Privacy Policy
Effective date: 2025-08-04
This Privacy Policy explains how Astra collects, uses, and protects information when you use the Astra application and website (the “Service”). By using the Service, you agree to this Policy.
1) Who we are
Controller: Astraeus Intelligence LLC
Address: 254 Chapman Rd, Ste 208 #22873, Newark, Delaware 19702, USA
Contact: sandi@astramd.org
2) Information we collect
- Account data (if you sign in): name, email, authentication identifiers.
- Content you provide: prompts, notes, uploads, feedback, and settings.
- Usage data: feature interactions, timestamps, device/OS, app version, coarse IP/region for security and rate-limiting.
- Diagnostics (optional): crash reports and performance metrics if you opt in.
Protected Health Information (PHI)
Astra is clinical decision support. Do not enter identifiable patient information unless your organization has a signed BAA with us and PHI mode is enabled. When PHI is off, you must de-identify any clinical data you submit.
3) How we use information
- Provide core features (Research, DDx, A&P) and generate responses with citations.
- Maintain security, prevent abuse, and debug issues.
- Improve quality and user experience (aggregated or de-identified where possible).
- Comply with legal obligations and enforce terms.
4) Processors / third-party services
We use service providers acting under contracts that restrict their use of data to our instructions:
- Model inference: OpenAI, Inc. (and other providers if you enable them).
- Search/Retrieval (Research): Perplexity/Tavily or equivalent services to fetch public sources you request.
- Storage/Database: Supabase (Postgres) for accounts and saved conversations.
- Analytics/Crash (optional): Sentry/PostHog/Firebase with IP redaction where supported.
5) Security
- TLS for data in transit; AES-256 encryption at rest for stored data.
- Role-based access, least privilege, and audit logging for administrative access.
- Secrets managed via environment variables and key management services where supported.
6) Data retention
- Conversations: kept until you delete them (or auto-purged after an organization-set period).
- Logs: security/diagnostic logs retained up to 30–90 days unless legally required longer.
- You may request deletion of your account and content at any time (see Rights).
7) Your choices
- Disable saving conversation history.
- Toggle analytics/crash sharing.
- Export or delete conversations and your account.
8) Legal bases & your rights
If you are in the EEA/UK, we process data under GDPR bases including performance of a contract, legitimate interests (security and improvement), and consent where required (analytics). You may request access, correction, deletion, restriction, objection, or portability by contacting us.
If you are in California, we do not sell or share personal information for cross-context behavioral advertising. You have CPRA rights to know, delete, correct, and limit use of sensitive personal information.
9) Data residency & transfers
Data may be processed in the United States and other countries where our providers operate. Where required, we rely on appropriate transfer mechanisms (e.g., Standard Contractual Clauses).
10) Children’s privacy
Astra is not intended for children under 13 or for unsupervised use by minors. We do not knowingly collect data from children.
11) Changes to this Policy
We may update this Policy from time to time. Changes take effect when posted here with an updated effective date. Material changes may be announced in-app or by email.