Privacy Policy

Platform: WWW.ARCANAOFTAROT.COM

§ 1 GENERAL PROVISIONS

1. The controller of personal data collected through the website www.arcanaoftarot.com is Damian Idczak conducting business under the name Damian Idczak registered in the Central Register and Information on Economic Activity of the Republic of Poland maintained by the minister responsible for economic affairs, registered office and correspondence address: ul. Niedas Leśny 26a, 95-080 Tuszyn, Tax Identification Number (NIP): 7282893112, Statistical Number (REGON): 540577030, email address: contact@arcanaoftarot.com, telephone number: 888753735, hereinafter referred to as the “Controller” and also the “Service Provider.”
2. Personal data collected by the Controller through the Platform is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR, and the Consumer Rights Act of 30 May 2014.
3. All words or expressions written with a capital letter in this Privacy Policy shall be understood in accordance with their definition contained in the Terms of Service of www.arcanaoftarot.com.

§ 2 PURPOSE AND SCOPE OF DATA COLLECTION

PURPOSE OF PROCESSING AND LEGAL BASIS

1. The Controller processes personal data of Platform Users in the following cases:
   1. Account registration on the Platform, for the purpose of creating an individual account and managing that Account, on the basis of Article 6(1)(b) of the GDPR (performance of a contract for the provision of electronic services in accordance with the Platform’s Terms of Service),
   2. placing an Order for a Premium Subscription or Credit Pack, for the purpose of performing the Agreement for the Delivery of a Digital Service, on the basis of Article 6(1)(b) of the GDPR (performance of contract),
   3. provision of Digital Services, including the generation of personalized tarot readings, Oracle conversations, Soul Card profiles, Oracle Notes, monthly reviews, and pattern analyses, on the basis of Article 6(1)(b) of the GDPR (performance of contract) and Article 6(1)(a) of the GDPR (consent for AI data processing — separate “ai_processing” consent),
   4. carrying out other activities essential/necessary for the operation of the Platform, i.e.:
      • product analytics and Platform improvement (measurements, telemetry): Article 6(1)(f) of the GDPR — the Controller’s legitimate interest in improving the quality and usability of services,
      • security and fraud prevention (logs, DDoS protection, rate limiting, breach detection): Article 6(1)(f) of the GDPR,
      • direct marketing, email notifications, and commercial communication — to the extent required by the provisions of the Electronic Communications Law: Article 6(1)(a) of the GDPR (consent). Consent may be withdrawn at any time,
      • pursuing or defending claims: Article 6(1)(f) of the GDPR,
      • maintaining an audit log of data operations (account deletion, data export, consent changes): Article 6(1)(f) of the GDPR — the Controller’s legitimate interest in ensuring accountability.

TYPES OF PERSONAL DATA PROCESSED

2. The User provides or the Platform generates the following categories of data:
   1. Identification and contact data: name, email address, profile picture (in the case of registration via Google OAuth or Apple OAuth),
   2. Authentication data: hashed password (in the case of email and password registration — bcrypt algorithm), OAuth tokens (access tokens, refresh tokens, ID tokens — stored in the database),
   3. Onboarding preferences: nickname, date of birth, zodiac sign, zodiac element, spiritual experience level, focus areas, preferred reading time, communication style,
   4. Reading data: questions asked by the Client, selected card spreads, drawn cards, AI-generated interpretations, follow-up messages in Oracle Chat,
   5. Journal entries: entry content, mood tags, links to readings,
   6. Soul Card data: date of birth, birth number, personality card, soul card, shadow card, AI-generated personality portrait, character traits, share slug, sharing status,
   7. Oracle Notes: internal notes generated by AI after each reading, containing emotional state assessment, themes, contextual observations, and the Oracle’s intuitions about the Client’s deeper intentions,
   8. Life Chapters: titles, descriptions, themes, associated cards, status, and dates of life periods,
   9. Daily Cards: drawn cards, reversed status, messages, Moon phase data,
   10. Monthly Reviews: AI-generated narratives, statistics (reading count, journal entries, recurring cards, mood distribution, Moon phases),
   11. Billing data (to the extent it constitutes personal data within the meaning of the GDPR): Stripe customer ID, subscription ID, subscription status, credit balance, purchase history. The Controller does not store full payment card details — these are managed exclusively by the payment operator Stripe,
   12. Consent data: consent type (terms, privacy policy, AI processing, marketing email, analytics, age verification), grant status, policy version, grant/revocation date, source (registration, onboarding, settings), IP address,
   13. Technical data: IP address (collected during registration and consent updates for audit purposes and for rate limiting), browser type, operating system type.

PERSONAL DATA RETENTION PERIOD

3. Personal data of Users is retained by the Controller:
   1. where the basis for processing is the performance of a contract, for as long as necessary for the performance of the contract, and thereafter for a period corresponding to the statute of limitations for claims. Unless a specific provision provides otherwise, the statute of limitations is six years, and for periodic payments and claims related to business activity — three years,
   2. where the basis for processing is consent, for as long as the consent is not withdrawn, and after withdrawal of consent for a period corresponding to the statute of limitations for claims that the Controller may raise and that may be raised against it,
   3. in the event of Account deletion by the Client — all data associated with the Account (readings, journal entries, Oracle Notes, Soul Card, Life Chapters, monthly reviews, preferences, conversation history, credits) is permanently deleted. Only a hashed user identifier (SHA-256) is retained in the audit log, without personal data. Payment records may be retained by the payment operator Stripe in accordance with its legal obligations.

DATA PROCESSED IN CONNECTION WITH AI FEATURES

4. The Platform uses artificial intelligence models to generate content based on data entered by the User (questions, intentions, journal entries, onboarding preferences).
5. When generating readings and Oracle conversations, the following data is transmitted to the AI provider (in anonymized form — without email address, name, payment data, or account identifiers):
   • the Client’s question or intention (sanitized),
   • recent questions from reading history (up to 3),
   • frequency of recurring cards and dominant suits,
   • onboarding preferences: nickname, zodiac sign, element, experience level, focus areas, communication style,
   • current Oracle Notes (emotional assessments, themes, observations),
   • current Life Chapter analysis,
   • the Client’s language/locale.
6. AI features are provided using an external technology provider (sub-processor) — Google LLC, whose servers may be located outside the EEA (in particular in the United States). The Controller shall notify of planned changes to sub-processors; the Client may raise an objection.
7. Prompts, User input data, and AI event logs are retained for the period necessary to ensure security, accountability, and technical support, not exceeding 360 days, unless a longer period results from the pursuit of claims or legal obligations. This data is not used for model training without prior, express consent.
8. The Controller does not use the User’s input data or generated content for “training” models without the User’s prior, express consent.
9. The User should verify AI-generated content before publication/use.
10. Where required by law, the User may be obliged to disclose to recipients that the content was generated or co-created by AI.
11. The Controller maintains logging of significant system events and human oversight of AI function operation to ensure security and accountability.
12. The User should not upload content containing the personal data of third parties, in particular images, to the Platform for the purpose of using the Digital Service. By uploading such content, the Client does so at their own risk. The Controller retains content uploaded by the User only to the extent necessary for the provision of the Digital Service.

AUTOMATICALLY COLLECTED DATA

13. During use of the Platform, additional information may be collected, in particular: the IP address assigned to the User’s computer or the external IP address of the Internet provider, domain name, browser type, access time, operating system type.
14. Upon giving separate consent, on the basis of Article 6(1)(a) of the GDPR, data may also be processed for the purpose of sending commercial information by electronic means — in accordance with Article 398(1) and (2) of the Act of 12 July 2024 — Electronic Communications Law, including communications resulting from profiling, provided the User has given appropriate consent.
15. Navigation data may also be collected from Users, including information about links they choose to click or other actions taken on the Platform. The legal basis for such activities is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting of facilitating the use of services provided electronically and improving the functionality of those services.
16. The provision of personal data by the User is voluntary but necessary for the proper use of the Platform, including entering into an agreement for the delivery of a Digital Service.
17. The Controller takes particular care to protect the interests of data subjects, and in particular ensures that the data it collects is:
    • processed in accordance with the law,
    • collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes,
    • substantively correct and adequate in relation to the purposes for which it is processed, and stored in a form that permits identification of data subjects for no longer than necessary to achieve the purpose of processing.

§ 3 RECIPIENTS OF PERSONAL DATA

1. Users’ personal data is transferred to service providers used by the Controller in operating the Platform, and in particular to:

   Recipient	Purpose	Data Scope	Location
   Google	Authentication (OAuth)	Email address, name, profile picture	USA
   Apple	Authentication (OAuth)	Email address, name	USA
   Stripe	Payment processing	Email address, subscription and credit purchase details	USA
   Resend	Transactional and notification emails	Email address, name, personalized email content	USA
   Google LLC (Gemini AI)	Tarot reading generation, Oracle Notes, Soul Card portraits, monthly reviews	Anonymized data: questions, card data, chat messages, onboarding preferences, recent reading context (without email, name, or payment data)	USA
   Vercel Analytics	Anonymized usage analytics	Page views, performance metrics (no PII, cookieless by default)	USA
   Cybot (CookieBot)	Cookie consent management	Cookie consent preferences	EU
   Sentry	Error monitoring	Technical error data (personal data is automatically stripped before sending)	USA

2. Service providers referred to in point 1 of this section, to whom personal data is transferred, depending on contractual arrangements and circumstances, either follow the Controller’s instructions regarding the purposes and methods of processing such data (data processors) or independently determine the purposes and methods of their processing (controllers).
3. Users’ personal data is stored exclusively within the European Economic Area (EEA), subject to point 1 of this section and § 5 of this Privacy Policy.
4. Personal data may be transferred outside the European Economic Area (EEA), in particular to the United States, in connection with the Controller’s use of services from the providers listed in point 1. Data transfers are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Article 46(2)(c) of the GDPR, or on the basis of an adequacy decision, insofar as such a decision is in effect for the relevant country.

§ 4 RIGHT OF CONTROL, ACCESS TO PERSONAL DATA, AND CORRECTION

1. The data subject has the right to access their personal data and the right to rectify, delete, restrict processing, the right to data portability, the right to object, and the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
2. Legal bases for the User’s requests:
   • Access to data — Article 15 of the GDPR,
   • Rectification of data — Article 16 of the GDPR,
   • Deletion of data (so-called right to be forgotten) — Article 17 of the GDPR,
   • Restriction of processing — Article 18 of the GDPR,
   • Data portability — Article 20 of the GDPR,
   • Objection — Article 21 of the GDPR,
   • Withdrawal of consent — Article 7(3) of the GDPR.
3. To exercise the rights referred to in point 2, an appropriate email may be sent to: contact@arcanaoftarot.com.
4. The Platform also provides a data export function in JSON format, available in Account settings, enabling the download of all of the Client’s personal data (profile, preferences, readings, journal entries, Soul Card, Life Chapters, daily cards, monthly reviews, credit purchase history, consent history) — fulfillment of the right to data portability (Article 20 of the GDPR).
5. The Platform also provides an Account deletion function in Account settings, enabling the permanent deletion of all data associated with the Account — fulfillment of the right to be forgotten (Article 17 of the GDPR).
6. When the User exercises a right arising from the above, the Controller shall fulfill the request or refuse to fulfill it without delay, but no later than within one month of receiving it. If, however — due to the complex nature of the request or the number of requests — the Controller is unable to fulfill the request within one month, it shall fulfill it within the next two months, informing the User within one month of receiving the request of the intended extension and the reasons therefor.
7. If it is found that the processing of personal data violates the GDPR, the data subject has the right to file a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).

§ 5 COOKIES

1. The Controller’s website uses cookies.
2. The installation of cookies is necessary for the proper provision of services on the Platform’s website. Cookies contain information necessary for the proper functioning of the website and also enable the compilation of general website visit statistics.
3. Two types of cookies are used on the website: “session” cookies and “persistent” cookies.
   • “Session” cookies are temporary files that are stored on the User’s device until they log out (leave the website),
   • “Persistent” cookies are stored on the User’s device for the time specified in the cookie parameters or until they are deleted by the User.
4. The following categories of cookies are used on the Platform:

   Essential cookies (always active):

   Cookie	Purpose	Duration
   next-auth.session-token	Maintains login session	7 days
   next-auth.callback-url	Stores the return URL during authentication	Session
   next-auth.csrf-token	Protects against CSRF attacks	Session
   CookieConsent	Stores cookie consent preferences (CookieBot)	1 year
   i18n_locale	Stores language preferences	1 year

   Analytics cookies (optional — require consent):

   Cookie	Purpose	Duration
   Vercel Web Analytics	Anonymized page view tracking (cookieless by default)	N/A

5. The Platform does not use marketing, advertising, or remarketing cookies. The Platform does not use Google Analytics, Google Ads, or other advertising tools.
6. The Controller uses the CookieBot service (Cybot A/S) for cookie consent management. CookieBot automatically blocks optional cookies until consent is given by the User.
7. The User has the right to decide on the access of cookies to their computer by:
   • selecting the types of cookies they consent to upon first entering the Platform’s website and the appearance of the cookie notice (CookieBot banner),
   • changing cookie preferences at any time by clicking the cookie icon or re-displaying the banner,
   • changing settings in their browser window. Detailed information about the options and methods for handling cookies is also available in the software (web browser) settings.

§ 6 EMAIL NOTIFICATIONS

1. The Platform sends the following categories of email messages through the Resend service provider:

   Transactional emails (do not require marketing consent):

   • welcome email upon Account registration,
   • verification email (for email and password registration),
   • password reset email,
   • subscription activation confirmation,
   • subscription cancellation confirmation,
   • goodbye email upon Account deletion.

   Marketing/notification emails (require consent):

   • weekly reading reminder,
   • monthly summary (Monthly Soul Review),
   • anniversary/milestone emails,
   • re-engagement emails,
   • Trial Period expiration reminder.
2. Marketing emails are sent exclusively to Users who have given marketing consent (marketing_email) and have enabled the corresponding notification preferences in Account settings.
3. The Platform does not use tracking pixels in email messages and does not track link clicks.
4. Each marketing email includes a one-click unsubscribe mechanism compliant with the RFC 8058 standard, implemented via the List-Unsubscribe header and a signed unsubscribe link.

§ 7 FINAL PROVISIONS

1. The Controller applies technical and organizational measures ensuring the protection of processed personal data appropriate to the threats and categories of data being protected, and in particular secures data against disclosure to unauthorized persons, acquisition by unauthorized persons, processing in violation of applicable regulations, and alteration, loss, damage, or destruction. In particular, the Controller applies:
   • encrypted connections (HTTPS),
   • secure authentication (OAuth 2.0),
   • password hashing (bcrypt for email/password accounts),
   • secure payment processing (Stripe PCI-DSS compliance),
   • sanitization of personal data before transmission to AI providers and error monitoring systems,
   • masking of personal data in error monitoring session recordings.
2. The Controller provides appropriate technical measures to prevent unauthorized persons from acquiring and modifying personal data transmitted electronically.
3. For matters not regulated by this Privacy Policy, the provisions of the GDPR and other applicable provisions of Polish law shall apply accordingly.