ExoAtlas Privacy Policy
Last Updated: April 28, 2026
1. Introduction
Welcome to ExoAtlas (the "Site"), a platform offering interactive tools and resources for celestial data visualization, orbital mechanics analysis, space launch tracking, and astronomical calculations. Your privacy is important to us. This Privacy Policy outlines how we collect, use, and protect your information when you use our services, including our web applications, API endpoints, and data catalogs.
2. Information We Collect
We collect the following types of information:
A. Account Information
When you create an ExoAtlas account, we collect information necessary to provide and manage your account:
- Email address
- Password (stored securely by Supabase using industry-standard hashing; ExoAtlas never has access to plaintext passwords)
- Phone number (if you register or enable two-factor authentication via SMS/OTP)
- Display name and profile information (if provided)
- Third-party authentication data (if you sign in via Google OAuth, we receive your name, email, and profile picture from Google)
- Account metadata (creation date, last sign-in, subscription tier)
B. Billing and Payment Information
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. ExoAtlas does not collect, store, or have access to your full credit card number, bank account details, or other sensitive payment credentials. We receive from Stripe:
- Subscription status (active, canceled, past due)
- Billing cycle and plan type (monthly or annual)
- Payment method summary (e.g., card brand and last four digits, for display in your account)
- Transaction history (invoice dates, amounts, and payment status)
For details on how Stripe handles your payment data, please review Stripe's Privacy Policy.
C. Personal Information (voluntarily provided)
- Name or other details submitted through contact or feedback forms
- Support inquiries and correspondence
D. Non-Personal Information (collected automatically)
- Browser type, operating system, device type
- IP address and geolocation (approximate, not GPS-level)
- Referring pages and exit URLs
- Time spent on the site and page interactions
- Website performance and error data
- Advertising data via Google AdSense
We use cookies, local storage, and similar technologies to gather this data for analytics, personalization, and advertising purposes.
E. Observing Location and Stargazing Preferences (voluntarily provided)
The Tonight's Sky planner, the home-page Tonight's Sky widget, and the profile preferences page allow you to save an observing location so we can compute personalized planet rise/set times, moon phase, conjunctions, and weather. This feature is opt-in: nothing is collected unless you take an action to provide it. Specifically, we may collect:
- Latitude and longitude that you (a) enter manually, (b) select from an Open-Meteo place-name search result, or (c) authorize your browser to share via the W3C Geolocation API after you click "Use my location". Your browser will prompt you for permission before any GPS-level coordinates are read; you may decline.
- Place label (e.g. "Boulder, CO") associated with the saved coordinates.
- Time-zone identifier derived from your saved coordinates.
- Bortle dark-sky class (1–9) that you select to reflect light pollution at your observing site.
- Tonight's Sky alert preferences — whether alerts are enabled, delivery channels (email, browser push), event types you care about (conjunctions, oppositions, meteor showers), and the minimum "tonight score" threshold for an alert.
If you are signed in, these values are stored in our Supabase database in a row tied to your account, with row-level security so that only you can read or modify them. If you are not signed in, the location is stored only in your browser's localStorage on the device you used and is never transmitted to our servers. You may delete the saved location at any time from the profile page or by clearing site data in your browser; deleting your account removes the saved location automatically.
Astronomical computations (rise/set, altitude, phase, conjunction detection) are performed entirely in your browser using public-domain algorithms and are not transmitted to ExoAtlas servers. Your saved coordinates are, however, sent to Open-Meteo when the page requests local cloud cover and weather, and to Open-Meteo's geocoding service when you use the place-name search box. See Section 5 for details on Open-Meteo.
3. How We Use Your Information
We use information to operate, maintain, and improve our services, including:
- Creating and managing your account
- Processing subscription payments and managing billing through Stripe
- Enforcing API rate limits and usage quotas based on your subscription tier
- Sending transactional emails (account verification, password resets, billing receipts)
- Computing personalized stargazing forecasts (planet visibility, moon phase, conjunctions, weather suitability) when you save an observing location, and — once you opt in — sending Tonight's Sky alerts to your chosen delivery channel
- Monitoring and improving website performance
- Analyzing user behavior to enhance site content and usability
- Displaying personalized ads via Google AdSense (Free plan users only)
- Responding to inquiries or support requests
We do not sell your personal information to any third party.
4. Cookies and Tracking
We use cookies to personalize content, analyze our traffic, and serve advertisements. These include essential, performance, functional, and targeting cookies. To manage your cookie preferences, we use Cookiebot, a Consent Management Platform (CMP) that appears upon your first visit. This tool allows you to:
- Accept all cookies
- Deny all non-essential cookies
- Customize your cookie preferences by category
You can update your preferences at any time through the Cookiebot banner or by adjusting your browser settings.
You may also opt out of personalized advertising through Google Ads Settings.
Cookie Inventory
The following table summarizes the cookies identified on ExoAtlas.com, based on our most recent Cookiebot scan (March 2026). For the most current details, review the Cookiebot consent dialog on the site.
This table reflects our most recent Cookiebot scan. Actual cookies may vary based on your consent preferences and third-party service updates. All data destinations listed above are classified as adequate under GDPR. You can manage cookie preferences at any time through the Cookiebot consent banner.
5. Third-Party Services
We partner with trusted service providers to help deliver, secure, and improve the site. These include:
- Supabase — User authentication, account management, and database services. Supabase stores your account credentials and profile data. See Supabase Privacy Policy
- Stripe — Secure payment processing and subscription management. Stripe processes and stores payment credentials. See Stripe Privacy Policy
- Cloudflare — Security, CDN, DNS, SSL/TLS encryption, DDoS protection, Workers (serverless compute), Pages (web hosting), and R2 (object storage)
- Google Analytics — Usage analytics and site performance monitoring
- Google AdSense — Display advertising to support free access to tools (Free plan users only; Pro users are not served ads)
- Cookiebot — Consent Management Platform (CMP) for GDPR/CCPA compliance
- NASA JPL Horizons — Ephemeris and orbital data (public API)
- IAU Minor Planet Center — Ephemeris and orbital data (public API)
- The Launch Library 2 — Space launch tracking data (public API)
- Open-Meteo — Free, no-API-key weather forecast and place-name geocoding services used by the Tonight's Sky planner. When you use these features, your saved or entered coordinates (and, for geocoding, the text you type) are transmitted to Open-Meteo's servers. Open-Meteo does not require accounts or API keys and states that requests are not personally tracked. See Open-Meteo Terms.
Each of these services may collect data in accordance with their own privacy policies. We do not control the data practices of these third parties.
6. Data Retention
We retain data according to the following guidelines:
- Account data (email, profile, authentication records) is retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
- Billing and transaction records are retained for a minimum of 7 years as required by tax and financial record-keeping regulations.
- API usage logs (request counts, rate limit data) are retained for up to 90 days for abuse prevention and service optimization.
- Non-personal data (analytics, performance logs) is retained indefinitely for business analysis and site improvement.
- Voluntarily submitted data (contact form inquiries, support emails) is retained only as long as needed to fulfill your request, after which it is archived or deleted.
7. Your Rights
If you are in the European Union, European Economic Area (EEA), the United Kingdom, Switzerland, or California, you have certain rights regarding your data under GDPR or CCPA.
A. European Union User Consent Policy - General Data Protection Regulation (GDPR)
Users in the European Union, European Economic Area (EEA), United Kingdom, and Switzerland: In accordance with the Google EU User Consent Policy and GDPR, we inform users that this site uses cookies and other local storage technologies to collect data. This data may be used for personalized ads and content, ad and content measurement, audience insights, and product development.
We use Cookiebot as our Consent Management Platform to ensure compliance with GDPR requirements. You have the right to:
- Access your personal data
- Rectify inaccurate data
- Request deletion of your data ("right to be forgotten")
- Object to data processing
- Withdraw consent at any time
- Data portability
To exercise these rights, please contact us.
B. California Residents - California Consumer Privacy Act (CCPA) Notice
If you are a California resident, you have rights under the CCPA, including:
- The right to know what personal information we collect and how we use it
- The right to request that we delete your personal information
- The right to opt out of the sale of your personal information
While ExoAtlas does not sell personal data in the traditional sense, we may share usage data with third-party advertisers such as Google AdSense. To learn more or to submit a data request, please contact us.
C. Other U.S. State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy legislation may have additional rights, including:
- The right to access, correct, and delete personal data
- The right to opt out of targeted advertising and data profiling
- The right to data portability
To exercise any of these rights, please contact us. We will respond to verified requests in accordance with applicable law.
8. Security
We take the security of your data seriously and implement multiple safeguards to protect your information:
- SSL Encryption: All connections to ExoAtlas are secured using industry-standard TLS (SSL) encryption. This ensures that data transferred between your browser and our servers remains private and tamper-proof.
- HTTP Strict Transport Security (HSTS): We enforce HSTS to ensure browsers only connect to our site over secure HTTPS. This protects against protocol downgrade attacks and SSL stripping.
- DNSSEC Support: Our domain is protected with DNS Security Extensions (DNSSEC), adding an additional layer of authenticity to our DNS records and helping to prevent domain spoofing.
- Cloudflare Integration: We utilize Cloudflare as our DNS host and security gateway, which provides protection against DDoS attacks, malicious bots, and unauthorized access attempts. Cloudflare also manages our edge SSL certificates, with automatic renewal for continuous HTTPS coverage.
- Access Control: Only authorized administrators can access backend systems and analytics, with permissions managed under least privilege principles. These permissions are reviewed and audited regularly.
While no method of transmission over the internet is completely secure, we are committed to implementing best practices and evolving our defenses in line with emerging threats. If you have any security-related concerns, please contact us at contact@exoatlas.com.
9. Data Processing and International Transfers
ExoAtlas operates globally via Cloudflare's edge network. Your data may be processed and stored in data centers located in various countries, including the United States. By using our services, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.
10. Data Breach Notification
In the event of a data breach that compromises your personal information, ExoAtlas LLC will notify affected users without undue delay. In compliance with GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach. Notifications will include a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
11. Do Not Track (DNT) Disclosure
Some browsers transmit a "Do Not Track" (DNT) signal to websites. At this time, ExoAtlas does not respond to DNT signals. However, you can manage your tracking preferences through our Cookiebot consent banner, your browser's cookie settings, or the Google Ads Settings page.
12. Children's Privacy
ExoAtlas is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last Updated" date at the top. We encourage you to review it periodically. Continued use of the Site after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us.