Privacy Policy

1.1 Information You Provide Directly

When you create an account or use our Service, we may collect: your email address; display name; date, time, and place of birth (for astrological calculations); sun sign preference; payment information (processed securely by Stripe — we never store raw card data); and messages you send through our support contact form.

1.2 Information Collected Automatically

When you access the Service, we automatically collect: device information (browser type, operating system, device type); log data (IP address, pages visited, time spent, referring URLs); usage data (features used, readings generated, preferences set); and service worker cache interactions (for PWA functionality).

1.3 Information from Third Parties

We receive information from Supabase (our authentication and database provider) regarding your account status; Stripe (our payment processor) regarding subscription status and payment events; and OpenAI (our AI provider) — we send anonymised prompt data; no personally identifiable information is transmitted except what you explicitly include in a reading prompt.

We use the information we collect to:

• Provide, operate, and maintain the Service
• Generate personalised astrological readings and insights using AI
• Process payments and manage your subscription
• Send transactional emails (account confirmation, password resets)
• Respond to support requests submitted via our contact form
• Analyse usage patterns to improve the Service
• Enforce our Terms of Service and detect fraud
• Comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising targeting. We do not share your birth data with any party outside of what is necessary to generate your reading via AI APIs.

3.1 Service Providers

We share data with carefully selected third-party vendors who assist in operating the Service:

• Supabase — Authentication and database hosting (EU/US infrastructure). Data Processing Agreement in place.
• Stripe — Payment processing. Stripe's Privacy Policy governs their handling of payment data.
• OpenAI — AI reading generation. Prompts are sent without your email or name unless you include them in your query text.
• Vercel — Hosting and edge infrastructure. Vercel may process request logs containing your IP address.
• Resend — Transactional email delivery for contact form responses and account emails.
• Upstash — Rate limiting (hashed IPs only; no personal data stored).

3.2 Legal Requirements

We may disclose your information if required to do so by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service of any change in ownership.

We retain your personal data for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal, tax, or fraud prevention purposes (typically up to 7 years for financial records).

Reading archives are stored until you delete them or close your account. AI prompt/response logs are not retained by Arcanavana beyond what is needed to display your reading; AI providers retain data per their own policies.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you.
• Rectification — Request correction of inaccurate or incomplete data.
• Erasure (Right to be Forgotten) — Delete your personal data. As easy as a single button: go to Profile → Privacy & Data and tap Delete Account. One confirmation tap and your account and all associated data are permanently deleted. No contact form or email required.
• Portability — Export your data as JSON from Profile → Privacy & Data → Export My Data.
• Objection — Object to certain processing activities.
• Withdraw Consent — Where processing is based on consent, withdraw it at any time.

For requests not covered by the in-app controls above (e.g. rectification, objection), use our contact form. We will respond within 30 days.

We use the following cookies and similar technologies:

• sb-access-token / sb-[project]-auth-token — Session authentication (strictly necessary, httpOnly).
• arcanavana-premium — Premium subscription status verification (httpOnly, 1-hour expiry, re-verified server-side).
• Service Worker Cache — PWA offline functionality (stores app shell; does not contain personal data).

Free accounts may display third-party advertising (e.g. Google AdSense), which may use advertising cookies. Premium subscribers enjoy an ad-free experience. We do not use cross-site tracking or analytics cookies. You may clear cookies at any time through your browser settings; this will log you out of the Service.

We implement enterprise-grade security measures including: TLS 1.3 encryption in transit; AES-256 encryption at rest via our encrypted database architecture; nonce-based Content Security Policy to mitigate XSS attacks; server-side premium verification to prevent unauthorised access; rate limiting on all API routes; and Row-Level Security (RLS) policies ensuring users can only access their own data.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and we encourage you to use a strong, unique password for your account.

The Service is not directed to children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately via our contact form and we will delete the data promptly.

Arcanavana operates globally. Your data may be transferred to and processed in countries other than your own, including the United States and the European Union. We ensure such transfers comply with applicable data protection law (e.g., Standard Contractual Clauses for EU data transfers under GDPR).

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR). Our lawful bases for processing are: Performance of a Contract (providing you the Service you signed up for); Legitimate Interests (fraud prevention, security, service improvement); and Consent (for non-essential data processing, where applicable).

You have the right to lodge a complaint with your local supervisory authority if you believe we have violated applicable data protection law.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected; the right to delete personal information; the right to opt-out of the sale of personal information (note: we do not sell personal information); and the right to non-discrimination for exercising your privacy rights.

To submit a CCPA request, please use our contact form.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if we have your address) and by updating the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us through our support page. We do not publish an email address to prevent spam; all enquiries are handled through the contact form.