GDPR · Personal data

Privacy Policy

Last updated: May 31, 2026

AstroPath places essential importance on the protection of your personal data. This policy explains what data we collect, why, how long we keep it, and what your rights are.

1. Data Controller

The data controller for personal data is:

Identity: Kylian Stomp — sole proprietor (auto-entrepreneur)
Address: 200 rue de la Croix Nivert, 75015 Paris, France
SIRET: 843 079 526 00037
Email: [email protected]

For any question regarding your personal data or to exercise your rights, you can contact us at the email address above with the subject: "GDPR — [your request]".

2. Data collected

We only collect data strictly necessary for the provision of our services.

Category of data	Data concerned	When is it collected?
Identity	Last name, first name(s), birth name where applicable	During the order, via the product form
Contact details	Email address	During the order
Birth data	Date, time, place (city, zip code, country) of birth	During the order (essential for calculating the birth chart or numerological profile)
Business data (where applicable)	Company name, creation date, registered office address, sector of activity	When ordering a "business" product
Payment data	Card number, expiration date, CVC (processed exclusively by Stripe)	At checkout — never stored on our servers
Connection data	Technical logs from our host (IP address, browser, timestamp)	Automatically when visiting the site

3. Purposes of processing

Your data is collected and processed for the following purposes:

Performance of the contract: preparation and sending of your personalized reading;
Customer relationship management: answering your questions, order tracking, after-sales service;
Legal and accounting obligations: billing, accounting bookkeeping, tax compliance;
Site security: fraud and abuse prevention.

We never use your data for commercial prospecting purposes without your prior consent.

4. Legal bases for processing

The legal bases on which we rely are:

Contract performance (article 6.1.b of the GDPR) for data necessary to fulfill your order;
Compliance with legal obligations (article 6.1.c of the GDPR) for the retention of invoices and accounting data;
Legitimate interest (article 6.1.f of the GDPR) for site security and fraud prevention.

5. Retention period

Category	Duration
Order data (identity, contact, birth data)	3 years from the last order, for customer relationship purposes
Invoices and accounting data	10 years (legal obligation — article L123-22 of the French Commercial Code)
Payment data (at Stripe)	In accordance with Stripe's retention policy — see https://stripe.com/privacy
Server technical logs	13 months maximum (CNIL recommendation)

6. Recipients and subcontractors

Your data is never sold, rented or given to third parties. However, it may be transmitted to the following technical subcontractors, strictly within the framework of their missions:

Stripe (payment processing)

Stripe Payments Europe, Limited (Ireland) and Stripe, Inc. (United States). Processes bank payments. PCI-DSS Level 1 compliant.
Privacy policy: https://stripe.com/privacy

Formspree (form reception)

Formspree, Inc. (United States). Receives your form data and transmits it to us by email.
Privacy policy: https://formspree.io/legal/privacy-policy/

Cloudflare (hosting)

Cloudflare, Inc. (United States) hosts the site and operates the CDN network that accelerates its consultation.
Privacy policy: https://www.cloudflare.com/privacypolicy/

Wise Business (bank transfers)

Wise Payments Limited (United Kingdom). Receives funds from payments via Stripe. No customer data is directly shared with Wise.
Privacy policy: https://wise.com/privacy-policy

7. Transfers outside the European Union

Some of our subcontractors (Stripe, Formspree, Cloudflare) are based in the United States. These transfers are governed by the Standard Contractual Clauses approved by the European Commission and/or by certification to the EU-US Data Privacy Framework, ensuring an adequate level of protection for your data.

8. Security

We implement technical and organizational measures to protect your data against loss, unauthorized access, modification or disclosure. In particular:

Secure HTTPS connection of the site;
Payment processed exclusively via Stripe (PCI-DSS Level 1 certified);
Access to data limited to the person responsible for processing;
Encrypted professional email (Proton Mail).

9. Your rights

In accordance with the GDPR and the French Data Protection Act, you have the following rights at any time:

Right of access: obtain a copy of the data we hold about you;
Right of rectification: have inaccurate or incomplete data corrected;
Right of erasure ("right to be forgotten"): have your data deleted, subject to our legal retention obligations;
Right of limitation: temporarily suspend the use of your data;
Right of portability: receive your data in a structured format;
Right of objection: object to the processing of your data on legitimate grounds;
Right to set post-mortem directives on the fate of your data after your death.

To exercise these rights, write to us at [email protected] with the subject "GDPR — [your request]". We will respond within a maximum of one month.

10. Complaint to the CNIL

If you consider that your rights are not respected, you can lodge a complaint with the French National Commission for Information Technology and Civil Liberties (CNIL):

Address: 3 place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07, France
Website: https://www.cnil.fr

11. Cookies

This site does not use any advertising tracking cookies or behavioral analytics tools (Google Analytics, Facebook Pixel, etc.). Only cookies strictly necessary for the operation of the site (user session, cart, security) may be deposited — these cookies do not require your prior consent within the meaning of the ePrivacy Directive.

12. Modifications

This policy may be modified at any time to adapt to legal or technical changes. The date of the last update appears at the top of this page. We invite you to consult it regularly.