← Astro Notes

Privacy Policy

Astro Notes (astronotes.eu) · Last updated: 15 July 2026

1. Who is responsible

The data controller for Astro Notes is Marco Ferra, operating astronotes.eu. Contact for privacy matters:privacy@astronotes.eu.

2. What we store — and what we cannot read

Astro Notes is end-to-end encrypted. Your notes — including their titles and tags — are encrypted on your device with keys derived from your password. The server stores only ciphertext. We cannot read, recover, or hand over your note content, and a lost password can only be recovered with your recovery key.

We do store, in readable form, the minimum needed to run the service:

  • Your handle and/or email address (an email is optional).
  • A one-way hash of your login credential — never your password.
  • Encrypted note data, its size, and modification timestamps.
  • Which accounts a note is shared with, and their roles.
  • Hashed session tokens and subscription status.
  • Feedback you choose to send to Mission Control (message text and time), kept in readable form so it can be emailed to us and counted against your yearly allowance.
  • Server access logs containing IP addresses, kept for security and abuse prevention.

3. Why we process it (legal bases)

  • Operating your notes, sync, and sharing — performance of our contract with you (GDPR Art. 6(1)(b)).
  • Billing and invoicing for Orbit (the paid tier) — contract and legal obligations (Art. 6(1)(b), 6(1)(c)).
  • Security logging, rate limiting, and abuse prevention — our legitimate interest in keeping the service safe (Art. 6(1)(f)).

We do not profile you, sell data, or show advertising.

4. Who else is involved

ProviderPurposeLocation / transfers
Hetzner Online GmbHServer hostingGermany / EU
StripePayments, subscriptions, invoices (we never see card numbers)US — EU-US Data Privacy Framework, under a data processing agreement
Amazon Web Services (SES)Transactional email (verification messages)US (us-east-1) — EU-US Data Privacy Framework, under a data processing agreement
Grafana CloudAggregate service metrics — counts and latencies only, no personal dataEU (Frankfurt)
Sentry (Functional Software, Inc.)Error monitoring — diagnostics only, relayed through our own server; never note contentEU region

5. How long we keep it

DataRetention
Account and encrypted notesUntil you delete them or your account
Sessions30 minutes idle, 30 days at most
Security logs (IP addresses)30 days
Error diagnostics (at Sentry, no note content)90 days
Deleted-note stubs (id only, for device sync)Up to 90 days
Feedback messages (quota bookkeeping)400 days, or until account deletion
Database backups14 days, rotating; erased accounts are never restored from backup
Invoices (at Stripe)As required by tax law

6. Your rights

Under the GDPR you can:

  • Access and export — download all notes as Markdown from the app menu at any time.
  • Rectify — change your handle, email, or password in Account settings.
  • Erase — delete your account in Account settings. This destroys your data immediately and cancels any subscription.
  • Restrict or object to processing based on legitimate interest.
  • Complain to a supervisory authority — in Portugal, theCNPD — or the authority of your residence.

7. Cookies and local storage

Astro Notes sets no advertising or analytics cookies, and your browser loads nothing from third parties: the page talks only to our own server. Diagnostics for errors are relayed through that server to our monitoring provider (Sentry), never sent from your browser directly and never including note content. Your browser's local storage holds only what the app needs to function: your session, theme choice, and dismissed notices.

8. Security

Beyond end-to-end encryption: credentials are hashed with Argon2id, connections use TLS, session tokens are stored only as hashes, and the infrastructure is hardened and kept automatically patched. Should a breach nevertheless affect your data, we will notify the supervisory authority and, where required, you, per GDPR Arts. 33–34.

9. Children

Astro Notes is not directed at children under 16.

10. Changes

We will announce material changes to this policy in the app before they take effect.