Privacy Policy
Last Updated: March 16, 2026
1. Introduction & Data Controller
This Privacy Policy describes how Efebia Srl (“Efebia,” “we,” “us,” or “our”), located at Via Nicola Antonio Porpora 63, Milan, Italy, collects, uses, stores, and protects your personal information when you use the Thea mobile application (“Thea,” “the App”) and all related services.
For any privacy-related inquiries, please contact us at info@efebia.com.
This Policy applies to the Thea mobile application available on iOS (Apple App Store) and Android (Google Play Store) and all services delivered through the App.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account and use Thea, you may provide:
- Account information: email address, password, full name
- Birth data: date of birth (including exact time of birth), birthplace
- Preferences: timezone, primary intent (health, wealth, business, or relationships), language preference
- Chat messages: questions and messages you send to the AI chat assistant
2.2 Information from Third-Party Sign-In
If you sign in using a third-party provider, we receive:
- Google OAuth: Google account identifier, email address, display name
- Apple Sign-In: authentication token, email address (which may be an Apple private relay address)
We do not access any other data from your Google or Apple accounts beyond what is listed above.
2.3 Information Collected Automatically
- Device location (limited): We request your device’s latitude and longitude solely to detect your timezone. This location data is used transiently for timezone lookup and is not stored permanently.
- No analytics: We do not use analytics SDKs or collect usage analytics.
- No crash reporting: We do not use third-party crash reporting services.
- No advertising identifiers: We do not collect or use advertising IDs (IDFA, GAID).
2.4 Payment Information
- Subscription tier: Your selected subscription plan (Explorer, Harmony, or Calibration)
- Platform purchase tokens and transaction IDs: Used to verify your subscription status with Apple App Store or Google Play
All payment processing is handled entirely by Apple (App Store) or Google (Play Store). We do not collect, process, or store your credit card number, bank details, or other financial payment information. We retain only the platform purchase tokens and transaction IDs necessary for subscription verification.
2.5 Derived Information
Through your use of the App, we generate and store:
- AI-generated content: Readings, deep dives, and chat responses produced by our AI system based on your provided data
- Usage metrics: Number of readings and deep dives consumed per subscription period
3. How We Use Your Information
3.1 Core Service Delivery
- Generating personalized readings across metaphysical systems (astrology, numerology, Human Design, and others)
- Producing deep dive analyses on specific topics
- Powering the AI chat assistant to respond to your questions
- Translating content into your preferred language
3.2 Account Management
- Authenticating your identity and managing your account
- Verifying your email address
- Managing your subscription and verifying purchase status
3.3 Legal Bases for Processing (GDPR Article 6)
| Legal Basis | Processing Activities |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Account creation, service delivery (readings, deep dives, chat), subscription management |
| Consent (Art. 6(1)(a)) | Processing of birth data for metaphysical readings, optional location access for timezone detection |
| Legitimate interest (Art. 6(1)(f)) | Service security, fraud prevention, enforcing Terms of Service |
4. AI Processing Disclosure
4.1 AI Provider
Thea uses Google Gemini AI (models: gemini-2.5-pro and gemini-2.5-flash) to generate all personalized content.
4.2 Data Shared with Google Gemini AI
To generate your personalized content, the following data is sent to the Google Gemini API:
- Full name
- Date of birth (including exact time)
- Birthplace
- Timezone
- Primary intent (health, wealth, business, or relationships)
- Language preference
- Chat message history (for chat interactions)
- Reading context (for follow-up questions and deep dives)
4.3 Purposes of AI Processing
- Reading generation: Personalized readings across 9 metaphysical modules (Akashic Records, Brahma Method Astrology, Chaldean Numerology, Evangeline Adams Business Astrology, Human Design, Pythagorean Numerology, Tesla Numerology, Vedic Astrology, Western Astrology) plus a synthesized overview
- Deep dive analysis: In-depth exploration of specific topics within reading results
- Chat responses: Conversational AI responses to your questions
- JSON translation: Translating structured reading content into your preferred language
4.4 Google’s Data Usage Policy
Data sent to Google Gemini via the API is subject to Google’s API data usage policy. As of the date of this Privacy Policy, data sent through the paid Gemini API is not used by Google to train its models. For the most current information, please refer to Google’s published API terms.
4.5 Storage of AI Outputs
AI-generated content (readings, deep dives, chat responses) is stored in our infrastructure (AWS S3 and our database) to allow you to access your past readings and maintain conversation history.
5. Special Categories of Data (GDPR Article 9)
Your birth data (date, time, and place of birth), when used to generate astrological and metaphysical readings, may reveal or relate to philosophical or spiritual beliefs. Under GDPR, such data may constitute a special category of personal data.
We process this data based on your explicit consent, which you provide during the onboarding process when you voluntarily enter your birth details and select your primary intent.
You may withdraw this consent at any time by deleting your account (see Section 9).
6. Data Sharing & Third-Party Services
We share your personal data only with the following third parties, and only for the purposes described:
| Third Party | Data Shared | Purpose | Location |
|---|---|---|---|
| Google Gemini AI | Name, birth data, timezone, intent, language, chat history, reading context | AI content generation | US / Global |
| Google OAuth | Authentication token | Account sign-in | US / Global |
| Apple Sign-In | Authentication token | Account sign-in | US / Global |
| Apple App Store | Purchase token, transaction ID | Subscription verification | US / Global |
| Google Play | Purchase token, transaction ID | Subscription verification | US / Global |
| Google Maps Timezone API | Latitude, longitude (transient) | Timezone detection from location or birthplace | US / Global |
| AWS S3 | AI-generated content (readings, deep dives) | Content storage | EU (eu-central-1, Frankfurt) |
| AWS SES | Email address | Email verification and notifications | EU (eu-west-1, Ireland) |
We do not:
- Sell your personal data to anyone
- Share data with advertising networks
- Share data with data brokers
- Share data with any parties not listed above
7. Data Storage & Security
7.1 Server-Side Storage
| Storage System | Data Stored | Location |
|---|---|---|
| PostgreSQL database | User accounts, birth data, preferences, reading metadata, subscription data, chat history | EU |
| AWS S3 | AI-generated reading outputs, deep dive content | EU (eu-central-1, Frankfurt) |
| MongoDB | Application logs (no personally identifiable information) | EU |
7.2 Local (On-Device) Storage
| Technology | Data Stored |
|---|---|
| MMKV (encrypted key-value store) | User preferences, cached data |
| AsyncStorage | Authentication token (JWT), cached user profile |
7.3 Security Measures
- Authentication: JSON Web Tokens (JWT) with secure token handling
- Password hashing: Argon2 algorithm (industry-leading password hashing)
- Transport: All data transmitted over HTTPS (TLS encryption)
- Local encryption: MMKV provides encrypted on-device storage
- Session management: Authentication tokens are cleared on logout; all cached data is cleared when switching accounts
8. International Data Transfers
8.1 EU-Based Infrastructure
Our primary data storage infrastructure is located in the European Union:
- AWS S3: eu-central-1 (Frankfurt, Germany)
- AWS SES: eu-west-1 (Ireland)
8.2 International Transfers
Certain third-party services may process data outside the EU:
- Google services (Gemini AI, OAuth, Timezone API, Play Store): May process data in the United States or other countries
- Apple services (Sign-In, App Store): May process data in the United States or other countries
8.3 Safeguards
Where data is transferred outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Data Processing Agreements (DPAs) with our service providers
- Adequacy decisions where applicable
9. Data Retention & Deletion
9.1 Active Accounts
While your account remains active, your personal data and AI-generated content are retained to provide the service.
9.2 Account Deletion
When you delete your account:
- Soft deletion: Your email and identifiers are randomized to anonymize the record
- Content deletion: All associated readings, chat history, deep dives, and module execution outputs are cascade-deleted from the database
- S3 objects: A cleanup process for removing AI-generated content from S3 storage is being implemented. Until fully complete, some content may persist in S3 storage after account deletion
- Subscription records: Basic subscription and transaction records may be retained as required for financial reporting and legal obligations
9.3 How to Delete Your Account
You can delete your account at any time through: Profile > Data Privacy in the App.
10. Your Rights
10.1 Rights Under GDPR (EU/EEA Residents)
If you are in the European Union or European Economic Area, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data (“right to be forgotten”) |
| Restriction | Request that we limit processing of your data |
| Data portability | Receive your data in a structured, machine-readable format |
| Object | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time (without affecting prior processing) |
| Lodge a complaint | File a complaint with your local data protection supervisory authority |
10.2 Rights Under CCPA (California Residents)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt out of sale of personal information — we do not sell your personal information
- Non-discrimination for exercising your rights
10.3 How to Exercise Your Rights
- Account deletion and data editing: Use the in-app feature at Profile > Data Privacy
- All other requests: Contact us at info@efebia.com
We will respond to your request within 30 days (or as required by applicable law).
11. Children’s Privacy
Thea is not directed at children under 18 years of age. We do not knowingly collect personal information from anyone under 18.
If we discover that we have inadvertently collected personal data from a person under 18, we will promptly delete their account and all associated data.
If you believe that a child under 18 has provided us with personal information, please contact us at info@efebia.com.
12. Local Storage (Mobile)
The Thea mobile app uses on-device storage technologies (not traditional browser cookies):
| Technology | Purpose | Encrypted |
|---|---|---|
| MMKV | User preferences, cached data | Yes |
| AsyncStorage | Authentication token (JWT), cached user profile | No (standard device storage) |
- Logout: All authentication tokens and cached query data are cleared when you log out
- Account switching: Cached data is cleared when switching between accounts
- Uninstall: All local data is removed when you uninstall the App
- No cookies: The mobile app does not use traditional HTTP cookies
- No cross-app tracking: Local storage is sandboxed to the Thea app and cannot be accessed by other apps
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through an in-app notice.
Your continued use of Thea after any changes to this Privacy Policy constitutes your acceptance of the updated Policy.
We encourage you to review this Privacy Policy periodically.
14. Contact Information
For any questions or concerns about this Privacy Policy or our data practices:
- Email: info@efebia.com
- Postal address: Via Nicola Antonio Porpora 63, Milan, Italy