Privacy Policy
Last Updated: May 25, 2026
Introduction
This Privacy Policy explains how Tarotly ("Tarotly", "we", "our", or "us") collects, uses, and safeguards personal data when you use the Tarotly mobile application ("App") or our website at tarotly4you.com. We have written it to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and the privacy requirements of the Apple App Store and Google Play.
Data Controller
The controller responsible for the processing of your personal data is:
- Legal entity: Tanael S.àr.l.
- Postal address: 19 Rue de l’Industrie, L-8069 Bertrange, Luxembourg
- Commercial register: RCS Luxembourg B169689
- VAT identification: LU27601728
- General contact: support@tarotly4you.com
- Privacy contact: privacy@tarotly4you.com
- EU representative: Not required — Tanael S.àr.l. is established in the EU (Luxembourg).
Information We Collect
Information You Provide
- Account Information: When you create an account, we collect your email address and a chosen display name. If you sign in with Google or Apple, we also receive the basic profile information that the provider returns to us (your email, name, and — where you choose to share it — your profile photo).
- Reading Data: When you draw a reading, we process the spread you chose, the card placements, and any optional inputs you provide (focus question, interpretation mode). If you choose to save the reading, we store the cards drawn, the spread used, the AI-generated interpretation, and any journal note you add.
- AI Content Reports: If you report an AI-generated interpretation from inside the App, we store the reported text snippet, selected report reason, basic app details, and your user ID (which may be anonymous) so we can review and improve safety filters.
- Dream Content (Dream Spread / Dream Journal): If you use the Dream Spread or Dream Journal, you may enter the text of a dream (up to 3,000 characters). For Premium users, this content is saved to the Dream Journal so you can revisit it; for non-Premium users it is processed only to generate the reading and not stored on our servers.
- Compatibility Inputs: If you use the Compatibility spread, you may enter another person’s first name and (optionally) date of birth. You confirm that you have that person’s permission to share this information with us and our AI provider. We do not store these inputs on our servers — they are processed only to generate the reading.
- Preferences & Settings: Your interpretation mode, deck choice, theme, language, daily reminder time, and weekly recap opt-in are stored with your account so they sync across devices.
- Communications: If you contact us by email, we keep the message and any attachments to handle your request and as proof of our reply.
Automatically Collected Information
- Device Information: Device type, operating system version, app version, language, and time zone.
- Usage Data: Screen views, feature interactions, and your tier (free, registered, premium). When you are signed in, this data is associated with your account user ID; when you are signed out it is not.
- Crash & Diagnostic Data: If the App crashes, our crash-reporting tool (Sentry) collects a stack trace, device and OS information, app version, and — when you are signed in — your user ID and email so we can reproduce the issue.
- Server Logs: Our API records IP addresses, user-agent strings, and request timestamps for security, abuse prevention, and rate-limiting purposes. Logs are kept for a maximum of 30 days.
- Purchase & Subscription Data: When you buy Premium, our purchase processor (RevenueCat) receives a device-bound purchase identifier, the product purchased, and the entitlement state. We do not see your full payment card or store account credentials — those stay with Apple or Google.
How We Use Your Information
We use the information we collect to:
- Provide and maintain the Tarotly App and its features (account, sync, reading generation, journal, history).
- Generate AI-powered tarot interpretations through our AI provider.
- Process and verify subscription purchases and entitlements.
- Diagnose crashes, prevent abuse, and keep the service secure.
- Review user reports about AI-generated output and improve content safeguards.
- Send the Weekly Recap email if you have explicitly enabled it (Premium opt-in).
- Show local notifications for the Daily Card reminder if you have enabled it.
- Communicate with you about important changes to the service or these terms.
- Comply with our legal obligations (e.g. accounting, responding to lawful requests).
Legal Bases for Processing (EU/UK GDPR)
If you are in the EU, the EEA, the UK or Switzerland, we rely on the following legal bases under Article 6(1) GDPR:
- Performance of a contract — Art. 6(1)(b): To provide the App, generate readings, store account-linked content, and process Premium purchases.
- Consent — Art. 6(1)(a): For Firebase Analytics (where required by local law), for the Weekly Recap email opt-in, and for push notifications. You may withdraw consent at any time.
- Legitimate interests — Art. 6(1)(f): For crash reporting, anti-abuse rate limiting, and product analytics aggregated at the cohort level. Our legitimate interest is keeping the service reliable and safe, and improving it over time. You can object to such processing at any time.
- Legal obligation — Art. 6(1)(c): For retaining records required by tax law and for responding to lawful requests from authorities.
Third-Party Services and Sub-processors
Sub-processors We Use
We rely on the following sub-processors to operate Tarotly. Each is bound by a data-processing agreement that includes appropriate safeguards for international transfers (Standard Contractual Clauses where applicable).
- Google Cloud Platform (Firebase Auth, Firestore, Cloud Run, Firebase Analytics): Hosts the API, the user database, authentication, and analytics. Backend is hosted in europe-west1 (Belgium). Operated by Google LLC (USA) / Google Ireland Limited (EU). Privacy policy: https://policies.google.com/privacy.
- OpenAI, L.L.C. (USA): Generates the AI tarot interpretations. We send only what is needed to generate the reading: the chosen spread, card placements, your interpretation mode, and any optional question, dream text or compatibility inputs you provided. Per OpenAI’s API data-usage policy, content sent via the API is not used to train OpenAI models. Privacy policy: https://openai.com/policies/privacy-policy.
- RevenueCat, Inc. (USA): Manages subscription state and entitlements for purchases made on the App Store and Google Play. Privacy policy: https://www.revenuecat.com/privacy.
- Functional Software, Inc. dba Sentry (EU region: de.sentry.io): Crash and error reporting. Tarotly’s Sentry data resides in the EU (Germany). Privacy policy: https://sentry.io/privacy/.
- Amazon Web Services, Inc. (Amazon SES, Stockholm region): Delivers transactional and Weekly Recap emails. AWS SES is operated from eu-north-1 (Stockholm). Privacy policy: https://aws.amazon.com/privacy/.
- Apple, Inc. (USA) / Google LLC (USA): Process App Store and Google Play purchases. We do not receive your payment details. Apple: https://www.apple.com/legal/privacy/. Google: https://policies.google.com/privacy.
AI Interpretations (OpenAI)
We use OpenAI’s API to generate tarot interpretations. The inputs sent to OpenAI include the spread you chose, the card placements, the interpretation mode, and any free-text inputs you optionally provided (focus question, dream text, compatibility names/birth dates). We do not send your name, email, or account identifier with the request. For more information about how OpenAI handles API data, please review OpenAI’s Privacy Policy.
Important: Per OpenAI’s API data-usage policy, content submitted through the API is not used to train OpenAI’s models. We also do not use your readings, dreams, or journal entries to train any AI model, our own or anyone else’s.
Analytics (Firebase Analytics)
We use Firebase Analytics to understand which screens are used and how the App performs. When you are signed in, screen views are associated with your account user ID so we can build aggregate usage statistics; when you are signed out, no user ID is attached. We do not share Firebase Analytics data with third parties for advertising and we do not use it to build profiles about you. If you would prefer not to be measured, you can opt out via the OS-level "Limit ad tracking" / Google Analytics opt-out, or by uninstalling the App.
Crash Reporting (Sentry)
When the App crashes or hits an unhandled error, Sentry collects a stack trace, the device model, the OS version, the app version, and — when you are signed in — your user ID and email so we can reach out if needed. Sentry data for Tarotly is stored on Sentry’s EU instance (de.sentry.io). The data is kept for the period Sentry’s plan provides for, typically 90 days, and then automatically deleted.
Notifications and Email
The Daily Card reminder is a local notification scheduled on your device — we do not push it from our servers. The Weekly Recap email (Premium) is sent only after you opt in, and every email contains a one-click unsubscribe link as required by EU/US anti-spam law. You can also turn the reminder and the recap off from the Profile screen at any time.
Data Storage and Security
- Account-linked data (profile, readings, daily cards, dream journal, settings) is stored in Firebase Firestore in the europe-west1 region (Belgium) and encrypted in transit and at rest.
- Readings made without an account stay on your device only and are never associated with an account. The card placements (and any optional free-text inputs) are still sent to our AI provider for the duration of the request, but are not stored on our servers.
- Traffic between the App and our servers is protected by TLS 1.2 or higher.
- Access to production data is restricted to authorised maintainers and audited.
- We implement appropriate technical and organisational measures to protect your data, including least-privilege access controls, encrypted backups, and regular security review of our dependencies.
How Long We Keep Your Data
We keep personal data only as long as we need it for the purposes set out in this Policy.
- Account profile: For the lifetime of the account. When you delete your account, we erase it within 30 days, except for data we are legally required to keep.
- Readings, daily cards, dream journal entries: Free and Registered users: only the most recent 30 days are retained on our servers. Premium users: kept until you delete the reading or your account. Deleted with the account.
- Server logs (Cloud Run): Up to 30 days, then automatically purged.
- Crash reports (Sentry): Typically 90 days from collection, then automatically deleted by Sentry.
- Email delivery records (AWS SES): Bounce and complaint records up to 12 months to comply with anti-spam obligations.
- AI content reports: Up to 12 months, unless we need to retain them longer for abuse prevention or legal reasons. Deleted with your account where they are linked to your user ID.
- Purchase records: Up to 10 years where required by tax law in our country of establishment.
- Compatibility inputs (third-party names / birth dates): Not stored. Used only to generate the reading and discarded immediately after.
International Data Transfers
Some of our sub-processors are based outside the EU/EEA, in particular in the United States (OpenAI, RevenueCat, Apple, Google). Where personal data is transferred outside the EU/EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where available, the EU-US Data Privacy Framework, together with additional technical and contractual safeguards. You can request a copy of the safeguards in place by contacting privacy@tarotly4you.com.
Sensitive Inputs (Dreams, Compatibility)
Dream content and compatibility inputs may incidentally reveal sensitive aspects of your life or another person’s life (e.g. emotional state, relationships, beliefs). We process this content only to provide the reading you requested and, for Premium Dream Journal entries, to store it on your account so you can revisit it. We do not analyse it for any other purpose, do not share it with advertisers, and do not use it to train AI models. If you enter information about another person (e.g. compatibility partner), you confirm that you have their permission to share that information with us.
Your Rights
Depending on where you live, you have the following rights regarding your personal data:
- Access the personal data we hold about you (Art. 15 GDPR).
- Request correction of inaccurate data (Art. 16).
- Request deletion of your data (Art. 17, "right to be forgotten").
- Restrict or object to processing based on our legitimate interests (Art. 18, 21).
- Receive your data in a portable format and have it transmitted to another controller (Art. 20).
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3)).
- Not be subject to a decision based solely on automated processing that produces legal effects (Art. 22). Note: Tarotly’s readings are AI-generated for entertainment and do not produce legal or similarly significant effects.
To exercise these rights, contact us at privacy@tarotly4you.com. We will respond within 30 days.
Right to Lodge a Complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority — in particular, the supervisory authority of the EU/EEA Member State in which you reside, work, or where the alleged infringement took place. Our lead supervisory authority is the Commission nationale pour la protection des données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg — https://cnpd.public.lu.
Deleting Your Account
You can delete your account and all associated personal data directly from the App: Profile → Delete Account. After confirmation, your account, readings, daily cards, dream journal entries and preferences are permanently deleted within 30 days. Cached copies in encrypted backups are automatically rotated out within 90 days. If you cannot use the App (e.g. you have uninstalled it), you can request deletion from our public web form:
https://tarotly4you.com/en/account/delete
Children’s Privacy
Tarotly is not intended for users below 16 in the EU/EEA, or below 13 in jurisdictions where 13 is the digital consent age (including the United States under COPPA). We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided us with personal data, please contact privacy@tarotly4you.com and we will delete it.
California Residents (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising, and to limit our use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising, and we do not use sensitive personal information for purposes beyond providing the service. To exercise your rights, contact privacy@tarotly4you.com.
Cookies (Website)
Our website (tarotly4you.com) uses only strictly necessary cookies and local storage to remember your language preference and to keep the navigation working. We do not set advertising or third-party tracking cookies on the website. The Tarotly mobile App does not use browser cookies, but uses Firebase identifiers as described above.
Changes to This Policy
We may update this Privacy Policy from time to time. If a change is material (for example, a new sub-processor or a new category of personal data), we will notify registered users at least 30 days before it takes effect, via in-app banner and email. The "Last Updated" date at the top of this Policy is always current.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:
- Email: privacy@tarotly4you.com