Privacy Policy

Last updated: March 8, 2026

Chaos Tarot ("we," "us," or "our") operates chaos-tarot.com. This Privacy Policy explains how we collect, use, and protect your information when you use our digital divination platform.

1. Data We Collect

Account Information

When you register, we collect your email address and generate a unique access code for your account. We do not require your real name, phone number, or physical address.

Reading & Usage Data

We store your divination readings (Tarot, Runes, I Ching, Ogham, Lenormand, Geomancy, and Cross-System), journal entries, daily draw history, streak data, community posts, and achievement progress so you can revisit and reflect on your divination journey. We also collect basic usage data such as pages visited, feature interactions, and session timestamps to improve the platform.

Payment Information

Payment processing is handled entirely by Stripe. We receive confirmation of your payment status but never see, store, or have access to your credit card number, CVV, or full billing details.

Community Content

If you use community features (shared readings, circles, collective questions), the content you choose to share is visible to other users. Your display handle is shown alongside your posts; your access code and email are never displayed publicly.

2. How We Use Your Data

  • Provide the service — authenticate your account, generate readings, save your journal, and track your streaks.
  • Send emails — welcome messages, streak reminders, and occasional product updates. You can opt out at any time via the unsubscribe link in any email, or from your settings.
  • Push notifications — daily draw reminders, streak alerts, and community activity. Push notifications require your explicit opt-in and can be disabled at any time from your settings.
  • Analytics — understand how the platform is used so we can improve features, performance, and reliability. Analytics are only collected if you have accepted analytics cookies.
  • AI-powered interpretation — your reading context (selected cards, runes, hexagrams, or other symbols, and your optional question) is sent to Anthropic's Claude API to generate personalized interpretations. We do not send your email or identity to the AI. See Section 6 for details.

3. Lawful Basis for Processing

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Contract — processing necessary to provide the service you registered for (account management, generating readings, saving your data, processing payments).
  • Consent — marketing emails, push notifications, and non-essential analytics cookies. You may withdraw consent at any time from your settings.
  • Legitimate interest — security monitoring, fraud prevention, bug tracking, and platform improvement, balanced against your right to privacy.

4. Payment Processing

All payments are processed securely by Stripe. We never store your credit card data on our servers. Stripe is a PCI-DSS Level 1 certified payment processor. For details on how Stripe handles your payment information, please review Stripe's Privacy Policy.

5. Cookies & Session Management

Chaos Tarot uses a secure, httpOnly session cookie containing an encrypted token (JWT) to authenticate your session. This cookie is essential for the service to function and cannot be disabled. It does not contain your email or personal information.

We also use localStorage to store UI preferences such as cookie consent status, theme settings, and age verification.

Analytics cookies (Vercel Analytics and Speed Insights) are only set if you explicitly accept them via our cookie consent banner. We do not use third-party advertising cookies, tracking pixels, or fingerprinting technologies.

6. AI-Powered Interpretations

When you request an AI interpretation, the following data is sent to Anthropic's Claude API: the cards or symbols drawn, their positions, the spread type, your optional question, and (for Oracle-tier users) relevant excerpts from your reading history for context. Your email address, access code, and other personal identifiers are never sent to the AI.

Anthropic does not use API data for model training. Under Anthropic's commercial API terms, inputs and outputs are not used to train, improve, or fine-tune their models. Anthropic retains API inputs and outputs for a limited period (typically 30 days) for safety monitoring and abuse prevention, after which they are deleted.

All AI-generated interpretations are clearly labeled as such within the application. AI interpretations are for entertainment and reflection only and should not be treated as professional advice.

If your question contains personal information, that information is processed by Anthropic to generate your interpretation but is not permanently retained or linked to your identity.

7. Third-Party Services

We rely on the following third-party services to operate the platform. Data Processing Agreements (DPAs) are in place with each provider where required by law:

  • Stripe — payment processing for one-time and subscription purchases.
  • Supabase — database hosting and storage. Your data is stored on Supabase's infrastructure in the United States.
  • Vercel — application hosting, CDN, and optional analytics (Speed Insights / Web Analytics). Vercel processes all HTTP requests to the platform.
  • Resend — transactional and marketing email delivery.
  • Anthropic (Claude AI) — AI-powered divination interpretations. Only reading context is shared; no personal identifiers are sent. See Section 6.

We also maintain automated presence on Twitter/X, Bluesky, Tumblr, and Discord for platform news and content. These social media integrations post platform-generated content only; no user data is shared with these services.

8. International Data Transfers

Chaos Tarot is operated from the United States. If you access the platform from the EEA, UK, Switzerland, or other regions with data protection laws, your data will be transferred to and processed in the United States.

We ensure appropriate safeguards for international data transfers through our providers' Standard Contractual Clauses (SCCs) and compliance certifications. Stripe, Supabase, Vercel, and Anthropic each maintain SCCs or equivalent mechanisms for cross-border data transfers.

9. Data Retention & Deletion

We retain your account data and reading history for as long as your account is active. You can delete your account and all associated data at any time from your settings page (no need to contact us). Account deletion is immediate and permanent.

Upon deletion, the following data is permanently removed: readings, journal entries, AI interpretations, community posts, circle memberships, achievements, streak data, push subscriptions, email records, and your access code. Any active Stripe subscriptions are also cancelled.

Some anonymized, aggregated data (such as total platform usage statistics) may be retained as it cannot be linked back to any individual.

10. Your Rights

All Users

Regardless of your location, you have the right to:

  • Access your data — export a complete copy of your data in JSON format from Settings → Export My Data.
  • Delete your data — permanently delete your account and all associated data from Settings → Delete Account.
  • Opt out of emails — via the unsubscribe link in any email or from your settings.
  • Control cookies — manage cookie preferences via the banner shown on your first visit, or by clearing your browser data.

EEA, UK & Swiss Residents (GDPR)

Under the General Data Protection Regulation, you additionally have the right to:

  • Rectification — correct inaccurate personal data. Contact us at the email below.
  • Restriction — request that we limit processing of your data in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format (the JSON export at Settings satisfies this right).
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — withdraw consent for marketing emails and analytics at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, email support@chaos-tarot.com. We will respond within 30 days.

California Residents (CCPA / CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the right to:

  • Know what personal information we collect and how it is used (described throughout this policy).
  • Delete your personal information (available self-service in Settings).
  • Opt out of sale or sharing — we do not sell or share your personal information with third parties for cross-context behavioral advertising. We never have and never will.
  • Non-discrimination — we will not discriminate against you for exercising your privacy rights.

Categories of personal information we collect: identifiers (email, access code), commercial information (purchase history), internet activity (usage data), and inferences (AI interpretations drawn from your reading context).

11. Children's Privacy

Chaos Tarot is not directed at children under the age of 13. We require all users to confirm they are at least 13 years of age before accessing the platform. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at support@chaos-tarot.com. We will promptly delete the child's data from our systems.

12. Data Security

We use industry-standard security measures including HTTPS encryption, secure httpOnly session cookies with JWT tokens, rate limiting, input validation, and access controls to protect your data. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. If we make material changes that affect your rights, we will notify you via email or a prominent notice on the platform. Continued use of the platform after changes constitutes acceptance of the revised policy.

14. Contact

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, contact us at:

support@chaos-tarot.com

We aim to respond to all privacy-related inquiries within 30 days.