Privacy Policy
Last updated: [LAST UPDATED]
This Privacy Policy explains what [COMPANY NAME] (“we”) collects when you use Selfarcana (the “Service”), why we collect it, who we share it with, and what rights you have over your data.
1. Information we collect
- Account information — your email, name, Google account identifier, and profile photo URL (if provided by Google at sign-in).
- Profile you provide — preferred display name, birthdate, and the “intent” you select at onboarding.
- Your selfie — the image you upload so we can generate personalized card imagery.
- Generated imagery — the personalized card images our pipeline creates from your selfie and the reference artwork.
- Readings — the cards drawn and the narrative text generated for each reading.
- Billing data — your subscription status and billing period end. We do not store card numbers; payment details are handled by Stripe.
- Usage data — events describing how you interact with the Service (page views, which buttons you tap, rough device type), collected via PostHog if you consent to analytics cookies.
- Error data — technical diagnostics sent to Sentry when something breaks. This excludes your selfie and the text of your readings.
2. Your selfie — how we handle it
This is the most sensitive data you give us. Specifically:
- Purpose. Your selfie is used only to generate your personalized tarot card imagery. We do not use it to identify you, to train AI models, or for advertising.
- Consent. You give explicit consent at upload and can withdraw it at any time by replacing or removing your selfie in Settings, or by deleting your account.
- Where it lives. Encrypted at rest in Cloudflare R2. Access is through short-TTL signed URLs; buckets are not public.
- Who sees it. Only our image-generation pipeline and Google's Gemini model, which receives it as a reference when generating your cards. We do not sell, trade, or share your selfie with any other party.
- Retention. Until you delete it or your account. After account deletion we remove the selfie and all generated imagery within 30 days.
If you are a resident of a jurisdiction that treats face images as biometric data by default (for example, Illinois BIPA, Texas CUBI, or the EU GDPR when used for unique identification), please note that we do not perform facial recognition, identification, template generation, or matching. We use the image as a visual reference in a generative model and store the original for re-use with your consent. We treat face images as sensitive regardless of jurisdictional classification.
3. How we use information
- to provide, operate, and improve the Service;
- to generate your personalized card imagery and reading narratives;
- to process payments and manage your subscription;
- to communicate with you about the Service (welcome, trial ending, service updates);
- to prevent fraud and abuse;
- to comply with legal obligations.
4. Service providers (sub-processors)
We use the following processors. Each receives only the minimum data necessary for the stated purpose:
- Google LLC — OAuth sign-in, Gemini image generation (receives your selfie + reference artwork), Gemini 2.5 Pro (reading narrative input).
- Cloudflare, Inc. — R2 object storage for selfies and generated imagery; CDN delivery of images.
- Stripe, Inc. — payments processing. Stripe has its own privacy policy.
- Resend, Inc. — transactional email delivery.
- PostHog, Inc. — product analytics (if you consented to analytics cookies).
- Functional Software, Inc. (Sentry) — error monitoring.
- Railway Corp. — infrastructure hosting (Postgres database, Redis queue, application servers).
5. Your rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access + portability. Download an export of your data from Settings → Export my data, or email us.
- Deletion. Delete your account from Settings → Delete my account. We hard-delete within 30 days.
- Rectification. Update your display name and intent from Settings. For anything else, email us.
- Withdraw consent. Remove your selfie at any time; change cookie preferences via the banner or by clearing your browser storage.
- Object, restrict processing. Email [CONTACT EMAIL] with specifics.
- Complain. If you are in the EU, you may lodge a complaint with your local supervisory authority. If you are in California, you may exercise your CCPA rights without discrimination.
6. International transfers
The Service is operated from the United States. If you access it from outside the US, your data will be transferred to, stored, and processed in the US. Where required, we rely on Standard Contractual Clauses (or equivalent mechanisms) with our processors.
7. Retention
We retain personal data for as long as your account is active. After you delete your account, we hard-delete your selfie, generated imagery, and reading history within 30 days. We may retain limited aggregated or anonymized data (e.g., counts of readings generated) for analytics and service improvement.
8. Children
The Service is not directed to individuals under 18 and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, email us and we will delete it.
9. Security
We encrypt data in transit (TLS) and at rest (R2 server-side encryption). Access to production systems is restricted and audited. No system is 100% secure; if you suspect a compromise, notify us immediately.
10. Cookies
See our Cookie Policy.
11. Changes
We will post material changes to this Policy and, where required, notify you by email. The “Last updated” date at the top reflects the most recent revision.
12. Contact
Email [CONTACT EMAIL]. Postal address: [COMPANY NAME], [COMPANY ADDRESS]. For EU data-protection matters, contact [DPO EMAIL].