InnerAtlas is a European product built for people who care about their inner life. That care extends to your data. This policy explains what we collect, why we collect it, and what rights you have over it. It is written in plain language. If anything is unclear, email hello@inneratlas.io.
1. Who we are
The controller of personal data processed through inneratlas.io is VIBOA UG (haftungsbeschränkt), operating under the trade name InnerAtlas. Our registered office is Kopernikusstr. 14, 30167 Hannover, Germany. The company is registered with the Amtsgericht Hannover under HRB 22/14/82. For privacy questions, contact hello@inneratlas.io.
2. What we collect
Birth data. Your date, time, and place of birth. This is used to calculate an astronomical chart and generate your personality reading. Birth data is not a "special category" under Article 9 GDPR, but we treat it as sensitive because it is personal.
Contact data. If you make a purchase, we collect your email address to deliver your reading and send a receipt. No account is created.
Purchase data. Stripe processes your payment on our behalf. We receive a confirmation that you paid and a partial card identifier for receipts. We never see or store full card numbers.
Technical data. Your IP address and user-agent are visible to our hosting provider (Vercel) and appear in short-lived access logs. This is necessary to serve the site and to prevent abuse.
Analytics data. If you accept analytics cookies, PostHog records anonymised events about how you use the product (e.g. which pages you viewed, whether you completed the reading). You can decline this at any time.
3. What we do not do
We do not run third-party advertising trackers. We do not sell or rent your data. We do not build behavioural profiles for marketing. We do not share your reading content with anyone outside the processors listed below.
4. Legal basis for processing
Contract performance (Art. 6(1)(b) GDPR) — to generate, deliver, and store the reading you requested.
Consent (Art. 6(1)(a) GDPR) — for analytics cookies and for optional marketing email. You can withdraw consent at any time.
Legitimate interests (Art. 6(1)(f) GDPR) — to prevent fraud, debug errors, and keep the service reliable. We balance this against your rights and have concluded that this processing is minimal and expected.
Legal obligation (Art. 6(1)(c) GDPR) — to retain invoices and tax records as required by German law (§ 147 Abgabenordnung, § 257 Handelsgesetzbuch).
5. How long we keep your data
Birth data and readings are retained for as long as the reading exists — so you can return to it at any time. You may request deletion at any time and we will remove them within 30 days, except where law requires retention. Email privacy@inneratlas.io to request deletion.
Access logs are kept for 90 days and then deleted automatically.
Error reports (Sentry) are kept for 90 days and do not contain your reading content.
Invoices are kept for 10 years to comply with German tax and commercial law (§ 147 AO, § 257 HGB).
6. Your rights
Under GDPR you have the right to:
Access — ask for a copy of the data we hold about you. Rectification — correct inaccurate data. Deletion — ask us to erase your data ("right to be forgotten"). Portability — receive your data in a machine-readable format. Restriction — limit how we process your data. Objection — object to processing based on legitimate interests. Complaint — lodge a complaint with your national supervisory authority. The competent authority for VIBOA UG (haftungsbeschränkt) is the Landesbeauftragte für den Datenschutz Niedersachsen (https://www.lfd.niedersachsen.de); consumers may also complain to the supervisory authority of their country of residence.
To exercise any of these rights, email hello@inneratlas.io. We respond within one month.
7. Data processors
We use the following companies to run InnerAtlas. Each one has a data processing agreement with us.
Vercel (USA) — hosting and edge delivery. Neon (EU, eu-central-1 / Frankfurt) — managed PostgreSQL database. Upstash (EU region) — Redis cache and QStash message queue for email scheduling. Anthropic (USA) — AI provider (Claude). Does not use your data to train models on business API traffic. Stripe (Ireland / USA) — payment processing. Handles your card details; we never see them. Inngest (USA) — workflow orchestration for reading generation. Processes reading IDs and event metadata; does not receive birth data or reading content. PostHog (EU region) — product analytics. Only active if you accept analytics cookies. Resend (USA) — transactional email delivery. Sentry (USA) — error monitoring. Does not capture reading content.
8. International transfers
Some processors (Vercel, Anthropic, Stripe, Inngest, Resend, Sentry) are based in or transfer data to the United States. Transfers rely on the EU–US Data Privacy Framework where the recipient is certified, and on the European Commission's Standard Contractual Clauses otherwise. We apply additional safeguards (encryption in transit and at rest). Neon, Upstash, and PostHog process data within the European Union.
9. Cookies
We use essential cookies to run the site (session, security). These do not require consent. We use analytics cookies only after you accept them on the consent banner. You can change your choice at any time by clearing site data.
10. Children
InnerAtlas is not directed at people under 16. We do not knowingly process data of minors. If you believe a minor has used the service, email us.
11. Changes to this policy
We may update this policy as the product evolves. If we make a material change, we will notify registered users by email and update the date at the top.