Privacy Policy
The data we collect and how we use it.
Introduction
Your privacy is of utmost importance to us. We have created this privacy policy to inform you about the information we collect from you when you use our website and how we use it.
We do not and will never sell your personal information to third parties, nor will we use it for any purpose other than to provide the services you have requested.
What we collect
We collect the following information from you and our data providers (Discord via Supabase):
- Your Discord ID
- Your Discord username
- Your Discord avatar
- Your Discord email
We automatically assign the following on account creation:
- Stripe Customer ID
When you use our services, we use a self-hosted Shynet (analytics) server. It collects the following information:
- Page URL: we use this to see how many times a page has been viewed
- HTTP referer: we use this to see how many people are coming from certain websites
- Browser: we use this to see what browsers and browser versions are being used
- Operating system: we use this to see what operating systems are being used
- Device type: we use this to see what kinds of devices are being used (desktop, laptop, mobile)
- Visitor country: we use this to get a general idea of where users are from. This is found using the visitor’s IP address, which is only used to find said country and then is discarded. It is never stored in our database or logs.
How we use it
We use the information we collect to provide you with the best possible experience and improve our services.
Specifics
- Discord ID
  - Identify you on our Discord server
  - Identify you on any Astral bots
- Discord username
  - Personalization
- Discord avatar
  - Personalization
- Discord email
  - Send you critical notifications (we rarely do this!)
  - We have no control over collecting this as Supabase requires it.
- Stripe Customer ID
  - Used for payment
How we protect your information
Your data is hosted by Supabase and physically stored in the United States (AWS us-east-1).
We have enabled Supabase’s RLS (Row Level Security) to ensure that your data is only accessible to the people who need it.
We also route all database requests through our API to ensure that your data is secure.
Who processes your data
Your data is processed by the following parties:
- Stripe and their subprocessors: They handle credit card information and processing.
- Discord and their subprocessors: They handle account information for signing up and logging in to Astral.
- Roblox and their subprocessors: They handle connections to Roblox to provide our services.
- Supabase and their subprocessors: They handle all database requests, and house all data.
- Hetzner Online GmbH and their subprocessors: They handle anything related to our servers that our services require.
Who has access to this data?
Governments or law enforcement may request data from Stripe, Discord, Roblox, Supabase, or Hetzner at any time, which we have no control over. Supabase can theoretically access database data at any time, but data stored in our databases has proper security measures (see How long is data stored and how is it protected?). Government or law enforcement requests to any of our subprocessors are out of our control, with those entities having their own policies on when to hand data over.
We only forfeit information we collect to governments or law enforcement when required to do so by a legal order such as a court order or subpoena.
You are under the following privacy policies:
You may be under the following privacy policies:
What if there’s a data breach?
In the event of a data breach, we will notify users within 72 hours of us becoming aware of the breach via our web app, email, and our Discord server.
How long is data stored and how is it protected?
Data you give to us via Discord and Roblox is stored until you delete your data. Transactions through Stripe are kept up to 3 years after you delete your data to comply with financial regulations in the United States. Analytical data collected with Shynet are stored indefinitely.
All data is encrypted using modern, standardised, and secure methods. Our sites use HTTPS and have strict CSP policies to prevent malicious scripts from being run. We sign DPAs and other privacy agreements with the other companies we work with to ensure your data is handled strictly for the purpose of providing our services. We undergo occasional third-party audits to ensure your data is protected from numerous individuals, organisations, and/or government authorities.
We take appropriate measures, including, but not limited to, hashing and salting to protect the data we store, and we use only secure methods to configure our servers to prevent data breaches. We do our best to create an environment as secure as possible to protect your data. However, no system is perfect, and we cannot be held responsible if data goes missing because of a misconfiguration, poor setup, or conditions out of our control, such as hijacking via physical access. We encrypt our data with keys that we possess.
Data handling for minors
We do not knowingly collect data on users under the age of 13, or other minimum age required by a user’s country. In the event that we are made aware that someone under this age requirement has registered for our service, we take appropriate means to delete that data permanently.
Where can I find past versions of this policy?
We keep past versions of our policy here. When changes are made to this policy, we will notify all users via our web app and email.
Your GDPR and CCPA rights
We believe that you have the right to access, correct, and delete your data.
You can easily request all the data we have on you in your user settings.
You may also request to delete your data from our servers. You can do this in your user settings.
We keep the following data after you delete your account:
- Moderation Actions
  - Discord ID
- Blacklist status
  - Discord ID
  - Astral ID
Contact
You can write to jack [at] astralapp.io to get help as swiftly as possible on amending and fixing this document, getting answers to questions regarding this policy, and for contacting the data controller (if under a jurisdiction of the General Data Protection Regulation (GDPR) act).