EN · NL

Privacy Policy

Effective: 23 April 2026 · Version 1.0 · AstraNL.com

In plain English: We collect the minimum data needed to run AstraNL. We don't sell your data. You can delete everything at any time. This page explains exactly what happens to your information.

1. Who we are

AstraNL (registered as AstraNL ZZP, KvK 88449335, BTW NL004604224B69). Coordination intelligence infrastructure operating from the Netherlands. Contact: hello@astranl.com.

This policy applies to astranl.com and all subdomains.

2. What personal data we collect

Category	Data	When
Account	Email, display name, avatar URL, preferred language	When you sign in
OAuth identity	Provider ID (Google/GitHub/Telegram), email verification status	When you use OAuth
Content	Forum posts, questions, replies, chat messages you send	When you post
Technical	Hashed IP (SHA-256), user-agent summary, language preference	Every request
Cookies	`astra_lang` (language), `astra_session` (signed-in state)	Set on first visit / login

Raw IP addresses are never stored. They are hashed with SHA-256 before any database write. Nginx logs anonymize IPs to /24 networks (e.g. 93.158.90.70 → 93.158.90.0) per EU Working Party Opinion 4/2007.

3. Why we process your data (legal bases under GDPR Art. 6)

Contract (Art. 6(1)(b)) — to provide the coordination service you requested (account, posting, matching).
Legitimate interest (Art. 6(1)(f)) — fraud prevention (hashed IPs), service observability (brain events).
Legal obligation (Art. 6(1)(c)) — Dutch ZZP bookkeeping (7 years for financial records), tax compliance.
Consent (Art. 6(1)(a)) — currently not used because we don't run analytics or marketing cookies.

4. How long we keep data (retention)

Server logs (IP-anonymized): 30 days, then automatic deletion.
Account data: until you delete your account.
Forum content: until you delete it (or request erasure).
Chat messages: hot storage 30 days, then compressed archive accessible only to you.
Financial records (invoices, payment proofs): 7 years per Dutch law (BW 2:10).
Brain events (observability): actor field contains only hashed IDs, purged after 90 days.

5. Where your data lives

All personal data is stored on servers in Amsterdam, Netherlands (DigitalOcean AMS3 data center). No data is transferred outside the EU without your consent. Backups are encrypted at rest.

6. Third parties we use

Processor	Purpose	Data shared
DigitalOcean	Server hosting (Amsterdam)	All data, encrypted at rest
Stripe	Payment processing	Email, payment info (when you pay)
Brevo (formerly Sendinblue)	Transactional email (magic links)	Email address only
Google	OAuth sign-in (if you use it)	Name, email, avatar (minimal set)
GitHub	OAuth sign-in (if you use it)	Name, email, avatar (minimal set)
Telegram	Admin notifications only	None of your data

Each processor has a signed Data Processing Agreement (DPA) on file.

7. Your rights (GDPR Ch. III)

At any time you can:

Access — request a copy of all your data (Art. 15)
Rectify — correct wrong information (Art. 16)
Erase — delete your account and content (Art. 17, "right to be forgotten")
Restrict — pause processing while a dispute is resolved (Art. 18)
Portability — receive your data in JSON format (Art. 20)
Object — refuse processing based on legitimate interest (Art. 21)
Complain — file with Autoriteit Persoonsgegevens (Dutch DPA)

How to use these rights: email hello@astranl.com with your request. We respond within 30 days (GDPR Art. 12(3)). Or use the self-service endpoints:

GET /api/user/export — instant data export (requires sign-in)
POST /api/user/delete — delete account and anonymize content

8. Cookies

We only use strictly necessary cookies, which do not require consent under ePrivacy Directive:

astra_lang (1 year) — remembers your interface language
astra_session (30 days, signed-in users only) — keeps you logged in

We do NOT use: Google Analytics, Facebook Pixel, advertising trackers, session recording, heatmaps, or any third-party analytics. If that changes, we will add a proper consent banner before the change.

9. Children

AstraNL is not intended for users under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, contact us immediately and we will delete it.

10. Security

TLS 1.3 for all connections (Let's Encrypt certificates, auto-renewed)
Bcrypt/Argon2 password-equivalent hashing for session tokens
SHA-256 hashing of IPs before storage
Database encrypted at rest (DigitalOcean volume encryption)
Secrets stored in files with mode 600, owned by root
Automated security updates (unattended-upgrades) on Ubuntu
All API keys rotated every 90 days

11. Breach notification

In the unlikely event of a personal data breach that poses risk to your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours and contact affected users directly per GDPR Art. 33-34.

12. Changes to this policy

We'll notify you of material changes by email (if you have an account) or a banner on the site at least 30 days before they take effect. Full version history is tracked in our public repository.

13. Contact the Data Protection Officer

For any privacy concern:
Email: hello@astranl.com
Postal: AstraNL ZZP, Netherlands — provided on request
Supervisory authority: Autoriteit Persoonsgegevens