Tarotdoxa

Privacy Policy

Effective Date: June 11, 2026 · Last Updated: June 11, 2026

Tarotdoxa LLC ("Tarotdoxa," "we," "us," or "our") operates the Tarotdoxa mobile application and website (the "Service"). This Privacy Policy describes our practices regarding the collection, use, and disclosure of information when you use our Service.

We designed Tarotdoxa to collect as little personal information as possible. You can use the core of the Service - drawing cards and receiving readings - without creating an account, and in that case your readings stay on your device. If you choose to create an optional account, we store your reading history and any credits you buy on our servers so they are available across your devices and on the web. We do not sell your personal data, and we never use your readings to train our reading engine without your separate written consent.

1. Who We Are

Tarotdoxa LLC is an Oregon limited liability company. You can reach us at:

Email: privacy@tarotdoxa.com
Address: 273 NW 182nd Ave, Beaverton, OR 97006

2. What We Do Not Do

To be explicit:

We do not require an account to use the core Service. Accounts are optional (see §3).
We do not sell, rent, or trade your personal information to third parties.
We do not use your readings to train AI models without your explicit, separate, written consent.
We do not track you across other apps or websites.
We do not use third-party advertising networks.

3. Information We Process

Account Information (Optional)

You can create an account so your readings and credits travel across devices and to the Tarotdoxa website. We offer sign-in by email (a one-time code or magic link sent to your address) and Sign in with Apple. Additional sign-in methods (such as Google and phone) may be added later. When you create an account, we collect and store:

Your email address (your account identifier).
A display name, if your sign-in provider supplies one or you set one.

Account identity and sign-in are handled by Supabase Auth (see §6). If you sign in with Apple or Google, that provider authenticates you; we receive only the minimal identity information needed to create your account. You can delete your account at any time from within the app (see §7), which permanently removes your account and the server-side data described below.

Reading History and Chat (Stored Only With an Account)

Without an account, your readings are stored only locally on your device, as before. With an account, the readings you choose to keep - the cards drawn, the spread, the generated interpretation, any optional topic, and any follow-up "Reading Chat" conversation - are synced to and stored on our servers (Supabase) so they are available on your other devices and on the web. This history is private to your account and is not shared. You can delete individual readings, or your entire account, at any time.

Credits

If you buy reading credits, we store your credit balance on our servers, associated with your account, so it is available wherever you sign in. Credit balances do not expire. The purchase itself is handled by Apple (in the app) or by our payment processor on the web (see "In-App and Web Purchases" below); we do not store your payment card details.

Information You Provide

If you contact us (for example, by emailing us), we receive the information you send and use it only to respond to you.

In-App and Web Purchases

In-app purchases (subscriptions and credit packs) are processed entirely by Apple through the App Store; we receive only aggregate, anonymized purchase data and never see your payment card, billing address, or Apple ID. Web purchases (when the website launches) are processed by our payment processor, which handles your payment details under its own privacy policy; we receive confirmation and the credits to apply, not your card data. Apple's privacy practices are at https://www.apple.com/legal/privacy/.

Information Generated During Your Reading

When you draw cards, the cards drawn, your selected spread, and any optional context you provide are sent to our reading engine to generate your reading. If you are not signed in, the reading is stored only on your device. If you are signed in, it is also saved to your account history as described above.

Anonymous Analytics

We use Apple's built-in analytics (which require your opt-in via iOS settings) to understand aggregate usage patterns: which features are used, which spreads are popular, crash data. These are anonymized by Apple and not tied to your identity.

Technical Information

When the app communicates with our reading engine, our servers automatically receive standard technical information (such as IP address and a timestamp). We use this only to operate and secure the Service, and we delete server logs after 30 days.

4. How We Use Information

We process information to:

Deliver the reading you requested
Maintain your account, reading history, and credit balance (if you create an account)
Maintain and improve the Service (aggregate usage patterns only)
Respond to your inquiries
Comply with legal obligations
Detect and prevent fraud or abuse

5. How We Train Our Reading Engine

Tarotdoxa's voice and reading patterns were developed by Holly Cole, a co-founder of Tarotdoxa LLC, drawing on over two decades of her own tarot practice. We trained our reading engine using:

Holly's own teaching materials, voice characteristics, and pedagogical structure
Readings between Holly and Tarotdoxa co-founder Russell Gardner
Readings between Holly and consenting family members who provided explicit written consent for AI training use

We have never used your reading as training data. We will never use your reading as training data without your explicit, separate, written consent. The model encodes patterns, not individual readings.

6. Sharing Information and Service Providers

We do not sell, rent, or trade personal information. We share information only in the limited circumstances below, with providers acting on our behalf under their own privacy policies:

Supabase: provides our account authentication and the database that stores your account, reading history, and credit balance.
Apple and Google: when you choose Sign in with Apple or Google, they authenticate your identity.
Resend: delivers transactional account emails, such as magic-link sign-in messages.
Cloudflare Workers and Anthropic (Claude API): process the cards drawn and your optional context to generate your reading; they do not retain your reading content beyond what is required to deliver it.
Apple / our web payment processor: process purchases as described in §3.
Legal requirements: if compelled by valid legal process. We will challenge requests we believe overreach.
Successor in interest: if Tarotdoxa LLC is acquired or merged, your information may transfer subject to this Privacy Policy.

We do not transfer your personal information to any other third party.

7. Your Rights

You have the right to:

Access: ask what personal information we hold about you
Correct: ask us to correct inaccurate information
Delete: delete your account and its server-side data at any time directly in the app (Settings -> Account -> Delete Account). Deletion is also available through a server request to our account-deletion endpoint, or by emailing privacy@tarotdoxa.com
Withdraw consent: withdraw any consent you previously provided
Opt out of analytics: disable analytics in iOS settings at any time

Deleting your account permanently removes your account, your synced reading history and chats, and your credit balance from our servers. Credits do not expire but are forfeited on account deletion. To exercise any other right, email privacy@tarotdoxa.com; we will respond within 30 days.

Additional rights for residents of California (CCPA/CPRA), Colorado, Virginia, Connecticut, Texas, and other US states with comprehensive privacy laws

You have the rights described above. You may designate an authorized agent to make requests on your behalf. We do not "sell" personal information and we do not "share" it for cross-context behavioral advertising under any applicable state law.

Additional rights for residents of the European Economic Area, United Kingdom, Switzerland, and other GDPR-equivalent jurisdictions

You have the rights above, plus the right to data portability, to object to processing based on legitimate interests, and to lodge a complaint with your local data protection authority. Our lawful basis for processing is performance of the contract (delivering the Service and maintaining your account) and our legitimate interest in operating and securing the Service.

8. Children

Tarotdoxa is intended for users aged 17 and older. We do not knowingly collect personal information from anyone under 13 (or under 16 in the EEA/UK). If you believe a child has provided us information, email privacy@tarotdoxa.com and we will delete it.

9. Security

We use industry-standard technical and organizational measures to protect the information we process. Account data is access-controlled so that each account can reach only its own records. No system is perfectly secure, but we minimize what we collect.

10. Data Retention

On-device readings (no account): stored on your device under your control until you delete them
Account, synced reading history and chats, credit balance (with an account): retained until you delete your account, after which they are permanently removed
Reading content sent to the engine: processed in real time and not separately retained by the engine beyond delivery
Server logs: deleted after 30 days
Analytics: retained in anonymized form per Apple's policies
Support correspondence: retained for up to 3 years
Records of consent: retained for the life of the Service plus 7 years (per our operating agreement)

11. International Users

Tarotdoxa is operated from the United States. If you access the Service from outside the United States, your information may be processed in the United States, handled consistently with this Privacy Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced in the app and via the Effective Date above. Your continued use after a change constitutes acceptance of the updated policy.

13. Contact

For privacy questions, data subject requests, or to exercise any right above:

Email: privacy@tarotdoxa.com
Mail: Tarotdoxa LLC, 273 NW 182nd Ave, Beaverton, OR 97006

We are the data controller for purposes of GDPR. Our designated Privacy Contact is Russell Gardner.