1. Introduction

We respect your privacy and are committed to protecting the personal information you share through the Mystic Tarot mobile application ("App"). This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and your rights regarding your information. By using the App, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect the following categories of personal information:

Account Information: Email address and password (hashed securely, never visible to operators).

Profile Information: Display name and birth month/day for zodiac sign determination and personalized readings.

Reading Content: Questions and intentions you type into the App before requesting a reading. This content is transmitted to OpenAI for processing.

Usage Data: Automatically collected data including tarot readings generated, daily usage counts, rewarded ad interactions, and subscription status.

Device Information: Device type, operating system version, and unique device identifier for push notifications.

IP Address: Automatically collected through our backend infrastructure (Supabase) for security and service delivery purposes.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data on the following legal bases:

Contract Performance: Processing your account information, reading history, and subscription data is necessary to provide the App services you have requested.

Consent: We rely on your consent for sending push notifications and for processing personalized advertising through Google AdMob. You may withdraw consent at any time.

Legitimate Interests: We process device information and usage data based on our legitimate interests in maintaining app security, preventing fraud, and improving our services.

Legal Obligation: We may process data where required by applicable law.

4. How We Use Your Information

We use your data to:

• Personalize your tarot readings based on your zodiac sign and question
• Authenticate your account and maintain security
• Track daily usage limits and manage free/premium access
• Maintain your reading history and card collection
• Send opt-in push notifications such as daily reading reminders
• Process in-app purchases and subscriptions
• Improve app functionality and user experience
• Comply with legal obligations

5. Automated Decision Making

Mystic Tarot uses automated processing to generate tarot readings based on your inputs. When you submit a question, your name, zodiac sign, question text, and reading category are processed automatically by OpenAI's systems to produce your reading. This constitutes automated decision making under GDPR Article 22. These readings are for entertainment purposes only and have no legal or similarly significant effect on you. You have the right to request human review of any automated output by contacting us.

6. Third-Party Services and Data Sharing

We share your data with the following third-party service providers:

Supabase: Handles authentication, database storage, and server-side functions. Data is stored on encrypted infrastructure. Supabase servers may be located outside the European Union. Appropriate data transfer safeguards are in place. Privacy policy: supabase.com/privacy

OpenAI: Generates tarot readings using your name, zodiac sign, reading question, and reading category. Your question content is transmitted to OpenAI servers located in the United States. Privacy policy: openai.com/privacy

Google AdMob: Displays advertisements to free tier users and may collect device identifiers and usage data for ad targeting purposes. Privacy policy: policies.google.com/privacy

RevenueCat: Manages in-app subscriptions and purchase processing. Privacy policy: revenuecat.com/privacy

Expo/EAS: Provides push notification delivery services. Privacy policy: expo.dev/privacy

We do not sell your personal data to third parties.

7. International Data Transfers

As a service based in the Republic of Moldova using US-based service providers including OpenAI, Google AdMob, and RevenueCat, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place in accordance with applicable data protection laws, including relying on Standard Contractual Clauses or other lawful transfer mechanisms where required.

8. Data Storage and Security

Your data is stored on Supabase cloud infrastructure with encryption at rest and in transit. Passwords are hashed and never stored in plain text. We use JWT-based authentication to secure all API communications. While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Data Retention

We retain your personal data for the following periods:

• Account information: Retained while your account is active and deleted within 30 days of account deletion request
• Reading history: Retained while your account is active. Deleted within 30 days of account deletion
• Usage data: Retained for 12 months for service management purposes
• Device identifiers for push notifications: Retained while notifications are enabled
• Ad interaction data: Retained per Google AdMob's data retention policies

If you delete your account, we will remove your personal data from our active systems within 30 days.

10. Your Rights

Depending on your location, particularly if you are in the European Economic Area, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Data Portability: Request your data in a structured, machine-readable format
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for push notifications or personalized ads at any time via device settings
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority

We will respond to all data rights requests within 30 days. To exercise any of these rights, please contact us using the information below.

11. Children's Privacy

Mystic Tarot is intended for users aged 16 and older in the European Union, and 13 and older in other regions. We do not knowingly collect personal information from children below these age thresholds. If we discover that we have collected information from a child below the applicable minimum age, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us immediately.

12. Cookies and Tracking

The App itself does not use browser cookies as it is a native mobile application. However, third-party SDKs integrated into the App, including Google AdMob and analytics tools, may use device identifiers and similar tracking technologies for advertising and analytics purposes. You may opt out of personalized advertising through your device settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification or email with the updated effective date. Continued use of the App after changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: contact@mystictarotapp.com
Website: mystictarotapp.com
Mystic Tarot, Republic of Moldova

If you are located in the European Union and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.