Mystic Tarot

Privacy Policy

Effective Date: May 4, 2026

1. Introduction

We respect your privacy and are committed to protecting the personal information you share through the Mystic Tarot mobile application ("App"). This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and your rights regarding your information. By using the App, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect the following categories of personal information:

Account Information: Email address and password (hashed securely, never visible to operators).

Profile Information: Display name and birth month/day for zodiac sign determination and personalized readings.

Reading Content: Questions and intentions you type into the App before requesting a reading. This content is transmitted to OpenAI for processing.

Usage Data: Automatically collected data including tarot readings generated, daily usage counts, rewarded ad interactions, and subscription status.

Device Information: Device type, operating system version, and unique device identifier for push notifications.

IP Address: Automatically collected through our backend infrastructure (Supabase) for security and service delivery purposes.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data on the following legal bases:

Contract Performance: Processing your account information, reading history, and subscription data is necessary to provide the App services you have requested.

Consent: We rely on your consent for sending push notifications, for processing personalized advertising through Google AdMob, and for sending promotional or re-engagement emails about new features, content, and special offers. You may withdraw any of these consents at any time, and every promotional email contains a one-click unsubscribe link.

Legitimate Interests: We process device information and usage data based on our legitimate interests in maintaining app security, preventing fraud, detecting fraudulent installs, monitoring AI quality, and improving our services. This includes authorized personnel reviewing reading content, AI-generated outputs, and aggregate user behavior to debug errors, refine our prompts, and improve model quality.

Legal Obligation: We may process data where required by applicable law.

4. How We Use Your Information

We use your data to:

• Personalize your tarot readings based on your zodiac sign and question
• Authenticate your account and maintain security
• Track daily usage limits and manage free/premium access
• Maintain your reading history and card collection
• Send opt-in push notifications such as daily reading reminders
• Send promotional or re-engagement emails about new features, content, and special offers, with a clear unsubscribe option in every message
• Allow authorized personnel to review reading questions, AI-generated responses, user-submitted ratings, and flagged content for the purposes of debugging errors, monitoring AI quality, detecting abuse or policy violations, and improving our prompts and models. Such access is limited to staff who need it and is logged.
• Use aggregated and pseudonymized reading content to evaluate, refine, and retrain prompts and machine-learning models so future readings are more accurate and helpful
• Detect fraudulent installs, automated traffic, and abuse using device-integrity signals (e.g. Google Play Integrity, install referrer timing, device-locale and IP triangulation)
• Process in-app purchases and subscriptions
• Improve app functionality and user experience based on usage analytics and crash reports
• Comply with legal obligations

5. Automated Decision Making

Mystic Tarot uses automated processing to generate tarot readings based on your inputs. When you submit a question, your name, zodiac sign, question text, and reading category are processed automatically by OpenAI's systems to produce your reading. This constitutes automated decision making under GDPR Article 22. These readings are for entertainment purposes only and have no legal or similarly significant effect on you. You have the right to request human review of any automated output by contacting us.

6. Third-Party Services and Data Sharing

We share your data with the following third-party service providers:

Supabase: Handles authentication, database storage, and server-side functions. Data is stored on encrypted infrastructure. Supabase servers may be located outside the European Union. Appropriate data transfer safeguards are in place. Privacy policy: supabase.com/privacy

OpenAI: Generates tarot readings using your name, zodiac sign, reading question, and reading category. Your question content is transmitted to OpenAI servers located in the United States. OpenAI may temporarily retain inputs and outputs for abuse monitoring per its API terms; we do not authorize OpenAI to train its models on your data. Privacy policy: openai.com/privacy

Google AdMob: Displays advertisements to free-tier users and may collect device identifiers and usage data for ad targeting purposes. Privacy policy: policies.google.com/privacy

Google Play Integrity: Validates that installs and sessions originate from genuine Android devices and uncompromised app binaries, in order to detect fraud and protect paying users. Privacy policy: policies.google.com/privacy

RevenueCat: Manages in-app subscriptions and purchase processing. Privacy policy: revenuecat.com/privacy

Firebase Analytics & Crashlytics (Google): Collects usage analytics and crash reports to help us measure feature performance and fix bugs. Privacy policy: firebase.google.com/support/privacy

Email Service Provider (e.g. Resend, SendGrid, or Postmark): Delivers transactional and (where you have consented) promotional emails. Your email address and message content are transmitted to the provider for delivery.

Expo/EAS: Provides push notification delivery services. Privacy policy: expo.dev/privacy

We do not sell your personal data to third parties.

7. International Data Transfers

As a service based in the Republic of Moldova using US-based service providers including OpenAI, Google AdMob, and RevenueCat, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place in accordance with applicable data protection laws, including relying on Standard Contractual Clauses or other lawful transfer mechanisms where required.

8. Data Storage and Security

Your data is stored on Supabase cloud infrastructure with encryption at rest and in transit. Passwords are hashed and never stored in plain text. We use JWT-based authentication to secure all API communications. While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Data Retention

We retain your personal data for the following periods:

• Account information: Retained while your account is active and deleted within 30 days of account deletion request
• Reading history: Retained while your account is active. Deleted within 30 days of account deletion
• Usage data: Retained for 12 months for service management purposes
• Aggregated and pseudonymized reading content (questions, AI responses, user ratings): May be retained beyond account deletion in a form not linked to your identity, solely for AI quality analysis and model improvement
• Email marketing preferences (opt-in / opt-out status): Retained indefinitely so we can honor your unsubscribe choice if you sign up again
• Device identifiers for push notifications: Retained while notifications are enabled
• Fraud-detection signals (device integrity, install referrer): Retained for 6 months
• Ad interaction data: Retained per Google AdMob's data retention policies

If you delete your account, we will remove your personal data from our active systems within 30 days.

10. Your Rights

Depending on your location, particularly if you are in the European Economic Area, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Data Portability: Request your data in a structured, machine-readable format
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for push notifications or personalized ads at any time via device settings
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority

We will respond to all data rights requests within 30 days. To exercise any of these rights, please contact us using the information below.

11. Children's Privacy

Mystic Tarot is intended for users aged 16 and older in the European Union, and 13 and older in other regions. We do not knowingly collect personal information from children below these age thresholds. If we discover that we have collected information from a child below the applicable minimum age, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us immediately.

12. Cookies and Tracking

The App itself does not use browser cookies as it is a native mobile application. However, third-party SDKs integrated into the App, including Google AdMob and analytics tools, may use device identifiers and similar tracking technologies for advertising and analytics purposes. You may opt out of personalized advertising through your device settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification or email with the updated effective date. Continued use of the App after changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: contact@mystictarotapp.com
Website: mystictarotapp.com
Mystic Tarot, Republic of Moldova

If you are located in the European Union and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

© 2026 Mystic Tarot. All rights reserved.