CCPA Compliance

Privacy Policy

Last Updated: 2026-04-02

1. Data Controller

Akixa

Inh. Dipl.-Phys. Gerhard H.C. Scheffler

Einzelunternehmen Seesener Str. 43 10711 Berlin Germany

Email: support@atumka.com Website: https://www.atumka.com

2. Overview of Processing

The following overview summarises the types of data processed and the purposes of their processing.

Types of Data Processed

Master data (e.g. names)
Contact data (e.g. email addresses)
Content data (e.g. entries in online forms)
Usage data (e.g. pages visited, interest in content, access times)
Meta and communication data (e.g. IP addresses, timestamps, identification numbers)
Birth data (date, time and place of birth for horoscope creation)
AI-generated content (astrological report texts created based on your birth data)
Categories of Data Subjects
Customers and prospects
Users of our online services
Purposes of Processing
Provision of contractual services (creation of personalised astrological reports)
Authentication and account management
Contact requests and communication
Web analytics and optimisation of our services
Security measures
Compliance with statutory retention obligations

3. Legal Basis

The legal bases for processing your data arise from the GDPR:

Contract performance (Art. 6(1)(b) GDPR) — creation and delivery of your astrological reports, account management
Legitimate interests (Art. 6(1)(f) GDPR) — security and operation of our website, fraud prevention
Consent (Art. 6(1)(a) GDPR) — web analytics, non-essential cookies
Legal obligation (Art. 6(1)(c) GDPR) — retention of invoicing data as required by German commercial and tax law

4. Security Measures

We implement technical and organisational security measures in accordance with Art. 32 GDPR to protect your data:

Encryption in transit: SSL/TLS encryption for all data transmissions
Encryption at rest: AES-256 encryption for all stored data (database and file storage)
Access control: Role-based access restrictions, structured access logging
Data minimisation: Automatic deletion of temporary data through time-based expiry mechanisms (e.g. checkout sessions after 1 hour, activity data after 90 days)
Account deletion: 30-day grace period upon account deletion, followed by complete and irreversible removal from all systems
Regular security updates: Continuous updates of all system components

5. Authentication

For sign-in and account management we use AWS Cognito as our authentication service.

Passwordless Sign-In (Email OTP)

Each time you sign in, a one-time verification code is sent to your email address. No passwords are stored or transmitted. Your email address is processed on the basis of Art. 6(1)(b) GDPR (contract performance).

Passkeys (WebAuthn)

You may optionally use passkeys to sign in. Biometric data (fingerprint, facial recognition) remains exclusively on your device. Only a cryptographic public key is stored on our servers, which does not allow any conclusions about your biometric data.

Data Stored

Email address (sign-in identity)
Public keys of registered passkeys
Sign-in timestamps (security logging)

6. AI-Powered Content Creation

We use AWS Bedrock (AI language models) to generate astrological report texts.

Data Processed

Your first name and astrological calculation data are transmitted to the AI models: planetary positions, house systems, aspects and transit data. Your first name is used to personalise the report. Other personal data (date of birth, place of birth, email) is not transmitted to the AI models. The conversion of your birth data into astronomical positions is carried out in advance by our own calculation software.

No Automated Decision-Making

The generated reports serve exclusively for information and entertainment purposes. No automated decision-making within the meaning of Art. 22 GDPR takes place — the reports have no legal effect and do not constitute decisions that affect you.

Processing Location

AWS Bedrock processes the data in the US-East-1 region (Virginia, USA). As only your first name and no further identifying data is transmitted, the risk of a third-country transfer is minimal. Processing takes place on the basis of the AWS GDPR Data Processing Addendum.

Legal Basis

Art. 6(1)(b) GDPR (contract performance — the creation of the report is the contractually owed service).

7. Web Analytics

Google Analytics 4 (GA4) and Google Tag Manager (GTM)

We use Google Analytics 4 and Google Tag Manager provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) to analyse website usage.

Data processed: Pseudonymised usage data (pages visited, time spent, device information). IP anonymisation is enabled — your full IP address is not stored.

Legal basis: Art. 6(1)(a) GDPR (consent). Analysis only takes place with your explicit consent via our cookie banner.

Objection and opt-out: You may withdraw your consent at any time via the cookie settings. Additionally, you can use the browser plugin to disable Google Analytics at https://tools.google.com/dlpage/gaoptout.

A data processing agreement with Google Ireland Ltd. is in place.

8. Data Transmission

Your personal data is only transmitted to third parties in the cases described below:

Payment Processing — Dodo Payments

Dodo Payments acts as Merchant of Record (merchant in the legal sense) for payment processing. Dodo Payments is an independent controller pursuant to Art. 4(7) GDPR for the processing of your payment data (credit card data, billing address). You can find the privacy policy of Dodo Payments on their website. We do not store any payment data ourselves.

Hosting — Vercel Inc.

Our website is hosted by Vercel Inc. The servers are located in the EU. A data processing agreement pursuant to Art. 28 GDPR is in place. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable website operation).

Cloud Infrastructure — Amazon Web Services (AWS)

For authentication, data storage and application logic we use AWS services (Cognito, DynamoDB, S3) in the EU region eu-central-1 (Frankfurt). A data processing agreement is in place via the AWS GDPR Data Processing Addendum. Legal basis: Art. 6(1)(b) and (f) GDPR.

9. Cookies

Our website uses cookies. These are small text files stored on your device.

Essential Cookies

These cookies are strictly necessary for the operation of the website (e.g. session cookies for the sign-in area, language settings). They cannot be disabled. Legal basis: Art. 6(1)(f) GDPR.

Analytics Cookies

With your explicit consent, we use cookies to analyse website usage (see Section 7 — Web Analytics). Legal basis: Art. 6(1)(a) GDPR.

You can delete cookies or prevent their storage in your browser settings at any time. You can also adjust your cookie preferences via our cookie banner.

10. Storage Duration

We only store your data for as long as necessary for the respective purpose or as required by statutory retention obligations:

Invoicing and business records: 10 years (Section 257 HGB, Section 147 AO — commercial and tax law retention requirements)
Contractual data: 3 years after end of contract (Section 195 BGB — standard limitation period)
Astrological reports and birth data: Until deletion by the user via account settings
Activity data: 90 days (automatic deletion)
Checkout sessions: 1 hour (automatic deletion)
Authentication data: One-time codes 5 minutes, sign-in data for the duration of account existence
Cookies: Depending on type, 1 day to 12 months (see Section 9)
After the respective period expires, your data is automatically and irreversibly deleted.

11. Your Rights

You have the following rights regarding your personal data:

Access to your stored data (Art. 15 GDPR)
Rectification of incorrect data (Art. 16 GDPR)
Erasure of your data (Art. 17 GDPR)
Restriction of processing (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Object to processing (Art. 21 GDPR)
Withdrawal of consent with future effect (Art. 7(3) GDPR)
Exercising Your Rights

For a data export (Art. 15 and 20), an export function is available in your account settings. Account deletion (Art. 17) can also be initiated in your account settings — after a 30-day grace period, all your data will be irreversibly deleted from all systems. For all other requests, please contact us at support@atumka.com. We will process your request within 30 days.

12. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. The AI-generated astrological reports are content for information and entertainment purposes. They do not constitute decisions that have legal effect on you or similarly significantly affect you.

13. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is:

Berlin Commissioner for Data Protection and Freedom of Information Friedrichstr. 219 10969 Berlin Email: mailbox@datenschutz-berlin.de

14. Contact

For questions about data protection, please contact us at: Email: support@atumka.com

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information we collect
The right to delete your personal information
The right to opt-out of the sale of personal information (we do not sell your data)
The right to non-discrimination for exercising your privacy rights
To exercise these rights, please contact us at support@atumka.com.