Privacy Policy
Last updated: 7 July 2026
1. Who we are
Astronomy Core (“we”, “us”) operates the hosted API and MCP server at
astronomycore.com,
api.astronomycore.com, and
mcp.astronomycore.com.
2. Scope
This policy applies to account registration, dashboard use, API/MCP access, and OAuth connections with third-party AI assistants (Claude, ChatGPT, Perplexity). It does not govern those third-party platforms — review their policies separately.
3. Data we process
- Account data: email address, Firebase user identifier (UID), sign-in provider metadata, email verification status.
- API credentials: API key names, SHA-256 hashes of keys (never plaintext after creation), issuance metadata (
issuedVia, OAuth client id when applicable), status, usage counters, last-used timestamps. - OAuth connections: which registered client (Claude, ChatGPT, or Perplexity) you authorized, connection timestamps, consent events (structured logs without secrets).
- Usage & billing context: tier, module entitlements, quota consumption (aggregated request counts).
- Technical logs: request metadata (timestamps, endpoints, outcome codes, client id for OAuth events). We do not log authorization codes, PKCE verifiers, or plaintext API keys.
- Support communications you send us voluntarily.
We do not require birth data, location, or chart inputs to be stored in your account profile. Query parameters you send to computation endpoints are processed to produce responses and are not retained as profile data unless required for abuse prevention (short-lived operational logs).
4. OAuth and third-party AI platforms
When you connect Astronomy Core via OAuth in Claude, ChatGPT, or Perplexity, you authorize
that platform to obtain an API key on your behalf. Access to your Astronomy Core
account entitlements is shared with the platform you chose for as long as the
connection remains active. Each platform is identified by name in our systems
(claude, chatgpt,
perplexity).
You can revoke any connection at any time from your dashboard (Connected AI Assistants), which immediately invalidates the linked credential.
5. Purposes and legal bases (GDPR — EEA/UK users)
- Provide the service (account, API/MCP access, OAuth token issuance) — Art. 6(1)(b) contract.
- OAuth consent flow (authorization approval screen) — Art. 6(1)(a) consent; you may withdraw by revoking the connection.
- Security, abuse prevention, and operational logging — Art. 6(1)(f) legitimate interests (proportionate; no secrets in logs).
- Legal compliance where applicable — Art. 6(1)(c).
6. Processors and transfers
We use Google Firebase / Google Cloud (hosting, authentication, Firestore, Cloud Functions, Cloud Logging) as infrastructure processors. Third-party AI platforms you connect via OAuth act as separate controllers for their apps. Data may be processed outside your country; where required we rely on appropriate safeguards (e.g. Standard Contractual Clauses).
7. Retention
- Account data: until you delete your account or request erasure.
- API keys: until revoked or deleted; hashes retained only while the key record exists.
- OAuth authorization codes: short TTL (~10 minutes), single-use.
- Operational logs: limited retention per cloud provider defaults unless longer retention is required for security investigations.
8. Your rights
If GDPR applies, you may request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interests. You may withdraw OAuth consent by revoking the connection. You may lodge a complaint with your supervisory authority. Contact us.
9. Changes
We may update this policy. Material changes will be indicated by updating the date above. Continued use after publication constitutes acceptance where permitted by law.