Privacy Policy

Full Privacy Policy

Effective date and scope

Effective Date: April 28, 2026

Last Updated: April 28, 2026

AstraSomnia, Inc. doing business as EdAstra, together with our affiliates and subsidiaries, respects your privacy. This Privacy Policy explains how we collect, use, disclose, store, retain, and otherwise process information when you access or use EdAstra’s websites, mobile applications, AI features including Luna, school or educator dashboards, support channels, and related services (collectively, the “Services”).

This Privacy Policy is intended to be read together with our Terms of Service, any school or district agreement, and any separate consent or notice we provide at or before the point of collection.

If a school, district, tutor organization, or other institution provides you access to the Services, some processing may also be governed by that organization’s contract with us and by education privacy laws. See the sections titled Children’s Privacy, School, Parent, and Student Privacy, and State Privacy Rights below. FERPA can apply when a school discloses education records to a contractor acting as a school official and under the school’s direct control.

Who we are

For most direct-to-consumer uses, AstraSomnia, Inc. is the business or controller responsible for your information.

Contact Information

AstraSomnia, Inc.

[Company Address]

Email: [privacy@company.com]

Webform: [Privacy Request URL]

Support: [Support URL]

If we have appointed a data protection contact for particular jurisdictions, that contact will be listed here: [DPO or Privacy Lead Contact].

Information we collect

We collect the following categories of information, depending on how you use the Services:

Information you provide directly

Name, email address, phone number, username, password, school affiliation, grade level, parent or educator contact details, and similar registration information
Study responses, essays, practice answers, notes, bookmarks, uploads, feedback, survey responses, and user-generated content
Messages, prompts, attachments, and other content you submit to Luna or other AI-powered features
Payment and billing information if you purchase a subscription or service, typically through our payment processors
Support requests, screenshots, recordings, and correspondence

Information we collect automatically

Device, browser, operating system, app version, IP address, approximate location inferred from IP, crash logs, diagnostics, and security logs
Usage, engagement, and telemetry information, including pages viewed, taps, clicks, study sessions, feature usage, time stamps, referrals, and session activity
Cookies, SDK events, local storage, pixels, and similar technologies

Education and personalization information

Practice-test results, question-level performance, time on task, accuracy patterns, review behavior, streaks, goal progress, and engagement history
Personalization outputs, learning recommendations, mastery estimates, pacing suggestions, and similar inferences generated from your use of the Services
We may refer to these outputs as part of our proprietary Neurocognitive Learning Model or “NLM” profile. These are educational personalization inferences, not medical or psychological diagnoses.

Information from third parties

Single sign-on providers
Schools, districts, tutors, parents, or educators who provision access to the Services
Payment processors, analytics providers, security vendors, and communications providers
Public or lawful third-party sources where permitted

California expressly treats “inferences” used to create a profile about a consumer’s preferences, behavior, intelligence, abilities, or aptitudes as personal information. That means NLM-style study profiles should be treated as personal information for California compliance purposes.

How we use information

We use information for the following business and operational purposes:

To create, maintain, authenticate, and secure accounts
To provide SAT-prep content, scheduling, dashboards, and core app functionality
To personalize study plans, recommendations, question selection, pacing, reminders, and coaching interactions
To operate Luna and other AI features, including generating responses, summaries, explanations, nudges, and productivity assistance
To troubleshoot, test, improve, and develop the Services and new products or features
To measure activation, retention, learning consistency, and product performance
To communicate with you about the Services, updates, support, safety issues, billing, and marketing, subject to your choices and applicable law
To enforce our Terms, prevent fraud, detect abuse, investigate incidents, and protect users, AstraSomnia, and the public
To comply with law, regulation, legal process, and contractual obligations
To create de-identified or aggregated analytics, benchmarks, reports, research outputs, and product improvements as permitted by law

California requires businesses to disclose, at or before the point of collection, the categories collected, the purposes of collection or use, whether information is sold or shared, and the retention period or criteria used to determine it. California also requires collection, use, retention, and sharing to be reasonably necessary and proportionate to the disclosed purpose. GDPR likewise requires purpose limitation, storage limitation, and appropriate security safeguards.

Legal bases and purposes for processing

For U.S. users, our processing is generally based on business, contractual, security, support, and legal-compliance needs as described in this Policy.

If GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases depending on the processing:

Contract: to provide the Services you request, manage your account, deliver paid subscriptions, and operate core study features
Legitimate interests: to improve the Services, secure the platform, prevent fraud, conduct internal analytics, and develop new features, provided our interests are not overridden by your rights
Consent: where required, such as certain marketing, certain cookies, certain sensitive-data uses, or child-consent scenarios
Legal obligation: to comply with law, valid legal process, tax rules, or regulatory duties
Vital interests: in limited emergency circumstances involving safety

EU guidance confirms organizations need a lawful basis for processing, and individuals have rights including access, rectification, erasure, restriction, portability, and objection. The European Commission also notes people should not be subject to solely automated decisions that are legally binding or similarly significant without appropriate safeguards.

User content, personalization, and AstraSomnia’s processing rights

By submitting, uploading, transmitting, or otherwise making content available through the Services, including study answers, notes, essays, prompts, chat messages, feedback, and other user content, you grant AstraSomnia a worldwide, non-exclusive, royalty-free, transferable, sublicensable license to host, store, reproduce, process, modify, adapt, analyze, create derivative works from, display, and otherwise use that content:

to provide, operate, maintain, personalize, and support the Services;
to develop, improve, test, evaluate, debug, and secure the Services and related models, systems, and features;
to create insights, reports, analytics, and recommendations;
to comply with law and enforce our agreements; and
to create and use de-identified, pseudonymized, or aggregated information, statistics, evaluation sets, and other derivative materials for product, research, benchmarking, operational, and commercial purposes, to the extent permitted by law.

As between you and AstraSomnia, you retain whatever rights you may have in your raw user content, but AstraSomnia owns the Services, software, systems, NLM methodology, Luna workflows, prompts, model evaluations, taxonomies, annotations, dashboard outputs, usage analytics, product telemetry, de-identified or aggregated data, derived statistics, and all improvements, models, features, and intellectual property created from or informed by the operation of the Services, subject to applicable law.

Important carve-outs:

We do not claim ownership over your personal information as a matter of law.
We do claim broad rights to process personal information as described in this Policy.
For education records received under FERPA, for school-official processing, or for under-13 data collected under school or parental authorization, our use may be limited by law, parental rights, and school contracts. FERPA contractor use must remain under the school’s direct control and for the purpose for which the records were disclosed. COPPA school consent is limited to educational purposes and not unrelated commercial purposes.

AI providers, subprocessors, and service providers

We may disclose information to vendors and subprocessors that help us run the Services, such as cloud hosting providers, analytics providers, customer support tools, authentication providers, payment processors, communications tools, security vendors, AI model or inference providers, data storage providers, and education-technology integrations.

We may send prompts, study context, or selected user content to AI or model providers to generate responses and support Luna and related features. Where feasible and appropriate, we configure vendors to act as processors, contractors, or service providers and to process data only on our behalf and under contractual restrictions. California’s service-provider concept requires written contractual restrictions against selling, sharing, or using information beyond the business purpose specified in the contract.

We may also disclose information:

to a school, educator, parent, or district connected with your use of the Services;
in connection with a merger, financing, acquisition, bankruptcy, asset sale, or similar transaction;
to comply with law, subpoena, court order, or lawful request;
to protect rights, safety, and security;
with your direction or consent.

Cookies, SDKs, analytics, and similar technologies

We use cookies, SDKs, local storage, device identifiers, pixels, and similar technologies to:

keep you signed in,

remember settings,
understand usage,
improve performance,
detect fraud and abuse,
measure campaigns, and
support product analytics and communications.

Where required by law, we will obtain consent before using non-essential technologies. We may also present region-specific notices and controls.

We do not currently represent that we respond to every “Do Not Track” browser signal. However, where required by applicable law, we honor recognized opt-out preference signals for sale or sharing, such as the Global Privacy Control or other valid California opt-out preference signals. California guidance states businesses must honor qualifying opt-out preference signals, and Colorado requires acceptance of universal opt-out mechanisms for certain opt-out requests.

Marketing communications

We may send service-related messages, push notifications, reminders, newsletters, offers, or other communications. You may opt out of marketing emails by using the unsubscribe link, adjusting settings, or contacting us. Transactional or service messages may still be sent when necessary.

If we use personal information for marketing based on consent, we will allow withdrawal of consent. If we market to children or teens in jurisdictions with heightened protections, we will apply additional restrictions and controls.

Retention and deletion

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business needs. We may retain different categories of information for different periods.

Where required by law, we provide the retention period for each category or the criteria used to determine it. California requires businesses to provide that retention information at or before collection; GDPR requires data to be stored no longer than necessary for the purposes collected. COPPA requires children’s personal information to be retained only as long as necessary and then deleted using reasonable measures.

When you delete your account or request deletion:

we will delete or de-identify eligible data from active systems within a reasonable period, typically within [30-45] days unless law, security, billing, fraud prevention, or a school contract requires longer retention;
certain data may remain in logs, backups, and disaster-recovery systems for a limited period, typically up to [90] days, after which it is overwritten or deleted in the ordinary course;
de-identified and aggregated information may be retained indefinitely to the extent permitted by law.

Security

We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, loss, or destruction. These measures may include authentication controls, access limitations, encryption in transit, encryption at rest where appropriate, logging, monitoring, vendor due diligence, incident response procedures, and workforce confidentiality obligations.

No system is perfectly secure, and we cannot guarantee absolute security.

Apple requires appropriate security measures for user data handling. Google Play requires privacy policies to describe secure data handling procedures, retention, and deletion practices. COPPA also requires reasonable steps to protect children’s information.

Your privacy rights and choices

Depending on where you live and how you use the Services, you may have rights to:

access or know about the personal information we maintain about you,
correct inaccurate information,
delete your information,
obtain a portable copy of certain information,
opt out of sale, sharing, targeted advertising, or certain profiling,
limit use or disclosure of sensitive personal information where applicable,
withdraw consent where consent is the basis for processing,
appeal certain denied requests, and
not be discriminated against for exercising privacy rights.

You may exercise rights by contacting us at [privacy@company.com], using [Privacy Request URL], or using in-app settings where available.

We will verify requests as required by law and may ask for information sufficient to match the request to your account or records. We will not ask for more information than reasonably necessary. Under California rules, opt-out requests must not require account creation or unnecessary information. California regulations also allow use of authorized agents with signed permission, while limiting authorized-agent use of consumer information to request fulfillment, verification, or fraud prevention.

California notice at collection and California privacy rights

If you are a California resident, this section applies to you.

At or before collection, we will tell you the categories of personal information and sensitive personal information we collect, the purposes for which we collect or use them, whether they are sold or shared, and how long we retain each category or the criteria used to determine that period. California also requires collection, use, retention, and sharing to be reasonably necessary and proportionate to the disclosed purposes.

California residents may have the right to:

know categories and specific pieces of personal information we collected,
know categories of sources,
know categories of third parties to whom information was disclosed, sold, or shared,
delete personal information,
correct inaccurate personal information,
opt out of sale or sharing,
limit use and disclosure of sensitive personal information where applicable, and
not receive discriminatory treatment for exercising rights. California guidance states delete, correct, and know requests must generally be confirmed within 10 business days and substantively answered within 45 days, with one 45-day extension when reasonably necessary. Valid California opt-out preference signals must also be honored.

Notice regarding sale or sharing.

We do not currently sell personal information for money. We do not currently share personal information for cross-context behavioral advertising. If we ever change that practice, we will update this Privacy Policy and provide any notice, consent, opt-out signal handling, or minor opt-in controls required by law before doing so. California defines “sell” broadly to include disclosure for monetary or other valuable consideration and defines “share” as disclosure to a third party for cross-context behavioral advertising, whether or not money changes hands.

Sensitive personal information.

We do not currently use or disclose sensitive personal information for purposes that require a California “Limit the Use of My Sensitive Personal Information” link, unless and until we separately disclose that practice. If our practices change, we will provide the required notice and controls. California gives consumers the right to limit certain uses of sensitive personal information.

Authorized agents and verification.

California residents may designate authorized agents to submit certain requests on their behalf. We may require signed permission, direct identity verification by the consumer, or direct confirmation from the consumer, except where a valid power of attorney applies.

Minors.

If we have actual knowledge that a California consumer is under 16, we will not sell or share that minor’s personal information unless the minor is at least 13 and under 16 and has affirmatively opted in, or the parent or guardian has affirmatively opted in for a child under 13. We would also wait at least 12 months before requesting consent again after a refusal, as required by California law.

Children’s privacy

EdAstra is generally intended for teens and older students preparing for standardized tests and is not directed to children under 13 unless we expressly launch a parent-authorized or school-authorized experience for younger users.

If we are a child-directed service, or if we have actual knowledge that we are collecting personal information from a child under 13, we will comply with COPPA. That means, among other things, posting a clear children’s privacy notice, providing direct notice to parents, obtaining verifiable parental consent unless an exception applies, allowing parents to review and delete their child’s information, allowing parents to stop further collection or use, using reasonable security, and retaining child data only as long as necessary. The FTC’s 2025 COPPA amendments further strengthen protections around third-party advertising, data minimization, and retention.

If we allow child access under a school-authorized educational context, we may rely on school consent where COPPA allows it, but school consent is limited to the educational purpose and is not a blanket authorization for unrelated commercial uses. The FTC specifically states schools may consent on behalf of parents only in the educational context and not for other commercial purposes.

If we need to determine whether a user is under 13 or otherwise apply age-appropriate protections, we may use age screens, date-of-birth collection, or other age-assurance tools. The FTC has stated that certain age-verification steps may be used under conditions without prior parental consent when used solely to determine age.

School, parent, and student privacy

If EdAstra is used through a school, district, or educator:

the school may be the institution responsible for certain education records;
AstraSomnia may act as a school official or contractor if the school outsources an institutional function to us;
our handling of those records will be limited by the school contract, FERPA, other student privacy laws, and our instructions from the school.

FERPA applies to education records maintained by schools that receive U.S. Department of Education funds. When a school discloses education records to a contractor under the school-official exception, the contractor must perform a function the school would otherwise use employees to perform, remain under the school’s direct control regarding use and maintenance, and be subject to FERPA’s rules on use and redisclosure. Parents and eligible students generally have rights to inspect and review education records within 45 days.

For school-pilot uses, AstraSomnia recommends a separate school agreement or data protection addendum that addresses:

whether AstraSomnia is a school official or service provider,
the educational purpose for the disclosure,
direct-control language,
confidentiality and redisclosure limits,
deletion and return obligations,
subprocessors,
security controls,
incident notice,
de-identification practices,
parent and student request routing, and
restrictions on model training or secondary use of raw school records.

If a parent or eligible student makes a FERPA-related request to us directly, we may direct the request to the school where the information is maintained as an education record on the school’s behalf. We will cooperate with the school as required by contract and law.

International transfers and optional GDPR and UK GDPR addendum

If you are located in the European Economic Area, the United Kingdom, or Switzerland, or if those laws otherwise apply to our processing, the following additional terms apply.

We may process personal data in the United States and other countries. Where required, we use appropriate safeguards for cross-border data transfers, such as Standard Contractual Clauses and complementary contractual, technical, and organizational measures. The European Commission states SCCs may be used for transfers from the EU or EEA to controllers or processors outside those regions, and the EDPB explains that cross-border transfers must satisfy GDPR Chapter V conditions.

If GDPR or UK GDPR applies, you may have rights to:

be informed,
access,
rectification,
erasure,
restriction,
portability,
objection, and
not be subject to certain solely automated decisions with legal or similarly significant effects.

For children’s consent:

in the EU, the age for parental consent for online services depends on Member State law and ranges from 13 to 16;
in the UK, children aged 13 and over may generally consent for themselves for online-service processing that relies on consent, and under-13 users generally require parental authorization.

If your product is likely to be accessed by children in the UK, the ICO’s Children’s Code expects age-appropriate design, transparent explanations for children, and careful treatment of profiling and marketing to children. The ICO also notes profiling of children can require a DPIA and special care.

State privacy rights beyond California

If the thresholds or minors provisions of other state laws apply, residents of those states may also have rights.

Virginia. Virginia’s Consumer Data Protection Act generally provides rights to access, delete, portability, and opt-out, requires responses within 45 days with a possible 45-day extension, and allows a known child’s parent or legal guardian to invoke rights on the child’s behalf. Processing of sensitive data generally requires consent.

Colorado. Colorado’s Privacy Act provides rights including access, correction, deletion, portability, and opt-out for targeted advertising, sale, and certain profiling. Controllers must respond within 45 days, and Colorado requires acceptance of recognized universal opt-out mechanisms. Colorado also has enhanced minors protections effective October 1, 2025 for online services with a heightened risk of harm to minors, and those protections can apply regardless of the ordinary CPA thresholds.

Connecticut. The CTDPA provides rights, requires responses within 45 days with a possible extension, requires consent for sensitive data, provides an appeal right for denied requests, and includes enhanced minors protections, including consent requirements around sale, targeted advertising, and profiling for certain minors.

Utah. Utah’s law provides access, deletion for data the consumer provided, portability, and opt-out rights for certain uses. Controllers must provide a clear privacy notice, respond to requests within 45 days, and generally must provide clear notice and an opportunity to opt out before processing sensitive data, while known-child processing must comply with COPPA.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version with a new effective date and provide additional notice where required. California law requires businesses not to make materially inconsistent retroactive changes without sufficient notice and the ability to exercise choices consistently with the law.

Data inventory table

Sample notices, DSAR language, and sign-up text

Sample short-form notice at collection

We collect account, device, study, and AI interaction data to operate EdAstra, personalize your study experience, support Luna, secure the service, improve our products, and communicate with you. We do not currently sell personal information or share it for cross-context behavioral advertising. For more details, including retention and your rights, see our Privacy Policy.

This short-form notice should link to the full Privacy Policy and be shown at sign-up, upload, or AI prompt entry points where appropriate. California requires these disclosures at or before collection.

Sample account-creation checkbox text

Required checkbox

By creating an account, I agree to the Terms of Service and acknowledge that I have read the Privacy Policy.

Optional checkbox if you want separate AI-improvement consent

I agree that AstraSomnia may use my prompts, study activity, responses, and feedback to improve EdAstra’s AI features and related products, as described in the Privacy Policy.

Parent or guardian consent checkbox if needed

I am the child’s parent or legal guardian, and I consent to AstraSomnia’s collection, use, and disclosure of my child’s information as described in the Privacy Policy.

If you plan to use raw identifiable child data or school data for model training beyond core service delivery, a separate, explicit consent flow is strongly recommended and may be required depending on context. COPPA requires direct notice and verifiable parental consent for children under 13, and school consent is limited to the educational context.

Sample privacy request form fields

Use a webform and in-app form with:

full name
email used for account
state or country of residence
right requested: access, correction, deletion, portability, opt-out, limit use, appeal
whether requesting as parent, guardian, or authorized agent
school or district name if request concerns a school account
proof of authority if agent request
optional description box

For California opt-out requests, do not require account creation or more information than necessary to honor the request.

Sample response-verification language

To protect your privacy and security, we may ask you to log into your account, confirm a code sent to your email, or provide other information reasonably necessary to verify your identity and the scope of your request. If you use an authorized agent, we may request signed permission and may ask you to verify directly with us, unless a valid power of attorney applies.

Operational checklist and implementation notes

Consent flows and UI

Publish the Privacy Policy at a public, stable HTML URL, not a PDF, and link it in-app and in both app-store listings. Google Play requires a non-geofenced, non-editable public URL, and Apple requires a link both in metadata and within the app.
If accounts can be created in-app, implement account deletion both in-app and through an external web page, and add the deletion URL in Google Play Console.
Add short notices at sign-up, AI prompt windows, upload flows, and contact forms.
Decide whether raw user content will be used for model training. If yes, separate that from core-service processing and use clear consent language where needed.
Do not market the app as “for kids” unless you truly want Apple’s Kids Category obligations. Apps outside that category should avoid suggesting their primary audience is children. Kids Category apps face stricter rules around third-party analytics and ads.

DSAR and state-rights handling

Build a DSAR intake flow for access, deletion, correction, portability, opt-out, and appeal.
For California, confirm delete/correct/know requests within 10 business days and respond within 45 days unless extended once.
Support authorized-agent workflows, including signed authorization and direct confirmation where allowed.
Honor Global Privacy Control or other recognized California opt-out preference signals if you ever sell or share data.
If Colorado-targeted advertising or sale is ever used, support Colorado universal opt-out mechanisms.
Implement an appeals process for states that require it, especially Connecticut and Virginia.

Children, schools, and age gating

Set a clear default age policy, for example 13+ unless parent-authorized or school-authorized.
If under-13 access is possible, implement COPPA direct notice and verifiable parental consent unless a narrow exception applies.
If relying on school consent, keep that experience limited to the educational purpose and avoid unrelated commercial repurposing of raw child data.
For school pilots, use a separate school data addendum with FERPA school-official language, direct-control language, redisclosure restrictions, deletion terms, and training restrictions.
Because EdAstra targets teens, review Colorado’s 2025 minor-data law and Connecticut’s minors amendments before Colorado and Connecticut launches.

Vendor management and contracts

Map every SDK, cookie, API, AI provider, and subprocessor.
Sign DPAs, service-provider or contractor terms, and confidentiality/security commitments.
Ensure vendor terms address prompt retention, model training on customer data, security, cross-border transfers, deletion, and audit rights.
For California, ensure service-provider or contractor contracts prohibit selling, sharing, or off-purpose use.
Keep a current subprocessor list for enterprise and school customers.

Retention schedules and deletion operations

Approve a category-by-category retention schedule and document business justifications.
Build deletion jobs for active systems, tombstones or suppression records for fraud or compliance, and backup aging logic.
Make sure backup deletion statements are accurate.
Ensure litigation hold, tax, fraud, security, and school-contract exceptions are documented.

Security and incident readiness

Adopt written access controls, encryption, key management, logging, vulnerability management, MFA, vendor review, and incident response.
Document role-based access and admin approvals for student and school data.
Maintain breach-notification playbooks by state and by contract.
Train support and engineering teams on privacy request routing and school-data restrictions.

App-store and public-disclosure alignment

Align this Privacy Policy with Apple’s Privacy Nutrition Labels and Google Play’s Data safety section. Apple requires you to disclose data collected by you and third-party SDKs. Google requires the policy and Data safety details to be accurate and consistent.
Re-review the Privacy Policy whenever you add SDKs, ads, new AI providers, school products, or age-assurance features.
Update the policy at least annually.

Open questions and limitations

This draft is strong, but the final version depends on several business decisions that were not fully specified:

Whether AstraSomnia will ever use third-party advertising, retargeting, or cross-context behavioral advertising
Whether raw identifiable chat logs, answers, essays, or school records will be used for model training, evaluation, or prompt-improvement outside core service delivery
Whether the product will permit under-13 users outside school-authorized contexts
Which exact vendors and AI providers receive prompts or student content, and whether those vendors use customer data to train their own models
Whether school pilots involve FERPA-covered education records, direct roster imports, SSO, or district dashboards
Whether you want one global policy or a U.S.-first policy with separate EEA and UK notices

Page updated

Google Sites

Report abuse