GDPR-ready astrology API for EU developers
The first astrology API with full EU-residency. If you’re building a B2C product for the European market, GDPR compliance becomes a question before you write your first line of code. AstroWay solves it by default — no extra tier, no legal gymnastics.
Why this matters
The established alternatives (DivineAPI, AstrologyAPI, Prokerala) are hosted in the US or India. That means:
- Your `birth.date`, `birth.time`, `birth.lat`, `birth.lon` (personal data under GDPR: an exact birth date, time and place together identify a person) flow through US/India infrastructure.
- Subprocessor disclosure for your privacy policy: you have to list their jurisdiction.
- DPA (Data Processing Agreement): either unavailable, or only on an Enterprise tier via a separate contract.
- EU Data Protection Authority audit risk: a transfer to a third country without a valid mechanism (SCCs, Standard Contractual Clauses, or an adequacy decision) falls under the top fine band of GDPR Art. 83(5), up to €20M or 4% of global annual turnover, whichever is higher.
AstroWay on the Pro tier ($59/mo) gives you EU-residency by default: all data is processed in Hetzner Nuremberg, no cross-border transfer.
Technical stack
| Layer | Location / provider |
|---|---|
| Compute | Hetzner CPX32, Nuremberg (Germany) |
| Database | EU-resident on the same VPS — data never leaves the Nuremberg infrastructure |
| CDN / DNS | Cloudflare with EU-region cache rules (EU requests served by EU edges) |
| Email transactional | Brevo (formerly Sendinblue), EU-based, GDPR-compliant SMTP |
| PDF storage | Hetzner Storage Box (Nuremberg) — signed-URL TTL 24h, no cross-border replication |
| Analytics | GA4 with anonymize_ip + no PII in events (Plausible self-hosted on roadmap) |
| Logs | structured JSON, IP-hash only (no raw IPs), 30-day retention |
GDPR — what we provide
By default (all Pro+ keys)
- ✅ EU-only data flow — birth-data never leaves Nuremberg
- ✅ No cross-border PII transfer — confirmed at the infrastructure level
- ✅ IP hashing — logs store a SHA-256 hash of the address plus its first 16 bits (the /16 prefix, used for rate-limiting), never the raw IP. Caveat: an unkeyed hash of an IPv4 address is pseudonymisation, not anonymisation. There are only 2^32 addresses, and with the /16 prefix stored alongside only 65,536 candidates, so the original address can be recovered by hashing each one. A keyed hash (HMAC with a server-side secret that rotates) is what makes the stored value non-reversible without the key; if this distinction matters for your DPIA, confirm which variant is in use.
- ✅ 30-day log retention — auto-deleted after that
- ⚠️ Anonymized analytics (GA4) — `anonymize_ip` enabled, no PII in events. GA4 does not store full IP addresses regardless of this flag (it is a Universal Analytics setting), and several EU DPAs (Austria's DSB and France's CNIL in 2022) have found Google Analytics use non-compliant after Schrems II even with IP anonymisation, which is why this row is ⚠️ rather than ✅. Plausible self-hosted (cookie-free) is on the roadmap. Until then, use your own cookie banner on B2C frontends.
- ✅ Right to erasure: `DELETE /v1/me/account` (Bearer JWT, body `{"confirmation": "DELETE"}`) immediately deletes your account and the personal data tied to it. Some records are retained for billing and legal reasons; see "What does AstroWay do when I call DELETE /v1/me/account?" below.
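A worked illustration of the IP-hashing caveat, added here as an example and not AstroWay's code. It assumes the logged value is an unkeyed SHA-256 of the dotted-quad string stored next to the /16 prefix, which is one reading of the "SHA-256 hash + first 16 bits" row above, and shows that such a value is recovered with at most 65,536 hash computations. It then contrasts it with a keyed HMAC that rotates daily: the same address still maps to the same token within a day, so per-IP rate limiting works, but an attacker holding only the logs cannot enumerate candidates without the key. The sample addresses and the demo key are constructed.

```python
"""Unkeyed IP hashing is reversible; keyed, rotating hashing is not.

Added example, not AstroWay's code. Assumption: the log stores
sha256(dotted-quad) beside the /16 prefix ("first 16 bits").
"""
import hashlib
import hmac
import ipaddress
from typing import Optional


def plain_ip_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the textual address, as many log pipelines do it."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_ip_from_plain_hash(digest: str, prefix16: str) -> Optional[str]:
    """Reverse an unkeyed hash when the /16 prefix is logged beside it.

    prefix16 is the first two octets, e.g. "203.0", leaving 65,536
    candidates. Without the prefix the space is all of IPv4, 2**32 hashes,
    which is minutes of GPU time or a single precomputed table. Either way
    the original address comes back, so the stored value is pseudonymous
    personal data, not anonymous data.
    """
    network = ipaddress.ip_network(f"{prefix16}.0.0/16")
    for candidate in network:
        if hashlib.sha256(str(candidate).encode()).hexdigest() == digest:
            return str(candidate)
    return None


def keyed_ip_token(ip: str, key: bytes, day_iso: str) -> str:
    """HMAC-SHA256 over (day, address) with a server-side secret, 128-bit truncated.

    The same address yields the same token within one day, so per-IP rate
    limiting still works; the token changes daily, and without the key an
    attacker cannot test candidate addresses against the logged values.
    """
    message = f"{day_iso}|{ip}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


if __name__ == "__main__":
    # Constructed sample: an address from the TEST-NET-3 documentation range.
    victim = "203.0.113.7"
    logged_hash = plain_ip_hash(victim)
    print("recovered from unkeyed hash:", recover_ip_from_plain_hash(logged_hash, "203.0"))

    # Constructed demo key; in production, generate with secrets.token_bytes(32),
    # keep it in the application secret store, and rotate it on a schedule.
    key = hashlib.sha256(b"constructed demo secret").digest()
    print("keyed token day 1:", keyed_ip_token(victim, key, "2024-05-01"))
    print("keyed token day 2:", keyed_ip_token(victim, key, "2024-05-02"))
```

Rotate the key at least as often as the longest rate-limit window you need to enforce, and keep it out of the log pipeline itself: a key stored next to the logs turns the HMAC back into the reversible case.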
On request (Pro+ subscribers)
- 📄 DPA (Data Processing Agreement) — standard GDPR Art. 28 template, countersigned within 5 business days. Email legal@astroway.info.
- 📋 Sub-processor list — full breakdown (Hetzner, Cloudflare, our SMTP provider, Stripe for Stripe customers) with each provider’s compliance docs. Brevo as the SMTP vendor is named in the DPA appendix for customers who sign it.
- 🗂️ DPIA (Data Protection Impact Assessment) input — if your legal team runs a DPIA on your product, we provide the technical sheet from our side.
For Enterprise customers (custom-tier)
- 🛡️ SOC 2 Type II — on the roadmap (audit firm not yet engaged, ETA TBD). If this blocks your integration — email legal@astroway.info; we’re open to a dedicated audit engagement.
- 🇪🇺 EU-only legal entity — current legal form is a Ukrainian sole-trader (Maxim Burkhan). If your procurement requires an EU GmbH (Germany / Estonia), we’ll discuss case-by-case via legal@astroway.info; standard timeline 4-8 weeks. Relevant to your transfer impact assessment: under EDPB Guidelines 05/2021, remote access to EU-hosted data by personnel located in a third country is itself a transfer, so operator access from outside the EU is a point to cover in your DPIA.
- 🔐 Dedicated infra option — separate VPS in Nuremberg, isolated DB, no shared compute
- 📞 Direct security contact — security@astroway.info for incident response
Comparison: AstroWay vs US-hosted competitors
| Critical for the EU developer | AstroWay Pro $59 | DivineAPI | AstrologyAPI | Prokerala |
|---|---|---|---|---|
| EU-hosted compute | ✅ Hetzner Nuremberg | ❌ US | ❌ US | ❌ India |
| Standard DPA available | ✅ on Pro+ | ❌ enterprise only | ❌ enterprise only | ❌ enterprise only |
| GDPR-compliant by default | ✅ infrastructure-level | ⚠️ via SCC | ⚠️ via SCC | ⚠️ via SCC |
| Cookie-free analytics | ⚠️ GA4 anonymized (Plausible roadmap) | ❌ GA4 | ❌ GA4 | ❌ GA4 |
| EU-only data flow guarantee | ✅ in writing | ❌ | ❌ | ❌ |
| DPIA technical input | ✅ provided | ❌ | ❌ | ❌ |
| Right to erasure endpoint | ✅ DELETE /v1/me/account | ❌ ticket-based | ❌ ticket-based | ❌ ticket-based |
Pricing
EU-residency, DPA, infrastructure-level GDPR — everything included in Pro $59/mo. No separate tier, no sales call, no custom pricing.
This is a deliberate strategy: Hetzner-residency costs us nothing extra (our VPS is in Nuremberg anyway), and DPA is a standard template signed once over email. There’s no reason to charge for privacy that should have been the default.
Can I use the Free tier for a GDPR-sensitive project?
Yes — Free runs on the same infrastructure (Hetzner Nuremberg), the same anonymized analytics, the same 30-day log retention. DPA is not available on Free (it’s an admin overhead that only pays off on a paid tier), but technically the data is processed identically.
If your legal team requires a signed DPA, Indie ($5/mo) doesn’t get it either. The cheapest tier with DPA is Pro $59.
What about Schrems II? Cloudflare CDN is a US company, isn’t it?
Cloudflare is a US company, but we use EU-region cache rules (EU IP requests are served by EU edges), and the origin server (where data is actually processed) is Hetzner Nuremberg. PII (birth-data) traverses the Cloudflare edge in the same region and is not stored on the edge, only in transit. Two points for your transfer impact assessment: a reverse proxy terminates TLS at the edge, so request bodies are decrypted in edge memory before being re-encrypted to the origin, and the Schrems II concern is the US parent company's legal exposure rather than the physical edge location. Cache rules govern caching, not where processing may occur; Cloudflare's contractual EU-only processing commitment is a separate product (Regional Services, part of its Data Localization Suite).
For ultra-sensitive use cases (medical apps, B2G), Cloudflare can be bypassed with DNS pointing directly at the origin, at the cost of Cloudflare's DDoS and WAF layer in front of the API — email legal@astroway.info.
How fast do I get the DPA after subscribing to Pro?
- Standard DPA (our template) — instantly; the file `astroway-dpa-v1.pdf` is available in the dashboard after the first charge.
- Custom redlines from your lawyer — 3-5 business days. We don’t aggressively negotiate standard Art. 28 clauses.
Do I need a DPA if I’m a B2B developer without my own PII?
If your end product handles PII (and birth-data is PII), your lawyer will likely want a signed DPA with all sub-processors. We provide it as standard. If your integration is internal (employees only), the birth-data is still personal data and we still act as a processor for it, so GDPR Art. 28(3) still requires a processor contract; the DPA is simply lower-friction to get signed in that setting.
What does AstroWay do when I call DELETE /v1/me/account?
- API keys — soft-deleted (`is_active = 0`, for an anti-abuse cooldown)
- Account-to-key link — severed; the key cannot be re-associated
- User profile — flagged as deleted with a timestamp
- Usage logs — kept for billing audit; they hold the IP hash (pseudonymous, not a direct identifier; see the IP-hashing caveat above) rather than a raw address
- Order history — retained for 7 years under GDPR Art. 17(3)(b) (compliance with a legal obligation); the retention period itself comes from national tax and accounting law, not from the GDPR
- Transactional email — auto-cleaned by our SMTP provider after 90 days
Full flow available on request via legal@astroway.info.
Contacts
- Legal/DPA: legal@astroway.info
- Security incidents: security@astroway.info
- Subprocessor list / DPIA: hello@astroway.info