Privacy Policy
Last updated: April 18, 2026
Effective: April 18, 2026
This Privacy Policy describes how Two Skies (“Two Skies,” “we,” “us,” or “our”), a company incorporated in the State of Washington, United States, collects, uses, discloses, retains, and protects personal information when you visit our website at twoskies.ai (the “Site”) or use our astrology reading products, including the Glimpse, the Story, the Year Ahead, Ask Your Chart, the Unfolding, the Relationship Report, and any related services (collectively, the “Service”).
We are the “controller” (GDPR / UK GDPR) and “business” (CCPA/CPRA and other US state privacy laws) of the personal information described in this Policy. If you are a resident of the European Economic Area, the United Kingdom, California, Washington, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Florida, New Jersey, Minnesota, Maryland, Indiana, Kentucky, Nebraska, Rhode Island, or New Hampshire, see Your Rights below for jurisdiction-specific disclosures.
Questions about this Policy, our practices, or your rights? Email privacy@twoskies.ai or write to our privacy contact at the address in the Contact section.
1. Information we collect
We collect the following categories of personal information:
1.1 Information you provide directly
- Account information: email address, name (optional), and magic-link sign-in tokens.
- Birth data: date of birth, time of birth (if known), place of birth, and derived latitude, longitude, and timezone. This is required to compute an astrological chart.
- Life context answers: optional short answers you provide during reading intake about your current focus area, relationship status, career question, experience level with astrology, and similar topics.
- Ask Your Chart questions and answers: the free-text questions you submit and the AI-generated responses.
- Reading content feedback: thumbs-up/thumbs-down ratings and optional comments you submit on Ask Your Chart answers.
- Relationship / synastry data: if you purchase a Relationship Report, the name and birth data (date, time, place) of your partner or the third party about whom you are requesting analysis. See Section 4 for important limits on third-party data.
- Customer-support correspondence: emails you send us and our replies.
1.2 Information collected automatically
- Server log data: IP address, user-agent string, referrer, request URL, timestamps, and HTTP response codes, collected by our hosting provider (Vercel) for operational, security, and abuse-prevention purposes.
- Device and session data: browser type, operating system, device type, and session identifiers stored in essential cookies or equivalent technologies to keep you signed in and preserve your current reading state.
- Product analytics: aggregated, privacy-preserving usage metrics collected by Vercel Analytics (page views, request counts, approximate geography at country level). Vercel Analytics does not use third-party cookies or cross-site tracking.
- Telemetry about AI usage: for each Ask Your Chart request we record internal metrics such as which Claude model was used, token counts, latency, error codes, safety-classifier decisions, and whether our content validator flagged the response — used for cost monitoring, quality assurance, and fraud prevention. We do not log the plain text of your questions or answers as part of this telemetry.
1.3 Information from third parties
- Payment processor (Stripe): when you purchase a reading or subscription, Stripe provides us with a transaction identifier, subscription status, last-four digits of your card (for your receipt), and billing country. We do not receive or store your full card number, CVC, or full billing address.
- Email delivery provider (Resend): delivery status for transactional email (delivered, bounced, complaint).
2. Sensitive data and Washington My Health My Data Act
Two Skies is not a medical, mental-health, psychological, or crisis-intervention service, and we do not provide medical, diagnostic, or therapeutic products. Our readings are interpretive, literary, and reflective content about astrology.
We recognize that astrology touches themes that can feel personal — mood, relationships, career, bodily constitution, life meaning. Under Washington's My Health My Data Act (“MHMDA”), “consumer health data” can include inferences about a consumer's past, present, or future physical or mental health status. We do not intend to collect or infer consumer health data, and we design the product to avoid doing so:
- Our Ask Your Chart safety layer identifies questions seeking medical diagnosis, treatment advice, or crisis intervention and refuses them, directing users to qualified professionals (including the 988 Suicide & Crisis Lifeline in the United States).
- We do not sell, rent, or lease any information that could be characterized as consumer health data.
- We do not share any such information with advertisers, data brokers, or social-media platforms.
- We do not geofence sensitive locations (such as healthcare facilities) and do not use geolocation beyond what a birth city provides for chart computation.
If you are a Washington resident, you have specific rights under MHMDA in addition to the general rights described in Section 8 below. You can exercise them by emailing privacy@twoskies.ai with the subject line “MHMDA Request.”
Under GDPR Article 9, we do not ask you to provide special-category data (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, or data concerning sex life or sexual orientation). Do not submit such data in free-form fields (life context answers, Ask Your Chart questions, feedback comments). If you voluntarily submit such data, you consent to our processing of it for the purpose of delivering the Service.
3. How we use personal information
We use the information we collect for the following purposes:
- To deliver the Service: compute astrological charts; generate readings; answer Ask Your Chart questions; send magic-link sign-in emails and reading-completion notifications.
- To process payments: charge for one-time purchases and subscriptions; issue receipts and refunds; handle chargebacks; comply with tax and accounting requirements.
- To operate and secure the Service: monitor performance, prevent abuse and fraud, enforce our Terms of Service, investigate security incidents, and maintain backups.
- To improve the product: study aggregated, de-identified usage patterns; debug errors; measure quality and cost of AI-generated content. We do not use your individual chart or Ask Your Chart conversations to train machine-learning models, and we require our LLM provider not to train on our API traffic (see Section 5).
- To communicate with you: respond to support requests; notify you of material changes to this Policy or our Terms; send service-essential messages (e.g., subscription renewal reminders where required by law).
- To comply with law: respond to subpoenas, court orders, and valid legal requests; protect our rights and the rights and safety of others.
3.1 Legal bases (EEA / UK users)
If GDPR or UK GDPR applies to you, we rely on the following legal bases (Article 6):
- Contract (Art. 6(1)(b)): to create and maintain your account, compute your chart, generate and deliver your reading, answer Ask Your Chart questions, process payments, and provide customer support.
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, measure aggregate usage, improve product quality, and defend legal claims. We have balanced these interests against your rights and believe they are not overridden; you can object at any time.
- Consent (Art. 6(1)(a)): for any processing we describe as requiring your consent (for example, if we introduce non-essential analytics). You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): to retain financial records for tax and accounting compliance, respond to lawful government requests, and meet other legal duties.
4. Third-party (partner) data in Relationship Reports
When you purchase a Relationship Report, you provide personal information about another person (your “partner”): their name, date of birth, time of birth if known, and place of birth. By submitting a partner's information, you represent and warrant that:
- You have obtained that person's informed consent to submit their information to Two Skies for astrological analysis, or you have another lawful basis to do so under the laws that apply to you.
- You will not use the resulting Relationship Report to surveil, stalk, harass, harm, or make adverse decisions about that person.
- If the partner later requests deletion of their information, you will forward that request to us or permit us to act on it.
If a partner contacts us directly at privacy@twoskies.ai and asks us to delete their information, we will delete it from the associated Relationship Report and take reasonable steps to confirm their identity before doing so.
5. Automated decision-making and AI-generated content
Two Skies uses the Claude large-language model made by Anthropic, PBC (“Anthropic”) to generate the interpretive text of readings and Ask Your Chart answers. This is a form of automated processing. It does not produce legal or similarly significant decisions about you. It is a creative and reflective text product — not a decision that affects your legal rights, credit, employment, housing, insurance, healthcare, or any regulated outcome.
We inject your chart data and, for Ask Your Chart, your question and a bounded history of prior questions and answers into the prompt sent to Anthropic's API. Under our commercial agreement with Anthropic, Anthropic may retain API inputs and outputs for up to thirty (30) days for trust-and-safety review, after which they are deleted. Anthropic does not use our API traffic to train its models.
AI systems can make mistakes, generate plausible-sounding but incorrect statements, or produce content that does not reflect your actual chart. We use a safety classifier and a post-response validator to reduce these issues, but we cannot eliminate them. Treat readings and Ask Your Chart answers as reflective guidance, not as authoritative advice. You have the right to request human review of any AI-generated output you believe is materially wrong by emailing support@twoskies.ai.
6. Who we share information with
We do not sell your personal information for money. We do not “share” your personal information for cross-context behavioral advertising as defined by the California Consumer Privacy Act as amended (CCPA/CPRA). We do not disclose your personal information to data brokers.
We disclose personal information only to the following categories of recipients, and only to the extent needed to operate the Service:
6.1 Service providers (processors / sub-processors)
| Provider | Purpose | Data received |
|---|---|---|
| Supabase | Primary database hosting | Account, birth data, readings, Ask Your Chart messages, payment identifiers, feedback |
| Stripe | Payment processing and subscription billing | Email, billing country, card data (directly to Stripe), transaction metadata |
| Anthropic | LLM generation of readings and Ask Your Chart answers | Chart context, reading prompts, Ask Your Chart question text and prior-turn history |
| Vercel | Website hosting, API routes, CDN, request logs, privacy-preserving analytics | Request metadata, IP, user-agent, aggregate usage counts |
| Amazon Web Services (AWS Lambda) | Chart-computation engine (Swiss Ephemeris) | Birth date, time, latitude, longitude, timezone — no name, email, or account identifier |
| Resend | Transactional email delivery (magic-link sign-in, reading-ready notifications) | Email address, email content |
| Slack (internal alerts) | Operational incident alerting to our team (payment failures, disputes) | Transaction amounts, Stripe customer identifiers, failure reasons |
Each provider processes personal information only on our documented instructions under a written data processing agreement (or EU/UK Standard Contractual Clauses where applicable).
6.2 Legal, safety, and business-transfer disclosures
- Legal process: we may disclose personal information when required by subpoena, warrant, court order, or other valid legal process, or when we have a good-faith belief that disclosure is necessary to comply with law.
- Safety and rights: we may disclose information to protect the rights, property, or safety of Two Skies, our users, or the public, including to investigate fraud, abuse, or threats.
- Business transfers: if Two Skies is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to the protections of this Policy. We will notify registered users of any change of controller.
- With your consent: we may disclose information for purposes not listed above if you direct us to.
7. Data retention
We retain personal information only as long as needed for the purposes for which it was collected, to comply with legal obligations, or to resolve disputes and enforce agreements. Specific retention periods:
- Account and reading data: retained until you delete your account or reading. If your account is inactive for more than three (3) years, we may delete or anonymize the account and its readings.
- Ask Your Chart conversations and feedback: retained with the associated reading on the same schedule.
- Magic-link sign-in tokens: short-lived; expire automatically.
- Server logs (Vercel): up to thirty (30) days.
- AI telemetry (token counts, latency, errors, safety-classifier decisions): up to twenty-four (24) months for cost monitoring and quality assurance; may be retained in aggregated, de-identified form indefinitely.
- Payment records (Stripe and our records): retained for at least seven (7) years to comply with US tax, accounting, and anti-money-laundering requirements, even after account deletion.
- Support correspondence: retained for up to three (3) years.
- Backups: personal information may persist in encrypted database backups for up to ninety (90) days after deletion from active systems; it is not used for any purpose during that window and is overwritten on schedule.
8. Your rights
Depending on where you live, you have some or all of the rights described below. We will not discriminate against you for exercising any of these rights.
8.1 Rights available to all users
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate or incomplete information.
- Deletion: request that we delete your account and associated readings. You can do this yourself from the My Readings page, or email us.
- Portability: request an export of your readings in a machine-readable format.
- Object / restrict: object to or restrict our processing of your information in certain cases.
8.2 California (CCPA/CPRA)
California residents have the right to: (a) know the categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of third parties we disclose to; (b) correct inaccurate personal information; (c) delete personal information we collected from you, subject to exceptions; (d) limit the use and disclosure of sensitive personal information; (e) opt out of “sale” and “sharing” of personal information (we do neither); (f) portability; and (g) freedom from discrimination for exercising these rights.
We honor Global Privacy Control (GPC) signals from supported browsers as an opt-out preference signal where applicable. You may also email privacy@twoskies.ai to submit a request. We do not sell personal information, so no separate “Do Not Sell My Personal Information” link is presented; this disclosure serves the same purpose.
An authorized agent may submit a request on your behalf with your signed permission and sufficient information for us to verify you and the agent.
8.3 Washington (My Health My Data Act)
Washington residents have the right to: (a) confirm whether we are processing consumer health data concerning them and access that data; (b) withdraw any previously granted consent; (c) delete consumer health data; and (d) appeal any denied request. To exercise these rights, email privacy@twoskies.ai with the subject line “MHMDA Request.” As described in Section 2, we do not intend to collect consumer health data and design the product to avoid doing so.
8.4 Virginia, Colorado, Connecticut, Utah, and other US state residents
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), Florida (FDBR), New Jersey (NJDPA), Minnesota (MCDPA), Maryland (MODPA), Indiana (ICDPA), Kentucky (KCDPA), Nebraska (NDPA), Rhode Island (RIDTPPA), and New Hampshire (NHDPA) have broadly similar rights to access, correct, delete, port, and opt out of the sale of personal data or targeted advertising. We do not engage in targeted advertising or profiling with legal or similarly significant effects.
If we deny your request, you have the right to appeal by replying to our denial email within sixty (60) days. If your appeal is unsuccessful, you may contact your state Attorney General.
8.5 European Economic Area, United Kingdom, and Switzerland
If GDPR, UK GDPR, or the Swiss FADP applies to you, in addition to the rights above you have the right to: (a) withdraw consent at any time, without affecting prior processing; (b) object to processing based on legitimate interests; and (c) lodge a complaint with your local supervisory authority (for example, the UK Information Commissioner's Office, the Irish Data Protection Commission, or the French CNIL).
8.6 How to submit a request
Email privacy@twoskies.ai with the subject line of your request (e.g., “Access Request,” “Deletion Request,” “MHMDA Request,” “CCPA Request,” “GDPR Request”). We will verify your identity using information we already hold (for example, confirming an email is tied to an existing account) and respond within the timeframes required by applicable law — generally forty-five (45) days (CCPA, most US state laws) or thirty (30) days (GDPR/UK GDPR), with one extension of up to forty-five (45) or sixty (60) additional days where permitted. If your request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or decline to act, and will tell you why.
9. International data transfers
Our primary servers and most of our sub-processors are located in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States and potentially other jurisdictions where our sub-processors operate.
For transfers of personal information originating in the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) with our sub-processors, or on an adequacy mechanism where one has been recognized. You may request a copy of the transfer mechanism in use by emailing privacy@twoskies.ai.
10. Cookies and similar technologies
We use a small number of strictly necessary cookies and similar technologies to keep you signed in, preserve your current reading state, maintain request security (CSRF tokens), and load-balance traffic. These cookies are essential to delivering the Service and do not require consent.
Vercel Analytics collects aggregated, privacy-preserving usage counts without using third-party cookies, cross-site tracking, or device fingerprinting. We do not use advertising or cross-site tracking cookies, and we do not share usage data with advertising networks. If a future feature would introduce non-essential cookies, we will request your consent first and add a cookie banner.
11. Children
The Service is not directed to children under the age of sixteen (16). We do not knowingly collect personal information from children under sixteen. If you are a parent or guardian and believe your child has provided us with personal information, email privacy@twoskies.ai and we will delete it promptly. We do not use personal information to create profiles of children or to deliver targeted content to children.
If you are between sixteen and eighteen (16–18), please use the Service only with a parent or guardian's knowledge and consent.
12. Security
We implement reasonable and appropriate administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption of data in transit (HTTPS/TLS), encryption of data at rest by our hosting providers, access controls and least-privilege database access, written data-processing agreements with sub-processors, secret rotation for API credentials, and logging of administrative actions.
No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify affected users and appropriate regulators within the timeframes required by applicable law (including the GDPR's seventy-two (72) hour notification requirement, Washington's breach-notification statute, and state breach-notification laws in the United States).
13. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will (a) update the “Last updated” and “Effective” dates at the top of this page; (b) email registered users at least thirty (30) days before the changes take effect; and (c) where required by law, request your renewed consent. Non-material changes (for example, typographical corrections or clarifications that do not change our practices) take effect on posting.
14. Contact and complaints
Data controller / business: Two Skies, a Washington corporation.
Privacy contact / DPO: privacy@twoskies.ai
Mailing address: Two Skies, Privacy Office, [street address], Washington, United States.
EU/UK representative (where applicable): Not currently appointed; EU/UK users may contact privacy@twoskies.ai directly.
If you believe we have not addressed your concern, you may lodge a complaint with your state Attorney General (US residents), the Washington Attorney General's office (for MHMDA complaints), or your local data-protection supervisory authority (EEA, UK, Switzerland).