Privacy Policy
1. Introduction
This Privacy Policy explains how Astrionix LLC ("Astrionix," "we," "us," "our") collects, uses, shares, and protects your personal information when you use Astrionix Studio (the "Service"). Astrionix is the data controller for personal data processed about you when you use the Service.
This policy is designed to comply with the EU General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and other applicable privacy laws.
2. Information We Collect
2.1 Information You Provide
- Account information: email address, password (stored hashed), artist/display name, optional handle.
- Profile content: images, audio, video, captions, drafts, and other materials you upload or create.
- Payment information: handled directly by Stripe; we receive only a customer ID, subscription status, and the last 4 digits of your card.
- Communications: messages you send us via support email or in-app forms.
2.2 Information Collected Automatically
- Usage data: pages visited, features used, timestamps, click events.
- Device & technical data: IP address, browser type, OS, device identifiers, referrer URLs.
- Cookies: see our Cookie Policy for details.
2.3 Information from Connected Platforms
If you connect a third-party platform (Instagram, TikTok, YouTube, X, Facebook), we receive only the data you authorize during the OAuth consent flow. This typically includes basic profile info, post statistics, and the ability to publish on your behalf. We do not access private messages or unrelated data.
3. How We Use Your Information
We process your personal data for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| To provide, operate, and maintain the Service | Contract |
| To process payments and manage subscriptions | Contract |
| To send transactional emails (welcome, password reset, trial reminders, billing notices) | Contract |
| To generate AI captions, scheduling suggestions, and other features you request | Contract |
| To detect, prevent, and address fraud, abuse, and security incidents | Legitimate interest |
| To improve the Service through aggregate analytics | Legitimate interest |
| To send marketing communications (only if you opt in) | Consent |
| To comply with legal obligations | Legal obligation |
4. AI Processing
When you use AI features (caption generation, scheduling assistant, Promote Agent), the inputs you provide are sent to our AI processor Anthropic, PBC for processing. Per Anthropic's API terms, your inputs and outputs are not used to train Anthropic's models. Anthropic processes data under standard contractual clauses and is bound by data-processing agreements consistent with GDPR Article 28.
5. Sub-Processors
We engage the following sub-processors to deliver the Service. Each is contractually bound to protect your data and process it only on our instructions:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI inference (captions, suggestions) | United States |
| Stripe, Inc. | Payment processing | United States |
| Resend Inc. | Transactional email delivery | United States |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | Global |
| IONOS SE | Server hosting and infrastructure | United States / European Union |
For cross-border transfers from the EU/UK to the US, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
6. How We Share Your Information
We do not sell your personal information. We share data only:
- With the sub-processors listed above, as needed to provide the Service;
- With platforms you explicitly connect (Instagram, TikTok, etc.), with your authorization;
- To comply with legal obligations, court orders, or government requests;
- To enforce our Terms or protect our rights, property, or safety;
- In connection with a merger, acquisition, or sale of assets, with prior notice to you.
7. Data Retention
- Active accounts: data retained for the life of the account.
- Closed accounts: data deleted within ninety (90) days of closure, except where legally required to retain (e.g. tax records, fraud prevention logs).
- Logs and analytics: retained for up to twelve (12) months in identifiable form.
- Backups: overwritten on a rolling thirty (30) day cycle.
8. Your Rights
8.1 Rights Under GDPR / UK GDPR (EU & UK residents)
- Right of access — request a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your data.
- Right to restrict processing — limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent — at any time, where processing is based on consent.
- Right to lodge a complaint — with your local supervisory authority.
8.2 Rights Under CCPA/CPRA (California residents)
- Right to know what personal information we collect, use, and disclose;
- Right to delete your personal information;
- Right to correct inaccurate personal information;
- Right to opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising);
- Right to non-discrimination for exercising your privacy rights.
8.3 How to Exercise Your Rights
To exercise any of these rights, email privacy@astrionix.io from the email address associated with your account. We will respond within thirty (30) days. We may need to verify your identity before processing certain requests.
9. Security
We implement industry-standard administrative, technical, and physical safeguards, including encryption at rest (AES-256-GCM for sensitive fields), TLS for data in transit, access controls, secure password hashing (bcrypt), and audit logging. No system is perfectly secure, and we cannot guarantee absolute security, but we work hard to protect your data. We will notify you of any data breach affecting your information within seventy-two (72) hours of becoming aware, as required by law.
10. Children's Privacy
The Service is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If we learn we have collected such information, we will delete it promptly. If you believe a minor has provided us with personal information, contact privacy@astrionix.io.
11. International Transfers
Astrionix is headquartered in the United States. Personal data we collect may be transferred to and processed in countries other than your country of residence, including the US. We use Standard Contractual Clauses approved by the European Commission and (where applicable) the EU-US Data Privacy Framework to legitimize such transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and/or in-app notice at least thirty (30) days before they take effect.
13. Contact
Astrionix LLC
Data Protection Inquiries: privacy@astrionix.io
Security Incidents: security@astrionix.io
General Support: support@astrionix.io