Triple Moon Goddess · triplemoongoddess.com · Lisa@TripleMoonGoddess.com
Privacy Policy v2026-06 · Last reviewed June 8, 2026
Triple Moon Goddess is a wellness journaling and medical astrology application operated by Lisa Hagan ("we", "us", "our"). For all data protection enquiries, please contact:
Triple Moon Goddess
Lisa Hagan
3654 Thornton Ave, Unit #748
Fremont, CA 94536
United States
Email: Lisa@TripleMoonGoddess.com
Website: triplemoongoddess.com
This policy applies to all users of the Triple Moon Goddess ecosystem: the natal chart generator, the Health Journal (PWA), the Health Blueprint app, the Tea Moon app, and the phone widget application, together with the paid practitioner applications (Integrative Practitioner, Soul Pattern, and Constitutional Health) and any associated email communications.
This policy applies to users worldwide. Where additional rights apply in your jurisdiction — EU/EEA/UK (GDPR), California (CCPA), Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act) — those rights are addressed in Section XI.
Collected only if you voluntarily provide it:
| Data | Purpose |
|---|---|
| First name or nickname | Stored separately from health data |
| Email address | Account lookup, chart delivery, reminders only |
| Birth date, time & location | Natal chart generation |
user_identities) from your health records. No single database document contains both your identity and your health data.This is health data under GDPR Article 9. It includes daily body scores (mood, energy, optimism, physical/mental stamina), sleep data, symptoms, medication and supplement logs, food and beverage log, tongue observations (Traditional Chinese Medicine), personal notes and reflections, and astrology transit journal responses.
Anonymous Firebase Authentication UID, FCM push notification tokens, app preferences (tab config, reminder times, food plan, house system), timezone, and rate-limit counters keyed by anonymous UID.
We do not collect precise device geo-location (GPS). The only location data we process is the birth location you enter for natal chart calculation — it is supplied by you, not derived from your device's location services.
We use Firebase (Google) infrastructure. Firebase collects basic performance and crash data per its own terms. We do not use Google Analytics, Facebook Pixel, any advertising trackers, session replay tools, or heatmap software.
Legal basis: Legitimate interests / Contract (GDPR Art 6(1)(b) and (f)) — providing app functionality, authentication, push notifications, email reminders, and rate limiting.
Legal basis: Explicit consent (GDPR Art 9(2)(a)) — storing/displaying journal entries, generating PDF exports, enabling Practitioner Mode. You may withdraw consent at any time via Settings → Danger Zone.
Legal basis: Explicit consent (GDPR Art 6(1)(a) and Art 9(2)(a)). AI features are entirely optional and require deliberate setup. New users receive 5 complimentary AI uses; after that, AI is only available if you choose to add your own Anthropic API token in Settings → AI. Removing your token immediately and permanently disables all AI processing — no token means no data is ever sent to Anthropic.
When any AI feature is used, only the data relevant to that interaction is sent to Anthropic's API. No name, email, or access code is ever included. Anthropic does not use this data to train models. There are three AI touchpoints across the apps, each with a just-in-time privacy notice displayed before data is sent:
| Location | Trigger | Data sent to Anthropic | Notice type |
|---|---|---|---|
Journal — AI Dialog (SummaryTab.tsx) | First message send per session (including starter chips) | Message text plus today’s journal context: health scores, symptoms, notes, astrology data | Modal on first send; sessionStorage key tmg_ai_dialog_noticed suppresses on subsequent messages |
Practitioner — AI Summary (JournalTab.tsx) | Tab load when AI summaries are present | Client session data: pattern scores, comparison signals, practitioner notes, astrological context. No client name, email, or birth data. | Inline notice card above entry list; summaries hidden until acknowledged. SessionStorage key tmg_practitioner_summary_noticed. |
Practitioner — AI Dialog (AITab.tsx) | First message send per session (Send button or Enter key) | Message text plus session context: pattern scores, comparison signals, practitioner notes, astrological outputs. No client name, email, or birth data. | Modal on first send; sessionStorage key tmg_practitioner_dialog_noticed suppresses on subsequent messages |
Provides database, authentication, hosting, and cloud functions. Stores all Firestore data, authentication UIDs, and push tokens across US and EU data centres.
firebase.google.com/support/privacyProvides the Claude AI API for optional AI summaries and AI dialog features. Data sent varies by touchpoint — see Section IV for the full breakdown. No name, email, or access code is ever included. Anthropic does not use this data to train models. This processor is only engaged when an AI feature is actively used by a user who has completed the opt-in setup.
anthropic.com/privacyHosts our Swiss Ephemeris calculation API for astrological positions. Data sent: birth date, time, and location — not linked to your identity. Migrated from Railway to Google Cloud Run in May 2026.
cloud.google.com/terms/cloud-privacy-noticeUsed for sending reminder emails and PDF delivery. Google's standard privacy terms apply.
Our primary infrastructure is based in the United States. EU/EEA/UK transfers are covered by Standard Contractual Clauses (SCCs) and, for Firebase, participation in the EU-US Data Privacy Framework. You may request a copy of the relevant transfer mechanisms by emailing Lisa@TripleMoonGoddess.com.
| Data Type | Retention Period |
|---|---|
| Journal entries & health data | Indefinitely until you delete via Settings → Danger Zone |
| Identity data (name/email) | Until deletion request or chart deletion |
| Notification log | Auto-deleted after 3 days |
| AI rate limit counters | Expire naturally as new days begin (keyed by date) |
| FCM push tokens | Until push disabled or token becomes invalid |
| Email queue | Processed immediately; not retained after delivery |
The Integrative Practitioner and Soul Pattern apps use client-side encryption to protect sensitive practitioner data at rest in Firestore. Encryption and decryption happen entirely in the practitioner's browser. No plaintext ever leaves the device for encrypted fields, and no key material is ever sent to any server.
Encrypted data includes: practitioner clinical notes, psychological readings, and client email records. Client emails are encrypted and the plaintext email field is deleted from Firestore at the moment of client assignment. Even if the Firestore database were fully compromised, these records would be unreadable without the practitioner's passphrase.
The cryptographic stack uses XSalsa20-Poly1305 authenticated encryption (confidentiality and tamper detection) with scrypt key derivation. The practitioner's passphrase is never stored or transmitted — not in the browser, not in Firestore, not in any server log. The encryption key exists only in browser sessionStorage for the duration of the active tab and is cleared when the tab closes or the practitioner signs out.
Passphrase recovery is not possible. There is no server-side escrow, no recovery key, and no reset flow. If a passphrase is lost, encrypted data cannot be recovered. This is intentional.
The following data is protected by Firestore security rules but not by client-side encryption: natal chart data, client intake answers, intake match results, journal entries, and Soul module session data.
All data transmitted over HTTPS (TLS 1.2+). Data encrypted at rest via Firebase/Firestore encryption. API keys stored in Google Cloud Secret Manager — never in code. Firebase Security Rules restrict database access to each authenticated user's own data. Admin portal restricted to a single authorised account. Health data and identity data are physically separated in distinct Firestore collections — no single record contains both.
If a personal data breach occurs, we will act without undue delay to investigate and contain it. Where the breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in line with GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, in line with GDPR Article 34. For users in the United States, we will provide notification as required by applicable state breach-notification laws, including California Civil Code §§ 1798.29 and 1798.82. Because your identity data and your health data are held in physically separate Firestore collections, a breach affecting one does not necessarily expose the other.
We do not use advertising cookies or tracking pixels. We use browser local storage and sessionStorage only for strictly necessary app functions:
| Key / Purpose | Storage type | Who it applies to |
|---|---|---|
| Access code (session continuity) | localStorage | All users |
| Consent decision and timestamp | localStorage | All users |
| Firebase authentication session cache | localStorage | All users |
| Widget email preference (phone widget only) | localStorage | Widget users |
tmg_minor_chart — natal chart data for the age-appropriate 13–17 experience. Device-local only; no data written to any TMG server. | localStorage | Users aged 13–17 only |
tmg_ai_dialog_noticed — records that the Journal AI Dialog privacy notice has been shown this session. | sessionStorage | Journal users who use AI Dialog |
tmg_practitioner_summary_noticed — records that the Practitioner AI Summary privacy notice has been acknowledged this session. | sessionStorage | Practitioners with AI summaries enabled |
tmg_practitioner_dialog_noticed — records that the Practitioner AI Dialog privacy notice has been shown this session. | sessionStorage | Practitioners who use AI Dialog |
No third-party tracking cookies are used. None of the above keys are shared with any third party. SessionStorage keys expire automatically when the browser tab closes.
The full TMG platform — Health Journal, Tea Moon, Health Blueprint, and practitioner apps — is intended for adults aged 18 and over. We do not knowingly collect personal data from children under 13 (or under 16 in the EU/EEA). If you believe a child under 13 has submitted data to us, please contact Lisa@TripleMoonGoddess.com and we will delete it immediately.
The main natal chart app offers a limited, age-appropriate experience for users aged 13–17, with parental consent required before any chart is generated. This experience is designed with privacy as the default: no account is created, no email is collected, and no data is written to any server. The natal chart is calculated using the Swiss Ephemeris API (birth date, time, and location are transmitted for computation only and not stored by TMG) and stored locally on the user's device under the key tmg_minor_chart (see Section IX). The chart can be cleared at any time by tapping "New Chart." Secondary apps — Health Journal, Tea Moon, Health Blueprint, and the practitioner apps — are not available to users under 18.
Parental or guardian consent is collected within the app before chart generation for any user whose birth date indicates they are between 13 and 17. By providing consent, the parent or guardian confirms they have reviewed and agreed to this privacy policy on behalf of the minor.
Right to be informed (fulfilled by this policy), right to delete data (Settings → Danger Zone), right to withdraw consent at any time.
Right to know, right to delete, right to opt out of sale (we do not sell data), right to non-discrimination, and right to correct inaccurate personal information. Categories collected: identifiers, health/medical information, internet/electronic activity (Firebase analytics). Sold/shared: No.
Users in these jurisdictions have equivalent rights to access, correction, anonymisation, portability, and deletion. Contact Lisa@TripleMoonGoddess.com. Australian users may also escalate to the OAIC.
The Integrative Practitioner, Soul Pattern, and Constitutional Health apps are separate paid-tier applications. Their data architecture differs from the individual seeker apps.
Practitioners enter client birth data (date, time, location) to generate a natal chart and derived outputs. The practitioner also enters a client email address as the client identifier within their account. That email is encrypted client-side at the moment of entry — the plaintext is immediately deleted from Firestore and never stored unencrypted on any server. Even if the database were compromised, client email records would be unreadable without the practitioner's passphrase.
The practitioner view surfaces chart-derived outputs: sign placements, house positions, constitutional profile, pattern group scores, and comparison signals. Practitioners do not see raw birth data displayed back to them after chart generation — the chart describes the person through derived outputs, it does not display the underlying date, time, and location as identifying fields.
Birth data entered by a practitioner is used solely to calculate the natal chart for that client record. It is stored in the practitioner's Firestore account under their authenticated UID, protected by Firebase Security Rules. It is not shared with other practitioners, not used for advertising, and not linked to any identity record in the research corpus.
Soul module sessions, pattern scores, comparison signals, and practitioner follow-up feedback may contribute to the TMG longitudinal research corpus. All research records are pseudonymized before inclusion. The pseudonymized record contains pattern-level and astrological signal data only — for example, whether a particular planetary aspect correlates with a reported pattern across a population. No name, email, birth date, birth time, or birth location is included in any published or shared research output. The link between a client record and its pseudonymized research entry is stored separately from the research corpus and is never published.
Practitioner apps use client-side encryption for sensitive fields. See Section VIII for full technical detail. The passphrase is the practitioner's responsibility — TMG has no recovery mechanism and cannot access encrypted data under any circumstances.
We will update this policy when our data practices change. Material changes will be communicated via an updated notice on the consent screen within the app and an updated effective date at the top of this document. Continued use of the app after a material change constitutes acceptance. Where legally required, we will re-obtain explicit consent.
For any privacy-related question, data request, or complaint:
Triple Moon Goddess
Lisa Hagan
3654 Thornton Ave, Unit #748
Fremont, CA 94536
United States
Email: Lisa@TripleMoonGoddess.com
If you are not satisfied with our response, you have the right to escalate to your local data protection authority:
EU/EEA: your national supervisory authority (ICO in UK, CNIL in France, BfDI in Germany) · California: California Privacy Protection Agency (CPPA) · Australia: Office of the Australian Information Commissioner (OAIC)