Privacy Policy

Version: 1.0

Last Updated: 2026-07-02

Effective Date: 2026-06-06

STORMVIBE Ltd., a Bulgarian limited liability company (EOOD), EIK 208809995, VAT BG208809995 ("Company," "we," "us," or "our"), operates StarBind, including our website at https://starbind.me, our mobile applications for iOS and Android, and all related services (collectively, the "Service").

This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service. It also describes your rights and choices regarding your data.

One-off report purchases at the StarBind Reports storefront (starbind.me/reports) are a separate, account-free product covered by the Reports Privacy Policy — this policy governs the StarBind app and your StarBind account.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. This Privacy Policy is incorporated into and forms part of our Terms of Service.


1. Data Controller

For the purposes of applicable data protection laws:

2. Information We Collect

2.1 Information You Provide

| Data Type | Purpose | Required |
| --- | --- | --- |
| Email address | Account creation, authentication, communications | Yes |
| Password | Account security (stored as a salted hash, never in plaintext) | For email/password sign-up |
| Date of birth | Natal chart calculation, Sun sign determination, daily horoscope, age verification (16+) | Yes |
| Time of birth | Natal chart calculation (Ascendant, house placements) | Optional |
| Place of birth | Natal chart calculation (geographic coordinates for house system) | Yes |
| Birth coordinates | Derived from place of birth for astronomical calculations | Derived |
| House system preference | Natal chart house system selection | Optional |
| Birth data for other people you add | Calculate compatibility charts, and save people to your circle for quick chart access | Optional |
| Username / nickname | Display in profile and shared content | Optional |
| Full birth name | To calculate name-based numerology values (Expression number, Soul Urge number). The name is processed transiently on our server to derive these two numbers and is not stored, logged, or sent to any LLM provider — only the resulting integers are saved | Optional |
| Chat messages and dream journal entries | Free text you write to the AI guide or record in your dream journal, used to generate the responses and readings you request. Stored under your account until deleted (see Section 7) | Optional |
| Referral code | Credit attribution for invite rewards | Optional |
| Acceptance of Terms and Privacy Policy | Legal record of consent (GDPR Art. 7) — version and timestamp stored | Yes |

Birth-place autocomplete: when you type a birth place, the text you type is first matched against our own server-side place database; only if there is no match is the text — with no name, email, or other identifier attached — sent to a third-party geocoding service (Photon, operated by Komoot GmbH in Germany) to find matching places and their coordinates.

Data about other people you add: Some features let you enter another person's birth details (date, time, place) — to calculate a compatibility chart, or to save someone to your circle for quick access. You provide this data and are responsible for having the right to share it (see our Terms of Service). We use it only to compute the chart you requested and store it under your account; you can delete it at any time, and deleting your account removes it. Because we typically hold only a name and birth details for these people — with no way to contact them — we rely on the disproportionate-effort exception in GDPR Art. 14(5)(b) rather than notifying each person individually. If your birth details were entered by someone else and you want them removed, contact [email protected].

2.2 Information Collected Automatically

| Data Type | Purpose |
| --- | --- |
| IP address | Security, abuse prevention, and rate limiting. We do not derive your location from your IP address, and IP addresses are not written to our usage or crash telemetry |
| Device information | OS type, version, device model — for compatibility and debugging |
| Device identifier | Stable per-install ID used to bind your account to the device that registered it |
| Device timezone | Read once at signup to seed your profile timezone, which schedules notifications and daily content in your local time. Changed only explicitly in your account settings — never silently re-synced |
| Device attestation token | Apple App Attest / Google Play Integrity attestation, used at signup and for in-app purchases to confirm requests originate from a genuine, unmodified app instance |
| App version | Troubleshooting, feature availability |
| Usage data | Screens visited and feature-usage events, recorded under a random per-session identifier that is never stored on your device and never linked to your account — for first-party analytics and product improvement. No third-party analytics service receives this data |
| Crash and error reports | Identifying and fixing technical issues. Reports contain the technical error and the screen it occurred on; they are not linked to your account |
| Report download access events | When a sharable report download link is opened, we log a hashed IP (SHA-256 with a daily-rotating salt — we cannot recover the original IP), 2-letter country code, browser user-agent, HTTP Referer header (when sent), and timestamp. Used for fraud prevention and aggregated download analytics. We do not set tracking cookies or share these logs with third-party analytics providers. |

2.3 Information from Third Parties

We may receive information from:

You can create an account either with an email address and password or with Sign in with Apple or Sign in with Google. We do not support Facebook or other social-login providers.

2.4 Information We Retain After Account Deletion

When you delete your account, we hard-delete all of the data above except for one record: a counter of how many StarBind accounts have been created from your physical device (via the device identifier in §2.2). We keep only the count — not your account or any of its contents — in a separate table that has no link back to you. We rely on this counter under GDPR Art. 6(1)(f) (legitimate interests) to limit account-creation abuse.

We also retain anonymized audit-log entries (event type, hashed email, timestamp) sufficient to demonstrate that deletion, consent, and other security-relevant events occurred (GDPR Art. 5(2) accountability). These anonymized entries are retained for 24 months from the date of the event, after which they are deleted.

3. How We Use Your Information

We use your personal information for the following purposes:

| Purpose | Legal Basis (GDPR) |
| --- | --- |
| Provide the Service — calculate natal charts, generate horoscopes, deliver readings | Contract performance |
| Create and manage your account | Contract performance |
| Process payments for premium features | Contract performance |
| Generate AI-powered content — daily horoscopes and interpretive readings via LLM | Contract performance / Legitimate interest |
| Send transactional communications — account verification, password resets, subscription updates, billing notifications | Contract performance |
| Send marketing communications — emails or push notifications about new features, content, or promotions | Consent — withdrawable at any time via your account settings or the unsubscribe link in any marketing email, without affecting the lawfulness of prior processing |
| Improve the Service — analyze usage patterns, fix bugs, develop new features | Legitimate interest |
| Limit account-creation abuse — count of accounts created per device (see §2.4) | Legitimate interest |
| Ensure security — detect fraud, prevent abuse, enforce our Terms | Legitimate interest |
| Operate sharable report download links — count downloads, log referrer and hashed IP for fraud prevention and aggregated analytics | Legitimate interest |
| Compute and store charts for other people you add — compatibility charts and people you save to your circle | Legitimate interest |
| Comply with legal obligations — respond to lawful requests, meet regulatory requirements | Legal obligation |

3.2 Automated Decisions and Profiling

We will never use your birth data, account information, or content you submit to make decisions based solely on automated processing that produce legal or similarly significant effects on you (GDPR Article 22). The natal-chart calculations and automatically generated readings the Service provides are entertainment content; they have no legal or contractual consequences for you.

4. AI and LLM Data Processing

We use third-party large language model (LLM) providers to generate personalized astrological content such as daily horoscopes and readings.

5. How We Share Your Information

We do not sell your personal information. We rely on the following named sub-processors to operate the Service:

| Sub-processor | Purpose | Data shared | Region | Transfer mechanism |
| --- | --- | --- | --- | --- |
| Google LLC (Vertex AI / Gemini + Firebase Cloud Messaging) | Automatically generated horoscopes, readings, chat responses, and astrology reports; push notification delivery | De-identified astrological data; free-text you submit in chat or dream entries; push device tokens; notification body | LLM processing: European Union (Vertex AI EU multi-region). Push delivery: United States | EU-US Data Privacy Framework (Google LLC self-certified) and EU Standard Contractual Clauses (Google Cloud Data Processing Addendum) |
| OpenAI, L.L.C. (OpenAI API) | Automatically generated images, such as shareable cosmic artwork | The de-identified prompt text describing the image to generate (astrological themes — no name or birth details) | United States | EU Standard Contractual Clauses (OpenAI Data Processing Addendum); we request zero data retention and OpenAI does not use API data to train its models |
| Brevo (Sendinblue SA) | Transactional email — account verification, password reset, billing notifications | Email address; subject line and body of the message | European Union (France) | No third-country transfer required (EU→EU) |
| Cloudflare, Inc. | Static website hosting (landing pages, learn site, blog), content delivery network, DNS, share-link Worker, object storage (R2 — generated images, shareable report files, and app-update bundles), and privacy-preserving website analytics (Cloudflare Web Analytics — cookieless, no cross-site tracking) | IP address; standard web request data (URL, headers, user-agent); images and report files generated for you and stored in R2; aggregate page-view and performance metrics | United States with EU edge network | EU Standard Contractual Clauses |
| Microsoft Corporation (Microsoft Azure) | Primary server infrastructure for the API, database, and caching; application monitoring (server logs plus the usage and crash telemetry described in Section 2.2) | All data described in Section 2, at rest | European Union | No third-country transfer required (EU→EU); processing governed by the Microsoft Products and Services Data Protection Addendum |
| Komoot GmbH (Photon geocoder) | Birth-place autocomplete — turning the place name you type into coordinates for your chart, queried only as a fallback when our own server-side place cache has no match | The place text you type (e.g. "Sofia"); no name, email, or other identifier is attached | European Union (Germany) | No third-country transfer required (EU→EU) |
| Apple Inc. (App Store) | In-app purchase processing, subscription management, receipt validation | Payment confirmations, subscription state, transaction identifiers (we never receive card numbers) | United States | Apple Paid Apps Agreement |
| Google LLC (Google Play) | In-app purchase processing, subscription management, receipt validation | Payment confirmations, subscription state, transaction identifiers (we never receive card numbers) | United States | Google Play Developer Distribution Agreement |
| Law enforcement and regulators | When legally required or to protect our rights, your rights, or the rights of others | As required by applicable law | Varies | As permitted by applicable law |

We require all sub-processors to process your data only on our behalf, in accordance with our written instructions, and subject to confidentiality and applicable data protection laws. We will update this list before engaging a new sub-processor; material changes will be communicated to you under Section 13.

6. Cookies and Tracking Technologies

6.1 What We Use

| Technology | Purpose | Duration |
| --- | --- | --- |
| Essential cookies and local-storage tokens | Authentication, session management, security | Session / up to 12 months |
| Cloudflare Web Analytics (public website only — landing, learn, blog) | Aggregate page-view and performance statistics — cookieless, no device storage, no cross-site tracking | No cookie or stored identifier |

The Service uses only strictly necessary cookies and similar local-storage tokens (such as your authentication token) required to operate. These are exempt from prior consent under ePrivacy Directive Article 5(3) and the Bulgarian Electronic Communications Act.

We do not use advertising, behavioral-tracking, or third-party tracking cookies, and we do not profile you or track you across other websites. Our first-party usage telemetry (Section 2.2) sets no cookies and stores no identifiers on your device. Our public website (landing, learn, and blog pages) uses Cloudflare Web Analytics, a privacy-preserving, cookieless analytics tool: it sets no cookies, stores nothing on your device, does not fingerprint you, and does not track you across websites — so it too is exempt from prior consent under ePrivacy Directive Article 5(3). If we introduce non-essential cookies in the future, we will request your consent through a cookie banner before placing them and update this Privacy Policy.

6.2 Your Choices

You can control cookies through your browser settings. Disabling essential cookies will prevent you from signing in to or using the Service.

6.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals, as there is no industry-standard protocol for compliance.

6.4 Global Privacy Control (GPC)

We honor Global Privacy Control signals. If your browser sends a GPC signal, we will treat it as a valid opt-out of any data sharing covered by applicable state laws.

7. Data Retention

We keep each category of personal data only for as long as it is needed to provide the Service to you. Where a fixed period isn't meaningful, we delete data after a defined period of inactivity. Specifically:

| Data | Retention Period |
| --- | --- |
| Your account and the content you create or save in it (other than chat conversations) | Until you delete it. Inactive accounts are deleted 24 months after the last sign-in. |
| Chat conversations (the messages you send and the responses you receive) | Deleted 12 months after the conversation's last message |
| Usage and crash telemetry (session-scoped, never linked to your account) | Up to 24 months |
| Anonymized audit-log entries (post-deletion accountability records — see §2.4) | 24 months from the date of the event |
| Payment records | As required by Bulgarian tax and accounting law (10 years — Accountancy Act art. 12) |
| Server logs | Up to 90 days |
| Report download access logs | 90 days |

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

8. Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Access by StarBind Staff

We strictly separate the data our staff can routinely view from content you create inside the Service.

Operational metadata — Authorised staff can view your account email, account status, subscription tier and free-credit balances, transaction history (records of purchases, spends, and refunds — without the prompt or response text of any individual feature), device identifier, the IP addresses recorded on security audit events (consent records, password changes, failed device-attestation attempts), and audit-log events. We use this access to provide support, process billing and refunds, prevent fraud, and enforce our Terms.

User-generated content — Conversations you have through the Service, dream journal entries you write, custom names and birth data you save for other people in your circle, and image-generation prompts you submit are not routinely accessible to staff. Staff review such content only when:

Each instance in which staff access user-generated content is logged in our audit log and is auditable.

10. International Data Transfers

Your data is primarily processed and stored on servers located in the European Union. Some sub-processors listed in Section 5 process specific, limited data in the United States under the safeguards described there. If you access the Service from outside the EU, your information may be transferred to and processed in a country with different data protection laws.

For EU/EEA/UK users: Where we transfer personal data outside the EU/EEA/UK, we rely on:

You may request a copy of the applicable safeguards by contacting us.

11. Your Rights

11.1 For All Users

Regardless of your location, you may:

11.2 For EU/EEA/UK Users (GDPR)

Under the General Data Protection Regulation, you have the following additional rights:

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority is the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни / КЗЛД), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria — https://www.cpdp.bg.

11.3 For California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

To submit a request, contact us at [email protected]. We will verify your identity before processing your request.

11.4 For Residents of Other US States

If you reside in Colorado, Connecticut, Virginia, Utah, or other states with consumer privacy laws, you may have similar rights to access, delete, correct, and opt out of certain data processing. Contact us at [email protected] to exercise your rights.

12. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will promptly delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For EU/EEA data protection inquiries: contact us at the address above. The Company is established in the European Union (Bulgaria) and an Article 27 representative is not required.


This Privacy Policy was last updated on 2026-07-02.
