Privacy Policy

Last updated: May 21, 2026

1. Data Controller

TarotWithU (“we”, “us”, or “our”) is the data controller for the personal data processed through this website. For privacy-related inquiries, contact us at nahai0816@hotmail.com.

2. Data We Collect

We collect and process the following data:

  • Email address — collected when you create an account. Used for authentication. Legal basis: your consent.
  • Account information — username, account ID, authentication state, and account deletion status. Used to provide account features and protect access to registered-only functions.
  • Credits and usage records — your current credits balance, credit purchases, and idempotent credit consumption records. Used to provide paid AI interpretation access and prevent duplicate charges.
  • Purchase records — Stripe checkout session ID, payment intent ID, customer ID, purchased credit pack, amount, currency, and purchase status. We use this to fulfill credits, keep order records, and troubleshoot payment issues.
  • User questions, tarot reading content, and generated content — the question and reading context you submit, selected cards, generated reading content, and interpretation output. Used to provide the interpretation service and display your results.
  • Authentication cookies — Supabase session tokens stored as HTTP cookies. Legal basis: legitimate interest (necessary for login functionality).
  • Cookie consent preference — stored in localStorage to remember your choice. This is necessary storage and does not require separate consent.
  • Session data — tarot reading results and fortune cookie state stored in sessionStorage for page navigation. Cleared when the tab closes.
  • Basic technical logs — request time, route, status code, runtime errors, and similar operational logs from hosting and infrastructure providers. Used for security, debugging, abuse prevention, and service reliability.
  • Aggregate page-view analytics — when you visit a page, your browser sends the page path, referrer, country (derived from your IP address, which is not stored), and browser/OS information to Vercel Analytics. A daily-rotating anonymous hash is used to count unique visitors. No cookies, no localStorage, no persistent identifiers. Legal basis: legitimate interest.

We do not use advertising or cross-site tracking cookies.

3. Data Storage

Server-side data, including accounts, credits, purchases, forum posts, and reading-related records, is stored on Supabase cloud infrastructure. The application is deployed on Vercel’s network. Interpretation requests are sent to DeepSeek to generate responses. Payment checkout and payment status are handled by Stripe. Client-side data in localStorage or sessionStorage is stored in your browser.

We do not store your card number or full payment card details. Payments are processed by Stripe.

4. Your Rights

Under GDPR, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — ask us to correct inaccurate personal data.
  • Erasure — request deletion of your personal data. We will respond within 30 days. You may request deletion of your account and related data.
  • Restriction of processing — ask us to limit how we use your data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing of your personal data.

To exercise any of these rights, email nahai0816@hotmail.com. We will respond within 30 days.

5. Third-Party Services

  • Supabase — authentication and database. Supabase Privacy Policy
  • Stripe — checkout, payment processing, payment status, and payment records. Stripe handles card data; we do not store card numbers.
  • DeepSeek — interpretation generation. The question and reading context needed to generate your interpretation may be sent to DeepSeek.
  • Vercel — hosting and edge network. Vercel Privacy Policy
  • Vercel Analytics — cookie-free aggregate page-view statistics, processed by Vercel under the privacy policy linked above. No personal identifiers are stored.

6. Cookie & Storage Details

Below is a complete list of cookies and browser storage used by this website. All items are classified as “Necessary” — we do not use any marketing cookies, and our analytics provider does not set cookies.

NamePurposeTypeStorageExpiry
sb-*-auth-tokenSupabase authentication sessionNecessaryCookieSession / 7 days
cookie-notice-seenRemembers that you dismissed the cookie noticeNecessarylocalStoragePersistent
client_request_idIdempotency identifier for one interpretation request to prevent duplicate credit consumptionNecessaryRequest payload / database recordFor the account data retention period
tarot_resultPass reading results between pagesNecessarysessionStorageTab close
tarot_blindbox_seenPrevent showing duplicate fortune cookiesNecessarysessionStorageTab close

7. Changes to This Policy

We may update this privacy policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.