Privacy Policy

1. Who we are (the controller)

The controller of your personal data is Vasiliy Uvarov, a sole trader based in the United Kingdom, trading as "Cosmic Copilot" (referred to in this policy as "we", "us", or "our"). We decide what personal data we collect and how it is used. You can contact us using the channels listed at the end of this policy.

2. What personal data we collect

We only collect the data we need to run the service. The categories are:

• Account data: email address, authentication identifiers, and (where you choose to add them) display name and profile photo.
• Birth data you provide for chart calculations: date, time, and place of birth. We use this to compute your astrology chart and personalised insights.
• Relationship data you voluntarily add: names, nicknames, and birth data for people you add to the app (for compatibility features).
• Subscription and payment status: which plan you are on, renewal status, and a payment-provider reference. We do not store your full card number. Web payments are processed by Stripe; iOS purchases are processed by Apple.
• Device and usage data: device type, operating system, app version, language, time zone, general location inferred from IP (city level), and product events (for example, which screens you view and which features you use).
• Support and feedback content: messages you send through the in-app Feedback form or the public contact form, plus any files or context attached.
• Cookies and similar technologies on the web: see the Cookies section below.

3. How we collect it

We collect personal data in three ways:

• Directly from you when you create an account, fill in your birth details, add relationships, send feedback, or contact us.
• Automatically from your device when you use the app (technical logs, crash reports, product events).
• From third parties that help us run the service: Apple (subscription status for iOS), Stripe (subscription status for web), Supabase (authentication), and our analytics provider (see Subprocessors below).

4. Why we use your data and our legal bases

Under UK GDPR, every use of your personal data must rest on a legal basis. Here is ours:

• Provide the service you asked for — including creating your account, calculating your chart, generating personalised insights, delivering daily content, and processing your subscription. Legal basis: performance of a contract (Article 6(1)(b) UK GDPR).
• Keep the service secure, stable, and free from abuse — including rate limiting, fraud prevention, and basic diagnostics. Legal basis: our legitimate interests in operating a safe, reliable service (Article 6(1)(f)), balanced against your rights.
• Understand how people use the app so we can improve it — including anonymised or pseudonymised product analytics. Legal basis: our legitimate interests (Article 6(1)(f)); where local law requires, your consent (Article 6(1)(a)).
• Send you service messages, notifications you opted into, and marketing or product updates where relevant. Legal basis: contract performance for service messages; your consent for marketing (Article 6(1)(a)), which you can withdraw at any time.
• Comply with legal obligations, respond to lawful requests, and defend legal claims. Legal basis: legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)).

We do not rely on special-category processing (Article 9 UK GDPR). We do not ask for or use data about your health, religion, sexuality, ethnicity, political opinions, or trade-union membership.

5. Who we share your data with (subprocessors)

We do not sell your personal data. We share what is needed with a small set of vetted service providers who process data on our behalf under written terms:

• Supabase, Inc. (United States) — authentication, database hosting, and file storage.
• Stripe, Inc. and Stripe Payments UK Ltd — payment processing and subscription management on the web. Stripe is an independent controller for fraud-prevention purposes under its own policy.
• Apple Inc. — App Store distribution and in-app purchases on iOS. Apple is an independent controller under its own privacy policy for purchases made through the App Store.
• PostHog, Inc. — product analytics and error tracking. We pseudonymise identifiers where practical.
• Resend (resend.com) — sending transactional emails such as sign-in links and receipts.
• OpenAI, L.L.C. and Anthropic PBC — generating certain AI-assisted astrology insights. Your prompts may include pseudonymised references to your chart (for example, planetary positions) but not your full name, birth location, or email. These providers process prompts under their zero-retention or short-retention enterprise terms.
• Law enforcement, regulators, or other third parties where we are legally required or permitted to share data (for example, to respond to a valid court order or to protect life).

A current list of subprocessors is maintained; material changes will be communicated via this policy.

6. International transfers

Some of our subprocessors are based outside the UK, primarily in the United States. Where we transfer personal data outside the UK, we rely on one of the following safeguards: the UK-US Data Bridge (Data Privacy Framework) where the recipient is certified, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses. You can request a copy of the safeguard that applies to a specific transfer using the contact details at the end of this policy.

7. How long we keep your data

We keep personal data only as long as we need it:

• Account and profile data: while your account is open, and up to 90 days after you request deletion, to allow for reversal and ensure secure removal from backups.
• Birth and relationship data: same as your account.
• Subscription and billing records: for up to 7 years after the last transaction, to meet UK tax and accounting obligations.
• Product analytics events: up to 24 months in identifiable form, then aggregated.
• Support and feedback messages: up to 24 months after resolution.
• Server logs and security telemetry: up to 90 days.

8. How we protect your data

We use industry-standard security measures including encryption in transit (HTTPS/TLS) and at rest, least-privilege access controls, audit logging, and routine backups. No system is perfectly secure. If a personal data breach happens and it is likely to result in a risk to your rights, we will notify the ICO within 72 hours and tell you without undue delay where the law requires.

9. Your rights under UK GDPR

You have the following rights in relation to your personal data, exercisable free of charge (save for manifestly unfounded or excessive requests):

• Right of access — to be told whether we process your data and to receive a copy.
• Right to rectification — to have inaccurate or incomplete data corrected.
• Right to erasure — to have your data deleted in certain circumstances.
• Right to restriction of processing — to pause our use of your data in certain circumstances.
• Right to data portability — to receive your data in a structured, machine-readable format.
• Right to object — to processing based on legitimate interests or direct marketing.
• Right to withdraw consent — where we rely on consent, at any time, without affecting the lawfulness of processing before withdrawal.
• Right not to be subject to solely automated decisions producing legal or similarly significant effects (see Automated decisions below).

10. How to exercise your rights

You can exercise any of these rights by:

• Using the in-app Feedback screen (Settings → Feedback) and selecting the category "Privacy request" if you are signed in on web or iOS.
• Using the public contact form at https://www.cosmic-copilot.com/contact if you are not signed in.
• Deleting your account directly from Settings, which starts our deletion workflow.

We aim to respond within one calendar month. We may ask you for information to verify your identity before acting on a request, to prevent unauthorised access to your data.

11. Cookies and similar technologies

On the web we use a small number of cookies and similar technologies. They fall into two categories:

• Strictly necessary — session, authentication, CSRF protection, and consent-preference cookies. These do not require consent because the service would not work without them.
• Analytics and performance — cookies and device identifiers used by our analytics provider. Where local law requires consent (for example, under UK PECR and the EU ePrivacy Directive), we load these only after you consent.

You can change your cookie choices at any time through the cookie settings link in the site footer, or by clearing your browser cookies.

12. Children

Cosmic Copilot is not directed at children. We do not knowingly collect personal data from children under the age of 16 in the UK or EEA, or under 13 in the United States. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Automated decisions and AI-generated content

Our astrology insights are generated using a combination of deterministic calculations and AI models. These outputs are for self-reflection and entertainment and do not produce legal or similarly significant effects on you. We do not use your personal data to make solely automated decisions in the sense of Article 22 UK GDPR. AI-generated content can be imperfect; you should not rely on it as professional advice in health, finance, legal, or relationship matters.

14. Marketing communications

We will only send you marketing emails or push notifications where you have opted in (or where you are an existing customer and have not opted out under the UK "soft opt-in" rule). You can opt out at any time by using the unsubscribe link in the message, the notification settings in the app, or by contacting us.

15. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top tells you when it last changed. For material changes we will give you reasonable prior notice (typically through an in-app notice or email) before the change takes effect, and where the law requires, we will ask for your renewed consent.

16. Your right to complain

If you think we have handled your personal data incorrectly, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk or 0303 123 1113, or with the data protection authority in your country of residence.

17. Contact us

Vasiliy Uvarov (trading as Cosmic Copilot), United Kingdom.

• Signed-in users: Settings → Feedback → select "Privacy request".
• Public: https://www.cosmic-copilot.com/contact

We do not publish a direct contact email. The channels above are monitored and are the correct way to reach us for any privacy, data-protection, or support matter.