Legal
Privacy policy
Last updated: 2026-06-19
Your privacy matters to us. Under Art. 13 and 14 GDPR, this policy explains which personal data we collect when you use theastroacademy.com, for which purposes, on which legal basis, and with which recipients it is shared.
1. Controller
The controller within the meaning of the GDPR is:
Marcus Graf
Bamberger Straße 23
10779 Berlin, Germany
Email: info@tinyaffirmation.de
We have not appointed a data protection officer, as we are not legally required to. For all privacy requests, please use the email address above.
2. Legal bases
Where we process personal data, we rely on the following legal bases:
- Art. 6(1)(a) GDPR — your consent (in particular for analytics, advertising and tracking technologies).
- Art. 6(1)(b) GDPR — performance of a contract or pre-contractual steps (account, course usage, purchase).
- Art. 6(1)(c) GDPR — compliance with legal obligations (e.g. commercial and tax retention duties).
- Art. 6(1)(f) GDPR — our legitimate interest in a secure, stable and user-friendly product.
Storing information on, or accessing information already stored on, your device (e.g. cookies) takes place only on the basis of your consent pursuant to § 25(1) TDDDG, unless it is strictly technically necessary.
3. Consent & cookie banner
On your first visit we show a consent banner. Services that require consent (analytics, advertising pixels, conversion tracking) are only loaded and executed after you have agreed. Strictly necessary services (hosting, login, security, payment) run regardless, as they are required for operation. You can withdraw your consent at any time with effect for the future by changing your selection in the banner or contacting us. Details on the cookies we use are in our cookie policy.
4. Data we process
- Birth data (date, time, place) — to compute your natal chart and personalised content.
- Account and contact data (email address, name or display name) — for sign-in, lesson progress and transactional messages.
- Usage and progress data (lesson progress, streak, XP, settings).
- Payment data — processed solely by our payment provider; we do not store full card details.
- Technical data (IP address, browser, device type, access time) — for delivery, security and error analysis.
5. Server log files
On every request, our infrastructure automatically records access data (e.g. truncated IP address, date/time, requested resource, referrer, user agent). This is technically necessary to deliver the website and ensure its security and stability (legal basis Art. 6(1)(f) GDPR). Log data is retained only briefly and solely for these purposes.
6. Hosting & infrastructure
Vercel
Our website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA, and delivered via its content delivery network. Technical access data is processed in the course of this. The legal basis is Art. 6(1)(f) GDPR. Any transfer to the USA is safeguarded by Vercel's participation in the EU-US Data Privacy Framework and by standard contractual clauses.
Supabase
We operate our database, authentication and file storage via Supabase (Supabase, Inc., 970 Toa Payoh North, Singapore / San Francisco, USA). Data is stored on servers within the EU (region eu-west-1). Account, birth, progress and content data are stored here. The legal basis is Art. 6(1)(b) and (f) GDPR; any third-country transfers are safeguarded by standard contractual clauses.
7. Payment processing — Stripe
Purchases are processed via Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland; where applicable Stripe, Inc., USA). When you make a purchase, the data required for the payment (e.g. name, email, payment method, amount) is transmitted directly to Stripe and processed by Stripe as an independent controller for payment processing and fraud prevention. We only receive the payment-status information from Stripe. The legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (fraud prevention). More information: stripe.com/privacy.
8. Email delivery
To send transactional emails (e.g. sign-in links, purchase confirmations) we use Resend (Plus Five Five, Inc., USA). Your email address and the message content are processed in the course of this. The legal basis is Art. 6(1)(b) and (f) GDPR. Any transfer to the USA is safeguarded by standard contractual clauses.
9. AI-generated content — Google Gemini
Personalised text (e.g. daily horoscopes, learning explanations) is generated server-side using the Google Gemini AI model (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Only the largely anonymised inputs needed for generation are transmitted to Google; no profiling takes place. The legal basis is Art. 6(1)(b) and (f) GDPR.
10. Sign-in via third parties
You can optionally sign in via external providers. If you choose this option, you are redirected to the relevant provider and consent there to the transmission of certain profile data (typically name and email address) to us. We use this data solely to set up and manage your account. The legal basis is Art. 6(1)(b) GDPR.
Sign in with Google
"Sign in with Google" is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy notice: policies.google.com/privacy.
Sign in with Apple
"Sign in with Apple" is provided by Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Apple lets you hide your email address ("Hide My Email"). Privacy notice: apple.com/legal/privacy.
11. Analytics — PostHog
After your consent, we use PostHog (PostHog, Inc., 2261 Market Street, San Francisco, USA) to understand and improve how our product is used. We use PostHog's EU Cloud (hosting within the EU). Until you give consent, capturing remains disabled; no automatic capture of form or input values takes place. The legal basis is Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You can withdraw consent at any time.
12. Analytics — Google Analytics
Where enabled and only after your consent, we use Google Analytics (Google Ireland Limited, Dublin, Ireland) to analyse website usage statistically. Cookies or similar identifiers are set and usage data — including the truncated IP address (IP anonymisation) — is processed; a transfer to Google in the USA is possible and is safeguarded by the EU-US Data Privacy Framework and standard contractual clauses. The legal basis is Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You can withdraw your consent at any time with effect for the future.
13. Advertising & conversion tracking
Where enabled, we use — only after your consent — advertising and conversion technologies from the following providers to measure the effectiveness of our campaigns and serve more relevant ads. Cookies or pixels may be set and usage and device data (including IP address) transmitted to the respective provider. The legal basis in each case is Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG; any transfer to the USA is safeguarded by the EU-US Data Privacy Framework and/or standard contractual clauses. You can withdraw your consent at any time.
- Meta (Facebook/Instagram) — Meta Pixel and advertising services, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. facebook.com/privacy/policy
- TikTok — TikTok Pixel and advertising services, TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland. tiktok.com/legal/privacy-policy
- Google Ads — conversion tracking and remarketing, Google Ireland Limited, Dublin, Ireland. policies.google.com/privacy
- Apple Search Ads — campaign attribution, Apple Distribution International Ltd., Hollyhill Industrial Estate, Cork, Ireland. apple.com/legal/privacy
14. Transfers to third countries
Some of the providers named above are based, or have their parent group, in the USA. Where personal data is transferred to a third country, this takes place on the basis of an adequacy decision (EU-US Data Privacy Framework) or appropriate safeguards under Art. 46 GDPR (standard contractual clauses). We will provide further information on request.
15. Retention
We process your data only for as long as necessary for the respective purposes. We keep account data for as long as your account exists; after you delete your account we remove the data, unless statutory retention obligations (in particular commercial and tax law, typically up to 10 years for invoicing records) require otherwise.
16. Your rights
Under the GDPR you have the following rights:
- Access to the data stored about you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing based on legitimate interests (Art. 21 GDPR)
- Withdrawal of consent given, with effect for the future (Art. 7(3) GDPR)
- Complaint to a supervisory authority (Art. 77 GDPR), e.g. the Berlin Commissioner for Data Protection and Freedom of Information
To exercise your rights, an email to info@tinyaffirmation.de is sufficient.
17. Changes to this policy
We update this privacy policy when the legal situation or our processing changes. The current version published here applies in each case.
