Tarot Insights

Privacy Policy

Last updated: March 15, 2026

This Privacy Policy explains how Tarot Insights ("we", "us", "our") collects, uses, stores, and protects your information when you use our application. By accessing or using the app, you agree to this policy.

We are committed to complying with applicable privacy regulations, including the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and other relevant data protection laws.

1. What Data We Collect

1.1 Account Information

If you create an account, we collect:

  • Email address (required for account creation)
  • Display name (from your Google profile if you sign in with Google, or set manually)
  • Firebase authentication identifier (a unique user ID generated by our authentication provider)

1.2 User-Generated Content

When you use the app, the following content is created and stored:

  • Questions and context you submit for tarot readings
  • Reading session data, including selected spread type, drawn cards, card positions, and reading stage
  • AI-generated interpretations and summaries produced during your readings
  • Chat history between you and the AI within each reading session
  • Profile preferences, such as card reversal settings, major arcana preferences, and selected card back design

1.3 Locally Stored Data

The following data is stored in your browser's local storage and is not transmitted to our servers:

  • Anonymous user identifier — a randomly generated ID for non-logged-in users, used solely to generate your daily card draw
  • Daily card cache — your recent daily card results (up to 10 entries), stored to ensure consistency within a single day

1.4 Automatically Collected Technical Data

When you access the app, we may automatically collect:

  • Browser type and language
  • Device type and operating system
  • General location (country level, derived from IP address)
  • IP address (anonymized where required by law)

We make reasonable efforts to anonymize technical data wherever possible.

1.5 Data We Do NOT Collect

  • We do not collect sensitive personal data (health, religious beliefs, biometric data, sexual orientation, political opinions)
  • We do not use cookies for advertising or tracking purposes
  • We do not collect financial or payment information (no payment features are currently implemented)

2. How We Use Your Data

We process your data for the following purposes:

  • Provide tarot readings and interpretations — using your questions, context, and card data. Legal basis: contract performance.
  • Generate AI-powered card interpretations — using your questions, context, card details, and language. Legal basis: contract performance.
  • Save and display your reading history — using reading sessions and chat history. Legal basis: contract performance.
  • Maintain your account and preferences — using your email, display name, and settings. Legal basis: contract performance.
  • Generate your daily card draw — using your anonymous ID or user ID and the current date. Legal basis: legitimate interest.
  • Improve app performance and fix issues — using anonymized technical data. Legal basis: legitimate interest.
  • Comply with legal obligations — using account data as required. Legal basis: legal obligation.

We do not sell your personal information. We do not use your data for targeted advertising or profiling.

3. AI Processing and Data Sharing

3.1 How AI Is Used

Tarot Insights uses Google Gemini AI to generate card interpretations and reading summaries. When you open a card or request a reading, the following data is sent to Google's AI service:

  • Your question and any optional context you provided
  • The card drawn, its position in the spread, and its orientation
  • A system prompt with interpretation guidelines
  • Your language preference

3.2 What Happens to Data Sent to AI

  • Data is transmitted to Google's servers for processing and is subject to Google's Privacy Policy
  • We do not control how Google processes data received through the Gemini API
  • AI-generated responses are stored in your reading session within our database

3.3 Other Third-Party Services

  • Firebase Authentication (Google) — used for user sign-in and account management. Data shared: email, display name, auth credentials.
  • Cloud Firestore (Google) — used for data storage for readings and profiles. Data shared: all user-generated content.
  • Google OAuth (Google) — used for social sign-in. Data shared: Google profile (email, name).

All third-party services are governed by their own privacy policies. We encourage you to review Google's Privacy Policy and Firebase Terms of Service.

We may integrate additional trusted third-party services in the future. Any such changes will be reflected in an updated version of this policy.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the service you requested (readings, account features, history)
  • Consent — when you voluntarily provide information (e.g., creating an account, submitting questions)
  • Legitimate interests — for app improvement, security, and analytics, where these interests are not overridden by your rights
  • Legal obligation — when required to comply with applicable laws

You have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.

5. Data Storage and Security

5.1 Where Your Data Is Stored

Your data is stored in Google Cloud infrastructure (via Firebase) in data centers that may be located outside your country of residence. For transfers from the EEA, we rely on Google's compliance mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission.

5.2 Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Firebase security rules restricting data access to authenticated users
  • Server-side authentication verification for all API requests
  • Access control ensuring users can only access their own reading data

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Account information — retained until you delete your account
  • Reading sessions and history — retained until you delete your account or request deletion
  • Profile preferences — retained until you delete your account
  • Local storage data — retained until you clear your browser data
  • Anonymized technical data — retained for up to 26 months

You may request deletion of your data at any time by contacting us (see Section 10). Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law.

7. Your Rights

7.1 Rights Under GDPR (EEA Residents)

If you are located in the European Economic Area, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure ("right to be forgotten") — request deletion of your personal data
  • Restriction — request that we limit how we process your data
  • Data portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — withdraw consent at any time where processing is based on consent
  • Lodge a complaint — file a complaint with your local data protection supervisory authority

7.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

  • Know — request disclosure of the categories and specific pieces of personal information we have collected
  • Delete — request deletion of your personal information
  • Non-discrimination — not be discriminated against for exercising your privacy rights
  • Opt-out of sale — we do not sell personal information, so this right is automatically satisfied

7.3 How to Exercise Your Rights

To exercise any of the above rights, please contact us at the address listed in Section 10. We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.

8. Children's Privacy

Tarot Insights is not directed at children. We do not knowingly collect personal data from:

  • Children under 16 years old in the European Economic Area
  • Children under 13 years old in all other jurisdictions

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. We will promptly delete any such data from our systems.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify users through the app or on our website

Continued use of the app after changes are posted constitutes acceptance of the updated policy. If you disagree with any changes, you should discontinue use of the app and may request deletion of your data.

10. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us at:

📧 privacy@tarotinsights.app

For GDPR-related inquiries, you may also contact your local data protection authority. A list of EEA data protection authorities is available at edpb.europa.eu.