Astravera

Privacy Policy

Son güncelleme 1 Haziran 2026 · Sürüm 1.3

This Privacy Policy explains how Astravera ("we", "us") collects, uses, stores, and shares the personal data you provide when you create an account, use one of our applications (Hermes, Kairos, Nomia, Athena), or visit our website. It applies to the Astravera suite as offered by PegaSync, the company currently publishing the suite. A dedicated Astravera entity may be incorporated later; if that happens, this Policy will be re-issued under the new controller and existing customers will receive direct notice.

Who we are

The controller of your personal data is PegaSync ("we"), the company that developed and operates the Astravera suite for v1. You can reach us at:

  • General privacy and data-protection enquiries: [email protected]
  • Postal address: PegaSync, Dover, Delaware, United States.

We have not appointed a statutory Data Protection Officer under GDPR Article 37, as we are not currently required to. Data-protection matters reach the person responsible for them at the address above.

If you are a workspace member invited by your employer or organisation, the workspace owner is the controller for the content stored in that workspace (cards, comments, documents, attachments). For your account identity (name, email, password, profile photo, language and theme preferences, multi-factor settings), we remain the controller regardless of how your account was created.

What we collect

We collect only what we need to operate the product. Specifically:

Account identity

  • Name, work email, and password (hashed with bcrypt — we never store passwords in plaintext).
  • Optional profile photo, language preference, theme preference.
  • Authentication metadata: passkey credentials, MFA settings, session timestamps, IP addresses captured at login for security forensics.
  • Age confirmation (you confirm you are at least 16 years old when you sign up).

Workspace content

  • Boards, lists, cards, comments, attachments, plans, dependencies — anything you create inside Kairos.
  • Documents, envelopes, signatures, recipient details — anything you create inside Nomia.
  • Athena chat history, attached files and screenshots, generated responses.
  • Audit logs of meaningful actions inside your workspace.

Communications

  • Emails you send us (support, sales, privacy enquiries).
  • Form submissions on this site (contact form, signup intake).

We do not collect: advertising identifiers, third-party analytics data, behavioural tracking across sites, biometric data beyond what your device exposes to a passkey, or location data beyond an approximate IP-derived country.

How we use it

We use your personal data only for the following purposes:

  1. To provide the service you signed up for — authenticate you, render your workspace, route emails, deliver push notifications you opted into.
  2. To secure the service — detect abuse, throttle suspicious activity, investigate incidents.
  3. To communicate with you about your account — transactional emails (invitations, password resets, deletion confirmations), service notices, and replies to your enquiries.
  4. To comply with our legal obligations — retain records required by law, respond to lawful requests from regulators.

We do not use your personal data to train AI models. Athena queries and responses are processed only to give you the answer in front of you. We do not aggregate your prompts into a training set, and we do not share them with any third-party AI vendor.

Athena is an AI assistant: when you use it, you are interacting with an automated system, not a human. Athena does not make decisions that produce legal or similarly significant effects about you within the meaning of GDPR Article 22 — it generates responses to assist you, and you remain in control of any action taken on them.

Lawful bases (GDPR Article 6)

For users in the EU, UK, and other GDPR-aligned jurisdictions, our lawful bases are:

  • Contract (Art. 6(1)(b)) — for everything required to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — for keeping the service secure and preventing abuse (for example, throttling suspicious authentication activity and investigating incidents). We do not run analytics or behavioural tracking, so this basis does not extend to usage profiling or product analytics.
  • Legal obligation (Art. 6(1)(c)) — for records we are required to keep.
  • Consent (Art. 6(1)(a)) — for push notifications and any future optional features. You can withdraw consent at any time.

We do not process special-category data (Art. 9) as a routine part of the service. If you upload such data into a workspace (for example a health record into a card attachment), the workspace owner is responsible for establishing and documenting the applicable lawful basis. We do not encourage uploading special-category data without first confirming the lawful basis with qualified legal counsel.

Subprocessors

We use a small set of subprocessors to deliver the service. The current list, including purpose, data exposed, region, and status, is maintained at /subprocessors. We give at least 30 days advance notice before adding a new subprocessor; B2B customers can object under the DPA.

Data residency

We tell you exactly where your data lives. This is the truth as of the date at the top of this page:

  • Main apps (Hermes, Kairos, Nomia, this website) and their databases run on Amazon Web Services (AWS) EC2 in us-east-1, N. Virginia, USA. AWS is a data processor under the AWS GDPR DPA, which invokes the EU Standard Contractual Clauses (2021/914) and the UK IDTA. AWS is self-certified under the EU-US Data Privacy Framework.
  • Outbound transactional email (invitations, password resets, deletion confirmations) is sent via AWS SES, same legal entity, same region.
  • Authoritative DNS for the astravera.app domain is provided by Cloudflare, Inc. in DNS-only (grey-cloud) mode. Cloudflare does not see or terminate HTTP traffic to our services.
  • Athena AI conversations are processed on Hetzner Online GmbH servers in Nuremberg, Germany (eu-central). Hetzner is subject to EU GDPR obligations as an EU-established processor. As the Athena service scales we may migrate this processing to AWS (us-east-1, USA); that would move Athena conversation processing to the United States under the same EU-US Data Privacy Framework and Standard Contractual Clauses safeguards described above. Any change to Athena's hosting infrastructure will be reflected in the /subprocessors list with at least 30 days advance notice to customers before it takes effect.

We do not sell or share your personal data with third parties for advertising or any other purpose.

Cookies

We use only functional cookies that are strictly necessary to operate the service:

  • hermes_session — your authenticated session.
  • XSRF-TOKEN — CSRF defence.
  • astravera_locale — your language preference.
  • astravera_theme — your light/dark theme preference.

No analytics cookies. No advertising cookies. No third-party cookies. Full detail at /legal/cookies.

Your rights

You have rights over your personal data. Depending on where you live, these include:

  • Access — download a copy of everything we hold on you.
  • Portability — receive your data in a machine-readable format (JSON).
  • Rectification — correct inaccurate data via your profile page.
  • Erasure — delete your account in two clicks; we hard-delete identity data after a 30-day grace period.
  • Restriction — limit how we process your data.
  • Object — to processing based on legitimate interests.
  • Withdraw consent — for any processing based on consent.
  • Lodge a complaint — with your local supervisory authority (in the EU, your national DPA; in the UK, the ICO; in California, the Attorney General).

Most rights are self-serve from your Hermes profile page. For rights that cannot be exercised in-product — such as objecting to processing, restricting processing, or submitting a formal request under US state law — use our Privacy Requests page or email [email protected]. For GDPR requests we respond within 30 days and, under GDPR Art. 12(3), may extend by a further 60 days for complex requests, with notice. For requests under US state privacy laws we confirm receipt within 10 business days and respond within 45 days, extendable once by a further 45 days where reasonably necessary, with notice.

Your US state privacy rights

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia — or another US state with a comprehensive consumer privacy law — you have rights over your personal information in addition to those described above. (Some of these laws apply to us only above certain size or revenue thresholds; where a law applies, the rights below are available to its residents. Florida's Digital Bill of Rights, in particular, applies only to a narrow set of large for-profit entities.)

The personal information we collect. In the past 12 months we have collected the categories described in What we collect: identifiers (name, work email, IP address), account credentials and authentication metadata, your profile preferences, and the content you create in your workspace. We collect it directly from you or generate it as you use the service. We use and disclose it only for the business purposes described in How we use it — to operate, secure, support, and communicate about the service — and we disclose it only to the subprocessors listed at /subprocessors.

We do not sell or share your personal information. We do not sell personal information, and we do not "share" it for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act as amended by the CPRA. Because we do not sell or share, there is nothing to opt out of, and we have no need to act on Global Privacy Control (GPC) signals — but we never engage in such practices regardless of signal.

Sensitive personal information. We do not collect sensitive personal information in order to infer characteristics about you. Account credentials are used only to authenticate you.

Your rights. Subject to your state's law, you may request to:

  • Know / access the categories and specific pieces of personal information we hold about you;
  • Delete your personal information;
  • Correct inaccurate personal information;
  • Opt out of sale, sharing, or targeted advertising (not applicable — we do none of these); and
  • Not receive discriminatory treatment for exercising any of these rights.

How to exercise them. Use our Privacy Requests page or email [email protected]. We confirm receipt within 10 business days and respond within 45 days, extendable once by a further 45 days where reasonably necessary. We verify your request against the information associated with your account. You may use an authorised agent; we may ask the agent for proof of authorisation.

Appeal (Virginia, Colorado, Connecticut, and similar states). If we decline your request, you may appeal by replying to our decision. If your appeal is denied, you may contact your state Attorney General.

Children

Astravera is not directed at children. You confirm at signup that you are at least 16 years old — our minimum age applies regardless of your local age of digital consent. If you believe a child has created an account, contact [email protected] and we will delete it.

Retention

We retain personal data for as long as your account is active and for a limited period after deletion:

  • Identity data — hard-deleted 30 days after you request account deletion.
  • Authentication and security logs (including login IP addresses) — retained for 12 months, then deleted.
  • Workspace audit logs — retained for a default of 24 months, which the workspace owner (as controller of workspace content) can configure.
  • Signed legal documents (Nomia) — retained for 7 years by default, in line with the most conservative legal-evidence and statutory-retention requirements. Retention may be required to comply with a legal obligation (GDPR Art. 17(3)(b)) or for the establishment, exercise, or defence of legal claims (Art. 17(3)(e)); either provides a lawful basis to refuse erasure.
  • Athena chat history — hard-deleted when you delete your account.
  • Tombstone records — {user_id, deleted_at, hash_of_email} retained for 90 days after deletion so we can prove the deletion happened if a regulator asks. Lawful basis: legitimate interests (demonstrating compliance with erasure obligations under GDPR Art. 17).
  • Support and enquiry emails — retained for 3 years from last contact, then deleted.

Security

How we protect your data is described at /security. Highlights: passkey-first authentication, bcrypt password hashing, encryption in transit (TLS 1.3) and at rest, isolated per-workspace storage, rate-limited authentication endpoints, comprehensive audit logging.

Changes to this policy

We will post any material changes here with at least 30 days advance notice for B2B customers under the DPA. The "Last updated" date at the top of this page reflects the most recent edit. We keep version history in git and can produce a diff on request.

Contact