Privacy Policy
Last updated: May 2026
Lunarcana stores only what is necessary for the ritual to remember you. This page describes — in detail — what we collect, why we are allowed to collect it, how long we keep it, who else touches it, how it is secured, and the rights you hold under GDPR, CCPA, PIPL, and similar laws.
1 · Data we store
Account identity — your Google email, display name, avatar URL, and the stable Google subject ID. Used only to sign you in and to address you in the interface.
Profile — your chosen sigil, default spread, language. Astrology and birth-card features are computed on the server from data you enter, and only the derived tags are persisted (sun / moon / rising sign codes and soul / personality card IDs). Your raw birthday, birth time, place, and coordinates are never written to our database — this is an auditable privacy commitment, not a configurable option.
Readings and journal — only when you bind a reading to your grimoire: drawn cards, spread type, the question you asked, the AI interpretation, your notes, tags, mood, and a per-reading share token if you choose to mint a public share link. If you re-roll an angle or style on a saved reading, the alternate interpretation is stored alongside the original.
Engagement records — your daily-card draws (one card stored per UTC day per user), 21-day challenge progress, achievement unlocks, and quiz scores. We use these to render your /profile, /journey, and /wrapped pages and to award the achievements described in the Terms.
Push subscriptions — when you opt in on /profile: the endpoint URL provided by your browser plus the device's p256dh and auth public-key material (issued by your browser; not personal data on its own). Removed when you turn the toggle off.
Referrals — when you generate or redeem an invite code: the code string and one redemption row per accepted invite, used to grant the bonus month described in the Terms.
Billing — for paid subscribers: tier, renewal date, any pending grace-period deadline, and the Creem customer / subscription IDs. We never see your card number, expiry, or CVV.
Analytics — anonymous event records keyed by a hashed user ID. No question text, no card content, no interpretation prose.
2 · Legal basis for storing it
Contract performance (GDPR Art. 6(1)(b)) — account, profile, readings, billing. Without these we cannot deliver the service you asked for.
Legitimate interest (Art. 6(1)(f)) — minimal analytics for service health and abuse prevention. Balanced against your privacy by hashing identifiers and offering opt-out via sign-out.
Consent (Art. 6(1)(a)) — astrology prompt enrichment, web push, marketing email, and opt-in daily card email. All off by default; you toggle them on yourself.
Legal obligation (Art. 6(1)(c)) — billing records retained as required by the merchant of record's tax law.
3 · How long we keep it
All user-bound rows (account, profile, readings, journal, saved cards, daily draws, challenge progress, achievements, quiz scores, push subscriptions, referral records, monthly usage counters): until you delete your account, when they cascade-delete in a single transaction.
Database backups: rolling 30-day retention.
Server and access logs: 30 days.
Analytics events: 12-month rolling window.
Billing records: up to 7 years after account deletion, retained by Creem under their tax and audit obligations.
4 · Subprocessors — companies that touch your data on our behalf
Cloudflare (United States, global edge) — Workers compute, D1 database, R2 asset storage. All hot data lives here.
Google (United States) — OAuth sign-in only. We receive your email, name, avatar, and subject ID; nothing more.
DeepSeek (Singapore / China) — AI interpretation provider. We send drawn cards, spread type, question, locale, and optional astrology context. We never send your email, name, or history.
Resend (United States) — transactional and scheduled email. We pass your email address and the rendered template body.
Web push relays (Apple Push Notification service / Firebase Cloud Messaging / Mozilla Push Service) — used only when you have opted in to push. We send the notification payload to the endpoint URL your browser issued; the relay forwards it to your device.
PostHog (United States, EU region available) — product analytics. We send a hashed user ID and event names; no question text or interpretation prose.
Creem — operated by Armitage Labs OÜ (Tallinn, Estonia, EU) — merchant of record for paid subscriptions. They handle card processing and tax compliance; we receive only their abstract customer / subscription IDs. Transfers outside the EEA, where applicable, rely on EU Standard Contractual Clauses.
5 · Cookies and similar storage
authjs.session-token (development) / __Secure-authjs.session-token (production) — Auth.js v5 session, httpOnly, sameSite=lax, required for sign-in.
NEXT_LOCALE — your chosen language.
lunarcana-ref — invite-code carrier, expires after redemption.
PostHog distinct_id — first-party analytics identifier, set only when NEXT_PUBLIC_POSTHOG_KEY is configured.
We do not set third-party advertising cookies and we do not participate in cross-site behavioural tracking.
Local storage — non-sensitive client preferences kept on the device only and never sent to our servers: ambient track + volume, mute state, install-prompt dismissal, daily meditation counter. Clearing site data removes them.
6 · International transfers
Lunarcana is hosted on Cloudflare's global network; your data may be processed in regions outside your country of residence, including the United States. Transfers originating in the EU, UK, or Switzerland rely on Standard Contractual Clauses (SCCs) where applicable.
The China edition (when launched) runs on Aliyun within Mainland China and does not mirror data out of the region. Cross-border transfer of data collected by the China edition is subject to a separate consent flow.
7 · Your rights
Access, correction, deletion, portability — email support@lunarcana.app, or use Profile → Delete Grimoire for immediate cascading deletion across every user-bound table: user / account / session / reading / readingInterpretation / savedCard / userPreference / subscription / dailyDraw / userChallenge / userAchievement / userQuizScore / pushSubscription / referralCode / referralRedemption / usageMonthly. Deletion is a single transaction and is irreversible.
Withdraw consent — toggle astrology, push, marketing email, daily card email, and voice synthesis in Profile at any time.
Object to or restrict processing — email us.
Lodge a complaint — with your local data-protection authority (EEA: your supervisory authority; UK: ICO; California: Attorney General; China: CAC).
California (CCPA / CPRA) — we do not sell or share personal information for cross-context behavioural advertising. A "Do Not Sell or Share" link is therefore not required, but you may still exercise the rights above.
China (PIPL) — you may request a copy of your data and an explanation of processing; you may withdraw consent at any time.
8 · Children
Lunarcana is not directed at users under 13 (under 16 in the EU). If we learn that we have inadvertently collected data from such a user we will delete it without delay.
9 · Changes
Material changes are announced on-site at least 14 days before they take effect. The "Last updated" line at the top of this page is authoritative.
10 · Information security
In transit — TLS 1.3 between your browser, Cloudflare's edge, and every subprocessor we call. Authentication cookies are httpOnly and sameSite=lax; session tokens are random opaque values issued by Auth.js v5 and stored only as references in our database.
At rest — our Cloudflare D1 database is encrypted using Cloudflare's managed disk encryption. We do not store your card number, expiry, CVV, or any payment instrument — only the abstract Creem customer / subscription IDs.
Access controls — administrative access to the production database is limited to the maintainer's hardware-key authenticated Cloudflare account. We do not run an internal customer-support tool with unrestricted read access to user rows.
Breach notification — if a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware and contact affected users by the email address on file without undue delay, in line with GDPR Art. 33-34 and equivalent statutes.
11 · Automated decision-making and profiling
AI-generated tarot interpretations are produced on demand from the cards you draw and the question you ask, by a third-party language model. They are intended for reflection, journaling, and contemplative practice. Nothing about your account, eligibility, pricing, or service tier is decided by the AI.
We do not engage in automated individual decision-making (including profiling) that produces legal or similarly significant effects on you, within the meaning of GDPR Art. 22.
Questions, data requests, or complaints: support@lunarcana.app — please send from the email address tied to your account.