclosure For California Residents
AstroTrainer does not sell personal information for money. AstroTrainer does not currently share personal information for cross-context behavioral advertising as those terms are used in the CCPA/CPRA. If this changes, we will update this policy and provide a clear "Do Not Sell or Share My Personal Information" mechanism. You can still contact us at astrotrainer.app@gmail.com with the subject "Do Not Sell or Share" to record an opt-out preference.
7. Cookies And Local Storage
The website currently uses local storage for theme preference and form-safety/rate-limit helpers. The current public website does not intentionally set advertising cookies. If analytics cookies, remarketing tags, or similar tracking tools are added, AstroTrainer will deploy a consent-management platform appropriate for GDPR/ePrivacy and CCPA/CPRA disclosures before those tools go live.
8. Your Privacy Rights
Depending on your location, you may have rights to access, rectify, erase, restrict processing, object, receive data portability, and withdraw consent. This includes the GDPR Article 17 right to erasure where applicable.
California residents may request to know, access, delete, correct, opt out of sale/share where applicable, limit use of sensitive personal information where applicable, and avoid discrimination for exercising privacy rights.
You can submit requests by using in-app account deletion where available, visiting the Data Deletion page, or emailing astrotrainer.app@gmail.com. We may need to verify your identity before completing a request. Some data may be retained when required for security, fraud prevention, app-store billing, legal claims, tax/accounting, backups, or compliance.
9. Account And Data Deletion
If you created an AstroTrainer account, you can request deletion from the app settings where the delete-account flow is available. You can also submit a web request at astrotrainer.app/data-deletion.html. Account deletion is designed to remove your cloud account and associated Supabase profile, leaderboard rows, XP totals, session history, and app-owned active billing customer/entitlement rows. Local-only data on your device may remain until you clear app data or uninstall the app. Store purchase records, RevenueCat records, webhook audit logs, backup records, and limited billing/security/legal records may be retained where required or permitted for accounting, fraud prevention, refunds, platform obligations, dispute handling, or legal compliance.
10. International Transfers
AstroTrainer may be operated from the United States, Europe, or other countries and may use service providers in multiple regions. If GDPR/UK GDPR applies, AstroTrainer relies on appropriate safeguards, such as data-processing agreements and transfer mechanisms, where required.
11. Security
We use technical and organizational safeguards designed to protect personal information, including account controls, input validation, rate-limit protections, backend authorization rules, least-privilege service keys, and provider security controls. No system is perfectly secure, so please use a strong password and contact us if you suspect unauthorized access.
12. Changes
We may update this policy as AstroTrainer evolves. Material updates will be reflected by changing the effective date and, when appropriate, providing additional notice in the app or on the website.
13. Contact
For privacy questions, rights requests, or deletion requests, email astrotrainer.app@gmail.com.