Privacy Policy

1. Information We Collect

We collect the following categories of personal data:

• Account Information: Email address and password (hashed, never stored in plaintext).
• Birth Data: Date of birth, time of birth, and place of birth. This data is used solely for chart calculations and profile generation.
• Payment Information: Processed and stored by Stripe, Inc. We do not store credit card numbers on our servers. We retain Stripe customer IDs and subscription status.
• Usage Data: Pages visited, features used, check-in entries, diary entries, and chart generation history.
• Device Information: Browser type, device type, and IP address (for rate limiting and security only).

2. How We Use Your Information

• Chart Calculation: Birth data is used to compute your energy blueprint chart using astronomical algorithms.
• Prime Self Profile Generation: Birth data and chart results are sent to language model providers (Anthropic, Groq) to generate your personalized Synthesis reading.
• Transit Updates: Birth chart data is used to calculate daily transit interactions.
• SMS Digests: If you opt in, your phone number is shared with Telnyx for daily transit digest delivery.
• Account Management: Email is used for authentication, password reset, and service communications.
• Payment Processing: Subscription management via Stripe.

3. Third-Party Data Sharing

We share personal data with the following third-party service providers, strictly for the purposes described:

• Stripe, Inc. — Payment processing and subscription management.
• Anthropic / Groq — Language model providers for Prime Self Profile generation. Birth data (date, time, location) and chart results are sent for text generation only. These providers do not retain your data for model training.
• Telnyx — SMS delivery for users who opt in to daily transit digests.
• Resend — Email delivery for transactional emails (welcome, notifications).
• Cloudflare — Infrastructure hosting, CDN, DDoS protection, and Workers runtime.
• Neon, Inc. — Managed PostgreSQL database hosting. Account data, chart data, session notes, and messages are stored in Neon's serverless Postgres service.
• Plausible Analytics — Privacy-first web analytics (selfprime.net public pages only). Collects anonymised, aggregated page-view data. No cookies; no personal data transmitted.

We do not sell your personal data to any third party.

3b. Push Notifications

If you grant permission, we send push notifications about session updates, practitioner messages, and relevant content changes. To enable this, we store a push subscription endpoint (for web browsers) or a device token (for iOS/Android) associated with your account. You can withdraw permission at any time through your device settings or through the app's notification preferences, at which point we delete your push token from our servers.

3c. Google User Data (Google API Services)

If you choose to connect your Google Calendar, Prime Self requests the Google Calendar scope (https://www.googleapis.com/auth/calendar) through Google's OAuth consent flow. We access this data only after you explicitly grant permission, and only to provide the calendar features you have asked for.

• What we access: your Google Calendar events, so we can display them in Prime Self and keep them in two-way sync (events you create in Prime Self are added to your Google Calendar, and your existing Google Calendar events are imported into Prime Self).
• How we store it: your Google OAuth access and refresh tokens are encrypted at rest and stored only on our infrastructure, associated with your account. Synced event data is stored in your Prime Self account (Neon database).
• How we use it: solely to operate the calendar-sync feature you enabled. We do not use Google user data for advertising, and we do not use it to train, develop, or improve generalized AI or machine-learning models.
• Sharing: we do not sell or transfer your Google user data to third parties, and human access is limited to what is required for security, abuse prevention, legal compliance, or with your explicit consent.
• Revoking access: you can disconnect Google Calendar at any time inside Prime Self, which deletes the stored tokens and synced events. You may also revoke access directly at myaccount.google.com/permissions.

Prime Self's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Data Retention

• Account data: Retained for the life of your account.
• Chart and profile data: Retained for the life of your account.
• Payment records: Retained as required by financial regulations (typically 7 years).
• Usage analytics: Aggregated and anonymized after 90 days.

When you delete your account, all personal data (birth data, charts, profiles, diary entries, check-ins) is permanently deleted. Payment records are retained per legal requirements.

5. Your Rights (GDPR / CCPA)

Regardless of your location, we extend the following rights to all users:

• Access: Request a copy of all personal data we hold about you.
• Rectification: Correct inaccurate personal data.
• Erasure: Request deletion of your account and all associated data.
• Data Portability: Export your data in machine-readable format (JSON).
• Objection: Opt out of non-essential data processing.
• Restriction: Request that we limit processing of your data.

To exercise any of these rights, contact us at [email protected].

6. Data Security

We implement appropriate technical measures to protect your data:

• Passwords are hashed using PBKDF2-SHA256 with cryptographic salt.
• All data transmitted over HTTPS/TLS encryption.
• JWT authentication with secure token rotation.
• Rate limiting to prevent abuse.
• Parameterized SQL queries to prevent injection attacks.

7. Cookies and Local Storage

We use browser local storage to maintain your session (authentication token) and user preferences (sidebar state, language). We do not use third-party tracking cookies. Cloudflare may set functional cookies for security purposes.

8. Children's Privacy

Prime Self is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use after changes constitutes acceptance.

11. Contact

For privacy inquiries, data requests, or complaints:

Email: [email protected]

Website: https://selfprime.net