Privacy Policy

From the parent (you)

• Account email address and password (Supabase Auth).
• Optional display name.
• Subscription metadata (plan, status, renewal date).
• Beta-code redemption history if you redeem a beta code.
• Payment app handles you choose to save for Wishwell (for example Venmo, PayPal, or Cash App usernames), if you add them.

From your device

• Session cookies required to keep you logged in.
• A local copy of schedule data in your browser's localStorage so the builder can load quickly and work offline; this syncs with our database when you are signed in.
• In our current configuration, we do not use analytics, advertising, or third-party tracking pixels.

About each child (entered by you)

• First name or nickname.
• Schedule data: activities you assign and blocks arranged for that child in the builder.
• Wishwell registry data, if you use it: Sparks and Roots you create (names, descriptions, optional links, goal amounts, claim status, and similar fields you enter).

We do not intentionally collect children's locations, photos, voices, biometrics, contact information, school information, or messages. We do not provide open-ended chat or comment functionality in the app.

From gift givers (when someone uses your shared Wishwell link)

If you share a Wishwell link, people who visit it without signing in may submit:

• Name and email when contributing to a Spark.
• Optional note with a contribution or Root claim.
• Claimant name when claiming a Root.

We store this so you can see contribution history in your account and, when email is configured on our servers, so we can send the giver an optional confirmation email with a link to their printable Spark certificate.

• To run the schedule builder for your account.
• To run Wishwell when you create a registry and share a link, including showing givers the information you listed and your configured payment handles so they can pay you outside Astrabloom.
• To process your subscription via Stripe. We do not receive or store card numbers.
• To send essential transactional emails related to your account and billing, and—when our email provider is configured—optional Wishwell gift confirmation emails to contributors.
• To protect public gift endpoints with rate limiting (which may use a hashed IP address when configured).
• To debug and improve reliability via server-side logs.

We do not sell or share personal information for cross-context behavioral advertising.

Most of your account data stays behind your login. Wishwell is different by design: when you share a Wishwell link, anyone with that link can view a public page without signing in. Depending on what you entered, that page may show:

• The child's first name (derived from the name you entered).
• Sparks and Roots you listed, including descriptions and links.
• Contribution progress and claim status.
• Your configured payment app handles, formatted for display, so givers know where to send money.

You control whether to create Wishwell items and whether to share the link. Sharing the link is your choice—it is not the same as selling data to advertisers, but it does make limited child-related information visible to people you give the URL to (and anyone they forward it to).

• Supabase — hosts our database and authentication.
• Stripe — processes subscription payments and stores card information on our behalf.
• Vercel — hosts the website and application.
• Resend — sends optional Wishwell gift confirmation emails when email delivery is configured in our environment.
• Upstash — optional rate-limiting for public gift API endpoints when configured; otherwise rate limits use ephemeral in-server memory.

Each provider acts as a service provider or processor under contract. Based on our agreements with these providers, they are not permitted to sell or use your data for their own marketing purposes. You may wish to review each provider's own privacy documentation for their independent data practices.

California (CCPA / CPRA)

• Right to know / access: email hello@astrabloom.app to request disclosure of the categories and specific pieces of personal information we maintain, subject to identity verification where applicable law requires it.
• Right to correct: you may edit your profile and your children's profiles in the app at any time.
• Right to delete: the “Delete account” button on your Account page removes your account data, including schedules, Wishwell registry data, and beta redemptions, and initiates cancellation of your Stripe subscription. Certain data may be retained as required by law or by our service providers' own compliance obligations.
• Right to limit sensitive data: we do not knowingly collect sensitive personal information as defined under CPRA.
• No sale or share: we do not sell or share personal information for cross-context behavioral advertising. See Do Not Sell or Share My Personal Information.

EU/UK (GDPR / UK GDPR)

You have the same access, correction, and deletion rights described above. Our lawful bases are: performance of contract (subscription services) and consent (child profile data, provided via parental attestation at signup). You may lodge a complaint with your local supervisory authority.

Astrabloom is designed for parents. We do not knowingly collect personal information directly from anyone under 13 (US) or under 16 (EU/UK, where applicable by jurisdiction).

Child profiles contain only what the parent enters. A child may use the schedule builder on a parent's logged-in device, but they do not have their own account. Parents may edit or delete a child's profile at any time from Account settings; deletion is designed to cascade to associated schedules and Wishwell registry data for that child.

If you choose to share a Wishwell link, you are deciding to make limited information about that child visible to gift givers. That is separate from children signing up or us collecting information directly from them.

We retain your data while your account is active. Following account deletion, we aim to purge personal data within approximately 30 days, except where retention is required by law or by our service providers' compliance obligations. Stripe retains payment records pursuant to their own compliance requirements, currently understood to be approximately 7 years, though this is subject to Stripe's policies.

Printable Spark certificate links use opaque tokens and may remain usable until they expire or the related contribution is removed with account deletion.

We use Supabase Auth with hashed passwords, HTTPS for data in transit, and Postgres row-level security intended to limit each parent's access to their own family's data. Public Wishwell pages are intentionally accessible without login to anyone who has the link. No security measure is infallible, and we cannot guarantee absolute protection against all threats.