Privacy Policy
Noviluna (noviluna.app) Last updated: July 3, 2026 · Version: 0.1 (draft)
Noviluna processes data that says a lot about you: when and where you were born, and what you talk about with your guide. We take that seriously. This policy explains, plainly, what data we process, why, on what legal basis, and what rights you have.
The essentials in three lines: your conversations and your birth data are never sold, never shared with third parties for advertising, and never used to train artificial intelligence models — not ours, not anyone's.
1. Data controller
- Controller: Oscar de la Torre (Spain)
- Privacy contact: privacidad@noviluna.app
- Website: https://noviluna.app
[To be completed before publication: postal contact address and, where applicable, tax ID / final legal form.]
2. What data we process
| Category | Data | Source | |---|---|---| | Account | Email, password (encrypted), language, country | Provided by you at sign-up | | Astral profile | Date, time, and place of birth (yours and of any additional profiles you create) | Provided by you during onboarding | | Conversations | The content of your chats with the guide and your tarot readings | Generated by you while using the service | | Subscription and payments | Plan, subscription status, purchase history. We do not store card details — they are handled by our payment processor | Purchase process | | Technical usage | Technical logs (errors, performance) and aggregate analytics. With Plausible, always cookieless; with Google Analytics, with cookies only if you accept the cookie banner | Use of the service |
On the sensitivity of this data: your date, time, and place of birth — and above all the content of your conversations (which may include relationships, work, or emotional wellbeing) — are data of high practical sensitivity, even where they do not all formally qualify as "special categories" under Article 9 GDPR. We treat all of it at the highest protection level: encryption at rest and in transit, per-user isolation at the database level, and internal access restricted to the strict minimum. If, in a conversation, you disclose data that does fall under a special category (for example, about your health), it is processed only to deliver the service you requested, on the basis of your explicit consent, and with the same safeguards.
Data minimization: we do not ask for data we do not use. Your astral chart is calculated from your birth data and stored; we collect nothing else "just in case."
3. Why we use your data and on what legal basis
| Purpose | Legal basis (GDPR) | |---|---| | Providing the service: calculating your chart, generating readings, maintaining your conversation memory | Performance of contract (Art. 6(1)(b)) | | Processing sensitive content you choose to share in your conversations | Explicit consent (Art. 9(2)(a)), which you may withdraw at any time | | Managing your subscription, payments, and billing | Performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) | | Sending transactional emails (confirmations, billing notices, security) | Performance of contract (Art. 6(1)(b)) | | Sending product updates (optional) | Consent (Art. 6(1)(a)) — one-click unsubscribe in every email | | Security, fraud prevention, and debugging | Legitimate interest (Art. 6(1)(f)) | | Aggregate, anonymous usage analytics with Plausible (cookieless) | Legitimate interest (Art. 6(1)(f)) | | Usage analytics with Google Analytics (with cookies) | Consent (Art. 6(1)(a)) — withdraw anytime, see Cookie Policy |
4. What we do NOT do with your data
- We do not train AI on your data. Your conversations are sent to our inference provider solely to generate the response you requested, under a contract that prohibits their use for model training.
- We do not sell your data. To anyone, ever, under any label ("sharing with partners" included).
- We do not advertise with your data, nor allow third parties to do so.
- We make no automated decisions with legal effects about you (Art. 22 GDPR). Readings are entertainment content, not assessments with legal consequences.
5. Who we share data with (processors)
Only with the providers strictly required to run the service, all under data processing agreements (Art. 28 GDPR) and, where transfers outside the EEA are involved, covered by Standard Contractual Clauses or another valid mechanism:
| Provider | Role | Data | |---|---|---| | Supabase | Database and authentication | Account, astral profile, conversations (encrypted) | | Vercel | Application hosting | Technical request data | | Anthropic | AI inference (response generation) | The conversation content needed, with no training use | | Lemon Squeezy (Merchant of Record) | Charges, invoicing, and taxes (VAT/OSS) | Email and payment data (we never see your card) | | Resend | Transactional email | Email | | Plausible | Aggregate, cookieless analytics | Aggregate data, no personal identifiers | | Google Analytics | Usage analytics with cookies, only if you accept the banner | Aggregate browsing data, truncated IP | | Sentry | Error logging | Technical data, scrubbed of personal content where possible |
All these providers operate under valid international transfer mechanisms (EU Standard Contractual Clauses or an equivalent safeguard where the provider sits outside the EEA).
6. How long we keep your data
- Account and conversations: for as long as your account is active. If you delete it, we erase your data within a maximum of 30 days (except technical backups, purged within a maximum of 90 days).
- Inactive accounts: if you do not use the service for 24 months, we will notify you and, absent a reply, delete the account.
- Billing data: for the periods required by applicable tax and commercial law (generally up to 6 years).
- Technical logs: maximum 12 months.
7. Your rights
You may exercise, at any time and free of charge, your rights of:
- Access — know what data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — delete your account and your data. You can also do this directly from your account, without asking us.
- Objection and restriction of processing.
- Portability — download your data (profile and conversations) in a structured, machine-readable format, directly from your account.
- Withdrawal of consent at any time, without affecting the lawfulness of prior processing.
Write to privacidad@noviluna.app and we will respond within one month at most. If you believe we have mishandled your data, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es) or with your local supervisory authority.
8. Minors
Noviluna is for people aged 16 and over. We do not direct the service at minors nor knowingly collect their data; if we detect an account belonging to someone under 16, we will delete it.
9. Security
We apply encryption in transit (TLS) and at rest, per-user data isolation (row-level security), internal access controls, and incident logging. In the event of a security breach posing a risk to your rights, we will notify you and the supervisory authority in accordance with Arts. 33 and 34 GDPR.
10. Changes to this policy
If we change anything material, we will notify you by email or in the app before it takes effect, with a clear summary of what changes. We will never weaken your essential guarantees (no selling, no advertising, no AI training) without your express consent.
Draft generated — pending professional legal review.