Privacy Policy
Version: 1.0
Last Updated: 2026-07-02
Effective Date: 2026-06-06
STORMVIBE Ltd., a Bulgarian limited liability company (EOOD), EIK 208809995, VAT BG208809995 ("Company," "we," "us," or "our"), operates StarBind, including our website at https://starbind.me, our mobile applications for iOS and Android, and all related services (collectively, the "Service").
This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service. It also describes your rights and choices regarding your data.
One-off report purchases at the StarBind Reports storefront (starbind.me/reports) are a separate, account-free product covered by the Reports Privacy Policy — this policy governs the StarBind app and your StarBind account.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. This Privacy Policy is incorporated into and forms part of our Terms of Service.
1. Data Controller
For the purposes of applicable data protection laws:
- Data Controller: STORMVIBE Ltd. (EIK 208809995, VAT BG208809995), 27E Srebarna Street, Bldg. 7, Entr. A, Apt. A2, Lozenets District, Sofia 1407, Bulgaria, [email protected]
- EU/EEA Representative (GDPR Article 27): Not required. The Company is established in the European Union (Bulgaria) and acts as data controller from within the EU.
2. Information We Collect
2.1 Information You Provide
| Data Type | Purpose | Required |
|---|---|---|
| Email address | Account creation, authentication, communications | Yes |
| Password | Account security (stored as a salted hash, never in plaintext) | For email/password sign-up |
| Date of birth | Natal chart calculation, Sun sign determination, daily horoscope, age verification (16+) | Yes |
| Time of birth | Natal chart calculation (Ascendant, house placements) | Optional |
| Place of birth | Natal chart calculation (geographic coordinates for house system) | Yes |
| Birth coordinates | Derived from place of birth for astronomical calculations | Derived |
| House system preference | Natal chart house system selection | Optional |
| Birth data for other people you add | Calculate compatibility charts, and save people to your circle for quick chart access | Optional |
| Username / nickname | Display in profile and shared content | Optional |
| Full birth name | To calculate name-based numerology values (Expression number, Soul Urge number). The name is processed transiently on our server to derive these two numbers and is not stored, logged, or sent to any LLM provider — only the resulting integers are saved | Optional |
| Chat messages and dream journal entries | Free text you write to the AI guide or record in your dream journal, used to generate the responses and readings you request. Stored under your account until deleted (see Section 7) | Optional |
| Referral code | Credit attribution for invite rewards | Optional |
| Acceptance of Terms and Privacy Policy | Legal record of consent (GDPR Art. 7) — version and timestamp stored | Yes |
Birth-place autocomplete: when you type a birth place, the text you type is first matched against our own server-side place database; only if there is no match is the text — with no name, email, or other identifier attached — sent to a third-party geocoding service (Photon, operated by Komoot GmbH in Germany) to find matching places and their coordinates.
Data about other people you add: Some features let you enter another person's birth details (date, time, place) — to calculate a compatibility chart, or to save someone to your circle for quick access. You provide this data and are responsible for having the right to share it (see our Terms of Service). We use it only to compute the chart you requested and store it under your account; you can delete it at any time, and deleting your account removes it. Because we typically hold only a name and birth details for these people — with no way to contact them — we rely on the disproportionate-effort exception in GDPR Art. 14(5)(b) rather than notifying each person individually. If your birth details were entered by someone else and you want them removed, contact [email protected].
2.2 Information Collected Automatically
| Data Type | Purpose |
|---|---|
| IP address | Security, abuse prevention, and rate limiting. We do not derive your location from your IP address, and IP addresses are not written to our usage or crash telemetry |
| Device information | OS type, version, device model — for compatibility and debugging |
| Device identifier | Stable per-install ID used to bind your account to the device that registered it |
| Device timezone | Read once at signup to seed your profile timezone, which schedules notifications and daily content in your local time. Changed only explicitly in your account settings — never silently re-synced |
| Device attestation token | Apple App Attest / Google Play Integrity attestation, used at signup and for in-app purchases to confirm requests originate from a genuine, unmodified app instance |
| App version | Troubleshooting, feature availability |
| Usage data | Screens visited and feature-usage events, recorded under a random per-session identifier that is never stored on your device and never linked to your account — for first-party analytics and product improvement. No third-party analytics service receives this data |
| Crash and error reports | Identifying and fixing technical issues. Reports contain the technical error and the screen it occurred on; they are not linked to your account |
| Report download access events | When a sharable report download link is opened, we log a hashed IP (SHA-256 with a daily-rotating salt — we cannot recover the original IP), 2-letter country code, browser user-agent, HTTP Referer header (when sent), and timestamp. Used for fraud prevention and aggregated download analytics. We do not set tracking cookies or share these logs with third-party analytics providers. |
2.3 Information from Third Parties
We may receive information from:
- App stores — Apple App Store and Google Play share purchase, subscription, and refund events for the products you buy from us.
- Push notification providers — Firebase Cloud Messaging issues a device token we use to deliver notifications you have opted into.
- Sign-in providers — if you choose Sign in with Apple or Sign in with Google, we receive a signed identity token containing your email address and a stable account identifier, used only to create and authenticate your account. We never receive your password for those accounts and do not post to them.
You can create an account either with an email address and password or with Sign in with Apple or Sign in with Google. We do not support Facebook or other social-login providers.
2.4 Information We Retain After Account Deletion
When you delete your account, we hard-delete all of the data above except for one record: a counter of how many StarBind accounts have been created from your physical device (via the device identifier in §2.2). We keep only the count — not your account or any of its contents — in a separate table that has no link back to you. We rely on this counter under GDPR Art. 6(1)(f) (legitimate interests) to limit account-creation abuse.
We also retain anonymized audit-log entries (event type, hashed email, timestamp) sufficient to demonstrate that deletion, consent, and other security-relevant events occurred (GDPR Art. 5(2) accountability). These anonymized entries are retained for 24 months from the date of the event, after which they are deleted.
3. How We Use Your Information
3.1 Purposes and Legal Bases
We use your personal information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the Service — calculate natal charts, generate horoscopes, deliver readings | Contract performance |
| Create and manage your account | Contract performance |
| Process payments for premium features | Contract performance |
| Generate AI-powered content — daily horoscopes and interpretive readings via LLM | Contract performance / Legitimate interest |
| Send transactional communications — account verification, password resets, subscription updates, billing notifications | Contract performance |
| Send marketing communications — emails or push notifications about new features, content, or promotions | Consent — withdrawable at any time via your account settings or the unsubscribe link in any marketing email, without affecting the lawfulness of prior processing |
| Improve the Service — analyze usage patterns, fix bugs, develop new features | Legitimate interest |
| Limit account-creation abuse — count of accounts created per device (see §2.4) | Legitimate interest |
| Ensure security — detect fraud, prevent abuse, enforce our Terms | Legitimate interest |
| Operate sharable report download links — count downloads, log referrer and hashed IP for fraud prevention and aggregated analytics | Legitimate interest |
| Compute and store charts for other people you add — compatibility charts and people you save to your circle | Legitimate interest |
| Comply with legal obligations — respond to lawful requests, meet regulatory requirements | Legal obligation |
3.2 Automated Decisions and Profiling
We will never use your birth data, account information, or content you submit to make decisions based solely on automated processing that produce legal or similarly significant effects on you (GDPR Article 22). The natal-chart calculations and automatically generated readings the Service provides are entertainment content; they have no legal or contractual consequences for you.
4. AI and LLM Data Processing
We use third-party large language model (LLM) providers to generate personalized astrological content such as daily horoscopes and readings.
- What we send: De-identified astrological data (planetary positions, aspects, sign placements), plus any free text you choose to submit to an AI feature (such as chat messages or dream descriptions) and the display nicknames you set for yourself or for people in your circle, where a feature uses them (for example, compatibility readings). We do not send your email, birth date, birth location, full birth name, or any other directly identifying account information to LLM providers.
- Data retention by LLM providers: We contractually require that LLM providers do not retain your data beyond the immediate processing request.
- No training: Your data is not used to train third-party AI models.
5. How We Share Your Information
We do not sell your personal information. We rely on the following named sub-processors to operate the Service:
| Sub-processor | Purpose | Data shared | Region | Transfer mechanism |
|---|---|---|---|---|
| Google LLC (Vertex AI / Gemini + Firebase Cloud Messaging) | Automatically generated horoscopes, readings, chat responses, and astrology reports; push notification delivery | De-identified astrological data; free text you submit in chat or dream entries; push device tokens; notification body | LLM processing: European Union (Vertex AI EU multi-region). Push delivery: United States | EU-US Data Privacy Framework (Google LLC self-certified) and EU Standard Contractual Clauses (Google Cloud Data Processing Addendum) |
| OpenAI, L.L.C. (OpenAI API) | Automatically generated images, such as shareable cosmic artwork | The de-identified prompt text describing the image to generate (astrological themes — no name or birth details) | United States | EU Standard Contractual Clauses (OpenAI Data Processing Addendum); we request zero data retention and OpenAI does not use API data to train its models |
| Brevo (Sendinblue SA) | Transactional email — account verification, password reset, billing notifications | Email address; subject line and body of the message | European Union (France) | No third-country transfer required (EU→EU) |
| Cloudflare, Inc. | Static website hosting (landing pages, learn site, blog), content delivery network, DNS, share-link Worker, object storage (R2 — generated images, shareable report files, and app-update bundles), and privacy-preserving website analytics (Cloudflare Web Analytics — cookieless, no cross-site tracking) | IP address; standard web request data (URL, headers, user-agent); images and report files generated for you and stored in R2; aggregate page-view and performance metrics | United States with EU edge network | EU Standard Contractual Clauses |
| Microsoft Corporation (Microsoft Azure) | Primary server infrastructure for the API, database, and caching; application monitoring (server logs plus the usage and crash telemetry described in Section 2.2) | All data described in Section 2, at rest | European Union | No third-country transfer required (EU→EU); processing governed by the Microsoft Products and Services Data Protection Addendum |
| Komoot GmbH (Photon geocoder) | Birth-place autocomplete — turning the place name you type into coordinates for your chart, queried only as a fallback when our own server-side place cache has no match | The place text you type (e.g. "Sofia"); no name, email, or other identifier is attached | European Union (Germany) | No third-country transfer required (EU→EU) |
| Apple Inc. (App Store) | In-app purchase processing, subscription management, receipt validation | Payment confirmations, subscription state, transaction identifiers (we never receive card numbers) | United States | Apple Paid Apps Agreement |
| Google LLC (Google Play) | In-app purchase processing, subscription management, receipt validation | Payment confirmations, subscription state, transaction identifiers (we never receive card numbers) | United States | Google Play Developer Distribution Agreement |
| Law enforcement and regulators | When legally required or to protect our rights, your rights, or the rights of others | As required by applicable law | Varies | As permitted by applicable law |
We require all sub-processors to process your data only on our behalf, in accordance with our written instructions, and subject to confidentiality and applicable data protection laws. We will update this list before engaging a new sub-processor; material changes will be communicated to you under Section 13.
6. Cookies and Tracking Technologies
6.1 What We Use
| Technology | Purpose | Duration |
|---|---|---|
| Essential cookies and local-storage tokens | Authentication, session management, security | Session / up to 12 months |
| Cloudflare Web Analytics (public website only — landing, learn, blog) | Aggregate page-view and performance statistics — cookieless, no device storage, no cross-site tracking | No cookie or stored identifier |
The Service uses only strictly necessary cookies and similar local-storage tokens (such as your authentication token) required to operate. These are exempt from prior consent under ePrivacy Directive Article 5(3) and the Bulgarian Electronic Communications Act.
We do not use advertising, behavioral-tracking, or third-party tracking cookies, and we do not profile you or track you across other websites. Our first-party usage telemetry (Section 2.2) sets no cookies and stores no identifiers on your device. Our public website (landing, learn, and blog pages) uses Cloudflare Web Analytics, a privacy-preserving, cookieless analytics tool: it sets no cookies, stores nothing on your device, does not fingerprint you, and does not track you across websites — so it too is exempt from prior consent under ePrivacy Directive Article 5(3). If we introduce non-essential cookies in the future, we will request your consent through a cookie banner before placing them and update this Privacy Policy.
6.2 Your Choices
You can control cookies through your browser settings. Disabling essential cookies will prevent you from signing in to or using the Service.
6.3 Do Not Track
We currently do not respond to "Do Not Track" browser signals, as there is no industry-standard protocol for compliance.
6.4 Global Privacy Control (GPC)
We honor Global Privacy Control signals. If your browser sends a GPC signal, we will treat it as a valid opt-out of any data sharing covered by applicable state laws.
7. Data Retention
We keep each category of personal data only for as long as it is needed to provide the Service to you. Where a fixed period isn't meaningful, we delete data after a defined period of inactivity. Specifically:
| Data | Retention Period |
|---|---|
| Your account and the content you create or save in it (other than chat conversations) | Until you delete it. Inactive accounts are deleted 24 months after the last sign-in. |
| Chat conversations (the messages you send and the responses you receive) | Deleted 12 months after the conversation's last message |
| Usage and crash telemetry (session-scoped, never linked to your account) | Up to 24 months |
| Anonymized audit-log entries (post-deletion accountability records — see §2.4) | 24 months from the date of the event |
| Payment records | As required by Bulgarian tax and accounting law (10 years — Accountancy Act art. 12) |
| Server logs | Up to 90 days |
| Report download access logs | 90 days |
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Salted password hashing (passwords are never stored in plaintext).
- Access controls limiting employee access to personal data on a need-to-know basis.
- Regular security assessments.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
9. Access by StarBind Staff
We strictly separate the data our staff can routinely view from content you create inside the Service.
Operational metadata — Authorised staff can view your account email, account status, subscription tier and free-credit balances, transaction history (records of purchases, spends, and refunds — without the prompt or response text of any individual feature), device identifier, the IP addresses recorded on security audit events (consent records, password changes, failed device-attestation attempts), and audit-log events. We use this access to provide support, process billing and refunds, prevent fraud, and enforce our Terms.
User-generated content — Conversations you have through the Service, dream journal entries you write, custom names and birth data you save for other people in your circle, and image-generation prompts you submit are not routinely accessible to staff. Staff review such content only when:
- it is automatically flagged by our safety systems (for example, content blocked by the provider's safety classifiers or matched against patterns we use to detect prompt injection or abuse),
- you report it to us through an in-app or written report, or
- we are required to produce it under valid legal process.
Each instance in which staff access user-generated content is logged in our audit log and is auditable.
10. International Data Transfers
Your data is primarily processed and stored on servers located in the European Union. Some sub-processors listed in Section 5 process specific, limited data in the United States under the safeguards described there. If you access the Service from outside the EU, your information may be transferred to and processed in a country with different data protection laws.
For EU/EEA/UK users: Where we transfer personal data outside the EU/EEA/UK, we rely on:
- EU-US Data Privacy Framework (where the receiving organization is certified under the Framework), or
- Standard Contractual Clauses approved by the European Commission.
You may request a copy of the applicable safeguards by contacting us.
11. Your Rights
11.1 For All Users
Regardless of your location, you may:
- Access your personal data through your account settings, including a full JSON export of everything we hold about you.
- Update or correct your information through your account settings.
- Delete your account and associated data through the Service. Deletion is hard — all account data is removed in a single transaction, except as described in §2.4.
11.2 For EU/EEA/UK Users (GDPR)
Under the General Data Protection Regulation, you have the following additional rights:
- Right of access — request a copy of all personal data we hold about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure ("right to be forgotten") — request deletion of your data.
- Right to restrict processing — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including profiling.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority is the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни / КЗЛД), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria — https://www.cpdp.bg.
11.3 For California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:
- Know what personal information we collect, use, and share.
- Delete your personal information.
- Opt out of the sale or sharing of your personal information. We do not sell your personal information.
- Non-discrimination — we will not discriminate against you for exercising your rights.
To submit a request, contact us at [email protected]. We will verify your identity before processing your request.
11.4 For Residents of Other US States
If you reside in Colorado, Connecticut, Virginia, Utah, or other states with consumer privacy laws, you may have similar rights to access, delete, correct, and opt out of certain data processing. Contact us at [email protected] to exercise your rights.
12. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will promptly delete such information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Posting the updated policy on the Service with a new "Last Updated" date.
- Sending you an email notification at least 30 days before the changes take effect.
Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Address: STORMVIBE Ltd. (EIK 208809995, VAT BG208809995), 27E Srebarna Street, Bldg. 7, Entr. A, Apt. A2, Lozenets District, Sofia 1407, Bulgaria
For EU/EEA data protection inquiries: contact us at the address above. The Company is established in the European Union (Bulgaria) and an Article 27 representative is not required.
This Privacy Policy was last updated on 2026-07-02.