Privacy Policy

Review our Terms of Service for usage guidelines and visit the FAQ if you have quick questions. You can always contact our team for data requests.

Your Data, Your Universe

Celestial Holdings, a Washington state limited liability company ("Company," "we," "us," or "our"), operates the Clairvoya mobile application (the "App"). This Privacy Policy describes how we collect, use, and protect your personal information when you use the App. By using the App, you consent to the practices described in this policy.

1. Information We Collect

We collect information necessary to provide our astrology and spiritual guidance services:

  • Email Addresses: Encrypted using AES-256-GCM for newsletter subscriptions and contact forms
  • Contact Form Data: Name, email, subject, and message content with HTML sanitization
  • IP Addresses: Anonymized and hashed using SHA-256 for security and rate limiting
  • Usage Analytics: Microsoft Clarity and Google Analytics 4 for website optimization
  • Newsletter Preferences: Subscription status and management tokens
  • Device Information: Basic device type and browser information for compatibility

We do not collect payment information directly - all transactions are handled by secure third-party processors.

2. How We Use Your Information

We use your information solely to provide and improve our astrology services:

  • Newsletter Delivery: Send astrological insights, monthly horoscopes, and spiritual guidance via encrypted email
  • Customer Support: Respond to contact form submissions with sanitized HTML content
  • Security Protection: Rate limiting, bot detection, and fraud prevention using anonymized IP data
  • Service Improvement: Analytics data to optimize website performance and user experience
  • Legal Compliance: Maintain required records for data protection regulations
  • Account Management: Process newsletter subscription preferences and unsubscribe requests

We never use your data for marketing purposes beyond our newsletter service, and you can unsubscribe at any time.

3. Data Sharing and Disclosure

We do not sell or rent your personal data. However, we may share your information in the following cases:

  • Service Providers: We may share information with third-party providers who assist in operating our App, such as payment processors and cloud hosting services.
  • Legal Compliance: If required by law, we may disclose information to comply with legal obligations or protect our rights.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.

4. Data Security

We employ enterprise-grade security measures designed to meet SOC2 standards with comprehensive controls across all trust categories. Our security framework includes:

  • Enterprise Security Framework: Comprehensive controls aligned with SOC2 standards across Security, Availability, Processing Integrity, Confidentiality, and Privacy
  • Role-Based Access Control: Multi-level permissions with 19 granular access controls and automated quarterly reviews
  • Multi-Factor Authentication: TOTP, SMS, and hardware token support with 7-day grace period and 10 backup codes
  • Session Management: 30-minute inactivity timeout, 8-hour absolute timeout, maximum 3 concurrent sessions
  • Encryption at Rest: All sensitive data encrypted with AES-256-GCM using unique keys per data type
  • Password Hashing: Email addresses hashed with Argon2id for newsletter subscriptions
  • Content Security Policy: Strict CSP prevents XSS attacks and unauthorized script execution
  • Bot Detection: Advanced bot protection on all forms using industry-leading detection services
  • Rate Limiting: Contact forms limited to 1 submission per IP per day; newsletter signups rate-limited
  • Input Sanitization: All user inputs filtered for malicious content and HTML sanitized
  • Timing-Safe Operations: All cryptographic comparisons use timing-safe algorithms
  • Data Classification: 5-tier classification system (Public, Internal, Confidential, Restricted, Personal) with automated handling rules
  • Automated Security Scanning: Continuous vulnerability scanning using Snyk with SLA-based remediation (Critical: 7 days, High: 30 days)
  • Real-time Monitoring: Anomaly detection, threshold-based alerting, and incident response procedures
  • Data Retention: Automated cleanup with specific retention periods per data classification (maximum 7 years for audit logs)
  • Incident Response: 4-tier severity classification with 5-phase response process and documented timelines

Our comprehensive security framework ensures continuous monitoring, automated control testing, and systematic evidence collection designed to meet SOC2 standards. While we implement enterprise-grade security measures, no method of transmission over the internet is 100% secure. We continuously monitor and update our security practices to maintain the highest standards of data protection.

5. Your Choices and Rights

You have full control over your data with these options:

  • Newsletter Unsubscribe: One-click unsubscribe links in every newsletter email
  • Preference Management: Secure preference management links for newsletter settings
  • Data Deletion: Request complete deletion of all your data by contacting contact@clairvoya.app
  • Analytics Opt-Out: Disable Microsoft Clarity and Google Analytics tracking
  • Contact History: View and request deletion of contact form submissions
  • Data Portability: Request export of your data in a portable format

All data deletion requests are processed within 30 days and include encrypted email data, anonymized IP logs, and newsletter preferences.

6. Third-Party Services

Our App may contain links to third-party services. We are not responsible for their privacy practices, and we encourage you to review their privacy policies.

7. Cookies and Cookie Banner

We use cookies and similar technologies to enhance your experience on our website. When you first visit our site, you'll see a compact cookie banner at the bottom of the page that allows you to control your cookie preferences.

  • Functional Cookies: Required for basic website functionality and cannot be disabled
  • Analytics Cookies: Help us understand how visitors use our site to improve astrology content and user experience
  • Advertising Cookies: Used for personalized marketing and retargeting (optional)
  • Cookie Banner: Our compact banner appears once per browser session and respects your choices
  • Consent Management: You can change your preferences anytime using the "Settings" button in the banner

The cookie banner is designed to be unobtrusive while ensuring compliance with privacy regulations. Analytics and advertising cookies are only set after you explicitly consent. You can manage your preferences at any time by clicking the settings link in the banner.

8. Analytics and Tracking

We use minimal, privacy-focused analytics to improve our astrology content and website performance:

  • Microsoft Clarity: Session recordings and heatmaps to optimize user experience on astrology content pages
  • Google Analytics 4: Anonymous traffic analysis with IP anonymization enabled
  • Purpose: Improve content delivery, fix technical issues, and enhance astrology guide readability
  • Data Retention: Analytics data automatically deleted after 26 months

You can opt out of analytics tracking through browser settings or by contacting us. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement. For Google Analytics, see their Privacy Policy and GA4 privacy controls.

9. Children's Privacy

Our App is not intended for users under 14. We do not knowingly collect personal data from children. If we discover such data has been collected, we will take steps to delete it.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify users of significant changes through the App or via email. Continued use of the App after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us or email contact@clairvoya.app.

By using Clairvoya, you acknowledge that you have read, understood, and agree to this Privacy Policy.
