Privacy Policy
Last updated: 2026-05-24 · Version: 1.1
Ashoka ("we", "us", "the service", at withashoka.com) is a Vedic companion that generates personalised astrological readings from your birth details. This policy explains what personal data we collect, why, who we share it with, how long we keep it, and the rights you have over it.
We are the data controller for the personal data described here. If you have any question about this policy or your data, contact us at privacy@withashoka.com.
Who this applies to and minimum age
The service is intended for people aged 16 or older. If you are under the age of majority for data consent in your country — for example, under 18 in India under the Digital Personal Data Protection Act (DPDP) — you may use the service only with the consent of a parent or legal guardian, who accepts this policy on your behalf. We do not knowingly collect data from anyone below these thresholds; if you believe a child has provided us data, contact privacy@withashoka.com and we will delete it.
What data we collect
| Category | What it includes | How we get it |
|---|---|---|
| Account | Email address, display name, hashed password, and (if you sign in with Google) your social-login identifier and verified email. | You provide it when registering. |
| Birth details | For each chart you create: a name/label, birth date, birth time, birth place, and the derived latitude, longitude, and timezone. | You enter it. |
| Readings | The astrological readings we generate for you (natal, daily, and "today" readings), and the chart data they are based on. | Generated by the service for you. |
| Usage telemetry | Per-request AI model, feature, token counts, and estimated cost. | Recorded automatically when a reading is generated. |
| Product analytics | Pages you visit, when, time spent on each, your preferred language, key actions (signup, verification, login, chart created, reading generated), and an anonymous identifier (a random UUID stored only in your browser, used to link any pre-signup activity to your account once you register). | Captured automatically as you use the service. |
We use first-party-only product analytics, kept in our own database, to understand how the service is used and improve it. We do not use third-party tracking, advertising, marketing email, or any data sharing for these purposes.
How your data is stored on your device
To keep you signed in and to remember your last-entered birth details for convenience, we store the following in your browser. These are strictly necessary for the service to function:
- A login token (JWT) in localStorage.
- A refresh token in a secure, HttpOnly cookie.
- Your most recent birth-form entry and any local feedback note in localStorage.
- An anonymous identifier (random UUID) in localStorage, used to count visits and link any pre-signup activity to your account once you register. It holds no personal data; you can clear it any time from your browser settings.
We set no advertising cookies and no third-party tracking. The anonymous identifier above is a first-party localStorage value (not a cookie), processed under legitimate interest with your right to object, so no cookie-consent banner is required.
Why we use your data (lawful basis)
- To provide the service — creating your account, calculating your chart, and generating your readings. Lawful basis: performance of a contract with you.
- To send essential account email — verification and password-reset messages. Lawful basis: performance of a contract / our legitimate interest in securing accounts.
- To understand and control operating costs — the usage telemetry above. Lawful basis: our legitimate interest in running the service sustainably.
- To understand product usage and improve the service — the product analytics above (pages visited, time spent, key actions). The data identifies pages and actions, not people; the anonymous identifier is not tied to your real identity until you register, and the data is never shared with third parties. Lawful basis: our legitimate interest in improving the service. You can object by emailing privacy@withashoka.com.
Your birth details are used solely to generate your readings. Given the nature of the service, we treat them as sensitive and protect them accordingly (see Security).
Who we share data with
We do not sell your data. We share it only with the infrastructure providers needed to run the service, each acting as our processor:
| Provider | Purpose | Notes |
|---|---|---|
| Anthropic (Claude API) | Generates your readings from chart data we send. | Anthropic does not use API inputs or outputs to train its models. API data is automatically deleted within 30 days; content flagged for trust-and-safety review may be retained longer. |
| Supabase | Hosts our database (where your account, charts, and readings are stored) and verifies Google sign-in. | Acts as a data processor under its DPA; data encrypted at rest. |
| Resend | Sends verification and password-reset email. | Acts as a data processor. |
| Railway | Hosts the application backend. | Encrypts data at rest. |
| Vercel | Hosts the website. | — |
Some of these providers may process data outside your country; where they do, they rely on recognised safeguards (such as standard contractual clauses or data-privacy-framework certification).
How long we keep your data
- Account, birth details, and readings — kept for as long as your account exists, as part of your history. When you delete your account, they are permanently deleted.
- Usage telemetry — when you delete your account, it is anonymised (disconnected from you) and retained only in aggregate for cost analysis; it contains no personal identifiers after this point.
- Product analytics — granular event rows (individual page views and actions) are kept for 90 days, after which they are aggregated into daily counts and the row-level data is deleted. The aggregated counts (for example, "X new signups on date Y") contain no personal identifiers and are kept indefinitely. When you delete your account, your event rows are anonymised immediately (the link to your user ID is removed) ahead of the 90-day rollup.
- We do not keep separate database backups, so deletion is complete with no backup retention period.
- Data held by the providers above is subject to their own retention periods (for example, Anthropic's 30-day API deletion).
Your rights
Under UK GDPR, India's DPDP Act, and similar laws, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate data (you can edit your birth details in the app).
- Delete your account and all associated personal data.
- Port your data (receive a copy in a machine-readable format).
- Object to or restrict certain processing.
You can exercise these from your account settings where available, or by emailing privacy@withashoka.com. We will respond within the timeframes required by law (generally one month under UK GDPR). You also have the right to complain to your data protection authority — in the UK, the Information Commissioner's Office (ICO); in India, the Data Protection Board.
Security
We protect your data with measures including:
- Passwords stored only as bcrypt hashes; email verification and password-reset tokens stored only as hashed values.
- Database access mediated entirely by our backend; the database's public API surface is default-denied by row-level security so it cannot be read directly.
- Encryption at rest for stored data.
- Transport secured with HTTPS.
No system is perfectly secure, but we take reasonable steps to protect your data and to address issues promptly if they arise.
Jurisdiction
This policy is governed by UK GDPR and, for users in India, the DPDP Act. We aim to meet the stricter standard where they differ.
Changes to this policy
If we make material changes, we will update the Last updated date and, where appropriate, ask you to re-accept the policy the next time you sign in.
Contact
Questions, requests, or complaints: privacy@withashoka.com.