Khadira
Skip to content

Privacy Policy

Version 2026-04

Last updated: 13 April 2026

1. Who we are

Khadira is operated by KHADIRA AI LIMITED, a company registered in England and Wales (Companies House number 16637439) with its registered office at 128 City Road, London EC1V 2NX.

For all data protection matters, contact us at privacy@khadira.ai.

We have not appointed a Data Protection Officer. This is not required at our current scale and processing activity under Article 37 of the UK GDPR.

2. Data we collect

When you sign up and use Khadira, we collect and process the following categories of personal data:

CategoryExamplesWhy we collect itSource
Email addressyour@email.comAuthentication (magic link), account recoveryYou — signup form
Display name (optional)"Alex"Personalising chart references; not requiredYou — profile settings
Birth date1990-05-14Calculating your natal chartYou — birth data form
Birth time14:32 localCalculating gate lines (sensitive to ~15-minute precision)You — birth data form
Birth location"London, UK" → 51.5074, -0.1278, Europe/LondonCalculating planetary positions at your birth momentYou — birth data form, resolved via Mapbox
Calculated chart JSONgates, channels, centers, profile, type, authority, incarnation cross, variablesDelivering the service (the chart IS the deliverable)Computed by Khadira from your birth data
Planetary returnsevent timestamps, aspect tablesOn-demand retrieval in the MCPComputed by Khadira
Transit calculationscurrent planetary positions vs your chartOn-demand retrieval in the MCPComputed by Khadira
IP address203.0.113.42Used only by Supabase for auth rate limiting — NOT stored by KhadiraReceived from your browser at auth time
Acceptance recordstimestamp + policy version (e.g. "2026-04")Article 7 audit trail proving you accepted these policiesYou — /accept page

We practise data minimisation: we collect only what is necessary to deliver your chart and to demonstrate compliance with these policies.

3. Why we process it

Lawful basis

We process your birth data and generated chart JSON under Article 6(1)(b) of the UK GDPR — processing is necessary for the performance of the contract between you and Khadira. The chart calculation is the service; we cannot deliver it without this data.

We retain your acceptance records (timestamps and policy versions) under Article 6(1)(c) — compliance with a legal obligation (demonstrating valid consent for these policies themselves).

Special category data

Your birth date, time, and place are not special category data under Article 9 of the UK GDPR. Article 9 covers racial/ethnic origin, political opinions, religious beliefs, trade-union membership, genetic and biometric data, health data, and data about sex life or sexual orientation. Birth facts — the astronomical data used to calculate a Human Design chart — are ordinary personal data.

Automated decision-making

Your chart is produced by astronomical calculation from the data you provide. We do not make automated decisions about you with legal or similarly significant effect, and we do not profile you for advertising.

4. Who we share it with

We rely on the following sub-processors to deliver the service. Each has a data processing agreement (DPA) in place:

Sub-processorServiceLocationData sharedSafeguard
Supabase Inc.Authentication, PostgreSQL, built-in auth rate limitingFrankfurt, EU (eu-central-2)Email, chart JSON, persons data, acceptance recordsSupabase DPA
Brevo (Sendinblue SAS)Transactional email (magic-link delivery)France, EUEmail address + magic-link URL (sent in email body)Brevo DPA
MapboxGeocoding of birth locations (town → lat/lon/timezone)United StatesBirth location text (e.g. "London, UK") — no email, no user IDMapbox DPA; UK International Data Transfer Addendum (IDTA) + Standard Contractual Clauses (SCCs)
EU-based VPS providerApplication hostingEuropean Union (specific provider confirmed at Phase 29 lock-in)All data in transitPhase 29 decision — provider DPA will be linked here once selected

We do not sell your data. We do not share your data with advertisers or analytics providers. We use no third-party analytics at launch.

5. How long we keep it

While your account is active, we retain your data so the service continues to work. Birth data and chart calculations are stable by nature — they describe events that do not change — so there is no operational reason to delete while you are using Khadira.

When you close your account (by emailing privacy@khadira.ai), we delete all your personal data within 30 days. This includes your birth data, chart JSON, returns data, transits, composite records, and acceptance history.

Acceptance records are retained for the lifetime of your account plus 30 days after closure. These are the audit trail proving valid consent for these policies.

Backups managed by our sub-processors (e.g. Supabase) follow their own retention schedules and may take longer than 30 days to purge. We cannot accelerate sub-processor backup purging.

6. Your rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (equivalent to account closure)
  • Restriction — ask us to stop processing in specific circumstances
  • Objection — object to processing based on legitimate interests (not applicable here — we rely on contract, not legitimate interest)
  • Data portability — receive your data in a structured, commonly used format (we will provide chart JSON on request)
  • Complain to a supervisory authority — the UK regulator is the Information Commissioner's Office (ico.org.uk)

To exercise any of these rights, email privacy@khadira.ai. We will respond within one month.

7. Cookies & similar

Khadira uses only strictly necessary cookies for authentication — specifically the Supabase session cookie that keeps you logged in. We use no analytics cookies, no advertising cookies, no social-media tracking cookies.

Strictly necessary cookies do not require a consent banner under PECR regulation 6(4). If we add any non-essential cookies in the future, we will ask for your consent first.

8. International transfers

Most of your data stays in the European Economic Area (EEA): Supabase hosts our database in Frankfurt, Germany; Brevo sends our transactional email from France.

Mapbox (used to geocode birth locations) is based in the United States. Transfers of the birth location text to Mapbox rely on the UK International Data Transfer Addendum (IDTA) combined with the EU Standard Contractual Clauses (SCCs) in Mapbox's DPA. Only the birth location string (e.g. "London, UK") crosses the wire — we do not share your email, name, or other identifiers with Mapbox.

9. Changes to this policy

When we update this Privacy Policy, we bump the version string and require you to re-accept the new version the next time you use the Khadira MCP. This ensures your acceptance is always current.

For material changes (new sub-processors, new data categories collected, changed retention rules), we provide at least 30 days' notice by email to the address you registered with.

Previous versions of this policy are preserved in our public git repository; the version string on this page corresponds to a specific commit.

10. Contact

Questions about this policy, requests to exercise your rights, or account-closure requests: privacy@khadira.ai.

Postal address (only for formal notices): KHADIRA AI LIMITED, 128 City Road, London EC1V 2NX, United Kingdom.

See also our Terms of Service.

Contents