← Noviluna

Privacy Policy

Noviluna (noviluna.app) Last updated: July 3, 2026 · Version: 0.1 (draft)

Noviluna processes data that says a lot about you: when and where you were born, and what you talk about with your guide. We take that seriously. This policy explains, plainly, what data we process, why, on what legal basis, and what rights you have.

The essentials in three lines: your conversations and your birth data are never sold, never shared with third parties for advertising, and never used to train artificial intelligence models — not ours, not anyone's.


1. Data controller

[To be completed before publication: postal contact address and, where applicable, tax ID / final legal form.]

2. What data we process

| Category | Data | Source | |---|---|---| | Account | Email, password (encrypted), language, country | Provided by you at sign-up | | Astral profile | Date, time, and place of birth (yours and of any additional profiles you create) | Provided by you during onboarding | | Conversations | The content of your chats with the guide and your tarot readings | Generated by you while using the service | | Subscription and payments | Plan, subscription status, purchase history. We do not store card details — they are handled by our payment processor | Purchase process | | Technical usage | Technical logs (errors, performance) and aggregate analytics. With Plausible, always cookieless; with Google Analytics, with cookies only if you accept the cookie banner | Use of the service |

On the sensitivity of this data: your date, time, and place of birth — and above all the content of your conversations (which may include relationships, work, or emotional wellbeing) — are data of high practical sensitivity, even where they do not all formally qualify as "special categories" under Article 9 GDPR. We treat all of it at the highest protection level: encryption at rest and in transit, per-user isolation at the database level, and internal access restricted to the strict minimum. If, in a conversation, you disclose data that does fall under a special category (for example, about your health), it is processed only to deliver the service you requested, on the basis of your explicit consent, and with the same safeguards.

Data minimization: we do not ask for data we do not use. Your astral chart is calculated from your birth data and stored; we collect nothing else "just in case."

3. Why we use your data and on what legal basis

| Purpose | Legal basis (GDPR) | |---|---| | Providing the service: calculating your chart, generating readings, maintaining your conversation memory | Performance of contract (Art. 6(1)(b)) | | Processing sensitive content you choose to share in your conversations | Explicit consent (Art. 9(2)(a)), which you may withdraw at any time | | Managing your subscription, payments, and billing | Performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) | | Sending transactional emails (confirmations, billing notices, security) | Performance of contract (Art. 6(1)(b)) | | Sending product updates (optional) | Consent (Art. 6(1)(a)) — one-click unsubscribe in every email | | Security, fraud prevention, and debugging | Legitimate interest (Art. 6(1)(f)) | | Aggregate, anonymous usage analytics with Plausible (cookieless) | Legitimate interest (Art. 6(1)(f)) | | Usage analytics with Google Analytics (with cookies) | Consent (Art. 6(1)(a)) — withdraw anytime, see Cookie Policy |

4. What we do NOT do with your data

5. Who we share data with (processors)

Only with the providers strictly required to run the service, all under data processing agreements (Art. 28 GDPR) and, where transfers outside the EEA are involved, covered by Standard Contractual Clauses or another valid mechanism:

| Provider | Role | Data | |---|---|---| | Supabase | Database and authentication | Account, astral profile, conversations (encrypted) | | Vercel | Application hosting | Technical request data | | Anthropic | AI inference (response generation) | The conversation content needed, with no training use | | Lemon Squeezy (Merchant of Record) | Charges, invoicing, and taxes (VAT/OSS) | Email and payment data (we never see your card) | | Resend | Transactional email | Email | | Plausible | Aggregate, cookieless analytics | Aggregate data, no personal identifiers | | Google Analytics | Usage analytics with cookies, only if you accept the banner | Aggregate browsing data, truncated IP | | Sentry | Error logging | Technical data, scrubbed of personal content where possible |

All these providers operate under valid international transfer mechanisms (EU Standard Contractual Clauses or an equivalent safeguard where the provider sits outside the EEA).

6. How long we keep your data

7. Your rights

You may exercise, at any time and free of charge, your rights of:

Write to privacidad@noviluna.app and we will respond within one month at most. If you believe we have mishandled your data, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es) or with your local supervisory authority.

8. Minors

Noviluna is for people aged 16 and over. We do not direct the service at minors nor knowingly collect their data; if we detect an account belonging to someone under 16, we will delete it.

9. Security

We apply encryption in transit (TLS) and at rest, per-user data isolation (row-level security), internal access controls, and incident logging. In the event of a security breach posing a risk to your rights, we will notify you and the supervisory authority in accordance with Arts. 33 and 34 GDPR.

10. Changes to this policy

If we change anything material, we will notify you by email or in the app before it takes effect, with a clear summary of what changes. We will never weaken your essential guarantees (no selling, no advertising, no AI training) without your express consent.


Draft generated — pending professional legal review.