DRAFT — pending legal review. Items marked [TO CONFIRM] must be settled before publication; remove this banner when done.

Privacy Policy

Astro Notes (astronotes.eu) · Last updated: [TO CONFIRM date]

1. Who is responsible

The data controller for Astro Notes is Marco Ferra [TO CONFIRM: trading name and postal address]. Contact for privacy matters: [TO CONFIRM: e.g. privacy@astronotes.eu].

2. What we store — and what we cannot read

Astro Notes is end-to-end encrypted. Your notes — including their titles and tags — are encrypted on your device with keys derived from your password. The server stores only ciphertext; we cannot read, recover, or hand over your note content, and a lost password can only be recovered with your recovery key.

We do store, in readable form, the minimum needed to run the service:

3. Why we process it (legal bases)

We do not profile you, sell data, or show advertising.

4. Who else is involved

ProviderPurposeLocation / transfers
Hetzner Online GmbH Server hosting Germany / EU
Stripe Payments, subscriptions, invoices (we never see card numbers) US — EU-US Data Privacy Framework [TO CONFIRM DPA]
Amazon Web Services (SES) Transactional email (verification messages) US (us-east-1) — EU-US Data Privacy Framework [TO CONFIRM DPA]
Grafana Cloud Aggregate service metrics — counts and latencies only, no personal data [TO CONFIRM stack region]

5. How long we keep it

DataRetention
Account and encrypted notesUntil you delete them or your account
Sessions30 minutes idle, 30 days at most
Security logs (IP addresses)30 days
Deleted-note stubs (id only, for device sync)Up to 90 days
Feedback messages (quota bookkeeping)400 days, or until account deletion
Database backups14 days, rotating; erased accounts are never restored from backup
Invoices (at Stripe)As required by tax law

6. Your rights

Under the GDPR you can:

7. Cookies and local storage

Astro Notes sets no advertising or analytics cookies and loads nothing from third parties. Your browser's local storage holds only what the app needs to function: your session, theme choice, and dismissed notices.

8. Security

Beyond end-to-end encryption: credentials are hashed with Argon2id, connections use TLS, session tokens are stored only as hashes, and the infrastructure is hardened and kept automatically patched. Should a breach nevertheless affect your data, we will notify the supervisory authority and, where required, you, per GDPR Arts. 33–34.

9. Children

Astro Notes is not directed at children under [TO CONFIRM: 16].

10. Changes

We will announce material changes to this policy in the app before they take effect.

← Back to Astro Notes