Privacy Policy
1. Introduction
This Privacy Policy describes how AIRMAN PRODUCTION S.R.L. (hereinafter “the Controller”, “we”, or “MUUNIVERS”), a Romanian legal entity with its registered office at Bucharest, Sector 3, Bd. 1 Decembrie 1918, no. 2, bl. MY9, sc. 1, fl. 2, apt. 9, registered with the Trade Register under no. J40/1552/2016, VAT number 35594720, collects, uses, discloses, and protects your personal data when you use the MUUNIVERS web platform available at muunivers.com. By using the Service you confirm that you have read and understood this Policy.
2. Scope and applicable law
We comply with Regulation (EU) 2016/679 (GDPR), Romanian Law 190/2018 on GDPR implementation, Law 506/2004 on confidentiality in electronic communications, the ePrivacy Directive, the California Consumer Privacy Act (CCPA/CPRA) for California residents, and other applicable data protection laws. We honour the Global Privacy Control (GPC) signal: if your browser transmits it, we treat it as a valid opt-out request from any sharing of data for cross-context behavioural advertising. This Policy applies to the MUUNIVERS web platform; any future native apps will be governed by a separate annex.
3. Categories of data we collect
We collect data directly from you, automatically through your use of the platform, and, in certain cases, from third parties (e.g. the Stripe payment processor). Detailed categories are as follows:
3.1. Account and profile data
When you create an account and customise your profile we collect:
- Email address, password (stored encrypted), display name, username
- Avatar image, biography / astral message, zodiac sign (if you choose to complete it)
- Time zone, preferred interface and horoscope language
- Profile visibility settings (public / private), privacy and notification settings
- Progress statistics: XP, Manifestor Level, daily streak, collected crystals
3.2. User-generated content (wishes, notes, relights, messages)
When you create a wish we collect: title, message, chosen background, precise GPS coordinates (latitude / longitude) provided by you if you choose to attach a location, visibility setting (public / private / Premium only), personal notes attached to the wish, likes and relights received. GPS coordinates are displayed on the public map only if the wish is set to public. For private wishes the location remains attached to your wish but is not accessible to other users.
3.3. Data for numerology and personalised horoscope
For numerology computations (life path, natal chart, Human Design, house energy) and personalised horoscope you may provide your date, time and place of birth, as well as house number. This data is not sensitive data under Art. 9 GDPR (it does not concern health, ethnic origin or religion), but regular personal data which we process based on your explicit consent. It is stored in your profile to let you quickly access the most recent computed results and can be deleted at any time from Settings.
3.4. Public Gratitude chat and moderation reports
Messages published in the public Gratitude chat are visible to all users. When you report an abusive message we log your account identifier and the reporting reason in order to enforce community moderation rules. After 3 distinct reports from different users the message is automatically hidden from the public chat but remains visible to its author. Reports are accessible to the moderation team.
3.5. Vision Board data (Premium)
When you use the Vision Board (available only with an active Premium subscription) we store: (1) the canvas document (shapes, layout, text), (2) the images you upload to your private folder user-uploads/vision-board/{user-id}/, (3) board titles and metadata. Access is strictly limited to you. When your Premium subscription ends access is suspended; if you do not renew within 90 days we will permanently delete your Vision Board data from our servers.
3.6. Referral programme data
If you sign up through another user's referral link or recommend the platform to others we retain the referral code used and the referral relationship between accounts so we can grant the rewards tied to the programme. These data are used solely for managing the referral programme and preventing fraud.
3.7. Automatically collected data
When you access the platform we automatically collect:
- IP address, user agent, browser type, operating system, screen resolution
- Pages visited, visit times, time spent, features used, interactions
- Web push tokens (VAPID) if you enable browser push notifications
- Cookies and similar technologies (see section 14)
3.8. Data processed through artificial intelligence
For AI features (personalised horoscope, dream interpretation, affirmations, wish refinement, daily quotes) we send certain data to OpenAI through the standard enterprise API, under a Data Processing Agreement (DPA) which provides that your data is NOT used to train public models. The data sent includes: request type, personalisation parameters (e.g. date of birth, zodiac) and any messages you enter. We do not send authentication credentials.
4. Purposes of processing
We process your data in order to:
- Provide, operate and maintain the MUUNIVERS platform, authenticate users, manage accounts
- Process payments for Premium, diamonds, credits and donations via Stripe
- Personalise content (horoscope, numerology, dream interpretation, quotes, affirmations) using AI
- Send transactional communications (email verification, password reset, purchase confirmations, account-related notifications)
- Send marketing communications (newsletter, manifestation emails) only with your explicit consent
- Analyse platform usage (only if you accept analytics cookies) in order to improve the experience
- Moderate content, prevent fraud, ensure security and legal compliance
- Comply with legal obligations (accounting, tax, notifications to competent authorities)
5. Legal bases for processing
We process your data on the following legal bases (Art. 6 GDPR):
- Consent (Art. 6(1)(a)): For non-essential cookies (analytics), email marketing, push notifications, AI personalisation based on date of birth. You can withdraw consent at any time.
- Performance of a contract (Art. 6(1)(b)): For operating your account and Premium subscription, processing payments and delivering digital content (diamonds, credits).
- Legitimate interest (Art. 6(1)(f)): For platform security, fraud prevention, content moderation and maintenance of technical logs. You have the right to object to this processing.
- Legal obligation (Art. 6(1)(c)): For retention of invoices and accounting documents under the Romanian Fiscal Code, and for requests from competent authorities.
Respect for the Global Privacy Control signal: If your browser sends the GPC signal we automatically interpret it as a valid opt-out request and will not share data for cross-context behavioural advertising, in line with CCPA/CPRA requirements and GDPR best practice.
6. Automated decisions and profiling
We use algorithms and artificial intelligence to generate personalised content (horoscope, dream interpretation, wish refinement, daily quotes, manifestation notifications). These operations constitute profiling within the meaning of Art. 22 GDPR but DO NOT produce legal effects or significantly affect you (they are entertainment and personal-reflection content). You have the right to request human intervention, to express your point of view and to contest the results by writing to dpo@muunivers.com.
7. Data sharing and sub-processors
We do not sell or trade your data. We share it only with the following sub-processors, each under contract and DPA as required by GDPR:
- Stripe, Inc. (US / Ireland) – payment processing, invoicing, customer location determination, fraud prevention. Stripe acts as an independent controller for anti-fraud and, if we sign up for Stripe Tax in future, for the computation of indirect taxes.
- Supabase, Inc. (EU region) – database hosting, file storage, authentication
- Vercel, Inc. (US / global edge) – web application hosting, content delivery
- OpenAI, LLC (US) – AI processing through the enterprise API with DPA; data is NOT used for training
- Transactional email provider (Resend / SendGrid or equivalent) – sending system and marketing emails
- Google Analytics (US) – usage analytics, only with your consent, with IP anonymisation
- Competent authorities – when required by law (courts, ANSPDCP, investigative bodies)
- Potential legal successors – in the event of a merger, acquisition or business transfer, with prior notice
The list of sub-processors may be updated with notice pursuant to section 18 (Changes).
8. International data transfers
Some of our sub-processors (Stripe, OpenAI, Vercel, Google) are established outside the European Economic Area. Transfers are carried out on the basis of the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework. We have assessed the risks in line with the Schrems II case law and apply additional measures (encryption, minimisation, pseudonymisation) where needed.
9. Data security
We apply appropriate technical and organisational measures to protect your data:
- TLS 1.2+ encryption in transit and at-rest encryption for the database and file storage
- Passwords stored with strong hashing (bcrypt / scrypt / argon2)
- Role-based access controls, least-privilege principle, logging
- Regular security assessments, automated monitoring, internal data protection policies
10. Security incident notification
Pursuant to Art. 33 and 34 GDPR, in the event of a personal data breach that poses a risk to your rights and freedoms, we will notify ANSPDCP within 72 hours of becoming aware. If the risk is high we will also notify you directly, without undue delay, by email and/or an announcement on the platform, describing the nature of the incident, the categories of data affected, the measures taken and the DPO contact.
11. Retention periods
We retain data only for as long as necessary for the purposes described above. Details per category:
- User account and profile: 3 years from last activity, then deletion or anonymisation
- Public wishes, likes, relights: Until deleted by the user or the account is deleted; some wishes may automatically expire per platform rules
- Vision Board (canvas + images): Up to 90 days after Premium subscription ends; then permanent deletion
- Public Gratitude chat messages and reports: 2 years or until account deletion; reports remain in the log for up to 2 years for moderation audit
- Payment data and invoices: 10 years under Art. 25 of the Fiscal Code and OMFP 2861/2009; Stripe retains data per its own policy
- Web push tokens and sessions: Until logout or 12 months of inactivity
- Technical and security logs: 12 months
- Non-essential cookies: Maximum 13 months per CNIL / EDPB guidance
- Backups: Maximum 30 days, rolling; deletion from backups takes effect at the next full cycle
12. Your rights
You have the following rights regarding your data, under GDPR, Romanian Law 190/2018 and CCPA/CPRA (for California residents):
- Right of access and information: you can request a copy of your data and the list of categories collected
- Right to rectification: you can correct inaccurate data directly from Settings or by requesting assistance
- Right to erasure (‘right to be forgotten’): you can delete your account at any time from Settings or by requesting manual deletion
- Right to data portability: you can download your data in JSON format via the ‘Download my data’ feature in Settings
- Right to object and restrict: you can object to processing based on legitimate interest
- Right not to be subject to an automated decision: see section 6
- For California residents (CCPA/CPRA): right to know, right to delete, right to opt-out of sale / sharing (we do not sell data), right to non-discrimination
Exercising your rights
You can exercise your rights by sending a request to dpo@muunivers.com or by using the dedicated Settings features (Download data, Delete account). We respond within 30 days of receipt, with the possibility of extension by a further 60 days for complex requests (Art. 12(3) GDPR) with prior notice to you. To confirm your identity we may request reasonable evidence (e.g. email validation). The service is free, but for manifestly unfounded or excessive requests we may charge a reasonable fee.
13. Supervisory authority
You have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania, tel. +40.318.059.211, email anspdcp@dataprotection.ro, website www.dataprotection.ro. If you live in another EEA state you may contact the supervisory authority in your country of residence. We still encourage you to contact us first at dpo@muunivers.com for a prompt resolution.
14. Cookies and similar technologies
We use two categories of cookies and similar technologies (localStorage):
Essential cookies (always on)
Required for the platform to work: authentication, session, language preferences, CSRF token, cart and checkout functionality. Without these the platform cannot function. Consent is not required under Art. 5(3) of the ePrivacy Directive.
Analytics cookies (optional, opt-in)
Used to understand how the platform is used and to improve it (Google Analytics with IP anonymisation, no advertising signals). They only activate if you explicitly accept them in the banner or via ‘Cookie settings’.
You can change your preferences at any time from ‘Cookie settings’ in the platform footer.
15. Email communications and notifications
Transactional emails
We send emails that are essential to account operation (email verification, password reset, purchase confirmations, security alerts, legal notices). These rely on contract performance or legal obligation and cannot be disabled for as long as you use the Service.
Marketing emails and manifestation notifications
We send marketing communications, including recurring ‘manifestation emails’, only if you have explicitly opted in. Every marketing email contains an unsubscribe link in the footer. You can withdraw consent at any time in Settings > Notifications.
16. Geolocation data
GPS coordinates associated with wishes are voluntarily provided by you when creating them and are precise coordinates (latitude / longitude), not an approximate location. Coordinates are displayed publicly on the MUUNIVERS map only for wishes set as public. For private or Premium-only wishes the coordinates remain attached to the wish in the system but are not visible to other users. We do not access your device's location without an explicit action from you.
17. Children's privacy
The Service is intended for people aged at least 16. Children aged 13 to 16 may use the Service only with the express consent of a parent or legal guardian, in line with Romanian Law 190/2018. Children under 13 may not create or use an account. If we learn that we have collected data from a minor below the allowed age without parental consent we will delete the data promptly. Parents can contact dpo@muunivers.com to request deletion of their children's accounts.
18. Changes to this Policy
We may update this Privacy Policy from time to time. The new version becomes effective when posted on this page, with the ‘Last updated’ date refreshed. For material changes (e.g. new categories of data collected, new sub-processors with material impact) we will notify you at least 15 days in advance by email and/or a prominent notice on the platform. Continued use of the Service after the effective date constitutes acceptance.
19. Contact and DPO
20. Effective date
This Privacy Policy takes effect on the date of publication. Previous versions are available on request by writing to dpo@muunivers.com.