Privacy Policy
Last updated: June 13, 2026
1. Who We Are
Pentasophy ("we," "us," or "our") is the data controller responsible for your personal data. Our service provides personalized energy pattern analysis based on birth data, powered by AI. For privacy-related inquiries, contact us at privacy@pentasophy.com.
2. What Data We Collect
We collect the following categories of personal data:
- Birth Data: Your birth date (year, month, day), time (hour, minute), city of birth, and gender. This is the foundation of our energy pattern analysis.
- Account Data: Your email address and display name, provided when you create an account.
- Conversation Data: Messages you send and receive during interactions with our AI companion, including any personal context you choose to share.
- Usage Data: Basic technical data such as IP address, browser type, and timestamps, collected automatically through standard web server logs.
3. How We Use Your Data
We use your personal data exclusively for the following purposes:
- Chart Calculation: Your birth data is processed to generate your energy pattern chart (Ba Zi analysis).
- AI Conversations: Your messages and birth chart data are sent to our AI provider to generate personalized responses.
- Memory System: Key facts you share (e.g., career, relationship context) are stored to provide more relevant responses across sessions. You can view and delete these memories at any time from your profile.
- Service Operation: Email is used for authentication, account recovery, and essential service notifications.
We do not sell your personal data. We do not use your conversation data to train AI models.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and the UK, we process your personal data under the following lawful bases:
- Consent: You provide explicit consent when you enter your birth data and create an account. You may withdraw consent at any time by deleting your account.
- Contractual Necessity: Processing your birth data and messages is necessary to deliver the core service you requested.
- Legitimate Interest: Basic usage data is processed for security monitoring and service improvement.
5. Sub-Processors
We use the following third-party services to operate Pentasophy. Each sub-processor is contractually bound to handle your data only as instructed:
- DeepSeek (深度求索): AI model provider. Your messages and birth chart data are transmitted to DeepSeek's API to generate responses. Processing location: Singapore / China.
- Supabase: Database and authentication provider. Your account data, birth data, conversation history, and memories are stored in Supabase's PostgreSQL database. Data is encrypted at rest (AES-256) and in transit (TLS). Processing location: United States (us-east-1).
- Vercel: Hosting and deployment platform. Processes request logs and basic traffic data. Processing location: United States.
6. Data Retention
We retain your personal data for as long as your account remains active. When you delete your account, all associated data (birth data, conversation history, memories, and account information) is marked for deletion and permanently removed from our systems within 30 days. You may also delete individual conversation threads or memories at any time without deleting your entire account.
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption at Rest: All database content is encrypted using AES-256 via Supabase.
- Encryption in Transit: All data transmission uses TLS 1.2+.
- Row-Level Security (RLS): Supabase RLS policies ensure each user can only access their own data.
- Authentication: Secure password hashing via Supabase Auth. Session tokens are stored in HTTP-only cookies where possible.
No method of electronic storage is 100% secure. We strive to use commercially acceptable means to protect your data but cannot guarantee absolute security.
8. Your Rights
Under GDPR (EEA / UK users):
- Right of Access: Request a copy of your personal data. You can export your data as JSON from your profile settings at any time.
- Right to Rectification: Correct inaccurate or incomplete data through your profile settings.
- Right to Erasure: Delete your account and all associated data from your profile page.
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON).
- Right to Restrict Processing: Request that we limit how your data is used.
- Right to Object: Object to processing based on legitimate interests.
Under CCPA (California residents):
- Right to Know: Request disclosure of what personal data we collect and how we use it (this policy serves as that disclosure).
- Right to Delete: Request deletion of your personal data.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Important: We do not sell personal data as defined under CCPA.
To exercise any of these rights, email us at privacy@pentasophy.com or use the self-service tools in your profile settings. We will respond within 30 days as required by law.
9. Cookies
We use only strictly necessary cookies for authentication and session management. These cookies are essential for the service to function and do not track you across other websites. We do not use:
- Third-party tracking cookies
- Advertising cookies
- Analytics cookies (we do not use Google Analytics or similar)
Because we only use essential cookies, a cookie consent banner is not required under Article 5(3) of the ePrivacy Directive. However, you may configure your browser to block all cookies; note that this will prevent you from logging in.
10. International Data Transfers
Your data is stored and processed in the following locations:
- Supabase: United States (AWS us-east-1)
- Vercel: United States (global edge network)
- DeepSeek API: Singapore / China
When data is transferred outside the EEA or UK, we ensure adequate safeguards are in place through standard contractual clauses (SCCs) where applicable and through review of each sub-processor's security certifications and compliance documentation.
11. Children's Privacy
Pentasophy is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@pentasophy.com and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via:
- Email notification to your registered email address
- A notice displayed within the Pentasophy application
- An updated "Last updated" date at the top of this page
Continued use of Pentasophy after changes take effect constitutes acceptance of the updated policy.
13. Contact
For questions about this Privacy Policy or to exercise your data rights, contact:
Email: privacy@pentasophy.com
You also have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK or your EU member state's DPA).
