Privacy Policy
Effective: 2 May 2026 · Version 2.0 (Early Access)
1. Who we are
Aster Board ("Aster Board", "we", "us", "our") is the operator of the asterboard.com website, progressive web app, and TV/remote interfaces (collectively, the "Service"). For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP), Aster Board acts as the data controller for personal data processed through your account. For California residents, this notice also serves as our CCPA/CPRA disclosure.
You can reach our privacy team at [email protected]. General support enquiries should go to [email protected].
2. Personal data we collect
Account information
When you create an account, our authentication provider (Clerk, Inc.) collects your email address and any sign-in method you choose (such as Google, Apple, or password). Clerk returns a stable identifier (the "Clerk user ID") which we store in our Postgres database to associate your saved content with you. We do not see or store your password.
Content you create
We store the cards, presets, playlists, memos, decks, flashcards, reminders, ad campaigns and display settings you choose to save. These records are scoped to your user ID and are only accessible to you and to staff members under the access controls in section 5.
Technical and security logs
To keep the Service secure and to comply with our legal obligations, we record limited technical information, including IP address (used for rate limiting and abuse prevention), browser/device user agent, timestamps, and the API endpoints you hit. These logs are kept for no longer than 30 days unless we are legally required to keep them longer (for example, to investigate fraud or security incidents).
Cookies and local storage
We use a small number of strictly necessary cookies set by Clerk for session management, plus browser localStorage and IndexedDB to cache your settings and offline content. We do not use third-party advertising or analytics cookies on the marketing pages. If we add analytics in the future we will update this notice and, where required, ask for your consent.
What sign-in cookies Clerk sets. Clerk handles every aspect of authentication for us, including the cookies that keep you signed in. The names and lifetimes are controlled by Clerk and may change as they update their platform; at the time of writing the primary cookie is __session (Clerk session JWT, scoped to asterboard.com, HttpOnly, Secure, SameSite=Lax, rotated on each request). A second short-lived cookie may be set briefly during sign-in flows. Both qualify as strictly necessary under GDPR ePrivacy because the Service cannot run an account without them. For the authoritative list, see Clerk's cookie documentation.
What we store in your browser. Your settings (themes, channel preferences, pinned cities, world clocks), unsynced drafts of cards / decks / memos, and the dual-sync queue live in localStorage and IndexedDB under keys prefixed with aster- and the Dexie database aster-studio. Signing out wipes them on the local device. We never send the contents of localStorage off-device on our own initiative — only the data you explicitly save to your account goes to our servers.
3. How we use your data
- To create and operate your account and authenticate you.
- To store and sync the content you create across the devices you sign in on.
- To deliver the curated content channels (wisdom, motivation, vocabulary, did-you-know, reflections, ESL) and the live API channels (NASA APOD, NYC subway, weather) and personalise the rotation according to your settings.
- To respond to support requests you send us.
- To detect, investigate and prevent abuse, fraud, security incidents, and violations of our Terms.
- To send service messages such as security alerts, billing confirmations and material changes to these terms (we do not send marketing email without your separate consent).
4. Legal bases (EEA / UK)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the Service you sign up for.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, and improve reliability.
- Legal obligation (Art. 6(1)(c)) — to retain limited records where law requires it.
- Consent (Art. 6(1)(a)) — for any optional processing we add later that requires it (for example, marketing email or non-essential analytics). You can withdraw consent at any time.
5. Who we share data with
We do not sell or rent personal data. We share it only with processors that help us run the Service, each under a written data processing agreement that limits their use to our instructions:
- Clerk, Inc. — authentication and identity management (United States).
- Railway Corp. — application hosting and managed Postgres database (United States; regional data centres).
- Cloudflare, Inc. — DNS, content delivery network and DDoS protection (global edge network).
- Resend / transactional email provider — to send account and security emails when applicable.
- Public content APIs (Wikipedia, JokeAPI, ZenQuotes, NASA APOD, Open-Meteo, Met Museum, and similar) — these are called from our servers and receive no personal data from us.
We may also disclose data to comply with a binding legal request, to protect the rights, property or safety of Aster Board, our users or the public, or in connection with a corporate transaction (for example, a merger or acquisition), in which case we will require the recipient to honour the commitments in this policy.
6. International data transfers
Aster Board is operated from the United States and our processors may be located in the United States and other jurisdictions. Where we transfer personal data of EEA, UK or Swiss data subjects outside their home jurisdiction, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), and on our processors' participation in the EU–US, UK–US and Swiss–US Data Privacy Frameworks where available. You can request a copy of the safeguards we use by emailing [email protected].
7. Data retention
- Account and content data — kept while your account is active. Deleted within 30 days of account deletion (backup retention may extend this by up to 35 days).
- Security and rate-limit logs — kept for up to 30 days, longer only where legally required.
- Billing records — kept for the period required by applicable tax and accounting law (typically 7 years).
8. Your rights
Depending on where you live, you may have the right to access, correct, port, restrict, object to, or delete the personal data we hold about you, and the right to lodge a complaint with a supervisory authority. To exercise any of these rights, email [email protected] or use the in-app deletion tool on the Account page (which permanently removes your Clerk account and all associated content).
California residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, to access and delete it, to correct inaccuracies, to limit the use of sensitive personal information, and to opt out of any "sale" or "sharing" (we do neither). We do not use sensitive personal information for any purpose beyond providing the Service.
9. Children
The Service is not directed to children under 13 (or 16 in the EEA and UK), and we do not knowingly collect personal data from them. If you believe a child has provided personal data, please contact [email protected] and we will delete it.
10. Security
We use industry-standard safeguards including TLS in transit, encryption at rest for our managed database, strict same-origin security policy on our APIs, rate limiting on every endpoint, and principle-of-least-privilege access for our staff. No system is perfectly secure, however, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting you, we will notify you and the relevant supervisory authority without undue delay where required by law.
11. Changes to this policy
When we make material changes to this policy we will update the "Effective" date at the top of the page and, where appropriate, notify you in-app or by email before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact
Privacy questions: [email protected]. General support: [email protected]. Early access feedback: [email protected].
This notice is intended to be readable by humans and to satisfy the information requirements of GDPR Articles 13–14, the UK GDPR, the California Consumer Privacy Act and similar laws. It is not legal advice. If you have specific compliance questions for your own deployment of Aster Board, please consult qualified counsel.