OpenEphemeris · Spirit River Inc

Privacy Policy

Effective Date: March 13, 2026 · Last Updated: March 13, 2026

1. Overview and Scope

Spirit River Inc (“Spirit River,” “we,” “us,” or “our”), a Delaware corporation, operates the OpenEphemeris API (api.openephemeris.com) and website (openephemeris.com) (collectively, the “Service”). This Privacy Policy describes how Spirit River collects, uses, stores, shares, and protects information in connection with your use of the Service.

This Policy applies to:

  • Registered API customers and their authorized account holders
  • Visitors to the openephemeris.com website
  • Recipients of transactional emails sent by Spirit River

This Policy does NOT govern personal data that you, as a Developer, independently collect from your own end users. You are solely responsible for your own privacy compliance with respect to your end users' data.

2. Information We Collect

2.1 Account and Billing Data (Stored)

Data TypeStorageRetentionPurpose
Email addressSupabaseUntil account deletionAuthentication, billing
Hashed API keysSupabaseUntil revocation/deletionAPI authentication
Stripe customer IDSupabaseUntil account deletionPayment processing
Usage countersSupabaseMonthly rolling; 12-month summaryBilling, enforcement
API request logsFly.io stdout~7 days (ephemeral)Rate limiting, security

2.2 Computation Inputs — NOT Stored

Core Privacy Commitment: We Do Not Store Your Calculation Inputs

Birth dates and times, geographic coordinates (latitude/longitude), subject names, and any other parameters submitted to the API for ephemeris computation are processed entirely in working memory. These inputs are NEVER written to any database, cache, persistent log, file system, or third-party service. Spirit River retains no record of your computation inputs. This is a fundamental and permanent architectural commitment of the Service.

The API receives a request, performs mathematical computations, returns the structured response, and the input parameters are immediately and irrecoverably discarded from memory.

2.3 Website Data

The website uses functional session cookies provided by Supabase for authentication purposes only. These cookies are strictly necessary for the operation of the Service and do not track your browsing activity across other websites. Spirit River does not deploy analytics cookies, tracking pixels, or behavioral advertising technologies.

2.4 Communications

Support communications are retained for the purpose of responding to inquiries. Transactional emails are delivered via Resend (resend.com).

3. Legal Bases for Processing (GDPR)

For individuals located in the EEA, United Kingdom, or Switzerland:

ActivityLegal Basis
Account registration and authenticationArt. 6(1)(b) — Performance of Contract
Billing and payment via StripeArt. 6(1)(b) — Performance of Contract
API usage metering and rate limitingArt. 6(1)(b) — Performance of Contract
Security monitoring, fraud preventionArt. 6(1)(f) — Legitimate Interest
Website server logs (Vercel)Art. 6(1)(f) — Legitimate Interest
Compliance with legal obligationsArt. 6(1)(c) — Legal Obligation

4. How We Share Your Data

Spirit River does not sell, rent, or trade your personal data. We share information only with trusted service providers:

ProviderData SharedRole
StripeEmail, payment method, billing addressPayment processing
SupabaseEmail, hashed credentials, session tokensAuthentication & database
Fly.ioHTTP request metadata (IP, timestamp)API compute infrastructure
VercelHTTP request metadata for websiteWebsite hosting & CDN
ResendEmail address, transactional email contentEmail delivery
PostHogPage views, feature usage analytics (anonymized)Product analytics

A current list of subprocessors is maintained at openephemeris.com/subprocessors and will be updated at least thirty (30) days before any new subprocessor is engaged.

5. International Data Transfers

Spirit River's infrastructure is located primarily in the United States. For transfers from the EEA, UK, or Switzerland, Spirit River relies on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914). You may request a copy by contacting privacy@openephemeris.com.

6. Data Retention

DataRetentionDeletion
Account emailUntil deletion requestHard delete from Supabase
API keysUntil revocation/deletionHard delete from database
Usage countersMonthly reset; 12-month summaryAutomated reset & purge
Infrastructure logs~7 days (Fly.io)Automatic platform expiration
Support communications3 years from last interactionManual deletion on request
Computation inputsNOT RETAINEDN/A (never stored)

Upon receiving an account deletion request, Spirit River will delete your personal data from active systems within thirty (30) days. Residual copies in encrypted backups will be overwritten within ninety (90) days.

7. Your Rights

7.1 Rights for All Users

7.2 Rights Under GDPR (EEA, UK, Switzerland)

RightGDPR ArticleHow to Exercise
AccessArt. 15Email privacy@openephemeris.com
RectificationArt. 16Dashboard or email
ErasureArt. 17Email privacy@openephemeris.com
Data PortabilityArt. 20JSON format via email
ObjectArt. 21Email privacy@openephemeris.com

Spirit River will respond to GDPR requests within one (1) calendar month of receipt.

7.3 Rights Under CCPA/CPRA (California Residents)

Spirit River does not “sell” or “share” personal information as defined under CCPA/CPRA. California residents may submit verifiable requests by emailing privacy@openephemeris.com with the subject line “CCPA Rights Request.” Spirit River will respond within forty-five (45) calendar days.

8. Children's Privacy

The Service is not directed to individuals under the age of eighteen (18). Spirit River does not knowingly collect personal information from children under thirteen (13). If you believe a child under 13 has provided data, contact privacy@openephemeris.com.

9. Security

  • API keys are stored exclusively as irreversible cryptographic hashes; plaintext keys are never stored or logged
  • All data transmission is encrypted using TLS 1.2 or higher
  • Data at rest in Supabase is encrypted using AES-256
  • Access to production systems is restricted via role-based access controls
  • Spirit River conducts periodic security reviews

10. Data Breach Notification

In the event of a personal data breach, Spirit River will:

  • Notify relevant supervisory authorities within seventy-two (72) hours (GDPR Art. 33)
  • Notify affected individuals where the breach poses high risk (GDPR Art. 34)
  • Comply with applicable U.S. state breach notification laws (Virginia, Delaware, and others as applicable)

11. Automated Decision-Making

Spirit River does not use personal data for automated decision-making or profiling that produces legal effects. API usage metering and rate limiting are automated functions necessary to enforce subscription terms and do not constitute profiling.

12. Changes to This Policy

For material changes that expand the scope of data collection, alter the purposes of processing, or reduce your rights, Spirit River will provide at least thirty (30) days' advance notice by email and through the customer dashboard.


13. Contact Information and Data Controller

Spirit River Inc is the data controller for personal data processed in connection with the Service.

CompanySpirit River Inc (Delaware corporation)
General Supportsupport@openephemeris.com
Privacy & Data Rightsprivacy@openephemeris.com
Legal Noticeslegal@openephemeris.com

EEA individuals may lodge a complaint with their local supervisory authority (edpb.europa.eu). UK individuals may contact the ICO (ico.org.uk). Swiss individuals may contact the FDPIC (edoeb.admin.ch).

— End of Privacy Policy —