✦Cosmic Scroll

Privacy Policy

Your data, handled carefully.

Effective date · 20 May 2026

1 · Who we are

Cosmic Scroll is operated by Asen Borisov, sole proprietor, based in Sofia, Bulgaria. For the purposes of the EU General Data Protection Regulation (GDPR), Asen Borisov is the data controller for personal information collected through cosmicscroll.com.

You can reach us any time at info@cosmicscroll.com.

2 · What we collect

When you order a Cosmic Blueprint, the form on the home page asks for the following fields. We only collect what we need to produce and deliver your reading.

  • First name · used in your reading and email greeting.
  • Last name · used together with your first name for numerology calculations.
  • Date of birth · required for both astrology and numerology.
  • Time of birth (optional) · sharpens your rising sign and house placements.
  • City and country of birth · required to locate the sky over your birthplace.
  • Email address · where we send your blueprint and order confirmation.
  • Focus area · the topic you want the reading to emphasize (Love, Money, Purpose, Spiritual, or Healing).
  • Free-text answer (optional) · anything specific you want the reading to address.

In addition, our payment processor Stripe collects the billing data needed to take your payment (card details, billing address, country). We never see or store your full card number. Stripe shares back the last 4 digits, card brand, billing country, and the email associated with the payment.

Our hosting provider Vercel automatically logs standard request metadata (IP address, user-agent, timestamp, requested URL) for security and abuse prevention. These logs are retained for a short window and not linked to your reading.

3 · Why we collect it

Your data is used for three narrow purposes, in this order:

  1. To generate your reading. Your birth data and answers are fed into the chart and numerology calculations and into the prompt that writes your blueprint.
  2. To deliver your reading. Your email is used to send the PDF and order confirmation.
  3. To run the business. Order records are kept so we can respond to support emails, honour the founder's promise, prevent payment fraud, and meet our tax and accounting obligations.

We do not sell your data. We do not share it with advertisers. We do not use it to train any machine-learning model; its only use with a model is to write your own private reading.

4 · Legal basis (GDPR)

Under the GDPR, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) · we need your birth data and email to deliver the blueprint you bought.
  • Legitimate interest (Art. 6(1)(f)) · for fraud prevention, security logging, and basic accounting records. Our interest is keeping the service safe and legally compliant. We balance this against your privacy by collecting the minimum data needed and keeping access tightly scoped.
  • Legal obligation (Art. 6(1)(c)) · for invoice and tax records we are required to retain under Bulgarian and EU law.
  • Consent (Art. 6(1)(a)) · if at any point we add a newsletter or marketing email, you will be asked to opt in clearly. We will never add you to a marketing list silently.

5 · Third-party processors

We use a small number of trusted vendors to run the service. Each one only receives the data it needs to do its job. All of them are bound by their own published privacy terms and, where relevant, by data processing agreements with us.

  • Stripe (USA) · payment processing. Receives your name, email, billing address, and card details. Stripe is PCI-DSS compliant.
  • Resend (USA) · transactional email delivery. Receives your first name, email address, and the PDF attachment.
  • Vercel (USA, EU-US Data Privacy Framework certified) · website hosting, serverless functions, and request logs. Receives your form submission in transit and stores short-term request logs for security. Also provides Web Analytics and Speed Insights for aggregate, anonymous traffic and performance measurement (see the Cookies section below for details).
  • OpenRouter (USA) · LLM API gateway. Relays the prompt that writes your blueprint to OpenAI. Receives the chart and numerology data plus your free-text answer and focus area. Does not receive your email address.
  • Upstash (USA) · short-lived key-value storage used during generation to track order state between Stripe and our delivery webhook. Holds your order ID and a copy of the form payload for up to 72 hours.
  • ImprovMX (USA) · inbound email forwarding for info@cosmicscroll.com. Forwards any email you send us to the founder's personal inbox.
  • Better Stack (USA) · uptime monitoring. Pings our health endpoint only. Receives no customer data.

6 · How long we keep your data

Your blueprint is yours forever. We keep your order record (name, email, birth data, answers, and the PDF we generated) indefinitely so that you can re-download your reading if you lose it or change devices. Customers sometimes ask for a re-send long after their purchase, and we want to be able to say yes.

You can request deletion at any time and we will erase everything we hold within 30 days, except for the minimum invoice and tax records we are legally required to keep under Bulgarian and EU law (typically 5 to 10 years for accounting purposes).

Short-lived processing data (Upstash KV state, server logs) is deleted automatically within days of your order being fulfilled.

7 · Your rights under GDPR

If you are in the EU, UK, or EEA, you have the following rights over your personal data. You can exercise any of them by emailing info@cosmicscroll.com from the address you used to place your order. We respond within 30 days.

  • Right of access · ask us for a copy of everything we hold about you.
  • Right to erasure · ask us to delete your data (subject to the legal-retention exception above).
  • Right to rectification · ask us to correct any data you believe is wrong.
  • Right to data portability · receive your data in a structured, machine-readable format.
  • Right to object · object to any processing we do under legitimate interest.
  • Right to restrict processing · ask us to pause processing while a dispute is resolved.
  • Right to withdraw consent · withdraw any consent you previously gave (e.g. for marketing) at any time.
  • Right to lodge a complaint · contact your local data-protection supervisory authority. In Bulgaria that is the Commission for Personal Data Protection (CPDP). EU residents may contact the authority in their country of residence.

We will not charge you a fee unless your request is clearly excessive or repetitive, in which case we will tell you before doing any work.

8 · Cookies and analytics

Cosmic Scroll uses no advertising cookies and no third-party tracking cookies. The site sets only the small number of essential cookies required for the checkout session to work safely (set by Stripe during payment) and basic Vercel session cookies for security.

We use Vercel Web Analytics and Vercel Speed Insights to measure aggregate traffic (page views, top referrers, country, device type) and page performance (load times, Core Web Vitals). Both are cookieless and do not store any data on your device. They generate a short-lived anonymous identifier from a hash of your IP address, user-agent, and the visited domain so that we can count unique visits without identifying individuals. The raw IP address is not stored. No personal data such as your name or email is sent to these services.

Because no non-essential cookies are set, no cookie consent banner is required under the EU ePrivacy Directive. If we ever add advertising or cross-site tracking, we will update this policy and ask for your consent first.

9 · International data transfers

Several of our processors (Stripe, Resend, Vercel, OpenRouter, Upstash, ImprovMX, Better Stack) are based in the United States. When your data is transferred to them, we rely on the EU-US Data Privacy Framework where the processor is certified, and on the European Commission's Standard Contractual Clauses (SCCs) in all other cases. These transfers are necessary to perform the contract you entered into with us.

10 · Children

Cosmic Scroll is intended for adults. By placing an order you confirm that you are at least 18 years old. We do not knowingly collect data from anyone under 18. If you believe a minor has placed an order, please email us and we will delete the record and refund the purchase.

11 · Changes to this policy

We may update this policy as the service grows. The effective date at the top of the page always reflects the most recent version. If we make a material change that affects how we handle data you have already given us, we will email past customers before the change takes effect.

12 · Contact

Questions, requests, or complaints about your data:

Asen Borisov · Sofia, Bulgaria
info@cosmicscroll.com
