✦

Privacy Policy

Last updated: April 3, 2026

Version 1.2 — Effective date: April 3, 2026

This Privacy Policy explains how ZodAI ("we," "our," or "us"), operated by Rico Schurter (Bellinzona, Switzerland), collects, uses, shares, and protects your personal information when you use the ZodAI mobile application ("App") and related services.

By downloading, installing, or using ZodAI, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the App.

Who We Are
Information We Collect
How We Use Your Information
AI & Third-Party Processing (OpenAI)
Third-Party Services
International Data Transfers
Data Sharing and Selling
Data Retention
Security
Your Rights — California Residents (CCPA/CPRA)
Your Rights — Other US States
Your Rights — Swiss & EU Residents (nDSG/GDPR)
Children's Privacy (COPPA)
Email Communications (CAN-SPAM)
Automated Decision-Making
Changes to This Policy
Contact Us

1. Who We Are

ZodAI is operated by:

Rico Schurter
Bellinzona, Canton Ticino, Switzerland
Email: support@zodai.io
Support: support@zodai.io
Website: https://zodai.io

Rico Schurter acts as the data controller for personal data collected through the ZodAI application, as defined under the Swiss Federal Act on Data Protection (nDSG/FADP), the EU General Data Protection Regulation (GDPR), and applicable US privacy laws.

2. Information We Collect

2.1 Information You Provide Directly

Identity data: First name, email address
Birth data: Date of birth, time of birth (optional), city and country of birth
Account credentials: Password (stored in encrypted form by Supabase Auth — we never see your plain-text password)
Chat content: Messages and questions you send to Lyra, our AI astrologer
Referral code: If you generate or use a referral code

2.2 Information Collected Automatically

Usage data: Features used, screens visited, interactions with the App, message counts
Device information: Device type, operating system version, app version
Push notification token: Device token used to deliver daily reading notifications (if you grant permission)
Subscription data: Subscription status, plan type, trial period usage (managed by RevenueCat and Apple)

2.3 Derived Information

Astrological profile: Birth chart (planetary positions, signs, degrees) calculated from your birth data
Geographic coordinates and timezone: Latitude, longitude, and IANA timezone derived from your birth city via Google Places API (processed server-side; only the city name is transmitted to Google)
AI-generated content: Daily readings, chat responses, and compatibility analyses personalized to your chart

2.4 Categories Under CCPA (California)

Category	Examples	Collected?
Identifiers	Name, email address, account ID	Yes
Personal information (Cal. Civ. Code §1798.80(e))	Name	Yes
Characteristics of protected classifications	Date of birth (age)	Yes
Commercial information	Subscription history, purchases	Yes
Internet or network activity	App usage, feature interactions	Yes
Geolocation data	Birth city/country (not real-time location)	Yes
Inferences	Astrological profile, reading preferences	Yes
Sensitive personal information	None beyond date of birth	Limited

We do NOT collect: real-time location, contacts, photos, payment card numbers (handled by Apple), or any biometric data.

3. How We Use Your Information

Purpose	Data Used	Legal Basis (nDSG/GDPR)
Calculate your personal birth chart (10 planets)	Birth date, time, place + coordinates	Contract performance
Geocode your birth city to coordinates and timezone	Birth city name → Google Places API (server-side)	Contract performance
Generate your daily AI reading via Lyra	Birth chart data, name → OpenAI	Contract performance + Consent
Power your chat conversations with Lyra	Messages, birth chart → OpenAI	Contract performance + Consent
Generate Cosmic Compatibility readings	Your chart + partner's data → OpenAI	Contract performance + Consent
Manage your account and authentication	Email, password hash	Contract performance
Process and manage subscriptions	Subscription status via RevenueCat/Apple	Contract performance
Cache daily readings (one per user per day)	Reading text stored in Supabase	Legitimate interest
Store recent chat history (last 60 messages)	Chat messages stored in Supabase	Contract performance
Send daily reading push notifications	Push token via Expo	Consent
Send transactional and waitlist emails	Email address via Brevo	Contract performance + Consent
Referral program	User ID, referral code	Legitimate interest
Improve the App and fix bugs	Aggregated usage data	Legitimate interest
Comply with legal obligations	As required by applicable law	Legal obligation

4. AI & Third-Party Processing (OpenAI)

⚡ AI DISCLOSURE — Required under Apple App Store Guidelines 5.1.2(i)

When you use the daily reading, chat with Lyra, or request a compatibility analysis, your birth chart data (planetary positions and signs) and your messages are transmitted to OpenAI, LLC (San Francisco, California, USA) via their API.
OpenAI's model GPT-4o-mini processes this data to generate your personalized response.
Your name may be included in the prompt to personalize the response.
Your email address and password are never sent to OpenAI.
OpenAI retains input/output data for a maximum of 30 days solely for abuse monitoring.
OpenAI does NOT use your data to train their AI models (API customers are opted out by default as of March 1, 2023).

Before using Lyra for the first time, the App displays a consent dialog requesting your explicit agreement to this data sharing. You may decline, in which case AI-powered features will not be available.

OpenAI's Privacy Policy: https://openai.com/privacy

ZodAI has executed a Data Processing Agreement (DPA) with OpenAI Ireland Ltd. (effective March 18, 2026), ensuring compliance with Swiss nDSG, EU GDPR, and applicable US privacy law.

5. Third-Party Services

Provider	Purpose	Data Shared	Privacy Policy
OpenAI, LLC	AI content generation (Lyra responses, readings)	Birth chart, name, chat messages	openai.com/privacy
Supabase, Inc.	Database, authentication, Edge Functions (hosted on AWS)	All account and app data	supabase.com/privacy
RevenueCat, Inc.	Subscription management and analytics	Device ID, subscription status	revenuecat.com/privacy
Apple, Inc.	App distribution, in-app purchases, push notifications (APNs)	As per App Store terms	apple.com/privacy
Expo (Expo Go / EAS)	App build infrastructure and push notification delivery	Push notification token, device info	expo.dev/privacy
Google LLC	Geocoding birth city to geographic coordinates and IANA timezone (Google Places API + Google Timezone API). Called server-side at onboarding and profile edit — only the city name is transmitted to Google's servers to retrieve latitude, longitude, and timezone. The result is stored in our database; no further data is shared with Google.	Birth city name only	policies.google.com/privacy
Brevo (Sendinblue SAS)	Transactional emails (account confirmation, password reset) and waitlist communications	Email address, first name	brevo.com/legal/privacypolicy

All providers are contractually bound to process your data only as instructed by ZodAI and in compliance with applicable data protection law.

Google LLC is based in the United States. Data transferred to Google is governed by Google's Terms of Service and Privacy Policy. Google may process this data in accordance with its own retention policies. ZodAI does not receive or store any data from Google beyond the coordinates and timezone returned for the queried city name.

6. International Data Transfers

ZodAI is operated from Switzerland. Our service providers are primarily located in the United States. When we transfer your personal data from Switzerland or the EU/EEA to the USA, we rely on:

Swiss-US Data Privacy Framework (Swiss-US DPF): Recognized by the Swiss Federal Council on September 15, 2024. Covers processors participating in the DPF program.
EU-US Data Privacy Framework: For data originating from EU/EEA users, where applicable.
Standard Contractual Clauses (SCCs): For processors not covered by the DPF, we rely on SCCs approved under EU/Swiss data protection law.
OpenAI DPA: Our signed Data Processing Agreement with OpenAI Ireland Ltd. (effective March 18, 2026) includes SCCs and adequacy safeguards for Swiss and EEA data.

You may request a copy of applicable transfer safeguards at support@zodai.io.

We do NOT sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising or targeted advertising purposes.

We share your data only in these limited circumstances:

Service providers: As described in Section 5, solely to operate the App.
Legal requirements: If required by applicable law, court order, or governmental authority.
Business transfer: In connection with a merger, acquisition, or sale of substantially all assets, with prior notice to you.
Safety: To protect the rights, property, or safety of ZodAI, our users, or others.

8. Data Retention

Data Category	Retention Period
Account data (name, email, birth data)	Until account deletion, then immediately purged
Daily readings cache	Retained while account is active (one reading per day)
Chat messages with Lyra	Last 60 messages stored per user in Supabase. When the 60-message limit is exceeded, the oldest messages are automatically deleted. All messages are permanently deleted upon account deletion.
Compatibility readings	Until account deletion
Data sent to OpenAI	Maximum 30 days at OpenAI for abuse monitoring, then deleted per OpenAI's API policy
Data sent to Google (birth city name)	Not retained by ZodAI beyond the geocoding response. Google's own retention applies per their Privacy Policy.
Subscription data (RevenueCat)	Per RevenueCat's data retention policy
Push notification tokens	Until account deletion or notification permission revoked
Email address (Brevo — waitlist)	Until you unsubscribe or request deletion
App usage logs	12 months rolling

When you delete your account through the App (Profile → Delete Account), all your personal data on our servers is permanently and irreversibly deleted within seconds, including your profile, birth data, readings, chat history, and referral records.

9. Security

Encryption in transit: All data uses TLS 1.2 or higher.
Encryption at rest: Supabase (AWS) encrypts data at rest using AES-256.
Authentication: Passwords are hashed using bcrypt; we never store or access plain-text passwords.
Access controls: Row-Level Security (RLS) policies ensure users can only access their own data.
API key protection: All service API keys, including the Google Places API key, are stored as server-side environment variables (Supabase Secrets) and are never exposed in client code or the App bundle.

In the event of a data breach that affects your rights and freedoms, we will notify you and applicable authorities within 72 hours of becoming aware, as required by law.

10. Your Rights — California Residents (CCPA/CPRA)

Right to Know: Request disclosure of categories and specific pieces of personal information collected, their sources, business purposes, and third-party recipients.
Right to Delete: Request deletion of your personal information (subject to certain exceptions).
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for targeted advertising. No opt-out required, but you may confirm at support@zodai.io.
Right to Limit Sensitive PI: We do not use sensitive personal information beyond providing the App's core features.
Right to Non-Discrimination: We will not discriminate against you for exercising privacy rights.
Right to Data Portability: Receive your personal information in a portable, machine-readable format.

Submit requests via: in-app deletion (Profile → Delete Account) or email support@zodai.io with subject "CCPA Privacy Request." We respond within 45 days.

11. Your Rights — Other US States

Residents of Colorado, Connecticut, Virginia, Texas, Florida, Montana, Oregon, and other states with comprehensive privacy laws have similar rights including access, deletion, correction, portability, and opt-out of targeted advertising. Contact support@zodai.io to exercise these rights.

Texas residents: Under the Texas Data Privacy and Security Act (TDPSA), you may submit a complaint to the Texas Attorney General.

12. Your Rights — Swiss & EU Residents (nDSG/GDPR)

Under the Swiss Federal Act on Data Protection (nDSG, effective September 1, 2023) and the EU General Data Protection Regulation (GDPR), you have the following rights:

Right of access (Art. 15 GDPR / Art. 25 nDSG): Request a copy of your personal data and information about how it is processed.
Right to rectification (Art. 16 GDPR / Art. 32 nDSG): Request correction of inaccurate data.
Right to erasure (Art. 17 GDPR / Art. 32 nDSG): Request deletion of your data ("right to be forgotten").
Right to restriction of processing (Art. 18 GDPR): Request that we limit how we process your data in certain circumstances.
Right to data portability (Art. 20 GDPR / Art. 28 nDSG): Receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21 GDPR / Art. 30 nDSG): Object to processing based on legitimate interests.
Right regarding automated decisions (Art. 22 GDPR / Art. 21 nDSG): Request human review of decisions made solely by automated processing that significantly affect you.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights: support@zodai.io

Swiss residents may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch

EU residents may lodge a complaint with the supervisory authority in their country of residence or establishment.

13. Children's Privacy (COPPA)

ZodAI is not directed at children under the age of 13.

We do not knowingly collect personal information from children under 13 years of age. The App includes an age verification mechanism at registration: if a user's date of birth indicates they are under 13, their account will not be created and no personal data will be stored.

If you are a parent or guardian and believe your child under 13 has provided personal information to ZodAI, contact us immediately at support@zodai.io. We will promptly delete any such information.

Users between 13 and 18 years of age should review this Privacy Policy with a parent or guardian before using ZodAI.

This policy is maintained in compliance with the Children's Online Privacy Protection Act (COPPA).

14. Email Communications (CAN-SPAM)

ZodAI sends transactional emails (account confirmation, password reset) via Brevo from support@zodai.io and, with your consent, promotional communications about new features or offers.

In compliance with the CAN-SPAM Act:

All promotional emails clearly identify themselves as commercial communications.
All emails include our physical address: Rico Schurter, Bellinzona, Switzerland.
Every promotional email includes a clear unsubscribe mechanism.
We process opt-out requests within 10 business days.

To unsubscribe: click the "Unsubscribe" link in any email or email support@zodai.io.

15. Automated Decision-Making

ZodAI uses automated processing (AI) to generate personalized astrological readings. These outputs are for entertainment and personal insight only and do not produce legal effects or similarly significant decisions affecting users.

If you wish to question any AI-generated output, contact support@zodai.io. We will provide human review upon request.

16. Changes to This Privacy Policy

When we make material changes, we will:

Update the "Last updated" date at the top of this policy.
Notify you via email or in-app notification before changes take effect.
For significant changes to how we process your data, request renewed consent where required by law.

17. Contact Us

Rico Schurter — ZodAI Data Controller
Bellinzona, Canton Ticino, Switzerland
Email: support@zodai.io
Support: support@zodai.io
Website: https://zodai.io

We aim to respond to all privacy-related inquiries within 30 days.