Legal

Privacy Policy

Last updated: 2026-05-20

AstroEquip is a free, vendor-neutral software suite, the Gear Finder wizard and the Telescope Simulator. We do not sell physical products, do not process payments, do not run advertising, and do not use cross-site tracking. This policy explains every category of data the apps touch, the lawful basis for each processing activity, who acts as a sub-processor, and how to exercise your rights under the GDPR.

1. Who we are (the data controller)

The data controller for the personal data described below is:

We have not appointed a Data Protection Officer because the scale and sensitivity of processing does not require one under GDPR Art. 37.

2. What we collect, why, and on what lawful basis

The table below is exhaustive. If a category is not listed, we do not collect it. "Identifier" categories never include name, email or address for anonymous visitors.

Category What exactly Purpose Lawful basis (Art. 6)
Anonymous device ID A random string in browser localStorage (key af_device_v1), e.g. dev_1715…_a9f3. Never linked to your real identity. So the Gear Finder remembers your saved setups across sessions on the same browser. Art. 6(1)(b), performance of the service you requested. Strictly necessary, no consent banner required.
Wizard state (anonymous) Your in-progress and saved setups in localStorage (keys af_setup_v1, af_setups_v1, af_build_v1, af_customs_v1). Lives on your device only. Resume the wizard, switch between named setups, keep your custom-gear list. Art. 6(1)(b), service performance.
Saved gear setups (signed in) When you are signed in to a Shopify customer account on our storefronts, your setup JSON is also stored against your Shopify customer ID as a customer metafield, and a copy is logged in our Neon database (table customer_setups) with your numeric Shopify customer ID. Cross-device sync of your saved setup; eligibility check for the opt-in follow-up email. Art. 6(1)(b), service performance.
Anonymous match analytics Every time you click Find my matches, an anonymous row is written to our database tables submissions and match_events: random session ID, your gear specs, Bortle scale, owned filters, the matched products, score breakdowns and rules fired. No email, no IP, no customer ID is stored in these tables. Improving the matching engine, spotting categories where users see zero matches, prioritising catalog expansion. Art. 6(1)(f), legitimate interest in improving a free service. Balancing test: the data is genuinely anonymous and discarded after 90 days, so the impact on you is negligible.
Result-click engagement (result_clicks) When you click "Add to build" on a recommended product, click "Swap" on a slot in My Setup, or interact with a bundle, we write one row containing the same random session ID issued for your match, plus the product ID, its category, the action you took, the engine's score for it, and its rank in the result list at click time. No email, no IP, no customer ID. Validating whether the matching engine actually surfaces the gear you want; spotting cases where the top pick is regularly ignored in favour of a lower-ranked one (the engine has a bug or a weight is off). Art. 6(1)(f), legitimate interest in service-quality measurement. Pseudonymous via the same per-match UUID; impact on you is negligible.
Catalog-gap signal (catalog_misses) When you type a brand or model into a wizard autocomplete field and the dropdown returns no match, we write one fully-anonymous row containing the typed query (trimmed, max 64 chars), which field it was typed into, its length, and the wizard locale. No session ID, no IP, no cookie, no customer ID. Per-page-load dedup so the same typed query is logged at most once per session. Catalog roadmap input. If hundreds of users type a brand we don't carry, we should add it. Art. 6(1)(f), legitimate interest in improving the catalogue. The query is unlinkable to any individual.
Follow-up email (opt-in) Only when you tick "Email me follow-up tips for this setup" on the Review step. We store the boolean consent_followup = TRUE on your saved-setup row. Your email address itself is not stored in our database. We read it fresh from Shopify at the moment we send and never cache it. One short follow-up email with imaging tips for the gear you saved. Art. 6(1)(a), explicit consent, freely given, unbundled from the rest of the service. Withdraw at any time via the one-click unsubscribe link in the email footer or by emailing us.
Webhook bookkeeping If you place an order on a storefront, Shopify forwards orders/paid and inventory webhooks to us; we record only the Shopify order ID (table processed_webhooks) to avoid processing the same event twice. Idempotency of webhook processing. Art. 6(1)(f) legitimate interest in reliable service; Art. 6(1)(c) for GDPR compliance webhooks (customers/data_request, customers/redact, shop/redact).
Operational metadata HTTP request metadata (timestamps, status codes, user agent, the path requested) and rate-limit counters keyed by an anonymised bucket derived from your IP address. The raw IP is never persisted by our application. Security, rate limiting, debugging, abuse prevention. Art. 6(1)(f), legitimate interest in service security.
GDPR audit log When Shopify sends a customers/data_request, customers/redact or shop/redact compliance webhook, we write one row to gdpr_audit_log recording the action, the customer ID it concerned, the timestamp, and per-table counts of rows touched. Demonstrate compliance with Art. 12 / 17 / 28(3)(h). Art. 6(1)(c), legal obligation.

3. What we explicitly do NOT collect

  • Payment data. We do not process payments and have no card-handling infrastructure.
  • Geolocation server-side. The Telescope Simulator may ask your browser for coordinates so it can centre the sky map on your location, but that is opt-in inside the browser, processed locally, and never sent to our servers.
  • Browser fingerprints, canvas fingerprints, or device fingerprints.
  • Marketing identifiers, advertising IDs, cross-site cookies, or behavioural-advertising data.
  • Email or address fields for anonymous visitors. The Gear Finder does not ask for them.
  • Special-category data under GDPR Art. 9 (health, ethnicity, religion, biometrics, etc.). There is no point in our service where that would be relevant.
  • Data on children. The service is not directed at children under 16.

4. Cookies and similar storage

We only use strictly-necessary first-party storage; no consent banner is required under the ePrivacy Directive (Art. 5(3)).

Our storefronts display Shopify's customer-privacy cookie banner (Required, Personalization, Marketing, Analytics categories). The banner is part of Shopify's platform, not ours. Our anonymous match-time analytics is processed under the legitimate-interest basis in Section 2, not under consent, so the banner choice does not legally gate that processing.

Where Shopify's Customer Privacy API is loaded by the storefront's theme, the Gear Finder also reads it at runtime and treats an explicit decline of the Analytics category as a GDPR Art. 21 objection: it drops result-click events, catalog-gap events, and the match-time analytics row before any network call is made. On themes that do not expose this API, the banner is informational only; in either case you can object at any time by emailing us and we will stop processing your data. The Marketing category is unused by AstroEquip regardless: we do not run advertising or marketing cookies.

Storage Where it lives Purpose Lifetime
af_device_v1 localStorage Anonymous device ID Until you clear browser storage
af_setup_v1 localStorage Current wizard state Until you clear browser storage
af_setups_v1 localStorage List of named saved setups Until you clear browser storage
af_build_v1 localStorage Your currently assembled "My Setup" Until you clear browser storage
af_customs_v1 localStorage Custom gear you added that isn't in our catalog Until you clear browser storage
Tutorial-seen flag sessionStorage Suppress the simulator tutorial on re-entry Until tab is closed
cust_token (request body) In-memory only Single-use HMAC token so the simulator iframe can load your saved setups 5 minutes; consumed on first use

We do not use third-party tracking cookies, advertising pixels, or cross-site identifiers. There is no Google Analytics, no Meta pixel, no Hotjar, no session replay.

5. Sub-processors and where data lives

We engage the following processors, each under a written Data Processing Agreement that meets the standards of GDPR Art. 28.

Processor What they do for us Region Transfer mechanism
Shopify International Ltd. Hosts the storefront, customer accounts, and the customer metafield where your saved setup is stored. Forwards mandatory compliance webhooks to us. EU / Ireland (with global infrastructure) Adequacy + Shopify's DPA + Standard Contractual Clauses where applicable.
Neon, Inc. Postgres database hosting all server-side data described in section 2. EU, Frankfurt region (eu-central-1). Backups remain in the EU. Intra-EU; no third-country transfer.
Vercel Inc. Serverless hosting of our API endpoints and operational logs. Functions execute in the EU; logs retained for 30 days in EU regions. PII is scrubbed before it reaches the log stream. Vercel's DPA, SCC where any cross-border processing is required.
Resend, Inc. Sends the opt-in follow-up email if (and only if) you consented. United States. Standard Contractual Clauses (Art. 46) plus Resend's published DPA.
Upstash, Inc. Distributed rate-limit counters keyed by an anonymised IP bucket. No PII transits this processor. EU region. Intra-EU.
Centre de Données astronomiques de Strasbourg (CDS) Provides the public Aladin Lite and Simbad APIs the Telescope Simulator queries for sky-survey tiles and object catalogues. Queries are anonymous and contain no PII. France (EU). Intra-EU.
Ko-fi Labs Ltd. (optional donations only) Processes voluntary donations made via the "Support development" button. Collects donor name + email + payment data on Ko-fi's own platform; we never see card details. Used only if you click through and complete a donation. United Kingdom (post-Brexit adequacy decision). Adequacy decision; Ko-fi's published DPA.

We do not sell, lease, or share personal data with any party outside this list, and none of the parties listed above are advertising networks.

6. Retention

We keep data only for as long as it is needed for the purpose it was collected. Retention windows are enforced by an automated daily cleanup job at 03:00 UTC.

Data Kept for
Saved gear setups (customer_setups) Until you delete or unsubscribe; erased within 30 days of an erasure request.
Anonymous device records (device_setups, dev_* only) 90 days of inactivity, then automatically erased.
Match analytics (submissions, match_events) 90 days, then automatically erased.
Result-click engagement (result_clicks) 90 days, then automatically erased.
Catalog-gap signal (catalog_misses) 90 days, then automatically erased.
Processed-webhook bookkeeping 60 days, then erased.
Rate-limit counters 1 hour.
Single-use API tokens (token_nonces) 1 day past expiry.
GDPR audit log Indefinite; required for compliance evidence under Art. 28(3)(h).
Vercel operational logs 30 days (Vercel platform default).

7. Your rights under the GDPR

Under Articles 15–22 of the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate data (Art. 16).
  • Erase your data (Art. 17, the "right to be forgotten").
  • Restrict processing while a dispute is resolved (Art. 18).
  • Port your data to another controller in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, for any consent-based processing (Art. 7(3)). Withdrawal is as easy as giving it. One click in the email footer or one email to us.
  • Not be subject to fully automated decisions with legal effect (Art. 22). Our gear-matching engine produces recommendations only; nothing it returns has legal consequences for you.

How to exercise these rights

  • Through Shopify (signed-in customers). Use Shopify's built-in "Request my data" or "Delete my account" flow on any of our storefronts. Shopify dispatches a customers/data_request or customers/redact webhook to us, we respond within 30 days, and erasure is completed within 10 days of a deletion request.
  • One-click unsubscribe (follow-up email). Every follow-up email contains a signed one-click link that withdraws your consent. We do not require you to sign in to use it.
  • Directly by email. Write to alvesastrofotografi@gmail.com and include either your Shopify customer ID or, for anonymous visitors, the device ID visible in your saved-setups panel. We will reply within 30 days (Art. 12(3)).

8. Merchants installing the AstroEquip app

If a Shopify merchant installs our app on their own store and later uninstalls it, Shopify dispatches a shop/redact webhook 48 hours after uninstall. On receipt we permanently erase all data tied to that shop from our Neon database and write a single audit row recording the action.

9. International transfers

Our processors operate primarily in the EU (Neon in Frankfurt, Vercel in EU regions, Upstash in EU, CDS in France). Two processors involve transfer to a third country:

  • Resend (United States) is used only when you have given consent for follow-up email. We rely on the EU Commission's Standard Contractual Clauses (Art. 46(2)(c)) and Resend's published DPA.
  • Shopify's own infrastructure is global; we rely on Shopify's published DPA and its SCCs. You can read Shopify's privacy statement for their position.
  • Ko-fi (United Kingdom) operates under the EU's adequacy decision for the UK and its own DPA. Used only for voluntary donations you initiate yourself.

You may request a copy of the safeguards in place by emailing us.

10. Security

The technical and organisational measures we use include:

  • TLS 1.2+ for every connection between your browser, our API and our processors.
  • Encryption at rest for the Neon database (provider default).
  • HMAC-signed requests on every Shopify App Proxy endpoint, including timing-safe verification, anti-replay windows, and shop-domain pinning.
  • Single-use, time-limited HMAC tokens for the simulator-iframe handshake.
  • Per-customer and per-IP rate limits on every write endpoint.
  • Strict log scrubbing: email addresses, names, phone numbers, addresses, and postal codes are redacted from logs before they leave our application.
  • Principle of least privilege: the Shopify API token requested by the app holds only read_products, read_inventory, read_orders, read_locations, write_customers.
  • Daily automated cleanup of expired rows in line with the retention table above.

11. Children

The service is not directed at children under 16. We do not knowingly collect personal data from anyone under that age. If you believe a child has provided personal data to us, contact us and we will erase it.

12. Automated decision-making and profiling

Our matching engine ranks products by compatibility with the gear you describe. This is automated processing but does not produce legal or similarly significant effects (Art. 22). The output is a list of suggestions; you decide what, if anything, to do with it. The full scoring approach is documented in the How the engine matches guide.

13. Complaints

If you believe we have mishandled your data, you have the right to lodge a complaint with a supervisory authority:

Swedish residents may also use Allmänna reklamationsnämnden (ARN) for out-of-court consumer dispute resolution.

14. Changes to this policy

Material changes are signalled by updating the "Last updated" date at the top of this page. Substantive revisions will be announced on the storefronts at least 14 days before they take effect, with a brief summary of what changed.

15. Contact

Email alvesastrofotografi@gmail.com for any privacy question, data-subject request, or to request a postal address for written correspondence.

Document version: 2026-05-20.