Privacy Policy

Last updated: June 1, 2026

Plain-language summary: Your journal and most settings stay in your browser. We only collect email if you give it. We never sell personal data. Payments are handled by our payment provider — we never see your card. Optional analytics and ads load only with your consent (Cookie Policy).

1. Who we are & contact

tarotogo ("we", "us") operates tarotogo.com, offering tarot readings for entertainment and self-reflection.

Data controller contact: johnny.bulker@gmail.com

For EU/UK/Israel data-subject requests, email the address above with the subject "Privacy request". We respond within 30 days (or as required by law).

2. What we collect

Stored only in your browser (not sent to us unless you sync Premium journal): reading journal, daily-card streak, spread preferences, language, premium license key cache, free-AI usage flag, cookie consent choice. See our Cookie Policy for every localStorage key.

Collected when you provide it: email address for daily-card emails, access recovery, or checkout (via payment provider). Used only to deliver the service you requested.

Collected automatically: IP address and request metadata for security, rate limiting, and abuse prevention — retained briefly, not used for profiling.

Premium journal (server): if you subscribe, saved readings may sync to our Cloudflare D1 database, keyed by your license — so you can access them across devices.

AI readings: your question and card spread are sent to our backend, which calls Anthropic's API server-side. We do not expose API keys in the browser.

Payments: processed by our Merchant of Record or payment partner (e.g. Stripe, Lemon Squeezy, Polar). We receive only email, subscription status, and license identifiers — never full card numbers. See the processor's privacy policy at checkout.

3. Legal basis (GDPR / UK GDPR)

Contract — providing readings, premium features, and license verification you paid for.
Consent — marketing/daily-card emails, optional analytics, optional advertising cookies.
Legitimate interests — security, fraud prevention, rate limiting, improving the service (balanced against your rights).
Legal obligation — tax/accounting records from payment processors where applicable.

4. How we use data

To run the service, verify subscriptions, send emails you signed up for, prevent abuse, and improve tarotogo. We do not sell your personal data. We do not build third-party advertising profiles unless you consent to advertising cookies on the free tier.

5. Processors (sub-processors)

We use trusted providers who process data on our behalf under appropriate agreements:

Netlify — static site hosting
Cloudflare — Workers (API), KV (licenses), D1 (Premium journals), CDN
Anthropic — AI interpretation (server-side only)
Resend — transactional email (optional)
Payment / MoR — Stripe, Lemon Squeezy, Polar, or similar
Google AdSense (if enabled, with consent) — advertising
Analytics (if enabled, with consent) — e.g. Plausible

We require processors to protect data and use it only for the services they provide us.

6. Advertising & cookies

Free users may see ads after consent. Ad partners may use cookies — manage this via our consent banner or Cookie Policy. Premium and remove-ads customers see no ads. See also Google Ad Settings.

7. Your rights

Depending on your location (EU/EEA, UK, Israel, California, and others), you may have the right to:

Access — know what personal data we hold about you.
Rectification — correct inaccurate data.
Erasure — delete data we hold (e.g. email, server journal).
Portability — receive your data in a portable format where applicable.
Object / restrict — object to certain processing (e.g. marketing).
Withdraw consent — for consent-based processing (analytics/ads/emails).
Complaint — lodge a complaint with your local supervisory authority.

Browser-stored data (journal, settings) can be cleared anytime in your browser. Email us for server-held data.

8. California (CCPA/CPRA) — Do Not Sell or Share

We do not sell or share personal information for cross-context behavioral advertising as defined under California law. If that changes, we will update this policy and provide a "Do Not Sell or Share My Personal Information" mechanism. Advertising cookies, if enabled, are opt-in via our consent banner.

9. International transfers

We and our processors may store or process data in the United States, EU, and other countries. Where required, we rely on appropriate safeguards (e.g. Standard Contractual Clauses, processor certifications). Contact us for details about transfers relevant to your region.

10. Data retention

Email & subscription records — while active plus a reasonable period for support, accounting, and legal obligations (typically up to 7 years for billing records via processor).
Premium journal (server) — while subscription is active; deleted on request or after prolonged inactivity following notice.
Rate-limit / security logs — hours to days.
Browser localStorage — until you clear it.

11. Children's privacy

tarotogo is not directed to children under 13 (or 16 in the EU/UK where applicable). We do not knowingly collect personal data from children. If you believe a child provided data, contact us and we will delete it.

12. Security

We use HTTPS, signed webhooks, server-side license checks, rate limits, and input sanitization. No method is 100% secure; use a strong email password and keep your license link private.

13. Changes

We may update this policy. Material changes appear in the "last updated" date. Continued use after changes constitutes acceptance where permitted by law.