Privacy Policy

Last updated: May 27, 2026 (rev. 4) · GDPR & ePrivacy compliant

Who we are
What we collect
Why we collect it
Legal basis (GDPR)
Who we share with
Advertising (Free tier)
How long we keep it
Your rights
Cookies
Security
Children
Where your data is processed
Changes
Contact

1. Who we are

EML MEDIA DOO ("we", "us", "AstroNoir.ai") is the data controller of your personal data. We are registered in the Republic of Serbia at Heroja Maričića 93, 36000 Kraljevo (Reg. 21632392 · PIB 112236243). For all privacy questions, contact [email protected].

2. What we collect

Account & profile data

Name, email address, password (stored as a bcrypt hash — never in plaintext)
Birth date, birth time (where known), birth place — required for astrological calculations
Gender, current city, language preference, persona preference

Content data

Dream-journal entries you submit
AI chat messages with our astrology assistant
Report ratings and feedback

Profile insights (derived data)

From your conversations with our AI Chat, your dream-journal entries, your ratings, and your interactions with the Service, we build an internal "personality profile" that helps us calibrate the tone, depth, and focus of the content we generate for you. This profile is:

derived only from data you have already provided to us (chat, journal, ratings) — we do not buy or import data from third parties;
stored alongside your account on our infrastructure, never sold, never shared with anyone outside our processing chain;
visible to you on request — email [email protected] for a snapshot;
deleted when you delete your account, and resettable on request at any time.

Usage & technical data

Pages visited, features used, timestamps (for product analytics and abuse detection)
IP address, browser type, device type, operating system
Session cookie identifier

Payment data

Processed entirely by our payment channels — Google Play (Google LLC) for Android-app purchases, and Dodo Payments, Inc. for web/PWA purchases. We never see or store your payment card details, CVV, or bank information on either channel.
For Android purchases: we receive a Google Play purchase token, the email address associated with your Google account, and the subscription status.
For web/PWA purchases: we receive a Dodo Payments customer ID and subscription/payment ID, the email address you used at checkout, billing country (for tax routing), and the subscription status.

Advertising data (Free tier)

If you use the Free tier, Google AdMob may collect device identifiers (Android Advertising ID), IP address, and contextual signals to serve relevant ads. This data is processed by Google LLC under their own privacy policy. We do not receive or store any individual-level advertising data.

3. Why we collect it

To calculate your personalized astrological charts and reports
To deliver daily, weekly, monthly, and alert content tailored to you
To process subscription payments and manage billing through our payment channels (Google Play for Android-app purchases, Dodo Payments for web purchases)
To display Google-served advertisements to Free tier users (see section 5a)
To send transactional emails (welcome, password reset, billing notifications, alerts)
To send push notifications (only with your explicit consent)
To detect abuse, fraud, and to enforce our Terms of Service
To improve the Service through aggregated, non-identifying analytics

4. Legal basis (GDPR)

Contract performance — for delivering the Service you signed up for and processing your subscription.
Consent — for push notifications, optional analytics, and marketing emails. You can withdraw consent at any time from your settings.
Legitimate interest — for security, fraud prevention, and product improvement, balanced against your privacy rights.
Legal obligation — for tax, accounting, and consumer-protection record-keeping.
AI model training — improving our self-hosted AI engine on anonymized service content, under legitimate interest, with the right to object as described in section 10a of our Terms of Service.

We do not sell your personal data. We share it only with the following processors, each bound by a Data Processing Agreement:

Google LLC (Google Play) — payment processing, subscription management, billing, and tax handling for purchases made inside the Android app.
Dodo Payments, Inc. (Delaware, USA) — payment processing, subscription management, billing, sales-tax / VAT collection, and invoicing for purchases made on the AstroNoir.ai website and installed PWA. Dodo acts as our Merchant of Record for these transactions: they invoice the customer, collect and remit applicable taxes in your jurisdiction, and handle refund and chargeback flows under their own policies. Importantly, for the payment data Dodo collects from you directly at checkout (name, billing address, card identifiers, payment records), Dodo is an independent data controller, not our processor — that data is governed by Dodo's own Privacy Policy, and Dodo decides how long to retain it and under what safeguards.
Google LLC (AdMob / Google Ads) — advertising delivery to Free tier users. Google may use device identifiers and contextual signals to serve relevant ads in accordance with Google's Privacy Policy.
Google LLC (Maps Geocoding API) — resolving birth place to coordinates and timezone. Only the place name string is sent; no personal data beyond that.
Google LLC (Google Analytics 4 / Tag Manager) — first-party product analytics measuring feature usage and engagement across our website and app. Loaded only with your consent in the UK/EU/EEA/Switzerland (Google Consent Mode v2). Governed by Google's Privacy Policy.
Twilio SendGrid Inc. (US) — transactional email delivery.
AI inference — handled in-house by our self-hosted AI engine, with all language models, prompt architecture, and inference orchestration operated by us end-to-end. Your data is never shared with any third-party AI provider. See the dedicated note below.

We may disclose data if required by law, court order, or to protect our legal rights.

A note on AI processing — and why we built AstroNoir this way

Every AI feature on AstroNoir — chat, dream interpretation, horoscope generation, personality profiling — runs on our own self-hosted AI engine: language models we operate, an astrology-specialized prompt architecture we have engineered ourselves, and a continuous calibration system that adapts the AI to each user's history. The entire stack is built and run by us, in-house, end-to-end.

We do not send your data to OpenAI, Anthropic, Google Gemini, or any other third-party AI provider. Your conversations, your dream entries, and the personality profile derived from them stay inside the AstroNoir system and never leave it — we control the model, the inference stack, and the storage.

This is a deliberate privacy and architectural choice. It is one of the reasons we built AstroNoir, and we intend to keep it that way as we grow — even when we eventually need more compute than a single server can provide, the AI processing will remain inside our own controlled environment, never outsourced to an external AI API.

5a. Advertising (Free tier)

Free tier users may see advertisements delivered by Google AdMob. In connection with ad delivery, Google LLC may collect and process:

Android Advertising ID (AAID) — a resettable device identifier used for ad targeting and frequency capping;
IP address and approximate location — for geo-targeted ads and fraud prevention;
App usage signals — to serve contextually relevant ads.

This processing is carried out by Google LLC under its own privacy policy and is governed by Google's ad technology terms. We do not receive or process any individual-level advertising data from Google. You can reset or opt out of ad personalisation at any time in your Android device settings under Privacy → Ads, or at adssettings.google.com. Upgrading to a paid plan removes all advertising from the Service.

6. How long we keep it

Account & profile data — retained until you delete your account.
Generated reports — retained until you delete your account.
Dream-journal entries & chat history — retained until you delete them, or your account.
Activity logs — 90 days, then deleted.
Payment & invoice records — 5 years (legally required for tax and accounting).

7. Your rights

Under the GDPR and similar laws, you have the right to:

Access — request a copy of the personal data we hold about you;
Rectification — correct inaccurate data (most fields are editable in your settings);
Erasure — request deletion of your account and associated data ("right to be forgotten");
Portability — receive your data in a machine-readable format;
Restriction — ask us to limit how we use your data;
Objection — object to processing based on legitimate interest;
Withdraw consent — at any time, for any consent-based processing;
Lodge a complaint — with the Serbian Commissioner for Information of Public Importance and Personal Data Protection, or your local EU supervisory authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies

We use a single essential session cookie (astronoir_session / connect.sid) required to keep you logged in. For product analytics we also use Google Analytics 4, loaded via Google Tag Manager (both Google LLC), which set first-party measurement cookies (e.g. _ga) so we can understand feature usage and engagement. Analytics cookies are consent-based: in the UK, EU/EEA and Switzerland they load only after you accept our cookie banner — we run Google Consent Mode v2, which denies analytics and advertising storage by default until you consent; in other regions they are enabled by default and you can opt out via the banner. We do not run cross-site advertising or behavioural-profiling cookies on our web pages. On the Android app, Google AdMob may use the Android Advertising ID (not a browser cookie) to deliver ads to Free tier users — see section 5a above. For full details see our Cookie Policy.

9. Security

All traffic is transmitted over HTTPS/TLS.
Passwords are hashed with bcrypt (never stored or logged in plaintext).
Sessions use signed, HTTP-only cookies.
Database backups are encrypted at rest.
Access to production systems is restricted and logged.

No system is perfectly secure. If you discover a vulnerability, please report it responsibly to [email protected].

10. Children

The Service is not directed at children under 16. We do not knowingly collect data from anyone under 16 without verifiable parental consent. If you believe a minor has registered, contact us and we will delete the account.

11. Where your data is processed

AstroNoir runs on a deliberately split infrastructure so that we can apply the right level of control to each kind of data:

AI processing (chat, dream interpretation, personality profile, horoscope generation) — handled by our self-hosted AI engine: language models we operate, a domain-specialized prompt architecture, and a continuous calibration layer, all running on infrastructure under our direct control. We operate the models, the inference orchestration, and the storage; nothing in this layer is delegated to a third-party AI provider. Today this runs from a private GPU server operated by EML MEDIA DOO; as we grow, this layer may expand to dedicated GPU instances at infrastructure providers (e.g. Vultr, Hetzner) under enterprise data-processing agreements that prohibit any inspection or use of your data by the host. The principle does not change: the AI runs inside our pipeline and within our system.
Web application & primary database — hosted by Vultr (Constant Connect Inc.). This is where account data, generated reports, dream-journal entries, and metadata live. Where data leaves the EU (including transfers to the US), it is covered by appropriate safeguards (Standard Contractual Clauses under GDPR Article 46).
Email delivery — Twilio SendGrid Inc., under SCCs.
Payment processing — Android app — Google LLC (Google Play), under Google's own privacy and transfer safeguards.
Payment processing — web / PWA — Dodo Payments, Inc. (Delaware, USA), acting as Merchant of Record under its own privacy policy and tax-registration footprint. Dodo handles tax remittance in EU, UK, US and other jurisdictions where required. For payment data Dodo collects directly from you at checkout, Dodo is an independent controller (not our processor); transfers of that data to the US are covered by Dodo's own Standard Contractual Clauses and other Article 46 safeguards.
Maps & geocoding — Google LLC; only the place-name string you submit is sent.

EML MEDIA DOO is a Serbian-registered company subject to Serbia's Personal Data Protection Act (largely modeled on GDPR). Any transfer of EU-origin data outside the EU — to Serbia, the US, or any other jurisdiction — is covered by Article 46 safeguards. We may move portions of this infrastructure into EU regions in the future, and we will update this page if we do.

12. Changes

We may update this Privacy Policy from time to time. Material changes will be announced by email and/or a banner on the Service. The "Last updated" date at the top of this page reflects the current version.

13. Contact

Questions, requests, or complaints? Email [email protected] or write to EML MEDIA DOO, Heroja Maričića 93, 36000 Kraljevo, Republic of Serbia.