AskTarot

Privacy Policy

Last updated · 2026-05-19

This policy explains, in plain language, what AskTarot collects, why we collect it, who else sees it, and the choices you have. We wrote it to be read, not to hide behind. If anything is unclear, write to us.

On this page
  1. Introduction & Scope
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing (GDPR / UK)
  5. AI Processing Disclosure (Read This First)
  6. Third-Party Services and Sub-processors
  7. Cookies and Tracking Technologies
  8. Data Retention
  9. Data Security
  10. International Data Transfers
  11. Your Privacy Rights (GDPR / UK / Switzerland)
  12. California Privacy Rights (CCPA / CPRA)
  13. Children's Privacy
  14. Sensitive Personal Information Notice
  15. Changes to This Policy
  16. Contact Us

1. Introduction & Scope

AskTarot ("AskTarot," "we," "us," or "our") is an AI-assisted tarot reading service offered through our website and mobile-responsive web application (collectively, the "Service"). AskTarot is operated by an independent developer (the "Operator") rather than by a registered corporation. For the purposes of this Policy and applicable data protection law, the Operator acts as the data controller. The Operator's full name and postal address are available on request via the contact email in §16.

This Policy describes the rights you have over your personal data under applicable laws, including the European Union General Data Protection Regulation (GDPR), the UK Data Protection Act, and the California Consumer Privacy Act as amended by the CPRA (CCPA). AskTarot is not offered to users located in jurisdictions subject to comprehensive US, EU, or UK sanctions; see §2 of our Terms of Service for the current list. By using AskTarot you confirm that you have read, understood, and agreed to this Policy.

2. Information We Collect

We collect three categories of information.

Information you provide directly

When you create an account we collect your email address, a hashed password, and an optional display name. When you receive a reading you submit a free-text question and may optionally provide context (e.g., the area of life concerned). When you subscribe to a paid plan, our payment processor Creem.io collects your payment card details on our behalf; AskTarot itself never sees or stores full card numbers. We do not require — and discourage you from submitting — government identifiers, medical records, or financial information beyond what is necessary to pay.

Information collected automatically

When you use the Service we and our infrastructure providers receive your IP address, approximate geographic location (city-level), browser type and version, operating system, device identifiers, referring URLs, the pages you view, and timestamps. This information is logged for security, debugging, and product analytics.

Information from third parties

If you sign in via a third-party identity provider (e.g., Google), we receive your name, email address, and a unique identifier from that provider. If you contact us by email we retain the message and your address.

3. How We Use Your Information

We use your information to:

  • Provide and personalize the Service, including generating tarot readings
  • Authenticate you and maintain account security
  • Process payments and prevent fraud
  • Communicate transactional notices such as receipts, password resets, and refund confirmations
  • Comply with legal obligations including tax recordkeeping
  • Detect and prevent abuse, spam, and violations of our Terms
  • Improve the Service through aggregate, de-identified analytics
  • With your explicit opt-in consent, send occasional product announcements (you may unsubscribe at any time)

We do not sell your personal information, do not use your reading questions for AskTarot's own model training, and do not run third-party advertising networks on the Service.

5. AI Processing Disclosure (Read This First)

This is the most important section if you care about who sees your tarot questions.

Where your question goes

When you request a reading, the question text you type and the names of the cards drawn for you are transmitted in real time, over an encrypted HTTPS connection, to one or more of our AI providers — currently Anthropic, PBC (Claude API) and OpenAI, OpCo, LLC (GPT API), and from time to time additional third-party AI model providers we may engage. These providers run the AI models that generate your written interpretation. The interpretation is then returned to AskTarot and displayed to you.

What we send and what we do not

We send the question text, the drawn cards, the spread layout, and a short non-identifying session token. We do not send your email address, account ID, name, date of birth, IP address, or payment information to any AI provider. The AI providers therefore cannot link your question to your identity.

Training and retention by AI providers

AskTarot only engages AI providers that, under their commercial API terms, do not use API inputs or outputs to train their own models. We use these providers through their commercial API products, not their consumer chat products. Our current providers' published practices are:

  • Anthropic does not use API inputs or outputs to train its models. Inputs are retained for up to 30 days for trust-and-safety review and then deleted, unless a zero-retention agreement applies.
  • OpenAI does not use API inputs or outputs to train its models. API data is retained for up to 30 days for abuse monitoring and then deleted.

You can review the current terms at anthropic.com/legal and openai.com/policies. If we ever engage an AI provider whose terms would permit training on your inputs, we will not send your data to that provider unless we first update this Policy and obtain consent where required by applicable law.

Your reading history on AskTarot

Separately from the AI providers, AskTarot stores your readings in our own Supabase database so you can return to them. You may delete any individual reading or your entire history at any time from Account → Privacy. Deletion removes the data from the active database within 24 hours and from encrypted backups within 30 days. Anonymous (logged-out) readings are stored for 24 hours and then permanently deleted.

6. Third-Party Services and Sub-processors

To operate AskTarot we rely on the vendors listed below. Each vendor publishes its own Data Processing Agreement (DPA) and, where applicable, the European Commission's Standard Contractual Clauses (SCCs); we use these services subject to those published terms. We have not signed any bespoke data processing agreement that overrides or expands what the vendors publish.

| Vendor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | PostgreSQL database, authentication, file storage | United States |
| Vercel, Inc. | Application hosting, edge functions, image generation | United States · global edge |
| Anthropic, PBC | Claude AI model inference for readings | United States |
| OpenAI, OpCo, LLC | GPT AI model inference for readings | United States |
| Creem.io | Subscription billing & payment processing | European Union |
| Resend (planned) | Transactional email delivery | United States |

We will update this list when we add or remove sub-processors. Material changes will be announced in-product at least seven (7) days in advance.

7. Cookies and Tracking Technologies

AskTarot uses only first-party cookies that are strictly necessary or functional for the operation of the Service:

  • Authentication session cookies set by Supabase Auth, used to keep you signed in.
  • Language preference cookies set by next-intl, used to remember your selected interface language.
  • Theme preference cookies set by next-themes, used to remember your light/dark theme choice.

We do not use Google Analytics, Vercel Analytics, advertising pixels, behavioural tracking, or any other non-essential or third-party cookies. Because we do not set any cookie that requires consent under the EU ePrivacy Directive or the UK Privacy and Electronic Communications Regulations (PECR), AskTarot does not display a cookie consent banner.

You can clear or block these cookies at any time through your browser settings; doing so will sign you out and reset your language and theme preferences. If we ever introduce analytics or any other non-essential cookies, we will update this section in advance and display a consent banner where required.

8. Data Retention

We retain personal data only as long as needed for the purpose for which it was collected.

  • Account data: kept while your account is active. After you delete your account, identifying information is removed within 30 days, except where retention is required by law.
  • Reading history: kept until you delete the reading or your account.
  • Anonymous readings: 24 hours.
  • Payment records: retained by Creem.io and by AskTarot for the period required by applicable tax and accounting law (typically 7 years in the United States and European Union).
  • Server logs: 90 days, then deleted or aggregated.
  • Backups: encrypted backups containing data subject to deletion are overwritten on a rolling 30-day cycle.

9. Data Security

We protect your data using HTTPS/TLS in transit and rely on the encryption-at-rest, access-control, and platform security capabilities provided by our infrastructure vendors — primarily Supabase (encrypted PostgreSQL, Supabase Auth password hashing) and Vercel. Production data access is limited to the Operator. We monitor public security advisories for the open-source dependencies we use.

No system is perfectly secure. In the event of a personal-data breach affecting you, we will notify affected users and competent authorities within the timeframe required by applicable law (72 hours under GDPR, where the breach is likely to result in a risk to your rights and freedoms).

10. International Data Transfers

AskTarot is operated from outside the European Economic Area, and most of our sub-processors are based in the United States. When personal data is transferred from the EEA, UK, or Switzerland to the United States or other jurisdictions without an adequacy decision, that transfer takes place under the Standard Contractual Clauses (SCCs) issued by the European Commission as incorporated by reference into our vendors' published terms, supplemented by platform-level encryption.

11. Your Privacy Rights (GDPR / UK / Switzerland)

If you are located in the EEA, the UK, or Switzerland, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Request restriction of processing
  • Request portability in a machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • Lodge a complaint with your local supervisory authority (a list is at edpb.europa.eu)

To exercise any of these rights, email itrunswap@gmail.com from the address associated with your account. We will respond within 30 days and will not charge a fee except for manifestly unfounded or repetitive requests.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA:

  • Right to know what personal information we collect, the sources, purposes, and categories of third parties with whom we share it. The disclosures in §§2, 3, and 6 satisfy this requirement.
  • Right to delete personal information we have collected from you, subject to limited legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information (see §14).
  • Right to opt out of sale or sharing. AskTarot does not sell personal information and does not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months and have no plans to do so.
  • Right to non-discrimination for exercising any of the above.

To exercise these rights, email itrunswap@gmail.com. We will verify your identity by confirming the email is associated with your account and may ask for additional information. You may designate an authorized agent in writing.

13. Children's Privacy

AskTarot is intended for users aged 18 and over. We do not knowingly collect personal information from children under 13 (or under 16 in EEA member states whose national law sets a higher age). If we learn that we have collected personal information from a child below the applicable age without verified parental consent, we will delete it promptly. If you believe a child has provided us information, please contact itrunswap@gmail.com.

14. Sensitive Personal Information Notice

Tarot questions sometimes touch on topics that may qualify as special-category data under GDPR (Art. 9) or sensitive personal information under CCPA: health, sexual orientation, religious or philosophical beliefs, and mental state.

AskTarot does not require you to submit such information; you choose to do so at your own discretion. By submitting a tarot question that contains such content you provide explicit consent under Art. 9(2)(a) GDPR for the limited purpose of generating your reading. We do not use sensitive personal information for any purpose other than producing the reading you requested, and we do not share it beyond the AI providers described in §5. You may delete any reading at any time. If you do not wish to have sensitive information processed, we recommend phrasing questions in general terms.

If your question is about a crisis — including thoughts of self-harm, abuse, or a medical emergency — please contact a qualified professional or your local crisis line. Tarot is not a substitute for emergency care.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects the most recent revision. For material changes — such as new data uses, new sub-processors that affect your rights, or new categories of data collected — we will provide at least 7 days' advance notice by in-product banner and email. Continued use of the Service after the effective date constitutes acceptance.

16. Contact Us

For questions, complaints, or requests under this Policy, contact our privacy team at itrunswap@gmail.com. We aim to respond within five (5) business days and in any event within the periods required by applicable law. If you reside in the EU and we have not appointed an Art. 27 representative at the time of your inquiry, you may contact your local data protection authority directly.