Privacy Policy

Effective Date: May 13, 2026 | Last Updated: May 13, 2026

Not Legal Advice. This policy is provided for informational purposes. Callisto Consulting Group LLC DBA Callisto Tech recommends that users with specific legal concerns consult a qualified attorney.

1. Who We Are

Astra Financial Aid Advisor ("Astra," "we," "us," or "our") is operated by Callisto Consulting Group LLC DBA Callisto Tech, a limited liability company organized under the laws of the State of Colorado. Our principal place of business is in Colorado.

2. Scope of This Policy

This Privacy Policy describes how we collect, use, disclose, and protect information you provide when you use the Astra platform, including our website at astra-ed.org and any related services (collectively, the "Service"). By using the Service, you agree to the practices described here.

3. Information We Collect

3.1 Information You Provide Directly

Account information: name, email address, and (for local accounts) a hashed password.
Financial aid data: Expected Family Contribution (EFC/SAI), income figures, household size, and college selections you enter to generate personalized analyses.
Payment information: subscription billing is processed entirely by Stripe, Inc. When you enter payment details, that information is submitted directly to Stripe's secure servers via Stripe's embedded payment form — it never passes through or is stored on Astra's servers. We do not collect, see, or retain your credit card number, CVV, or bank account details at any time.

Your credit card is handled exclusively by Stripe.
Astra never receives, processes, or stores your payment card details. All transactions are handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor — the highest level of certification available. What Astra receives from Stripe is limited to: subscription status (active/inactive), a masked card summary (e.g., "Visa ending in 4242"), and a Stripe customer ID. See Stripe's Privacy Policy and Stripe's Security overview for full details.

3.2 Information Collected Automatically

Authentication tokens: session identifiers stored in a secure, HttpOnly cookie (JSESSIONID).
Log data: server-side logs may include IP addresses, browser type, pages visited, and timestamps for security and debugging purposes.
Cloudflare RUM data: our hosting infrastructure uses Cloudflare, which may collect performance and availability metrics under its own privacy policy.

3.3 Information from Third-Party Authentication

If you sign in with Google ("Sign in with Google"), we receive from Google your name, email address, and Google account identifier. We do not receive your Google password. This is governed by Google's OAuth 2.0 scope (openid, profile, email).

4. How We Use Your Information

To create and manage your account and authenticate your identity.
To generate personalized financial aid analyses and AI-assisted guidance.
To process subscription payments and manage access to premium features.
To send transactional communications (e.g., account-related emails).
To improve the accuracy, reliability, and security of the Service.
To comply with applicable legal obligations.

We do not sell your personal information to third parties. We do not use your data for targeted advertising.

5. FERPA Compliance

    Important Notice Regarding Student Education Records.
    The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its
    implementing regulations at 34 C.F.R. Part 99, protect the privacy of student education records
    maintained by educational institutions. Astra is designed as a consumer-facing advisory tool,
    not as a school official or agent of an educational institution.
  

5.1 Our Relationship to FERPA

Astra is not a covered "educational institution" under FERPA and does not maintain "education records" as defined by FERPA on behalf of a school. Any financial or academic data you enter into Astra is voluntarily submitted by you directly and is not obtained from or shared back to an educational institution without your explicit action.

5.2 Data You Enter

Financial figures, family circumstances, and college preferences you enter are used solely to generate your personalized analysis. We treat this information as sensitive personal data subject to the protections described in this Policy.

5.3 If You Are a Minor

If you are under 18, you should use this Service only with the involvement and consent of a parent or legal guardian. We do not knowingly collect personal information from children under 13 without verifiable parental consent as required by COPPA.

5.4 Institutional Use

If Callisto Tech enters into a separate agreement with an educational institution to provide Astra as part of that institution's services, a Data Processing Agreement (DPA) and applicable FERPA-compliant data handling provisions will govern that relationship. Contact [email protected] for institutional licensing.

6. Colorado Privacy Act (CPA) Rights

As a Colorado-based business, we comply with the Colorado Privacy Act, C.R.S. § 6-1-1301 et seq. (effective July 1, 2023). If you are a Colorado resident, you have the following rights with respect to your personal data:

Right to Access: You may request a copy of the personal data we hold about you.
Right to Correction: You may request correction of inaccurate personal data.
Right to Deletion: You may request deletion of your personal data, subject to legal retention obligations.
Right to Portability: You may request your data in a portable, readily usable format.
Right to Opt Out of Sale: We do not sell personal data. This right is not applicable.
Right to Appeal: If we decline to act on your request, you have the right to appeal our decision.

To exercise any of these rights, email us at [email protected] with the subject line "CPA Privacy Request." We will respond within 45 days as required by law, with a possible 45-day extension with notice.

7. Third-Party Service Providers

We share data with the following third parties solely to operate the Service:

Google LLC — OAuth 2.0 authentication (sign-in only). Google Privacy Policy
Stripe, Inc. — Payment processing and subscription management. Stripe is a PCI-DSS Level 1 certified processor. Your full card details are entered directly into Stripe's hosted payment form and are never transmitted to or stored by Astra. Astra receives only subscription status, a masked card identifier, and a Stripe customer ID. Stripe Privacy Policy · Stripe Security
Groq, Inc. — AI language model inference (LLaMA 3.3 70B) used to generate financial aid guidance. When you submit a query, the financial aid figures and context you enter are transmitted to Groq's API to produce a response. Groq processes this data solely as a service provider; it does not use your data to train models or for any purpose beyond fulfilling the request. No account credentials or payment details are ever included in AI queries. Groq Privacy Policy
Railway Corp. — Cloud hosting and infrastructure.
Cloudflare, Inc. — Content delivery, DDoS protection, and performance monitoring. Cloudflare Privacy Policy

We do not authorize these parties to use your data for any purpose other than providing services to us.

8. AI-Generated Content — Important Disclaimer

    AI responses are for informational purposes only and do not constitute financial, legal, or professional advice.
    Callisto Consulting Group LLC DBA Callisto Tech expressly disclaims all liability arising from reliance on AI-generated content.
  

8.1 How AI Responses Are Generated

Astra uses Groq, Inc.'s API to power its AI guidance feature. When you submit a query, the financial figures and context you provide are sent to Groq's servers, processed by the LLaMA 3.3 70B language model, and a response is returned to you. Callisto Tech does not author, control, or guarantee the output of any AI-generated response.

8.2 Nature of AI Content

All AI-generated responses on this platform are intended solely to provide general informational context about financial aid concepts, loan structures, and college cost data. They are designed to help you understand and organize factual information — not to tell you what to do.

AI responses do not constitute financial, investment, legal, tax, or professional advice of any kind.
AI responses do not replace consultation with a licensed financial aid counselor, certified financial planner, or attorney.
AI responses may contain errors, omissions, or outdated information. Language models can produce inaccurate outputs.
Astra does not use AI to make decisions about you or take any automated action affecting your rights.

8.3 Your Responsibility

All financial aid, borrowing, and educational decisions remain entirely your own. Callisto Consulting Group LLC DBA Callisto Tech, its officers, members, and agents expressly disclaim any liability for decisions made in reliance on AI-generated content produced through this Service, to the fullest extent permitted by applicable law, including the laws of the State of Colorado.

We encourage you to verify any AI-generated figures against official sources such as your institution's financial aid office, the U.S. Department of Education's StudentAid.gov, and the College Scorecard.

9. Data Retention

We retain your account information and entered data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., financial records, legal disputes).

10. Security

We implement industry-standard safeguards to protect your data, including:

TLS/HTTPS encryption for all data in transit.
Passwords stored using bcrypt hashing — never in plaintext.
Secure, HttpOnly, SameSite cookies for session management.
Access controls limiting who can access production data.

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your information using commercially reasonable means.

11. Cookies

We use the following cookies:

JSESSIONID — Strictly necessary session cookie. Identifies your authenticated session. Expires when you log out or close your browser.
oauth2_auth_req — Short-lived (3-minute) cookie used during Google OAuth sign-in to preserve state. Deleted after login completes.

We do not use advertising, tracking, or analytics cookies.

12. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at [email protected].

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date. Your continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Colorado, without regard to its conflict of law provisions. Any disputes arising under this Policy shall be subject to the exclusive jurisdiction of the courts located in Colorado.

15. Contact Us

For privacy-related questions, requests, or concerns:

Company: Callisto Consulting Group LLC DBA Callisto Tech
State of Organization: Colorado, USA
Email: [email protected]
Website: astra-ed.org