Reports Privacy Policy
Version: 1.0
Last Updated: 2026-06-06
Effective Date: 2026-06-06
⚖️ DRAFT — pending review by qualified legal counsel (BG/EU). Do not treat as final legal text. Clauses marked
[[NEEDS LAWYER]]require explicit counsel sign-off.
This policy covers one-off report purchases at starbind.me/reports ("StarBind Reports"). The StarBind app is a separate product with heavier account features and its own Privacy Policy. If you use both, each policy covers its own product; your data is not merged beyond what Section 7 describes.
1. Data Controller
- Controller: STORMVIBE Ltd. (EOOD), EIK 208809995, VAT BG208809995, 27E Srebarna Street, Bldg. 7, Entr. A, Apt. A2, Lozenets District, Sofia 1407, Bulgaria — [email protected]
- The Company is established in the European Union (Bulgaria); a GDPR Article 27 representative is not required.
2. What We Collect and Why
StarBind Reports is deliberately light: no account, no password, no age verification, no advertising or cross-site tracking. We collect only what a purchase needs:
| Data | When | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Email address | At checkout (collected by Stripe), gift redemption, or library sign-in | Deliver your report, operate your library, send order emails | Art. 6(1)(b) contract |
| Birth data — date, time (or "unknown"), birth place and its coordinates; for compatibility reports, the same for the second person | Order form | Compute the chart and generate the report | Art. 6(1)(b) contract |
| Report preferences — report type, language, relationship flavor or focus area | Order form | Generate the right report | Art. 6(1)(b) contract |
| Consent record — your email, IP address, the terms version you accepted, timestamp | At checkout | Prove the contract and your withdrawal-waiver consent | Art. 6(1)(c) legal obligation + Art. 6(1)(f) |
| Payment data | Stripe checkout | Payment processing — handled by Stripe; we never receive card numbers | Art. 6(1)(b) contract |
| Gift details — recipient email (optional), your name and message (optional) | Gift purchase | Deliver the voucher and show your message to the recipient | Art. 6(1)(b) contract |
| One-time sign-in codes | Library sign-in | Passwordless access to your library | Art. 6(1)(b) contract |
| Share/download access events — hashed IP (SHA-256, daily-rotating salt — original IP unrecoverable), country code, browser user-agent, referrer, timestamp | When a report download link is opened | Fraud prevention, aggregated download statistics | Art. 6(1)(f) legitimate interest |
| Anti-abuse verification (Cloudflare Turnstile) | Checkout and data-deletion forms | Block bots and abuse — Turnstile is cookieless | Art. 6(1)(f) legitimate interest |
Birth-place autocomplete: when you type a birth place, the text you type is sent through our server to a geocoding service (Photon) to suggest matching places with coordinates. No name, email, or other identifier accompanies these queries.
What we deliberately do not do: no marketing or advertising trackers, no advertising cookies, no selling of data, no profiling, and no cross-site tracking. The only analytics we use is Cloudflare Web Analytics — cookieless, aggregate page-view statistics that store nothing on your device and cannot identify you (see Section 8). The only browser storage we use is also described in Section 8.
3. AI Generation
Report text and artwork are generated by Microsoft Azure OpenAI Service, deployed in EU regions only, under Microsoft's Data Protection Addendum. The generation request includes the birth data and chart data needed to write the report. Microsoft does not use this data to train its models. [[NEEDS LAWYER/OPS: confirm the Azure OpenAI abuse-monitoring human-review opt-out is in force before launch, per the DPA register.]]
4. Who We Share Data With
We do not sell personal data. We use these processors:
| Processor | Role | Data | Region / transfer |
|---|---|---|---|
| Stripe | Payment processing and checkout | Email, payment data; order details including your birth data are attached to the checkout session so your report can be generated after payment | Stripe Payments Europe (Ireland); transfers to Stripe, Inc. (US) covered by SCCs in Stripe's DPA [[NEEDS LAWYER: confirm Stripe entity + transfer description]] |
| Microsoft (Azure) | Report AI generation; API, database, and infrastructure hosting | Birth/chart data and generated report content; all stored data at rest | European Union (EU Data Boundary) |
| Brevo (Sendinblue SA) | Email delivery — order confirmation, download links, sign-in codes, gift vouchers, deletion confirmations | Email address, message content | European Union (France) |
| Cloudflare | Website hosting/CDN, Turnstile anti-abuse, and cookieless website analytics (Cloudflare Web Analytics) | IP address and standard web request metadata; aggregate page-view and performance metrics | US with EU edge network; SCCs |
| Photon geocoder | Birth-place autocomplete | The place text you type (no identifiers) | [[NEEDS LAWYER/OPS: confirm upstream instance + its region before launch]] |
5. How Long We Keep It
| Data | Retention |
|---|---|
| Report + its birth data | 24 months from purchase. The report then expires and its contents (birth data, chart data, generated text) are deleted. Download your PDF before expiry to keep it. |
| Purchase consent records | Retained to demonstrate consent and defend legal claims [[NEEDS LAWYER: exact period — accounting law requires up to 10 years for accounting documents; consent/limitation analysis needed]] |
| Accounting records | As required by Bulgarian tax and accounting law (typically up to 10 years) |
| One-time sign-in codes | Expire after 10 minutes; purged shortly after |
| Library sessions | Up to 24 hours (sign-in) / 60 minutes (post-checkout) |
| Payment-event records | 90 days, then deleted (Stripe retains its own records under its policy) |
| Share/download access logs | 90 days |
| Unredeemed gift vouchers | 12 months from purchase, then expire |
6. Your Rights — Including One-Click Erasure
You have the GDPR rights of access, rectification, erasure, restriction, portability, and objection. Two are built directly into the product:
- Erasure (Art. 17): use the Delete my data page. We email you a confirmation link (valid 24 hours); confirming permanently erases your purchased reports, gift vouchers you bought, sign-in codes, and your email address from our records. Retained afterwards, under legal obligation: purchase consent records and accounting entries, plus an anonymous, hash-only audit entry recording the erasure itself.
- Access/portability: your library lists everything we hold for your email; each report is downloadable as a PDF. For a structured data export beyond that, email [email protected].
For anything else: [email protected] — we respond within 30 days. You may lodge a complaint with the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria — https://www.cpdp.bg.
7. Third Parties' Data, Gifts, and the StarBind App
- Someone else's birth data (compatibility reports, redeeming a gift for another person's chart): the buyer confirms they may share it with us; it is used only to generate that report, is covered by the same 24-month retention, and is included in the buyer's erasure. If your data was used in someone else's report and you want it removed, contact [email protected].
[[NEEDS LAWYER: confirm Art. 14 information-duty handling for chart subjects who are not the buyer.]] - Gift purchases involve two people: the buyer (payment, consent) and the recipient (their email and the chart's birth data at redemption). Each can erase their own data via the deletion flow.
- App crossover: report purchases include a small bonus for the StarBind app (stardust credit) recorded against your purchase email. If you never use the app, this is never linked to anything else. If you have or later create an app account with the same email, the bonus attaches to it. The app's own Privacy Policy governs the app account.
8. Cookies and Browser Storage
StarBind Reports sets no cookies and uses no advertising or cross-site trackers. The only analytics we use is cookieless. We use:
| Item | Type | Purpose |
|---|---|---|
| Library sign-in token | localStorage (first-party) |
Keeps you signed in to your library — strictly necessary |
| One-time UI dismissal flag | localStorage (first-party) |
Remembers you dismissed an informational note |
| Cloudflare Turnstile | Embedded widget, cookieless | Anti-bot verification on forms |
| Cloudflare Web Analytics | Cookieless, no device storage | Aggregate page-view and performance statistics for the site |
The strictly necessary items above are exempt from consent under ePrivacy Directive Art. 5(3); Cloudflare Web Analytics is exempt because it is cookieless and stores nothing on your device. Payment happens on Stripe's own checkout pages (checkout.stripe.com), where Stripe's cookie policy applies. If we ever introduce non-essential cookies or analytics that require consent, we will ask first and update this policy.
9. Security
TLS for all transport; encryption at rest; access to production data restricted to authorized staff; unguessable single-purpose tokens for downloads, shares, sign-in, and erasure links; rate limiting and Turnstile on abuse-prone endpoints. No method of transmission or storage is 100% secure.
10. Children
StarBind Reports is not directed at children. Charts for minors may only be purchased by a parent or guardian. We do not knowingly process a child's data outside of birth data supplied by their parent/guardian for a report. [[NEEDS LAWYER: confirm this framing — gift/family chart purchases for minors are a normal use case.]]
11. Changes
We may update this policy. Material changes will be posted on this page with a new date; the version you accepted at purchase is recorded with your order.
12. Contact
- Email: [email protected]
- Address: STORMVIBE Ltd. (EIK 208809995, VAT BG208809995), 27E Srebarna Street, Bldg. 7, Entr. A, Apt. A2, Lozenets District, Sofia 1407, Bulgaria
This Reports Privacy Policy was last updated on 2026-06-06.