Privacy Policy

Effective: May 16, 2026

1. Who we are

Astrabloom (“Astrabloom”, “we”, “us”) operates this website. We are based in California. The person responsible for our privacy practices can be reached at hello@astrabloom.app.

2. Who can use Astrabloom

Astrabloom is a parent-facing planner. Only the adult parent or legal guardian creates an account and pays for the subscription. Children are not intended to sign up, access a sign-in screen, or enter personal information themselves. Our service is not directed at children under 13, and we do not knowingly collect personal information from children under 13. (See “Children's privacy” below.)

3. Information we collect

From the parent (you)

  • Account email address and password (Supabase Auth).
  • Optional display name.
  • Subscription metadata (plan, status, renewal date).
  • Beta-code redemption history if you redeem a beta code.

From your device

  • Session cookies required to keep you logged in.
  • In our current configuration, we do not use analytics, advertising, or third-party tracking pixels.

About each child (entered by you)

  • First name or nickname.
  • Activities you assign and schedule blocks the child arranges.

We do not intentionally collect children's locations, photos, voices, biometrics, contact information, school information, or messages. We do not provide open-ended chat or comment functionality in the app.

4. How we use the information

  • To run the schedule builder for your account.
  • To process your subscription via Stripe. We do not receive or store card numbers.
  • To send essential transactional emails related to your account and billing.
  • To debug and improve reliability via server-side logs.

We do not sell or share personal information for cross-context behavioral advertising.

5. Service providers

  • Supabase — hosts our database and authentication.
  • Stripe — processes payments and stores card information on our behalf.
  • Vercel — hosts the website.

Each provider acts as a service provider or processor under contract. Based on our agreements with these providers, they are not permitted to sell or use your data for their own marketing purposes. You may wish to review each provider's own privacy documentation for their independent data practices.

6. Your rights

California (CCPA / CPRA)

  • Right to know / access: email hello@astrabloom.app to request disclosure of the categories and specific pieces of personal information we maintain, subject to identity verification where applicable law requires it.
  • Right to correct: you may edit your profile and your children's profiles in the app at any time.
  • Right to delete: the “Delete account” button on your Account page removes your account data, including schedules and beta redemptions, and initiates cancellation of your Stripe subscription. Certain data may be retained as required by law or by our service providers' own compliance obligations.
  • Right to limit sensitive data: we do not knowingly collect sensitive personal information as defined under CPRA.
  • No sale or share: we do not sell or share personal information for cross-context behavioral advertising. See “Do Not Sell or Share My Personal Information”.

EU/UK (GDPR / UK GDPR)

You have the same access, correction, and deletion rights described above. Our lawful bases are: performance of contract (subscription services) and consent (child profile data, provided via parental attestation at signup). You may lodge a complaint with your local supervisory authority.

7. Children's privacy (COPPA, GDPR-K)

Astrabloom is designed for parents. We do not knowingly collect personal information from anyone under 13 (US) or under 16 (EU/UK, where applicable by jurisdiction). Child profiles contain only what the parent enters. Parents may edit or delete a child's profile at any time from the Kids dialog; deletion is designed to cascade to associated schedules.

8. Data retention

We retain your data while your account is active. Following account deletion, we aim to purge personal data within approximately 30 days, except where retention is required by law or by our service providers' compliance obligations. Stripe retains payment records pursuant to their own compliance requirements, currently understood to be approximately 7 years, though this is subject to Stripe's policies.

9. Security

We use Supabase Auth with hashed passwords, HTTPS for data in transit, and Postgres row-level security intended to limit each parent's access to their own family's data. No security measure is infallible, and we cannot guarantee absolute protection against all threats.

10. Changes

If we make material changes to this policy, we will endeavor to notify account holders by email at least 30 days before the change takes effect.

11. Contact us

Email hello@astrabloom.app. We aim to respond to verifiable consumer requests within the timeframes required by applicable law, including the 45-day window under CPRA where it applies.