The Veil

    Privacy Policy

    Last updated: April 6, 2026

    This Privacy Policy explains how Tarot ("we", "us") collects, uses, and protects your personal data when you use our Service. We comply with the EU General Data Protection Regulation (GDPR) and, where applicable, the California Consumer Privacy Act (CCPA).

    1. Data Controller

    The data controller responsible for your personal data is the operator of this Service. For privacy inquiries, contact us at privacy@example.com.

    2. Data We Collect

    • Account data: email address, display name, hashed password (or third-party OAuth identifier).
    • Usage data: reading history, questions you submit, timestamps, and preferences.
    • Technical data: IP address, browser type, device information, and basic analytics.
    • Cookies: authentication session cookies and, where applicable, analytics cookies (only with your consent).

    3. Legal Basis for Processing (GDPR)

    • Contract: to provide the Service you requested (Art. 6(1)(b) GDPR).
    • Consent: for optional analytics and marketing (Art. 6(1)(a) GDPR).
    • Legitimate interest: to secure the Service and prevent abuse (Art. 6(1)(f) GDPR).
    • Legal obligation: where required by law (Art. 6(1)(c) GDPR).

    4. How We Use Your Data

    • To create and manage your account;
    • To provide tarot readings and related features;
    • To communicate important updates about the Service;
    • To secure the Service and prevent fraud or abuse;
    • To comply with legal obligations.

    5. Third-Party Processors

    We use trusted service providers to operate the Service. These processors act on our behalf under data processing agreements:

    • Vercel Inc. — hosting and infrastructure (USA / EU regions);
    • PostgreSQL database provider — data storage (via Vercel Marketplace);
    • NextAuth OAuth providers — for third-party sign-in, if used (e.g., Google);
    • Email delivery provider — for transactional emails, if applicable.

    6. International Transfers

    Some processors may be located outside the European Economic Area. Where this occurs, we rely on Standard Contractual Clauses or equivalent safeguards as required by GDPR.

    7. Data Retention

    We retain account data for as long as your account is active. If you delete your account, we delete or anonymize personal data within 30 days, except where retention is required by law.

    8. Your Rights (GDPR / CCPA)

    You have the right to:

    • Access the personal data we hold about you;
    • Request correction of inaccurate data;
    • Request deletion ("right to be forgotten");
    • Restrict or object to processing;
    • Data portability;
    • Withdraw consent at any time;
    • Lodge a complaint with your local supervisory authority.

    California residents have additional rights under the CCPA, including the right to know what personal data we collect and the right to opt out of any sale of personal data. We do not sell personal data.

    9. Cookies

    We use strictly necessary cookies for authentication. Optional analytics cookies are only set after you give consent via our cookie banner. You can withdraw consent at any time through your browser settings.

    10. Security

    We implement reasonable technical and organizational measures to protect your data, including encryption in transit (HTTPS), hashed passwords, and access controls. No system is perfectly secure, and we cannot guarantee absolute security.

    11. Children

    The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us for removal.

    12. Changes to This Policy

    We may update this Privacy Policy. Material changes will be announced on this page with an updated "last updated" date.

    13. Contact

    For any privacy-related questions or to exercise your rights, contact privacy@example.com.


    Note: This is a draft template and not legal advice. Please have it reviewed by a qualified lawyer before launch, and fill in the actual company name, address, and contact details.
