OpenEphemeris · Spirit River Inc
Privacy Policy
Effective Date: March 13, 2026 · Last Updated: March 13, 2026
1. Overview and Scope
Spirit River Inc (“Spirit River,” “we,” “us,” or “our”), a Delaware corporation, operates the OpenEphemeris API (api.openephemeris.com) and website (openephemeris.com) (collectively, the “Service”). This Privacy Policy describes how Spirit River collects, uses, stores, shares, and protects information in connection with your use of the Service.
This Policy applies to:
- Registered API customers and their authorized account holders
- Visitors to the openephemeris.com website
- Recipients of transactional emails sent by Spirit River
This Policy does NOT govern personal data that you, as a Developer, independently collect from your own end users. You are solely responsible for your own privacy compliance with respect to your end users' data.
2. Information We Collect
2.1 Account and Billing Data (Stored)
| Data Type | Storage | Retention | Purpose |
|---|---|---|---|
| Email address | Supabase | Until account deletion | Authentication, billing |
| Hashed API keys | Supabase | Until revocation/deletion | API authentication |
| Stripe customer ID | Supabase | Until account deletion | Payment processing |
| Usage counters | Supabase | Monthly rolling; 12-month summary | Billing, enforcement |
| API request logs | Fly.io stdout | ~7 days (ephemeral) | Rate limiting, security |
2.2 Computation Inputs — NOT Stored
Core Privacy Commitment: We Do Not Store Your Calculation Inputs
Birth dates and times, geographic coordinates (latitude/longitude), subject names, and any other parameters submitted to the API for ephemeris computation are processed entirely in working memory. These inputs are NEVER written to any database, cache, persistent log, file system, or third-party service. Spirit River retains no record of your computation inputs. This is a fundamental and permanent architectural commitment of the Service.
The API receives a request, performs mathematical computations, returns the structured response, and the input parameters are immediately and irrecoverably discarded from memory.
2.3 Website Data
The website uses functional session cookies provided by Supabase for authentication purposes only. These cookies are strictly necessary for the operation of the Service and do not track your browsing activity across other websites. Spirit River does not deploy analytics cookies, tracking pixels, or behavioral advertising technologies.
2.4 Communications
Support communications are retained for the purpose of responding to inquiries. Transactional emails are delivered via Resend (resend.com).
3. Legal Bases for Processing (GDPR)
For individuals located in the EEA, United Kingdom, or Switzerland:
| Activity | Legal Basis |
|---|---|
| Account registration and authentication | Art. 6(1)(b) — Performance of Contract |
| Billing and payment via Stripe | Art. 6(1)(b) — Performance of Contract |
| API usage metering and rate limiting | Art. 6(1)(b) — Performance of Contract |
| Security monitoring, fraud prevention | Art. 6(1)(f) — Legitimate Interest |
| Website server logs (Vercel) | Art. 6(1)(f) — Legitimate Interest |
| Compliance with legal obligations | Art. 6(1)(c) — Legal Obligation |
4. How We Share Your Data
Spirit River does not sell, rent, or trade your personal data. We share information only with trusted service providers:
| Provider | Data Shared | Role |
|---|---|---|
| Stripe | Email, payment method, billing address | Payment processing |
| Supabase | Email, hashed credentials, session tokens | Authentication & database |
| Fly.io | HTTP request metadata (IP, timestamp) | API compute infrastructure |
| Vercel | HTTP request metadata for website | Website hosting & CDN |
| Resend | Email address, transactional email content | Email delivery |
| PostHog | Page views, feature usage analytics (anonymized) | Product analytics |
A current list of subprocessors is maintained at openephemeris.com/subprocessors and will be updated at least thirty (30) days before any new subprocessor is engaged.
5. International Data Transfers
Spirit River's infrastructure is located primarily in the United States. For transfers from the EEA, UK, or Switzerland, Spirit River relies on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914). You may request a copy by contacting privacy@openephemeris.com.
6. Data Retention
| Data | Retention | Deletion |
|---|---|---|
| Account email | Until deletion request | Hard delete from Supabase |
| API keys | Until revocation/deletion | Hard delete from database |
| Usage counters | Monthly reset; 12-month summary | Automated reset & purge |
| Infrastructure logs | ~7 days (Fly.io) | Automatic platform expiration |
| Support communications | 3 years from last interaction | Manual deletion on request |
| Computation inputs | NOT RETAINED | N/A (never stored) |
Upon receiving an account deletion request, Spirit River will delete your personal data from active systems within thirty (30) days. Residual copies in encrypted backups will be overwritten within ninety (90) days.
7. Your Rights
7.1 Rights for All Users
- Access your account data by contacting privacy@openephemeris.com
- Correct or update your email through your account dashboard
- Delete your account by contacting support@openephemeris.com
- Opt out of non-essential communications
7.2 Rights Under GDPR (EEA, UK, Switzerland)
| Right | GDPR Article | How to Exercise |
|---|---|---|
| Access | Art. 15 | Email privacy@openephemeris.com |
| Rectification | Art. 16 | Dashboard or email |
| Erasure | Art. 17 | Email privacy@openephemeris.com |
| Data Portability | Art. 20 | JSON format via email |
| Object | Art. 21 | Email privacy@openephemeris.com |
Spirit River will respond to GDPR requests within one (1) calendar month of receipt.
7.3 Rights Under CCPA/CPRA (California Residents)
Spirit River does not “sell” or “share” personal information as defined under CCPA/CPRA. California residents may submit verifiable requests by emailing privacy@openephemeris.com with the subject line “CCPA Rights Request.” Spirit River will respond within forty-five (45) calendar days.
8. Children's Privacy
The Service is not directed to individuals under the age of eighteen (18). Spirit River does not knowingly collect personal information from children under thirteen (13). If you believe a child under 13 has provided data, contact privacy@openephemeris.com.
9. Security
- API keys are stored exclusively as irreversible cryptographic hashes; plaintext keys are never stored or logged
- All data transmission is encrypted using TLS 1.2 or higher
- Data at rest in Supabase is encrypted using AES-256
- Access to production systems is restricted via role-based access controls
- Spirit River conducts periodic security reviews
10. Data Breach Notification
In the event of a personal data breach, Spirit River will:
- Notify relevant supervisory authorities within seventy-two (72) hours (GDPR Art. 33)
- Notify affected individuals where the breach poses high risk (GDPR Art. 34)
- Comply with applicable U.S. state breach notification laws (Virginia, Delaware, and others as applicable)
11. Automated Decision-Making
Spirit River does not use personal data for automated decision-making or profiling that produces legal effects. API usage metering and rate limiting are automated functions necessary to enforce subscription terms and do not constitute profiling.
12. Changes to This Policy
For material changes that expand the scope of data collection, alter the purposes of processing, or reduce your rights, Spirit River will provide at least thirty (30) days' advance notice by email and through the customer dashboard.
13. Contact Information and Data Controller
Spirit River Inc is the data controller for personal data processed in connection with the Service.
| Company | Spirit River Inc (Delaware corporation) |
| General Support | support@openephemeris.com |
| Privacy & Data Rights | privacy@openephemeris.com |
| Legal Notices | legal@openephemeris.com |
EEA individuals may lodge a complaint with their local supervisory authority (edpb.europa.eu). UK individuals may contact the ICO (ico.org.uk). Swiss individuals may contact the FDPIC (edoeb.admin.ch).
— End of Privacy Policy —