Privacy Policy

Welcome to Astraea-Pro LegalTech Suite ("Astraea-Pro," "we," "us," or "our"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our platform.

This Privacy Policy should be read in conjunction with our Terms of Service, which includes comprehensive intellectual property protection clauses (Sections 7 & 7A). By using Astraea-Pro, you acknowledge that you have read and understood both documents.

1.1 Account & Identity Information

When you create an account or use our services, we collect:

• Name and email address
• Google account information (if you sign in with Google via Supabase Auth)
• Profile information (role, jurisdiction, case details)
• Payment and billing information (processed securely through Stripe)
• Communication preferences and subscription status

1.2 Usage & Diagnostic Data

We automatically collect certain information when you use Astraea-Pro:

• Browser type, operating system, screen resolution, and timezone
• A one-way SHA-256 hash of your browser fingerprint (never your raw IP address)
• Usage patterns — pages visited, features used, time spent per page
• Session identifiers and authentication event logs
• Error logs and diagnostic information

1.3 Case, Document & Wellness Data

When you use our legal and wellness tools, we may collect and process:

• Case documents and legal filings you upload for AI analysis
• Form data and legal analysis outputs generated by the Insight Engine
• Journal entries, wellness check-ins, mood logs, and therapeutic content
• Mediation session data and settlement agreements
• Recovery path progress and module completion data

1.4 Locally Stored Data

Significant portions of your working data are stored locally on your device only and are never transmitted to our servers unless you explicitly export or sync them:

• IndexedDB (browser storage): Case analysis sessions, document uploads, AI-generated reports, Teller Engine financial data, and Insight Engine outputs are stored in your browser's IndexedDB. This data does not leave your device unless you export it.
• Local Storage: UI preferences, theme settings, session tokens, and short-lived state values.
• Cache Storage: Temporary document processing buffers.

2.1 Your Content Ownership

You retain ownership of all personal case documents, journal entries, and content you submit to Astraea-Pro. We do not claim ownership of your personal data or case materials.

2.2 Platform IP Protection

All platform features, AI models, therapeutic exercises, legal workflows, source code, UI designs, and business concepts remain the exclusive intellectual property of Astraea-Pro. As detailed in our Terms of Service (Section 7), users are strictly prohibited from:

• Copying, reverse engineering, or replicating platform features
• Using platform content to train competing AI models
• Scraping, data mining, or extracting proprietary workflows
• Creating derivative works based on our IP

2.3 AI Model Training

We do NOT use your personal case documents, journal entries, or user-submitted content to train our AI models. Your sensitive legal and therapeutic data remains private and is used solely to provide you with personalized services.

Our AI agents (Nuana, Kai, Insight Engine, etc.) are powered by Google Gemini and are trained on general legal knowledge, therapeutic frameworks, and publicly available information — never on individual user data.

We use your information to:

• Provide and maintain our services
• Authenticate your identity and manage your session securely
• Process your subscription and payments via Stripe
• Route your AI prompts securely through our Gemini proxy (your prompts are sanitized and never logged)
• Personalize your experience and deliver AI-powered insights
• Send important updates, security alerts, and subscription notifications
• Detect and prevent fraud, abuse, and unauthorized access via security event logging
• Enforce rate limits to ensure fair platform usage
• Comply with legal obligations and enforce our Terms of Service

4.1 Third-Party Service Providers

We share your information with the following trusted third-party providers who are contractually obligated to protect your data:

4.2 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect the rights, safety, and security of Astraea-Pro, our users, or the public.

4.3 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

We implement the following security measures to protect your data:

• AES-256-GCM encryption with PBKDF2 key derivation (100,000 iterations) for session bundle exports
• Supabase Auth for all authentication — email/password and Google OAuth
• Row Level Security (RLS) on all database tables — users can only access their own data
• Immutable audit logs — security events cannot be updated or deleted by any user
• Persistent rate limiting — AI proxy requests are tracked per user per minute in the database, surviving server restarts
• SHA-256 browser fingerprinting — raw IP addresses are never stored; only one-way hashes
• Gemini API key isolation — the API key is stored only in Supabase Edge Function secrets and never exposed to the browser
• Input sanitization — all AI prompts are sanitized to strip XSS and injection patterns before processing

While we strive to protect your information, no method of transmission over the internet is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

Different categories of data are retained for different periods:

• Account data: Retained for the lifetime of your account. Deleted or anonymized within 90 days of account deletion.
• Security event logs: Retained for 12 months for security audit purposes. These logs are immutable and cannot be deleted by users.
• Rate limit logs: Automatically purged after 24 hours.
• Locally stored case data (IndexedDB): Stored only on your device. We have no access to this data and cannot recover it if lost.
• Payment records: Retained as required by Stripe and applicable financial regulations.

Depending on your jurisdiction (including PIPEDA in Canada and GDPR in the EU), you may have the following rights:

• Access: Request a copy of your personal data held on our servers
• Correction: Update or correct inaccurate information via your profile settings
• Deletion: Request deletion of your account and server-side data
• Portability: Export your data using the built-in export features
• Opt-Out: Unsubscribe from marketing communications at any time
• Withdraw Consent: Revoke consent for data processing where applicable

To exercise these rights, contact us at gratienceltd@gmail.com. We will respond within 30 days.

8.1 AI Processing Consent

By using AI-powered features of the Service, you consent to your inputs being processed by AI systems, including third-party AI APIs (Google Gemini), subject to this Privacy Policy. All prompts are sanitized before processing to remove personally identifiable information.

8.2 No Training on User Data

Your case documents, journal entries, and personal content are never used to train, fine-tune, or improve our AI models or any third-party AI models. AI processing is performed solely to generate outputs for your immediate use.

8.3 AI Output Ownership

You retain ownership of all AI-generated outputs created through your use of the Service. However, you acknowledge that AI outputs may not be unique and similar outputs may be generated for other users with similar inputs.

8.4 Data Minimization

We practice data minimization when sending prompts to third-party AI providers. Only the minimum necessary context is included in AI requests, and all personally identifiable information is stripped before transmission.

9.1 Canadian Privacy Law

Astraea-Pro is committed to full compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. We adhere to the ten fair information principles set out in PIPEDA.

9.2 Accountability

We have designated a Privacy Officer responsible for ensuring compliance with PIPEDA and handling privacy-related inquiries. Contact our Privacy Officer at gratienceltd@gmail.com.

9.3 Consent

We obtain meaningful consent for the collection, use, and disclosure of your personal information. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

9.4 Limiting Collection, Use, and Disclosure

We collect only the personal information necessary to fulfill the purposes identified. We do not use or disclose personal information for purposes other than those for which it was collected, except with your consent or as required by law.

9.5 Accuracy and Safeguards

We keep personal information as accurate, complete, and up-to-date as necessary. We protect personal information with security safeguards appropriate to the sensitivity of the information.

9.6 Individual Access

Upon request, we will inform you of the existence, use, and disclosure of your personal information and provide access to that information. You may challenge the accuracy and completeness of your information and have it amended as appropriate.

10.1 Mandatory Breach Reporting

In accordance with PIPEDA's mandatory breach reporting requirements, we will notify you and the Office of the Privacy Commissioner of Canada of any breach of security safeguards involving your personal information if it is reasonable to believe that the breach creates a real risk of significant harm to you.

10.2 Notification Timeline

We will notify affected individuals and the Privacy Commissioner as soon as feasible after we determine that a reportable breach has occurred. Notification will not be delayed except as necessary to determine the scope of the breach and restore the integrity of our systems.

10.3 Notification Content

Breach notifications will include: (a) a description of the circumstances of the breach; (b) the date or time period during which the breach occurred; (c) a description of the personal information involved; (d) an assessment of the risk of harm; (e) steps we have taken to reduce the risk of harm; and (f) steps you can take to reduce the risk of harm.

10.4 Record Keeping

We maintain records of all breaches of security safeguards for 24 months, including breaches that do not meet the threshold for mandatory reporting.

11.1 Google Gemini API

We use Google's Gemini API to power our AI analysis features. When you use AI-powered features, sanitized prompts (with PII removed) are sent to Google's servers for processing. Google's use of this data is governed by their Privacy Policy and Terms of Service.

11.2 ElevenLabs TTS

We use ElevenLabs for text-to-speech functionality. Only text strings (without personal identifiers) are sent to ElevenLabs for audio synthesis. ElevenLabs' data practices are governed by their privacy policy.

11.3 Data Processing Agreements

We maintain data processing agreements with all third-party AI providers to ensure they handle your data in accordance with applicable privacy laws and do not use your data for their own purposes.

11.4 No Third-Party Training

Our agreements with third-party AI providers explicitly prohibit them from using your data to train, improve, or develop their AI models. Your data is processed solely to generate outputs for your immediate use and is not retained by third-party providers.

12.1 Legal Privilege

Astraea-Pro is not a law firm, and communications through the platform are not protected by solicitor-client privilege. Do not input information that you would only share with your lawyer under privilege.

12.2 Third-Party Information

Do not input personal information about third parties (including your ex-partner, children, or other parties to your legal matter) unless you have their consent or a legal basis to do so. You are responsible for ensuring you have the right to share any information you input into the platform.

12.3 Financial Information

While the Teller Engine is designed to help you organize financial disclosure, do not input full credit card numbers, banking passwords, or other highly sensitive financial credentials. Use account numbers and transaction summaries instead.

12.4 Health Information

The wellness features (Nuana, Inner Compass) may involve sensitive health information. This information is stored locally on your device by default. Be aware that if you export or sync this data, it will be transmitted to our servers.

12.5 Children's Information

If your legal matter involves children, be mindful of their privacy rights. Do not input unnecessary personal information about children, and ensure any information you do input is relevant to your legal matter and handled in accordance with applicable child privacy laws.

13.1 Right to Access

You have the right to request a copy of all personal information we hold about you. We will provide this information in a structured, commonly used, and machine-readable format within 30 days of your request.

13.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal information. You can update most information directly through your profile settings. For other corrections, contact us at gratienceltd@gmail.com.

13.3 Right to Erasure

You have the right to request deletion of your personal information. We will delete your data within 90 days of your request, except where we are required to retain it by law or for legitimate business purposes (e.g., financial records, security logs).

13.4 Right to Data Portability

You have the right to receive your personal data in a portable format and to transmit it to another service provider. Use our built-in export features to download your data in JSON or PDF format.

13.5 Right to Object

You have the right to object to certain types of data processing, including processing for direct marketing purposes. You can opt out of marketing communications at any time through your account settings or by clicking "unsubscribe" in any marketing email.

13.6 Right to Restrict Processing

You have the right to request that we restrict processing of your personal information in certain circumstances, such as while we verify the accuracy of disputed information.

13.7 Right to Lodge a Complaint

If you believe we have not handled your personal information in accordance with applicable privacy laws, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.

14.1 International Data Transfers

Astraea-Pro is operated from Canada. However, some of our service providers (including Supabase, Stripe, Google, and ElevenLabs) may store or process your data in the United States or other countries. By using our services, you consent to the transfer of your information to these jurisdictions.

14.2 Adequacy and Safeguards

We ensure that all international data transfers are protected by appropriate safeguards, including: (a) standard contractual clauses approved by privacy regulators; (b) data processing agreements with third-party providers; and (c) technical and organizational security measures.

14.3 U.S. Data Storage

Data stored with Supabase and Google may be processed in the United States. The United States does not have the same data protection laws as Canada. However, our service providers are contractually obligated to protect your data in accordance with applicable privacy laws.

14.4 Your Rights Abroad

When your data is transferred outside Canada, you retain all rights granted under PIPEDA and applicable provincial privacy legislation. You may exercise these rights by contacting us at gratienceltd@gmail.com.

15.1 Age Restriction

Astraea-Pro is not intended for use by children under the age of 18 (or the age of majority in your jurisdiction, whichever is greater). We do not knowingly collect personal information from children.

15.2 Parental Consent

If you are a parent or guardian and you believe your child has provided us with personal information without your consent, please contact us immediately at gratienceltd@gmail.com. We will delete such information from our systems within 30 days.

15.3 Information About Children

If your legal matter involves children (e.g., custody, child support), you may input information about your children as necessary for your legal case. However, you should: (a) only input information that is necessary and relevant; (b) be mindful of your children's privacy rights; and (c) ensure you have a legal basis to share such information.

15.4 Child Privacy Laws

We comply with applicable child privacy laws, including PIPEDA's provisions regarding children's personal information. We recognize that children's personal information requires enhanced protection and handle such information with additional care.

16.1 Types of Storage Technologies

We use the following browser storage technologies:

• Session cookies: Maintain your authentication state via Supabase Auth. These are essential for the Service to function and cannot be disabled.
• Local Storage: UI preferences, theme settings, and short-lived state values. Used to remember your settings across sessions.
• IndexedDB: Long-term local storage of case data, documents, and AI outputs. This data never leaves your device unless you explicitly export it.
• Cache Storage: Temporary document processing buffers. Automatically cleared when processing is complete.

16.2 No Third-Party Tracking

We do not use third-party advertising cookies, analytics cookies, or cross-site tracking technologies. We do not participate in ad networks or share your browsing behavior with third parties for marketing purposes.

16.3 Managing Storage

You can clear all locally stored data through your browser settings. However, this will erase locally stored case sessions, preferences, and authentication state. We recommend exporting important work before clearing browser data.

16.4 Cookie Policy

Our use of cookies is limited to essential functionality only. We do not use cookies for advertising, analytics, or tracking purposes. The only cookies we use are:

• Supabase authentication cookies (essential for login)
• Session management cookies (essential for maintaining your session)

17.1 Right to Modify

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or platform features. We will notify you of significant changes by: (a) posting the updated policy on this page with a new "Last Updated" date; (b) sending an email notification to the address associated with your account; or (c) displaying a prominent notice within the Service.

17.2 Material Changes

For material changes that significantly affect how we collect, use, or disclose your personal information, we will provide at least 30 days' advance notice and obtain your consent where required by law.

17.3 Continued Use

Your continued use of the Service after any changes to this Privacy Policy take effect constitutes your acceptance of the revised policy. If you do not agree to the modified policy, you must immediately stop using the Service and may request deletion of your account.

17.4 Review Regularly

We encourage you to review this Privacy Policy periodically to stay informed of how we protect your information. The date at the top of this page indicates when this policy was last updated.

18.1 Privacy Inquiries

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below. We will respond to all inquiries within 30 days.

18.2 Data Protection Officer

We have designated a Data Protection Officer (DPO) responsible for overseeing our privacy compliance program and handling privacy-related inquiries. You may contact our DPO directly for privacy matters.

18.3 Privacy Commissioner

If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with: