Privacy Policy
This privacy policy applies to the Moonjourn app (iOS and Android) and to moonjourn.app. It reflects the requirements of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / Privacy Rights Act (CCPA/CPRA), and the Republic of Korea's Personal Information Protection Act (PIPA).
1. Controller
Sven Kasek
Hohenzollerndamm 8
10717 Berlin
Germany
Email: hello@moonjourn.app
The same contact handles GDPR, CCPA/CPRA, and PIPA requests. An EU representative under Art. 27 GDPR is not required since we are established in the EU.
2. Overview of Data Processing
We process personal data only as far as necessary to provide the app and website. We do not sell personal data to third parties and use no third-party advertising tracking on this website.
Categories of Data Processed
- Profile: first name, date of birth, birth place (optional), gender (optional), language
- Content: journal entries, drawn cards, reading history, reactions
- Usage: app opens, program progress, Moon-Gems, streak
- Technical: anonymous device ID, app version, OS version, language, time zone
- Billing: subscription status (conveyed by App Store or Google Play and RevenueCat)
3. Purposes and Legal Bases
- App provision (Art. 6 (1)(b) GDPR)
- Personalization (Art. 6 (1)(b) GDPR): birth-chart calculation, card and ritual selection
- Subscription management (Art. 6 (1)(b) GDPR)
- Security and stability (Art. 6 (1)(f) GDPR)
- Contact requests (Art. 6 (1)(b) and (f) GDPR)
- Legal obligations (Art. 6 (1)(c) GDPR)
4. Services and Processors Used
Supabase (Hosting and Database)
Profile, journal entries and reading history are stored on Supabase Inc. servers inside the EU (Frankfurt region). Transfer via TLS. Records isolated per user via Row-Level Security. Data Processing Addendum under Art. 28 GDPR in place.
RevenueCat (Subscription Management)
We use RevenueCat Inc. (San Francisco, USA) to handle Premium subscriptions. Processed: anonymous device IDs and subscription status.
Third-country transfer USA: Transfer is based on the EU-US Data Privacy Framework adequacy decision (Implementing Decision (EU) 2023/1795) and additionally on EU Standard Contractual Clauses under Art. 46 (2)(c) GDPR. More at revenuecat.com/privacy.
Google Gemini (AI Personalization)
For individual interpretations we use Google Gemini (Google Ireland Limited, Ireland, as processor). Requests contain anonymized context data (zodiac, moon phase, focus theme), no real name, no journal entries. Inputs are not used for model training.
NASA JPL Horizons (Ephemerides)
To calculate planet and moon positions we query NASA/JPL Horizons (ssd.jpl.nasa.gov). No personal data.
Apple App Store / Google Play Store
Apple Distribution International Ltd. / Google Commerce Ltd. process your payment data directly as independent controllers. We only receive subscription confirmation. Privacy: Apple, Google.
Hosting (Hostinger)
Website hosted at Hostinger International Ltd. (EU servers). Technical server logs (IP, date, URL, user agent) retained for up to 14 days (Art. 6 (1)(f) GDPR, security).
5. Cookies and Local Storage
This website uses no marketing cookies, no tracking, no web analytics. The app only stores technically necessary data locally (auth token, language, settings).
6. Push Notifications
If enabled, we send reminders for daily card or moon phase. You can disable this at any time in app or device settings.
7. Retention
Data is retained while your account is active. On deletion, personal data is irretrievably deleted within 30 days unless statutory retention applies (e.g. commercial/tax record keeping up to 10 years for billing).
8. Automated Decisions and Profiling
Daily card selection and personalized interpretations are partially automated based on your zodiac, moon phase and focus theme. This processing has no legal effect or similarly significant impact under Art. 22 GDPR; it is entertainment and self-reflection content.
9. Your Rights Under GDPR (EU/EEA)
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Contact hello@moonjourn.app. We respond within one month.
10. California Rights (CCPA/CPRA)
If you are a California resident, under the California Consumer Privacy Act as amended by the California Privacy Rights Act you have the following rights:
- Right to Know: information about categories and specific pieces of personal information we have collected, used, disclosed, or sold in the preceding 12 months.
- Right to Delete: deletion of your personal information, subject to statutory exceptions.
- Right to Correct: correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: opt-out of the sale or sharing of your data for cross-context behavioral advertising. We do not sell your data and do not share it for advertising purposes.
- Right to Limit Use of Sensitive Personal Information.
- Right to Non-Discrimination for exercising your rights.
To exercise these rights, write to hello@moonjourn.app with subject "CCPA Request". We verify your identity before responding.
Categories of personal information collected (CCPA): identifiers (email, device ID), commercial information (subscription status), internet activity (app use), geolocation (only birth place if voluntarily provided), inferences (mood history). No biometric, audio, video or precise location data.
11. Rights of Republic of Korea Residents (PIPA)
Under the Personal Information Protection Act of the Republic of Korea you have these rights:
- Right to Access (개인정보 열람권)
- Right to Correct or Delete (정정·삭제 요구권)
- Right to Suspend Processing (처리정지 요구권)
- Right to Claim Damages (손해배상 청구권)
To exercise: hello@moonjourn.app. For unresolved complaints contact the Personal Information Protection Commission (PIPC) or the Korea Internet & Security Agency (KISA) Privacy Call Center (118 within Korea).
Privacy Officer (개인정보 보호책임자) for Korean users: Sven Kasek, hello@moonjourn.app.
12. Children and Minors
The app is intended for adults. Users under 16 may use it only with parental consent (Art. 8 GDPR). Within COPPA (USA) we knowingly do not process data of children under 13. Within PIPA (Korea) the age threshold for non-parental consent is 14. If we discover processing of data of a child below the applicable threshold without consent, we delete it immediately.
13. Account Deletion
Delete your account in-app at Profile → Settings → Delete Account. Alternatively email hello@moonjourn.app; we confirm within a few days.
14. Security
TLS 1.3 for all transport. Passwords hashed. Auth tokens stored in Apple Keychain / Android Keystore. Server access restricted to authorized personnel with 2FA. Regular security audits.
15. Supervisory Authorities
EU/Germany: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, datenschutz-berlin.de.
California: California Privacy Protection Agency (CPPA), cppa.ca.gov.
Korea: Personal Information Protection Commission (PIPC), pipc.go.kr.
16. Changes
We may update this policy if legal or technical circumstances change. Material changes are communicated in-app and on this page at least 30 days before taking effect.
Last updated: April 2026