Arcana Privacy Policy
Effective date: [EFFECTIVE_DATE]
This Privacy Policy explains how we handle personal information in Arcana, a dark-mystical, AI-powered tarot app for iOS and Android. It applies to the Arcana mobile app and any companion web pages we operate (including our web deletion page at https://arkanika.net/delete-account), everywhere the app is available.
Arcana is strictly for adults aged 18 and over. It is not directed to children, and we do not knowingly collect data from anyone under 18.
We may update this policy from time to time (see "Changes to this policy" below).
The short version (what you most need to know)
- Your readings are written by AI. When you create a reading or chat with your mage, the details you enter are sent to our AI partner Anthropic to write your reading. Anthropic works only on our behalf under contract, never uses your data to train its AI, and keeps it for at most a few days for safety before deleting it.
- We never sell or share your reading or chat content, and we never use your readings or chats for advertising.
- We do not sell your reading data. If you are a free user, your advertising identifier may be "sold"/"shared" for personalized ads under California law — you can opt out at any time, and personalized ads in the EEA/UK happen only with your consent.
- You're in control. You can withdraw your AI permission, and export or permanently delete everything, from Settings in the app (or delete via https://arkanika.net/delete-account without opening the app).
This summary is only a guide. The full policy below controls.
1. Who we are
[COMPANY_LEGAL_NAME], [COMPANY_ADDRESS] is the data controller (under the EU/UK GDPR) and the business (under the California CCPA/CPRA) responsible for the personal information described in this policy.
- Privacy questions and requests: privacy@arkanika.net
- General support: support@arkanika.net
Data Protection Officer: We have not appointed a Data Protection Officer because we are not required to. You can reach our privacy team using the contact details above.
2. EU / UK representative
For individuals in the European Economic Area, our Article 27 representative is [EU_REPRESENTATIVE]. Once our primary market is confirmed, we will also name a UK representative for individuals in the United Kingdom. If we determine we are exempt from appointing a representative, we will state the basis for that exemption here.
3. Age: Arcana is for adults 18+
Arcana is strictly for adults 18 and over. It is not directed to children, and we do not knowingly collect personal information from anyone under 18. When you start using the app, you self-attest that you are at least 18, and we record that attestation. Our store age ratings reflect a mature/17+ audience.
If we learn that someone under 18 has used the app or provided us data, we will delete that account and its data. Because the app is for adults only, a parent or guardian cannot consent to a minor's use on their behalf. If you believe a minor has provided us information, contact us at privacy@arkanika.net.
4. Data we collect, why, and our legal basis
We collect only what we need to run Arcana. The table below lists every category of data, why we use it, and — for EEA/UK users — our legal basis under Article 6 of the GDPR. Retention is summarized in section 8.
Legal-basis key: Contract = necessary to provide the service you asked for · Consent = your freely-given, withdrawable consent · Legitimate interests = our legitimate business interests, balanced against your rights · Legal obligation = required by law.
Identity & account
| Data | Why we use it | Legal basis |
|---|---|---|
| Anonymous guest identifier (auto-created on first launch — no login needed) | Create your account, own your data, run the game economy | Contract; Legitimate interests (basic abuse/fraud prevention) |
| Sign in with Apple / Google (optional): provider user ID + email (Apple may give a private "relay" email) | Keep your account across devices; re-sign-in | Contract; Consent (your choice to link) |
| User-chosen display name (not your real store-account name) | Personalize greetings and the UI | Contract |
| Timezone | Calculate your daily reset, streaks and moon timing | Contract |
| 18+ age-attestation flag | Enforce our adults-only rule and comply with app-store age policies | Contract; Legitimate interests (store-policy compliance, age-gating) |
| AI-permission timestamp | Record the in-app permission you gave before any AI reading is generated, and keep proof of it | Legitimate interests (operating the AI permission gate); Legal obligation (GDPR Art. 7(1) requires us to keep records of consent) |
Reading content — sensitive, written by you
| Data | Why we use it | Legal basis |
|---|---|---|
| The question you type, who the reading is "for", the theme you choose | Generate a personalized reading (we send these to our AI partner to write it) | Contract — necessary to deliver the reading you requested. Where your free text may reveal special-category data, we rely on your explicit consent under GDPR Art. 9(2)(a) (see section 5). |
| The cards drawn | Generate the reading; track collection progress | Contract |
| The AI-generated reading text and your saved reading history | Deliver and let you revisit your readings | Contract |
Why this is sensitive: what you type is free text and can reveal things like your health, relationships, beliefs or finances — even another person's information. We never ask for this, but it can appear. See section 5.
Chat with your mage — sensitive
| Data | Why we use it | Legal basis |
|---|---|---|
| Your messages to the mage (plus earlier chat turns and the related reading content re-sent so the conversation stays coherent) | Continue the conversation about a reading | Contract — necessary to deliver the chat you requested; explicit consent (Art. 9(2)(a)) covers any special-category data in your free text |
| The AI-generated mage replies | Deliver and keep the thread | Contract |
Progression & game economy
| Data | Why we use it | Legal basis |
|---|---|---|
| XP, level, energy, streak, moon charms, ritual state, 78-card collection, unlocks | Run the gamified experience | Contract |
We do not share your economy state (your balances) with third parties for its own sake — it lives in our database. However, analytics events that describe in-app actions (for example, completing a reading or reaching a level) are processed by PostHog; see the device/technical row and section 12.
Purchases & subscriptions
| Data | Why we use it | Legal basis |
|---|---|---|
| Subscription/entitlement status and purchase history (via RevenueCat: app user ID + purchase/receipt info) | Manage Premium, remove ads, restore purchases | Contract; Legal obligation (retaining financial records for tax/audit under applicable tax law) |
| Payment card details | — | We never see these. Apple and Google handle all payment. |
Content you report to us (safety)
| Data | Why we use it | Legal basis |
|---|---|---|
| Reports you submit using the in-app Report control: the flagged reading or mage-chat content, the surrounding context, and identifiers linking the report to your account | Review reported content (a person on our team may read it), keep the app safe, act on abuse, and improve our safety guardrails | Legitimate interests (safety, abuse prevention, improving guardrails); Legal obligation (responding to lawful requests and notice-and-action duties, e.g. under the EU Digital Services Act) |
Note: Readings and mage replies are generated by AI and are not reviewed by a person before you see them. The exception is content you choose to report — reporting it sends that content to us so a person can review it. See sections 12 and 17.
Device & technical
| Data | Why we use it | Legal basis |
|---|---|---|
| Device identifiers, OS/device model, app version | Compatibility, support, security | Legitimate interests; Contract |
| IP address | Security, abuse/fraud prevention, routing | Legitimate interests (security and fraud prevention) |
| Push token | Send you moonrise/streak notifications | Consent (notifications) |
| Crash diagnostics (Sentry, PII-scrubbed) | Diagnose crashes and errors, keep the app stable | Legitimate interests |
| Product-analytics events (PostHog) | Understand usage and improve the product | Legitimate interests — but in the EEA/UK, where these rely on non-essential on-device storage/identifiers, we rely on your Consent (see sections 12 and 13) |
| Google Advertising ID (AdMob — free users only) | Serve ads; personalize ads only with consent | Consent (personalized ads / tracking); Legitimate interests (non-personalized ads where permitted) |
| Internal AI usage/cost metrics (token/cost metadata only — no reading or chat content) | Monitor our AI costs and reliability; never surfaced to you | Legitimate interests (cost and reliability monitoring). This telemetry is de-identified and your account link is removed on deletion (see section 8). |
Where we rely on legitimate interests, we have weighed our interest (for example, keeping the service secure and improving it) against your rights and freedoms, and we use the data in ways you would reasonably expect. You can object — see section 10.
5. Sensitive information
The question you type, who a reading is for, the theme, and your chat messages are free text. They can reveal sensitive things about you — health, sex life, relationships, religious or philosophical beliefs, finances — or information about other people, even though we never ask for it.
Please don't enter anything you wouldn't want processed, and avoid entering other people's personal or sensitive details.
- How we generate your reading (GDPR): The transfer of your reading and chat inputs to our AI partner is necessary to provide the reading or chat you requested, so our lawful basis for that transfer is contract (Art. 6(1)(b)). Separately, because your free text may reveal special-category data (Art. 9), we ask for your explicit consent under Art. 9(2)(a) as the condition for processing any such data, and — to meet Apple's App Store requirements — we also ask for your explicit in-app permission before any reading is generated. Our server will not generate a reading without that in-app permission on file. You can withdraw it at any time (see section 13); if you do, we can no longer generate readings or chat, because that processing is essential to those features.
- California (CPRA): this content may be "sensitive personal information." We use it only to provide the reading and chat you asked for — never to infer characteristics about you and never for advertising. Because we already limit our use to what's necessary to deliver the service, there is nothing further to limit, but you can still withdraw your AI permission and delete this content at any time.
We never use your reading or chat content for advertising, and we never sell or share it.
6. Who we share data with (at a glance)
We share personal information only with the service providers and partners below. Most act as our processors/service providers — they act only on our instructions under a data protection agreement (DPA). A few are independent controllers for a specific relationship (payments, or ad personalization).
| Recipient | Role | What it receives | Notes |
|---|---|---|---|
| Anthropic, PBC | Processor / sub-processor | Reading inputs (your question, who it's for, theme, cards) and your chat messages | AI generation of readings & chat. Under a data processing agreement; Anthropic does not train on your data and retains inputs/outputs for at most 7 days (for safety) before deletion. This is our headline third-party-AI disclosure. |
| Railway Corp. | Processor | Effectively all stored data | Cloud hosting of our API server and database (region [DATA_REGION]) |
| RevenueCat | Processor | App user ID + purchase/receipt info | Subscription & entitlement management |
| Apple / Google | Independent controllers | Sign-in identity + store billing/payment | Also our sign-in providers; we never see your card details |
| Google AdMob | Independent controller (ad personalization) | Advertising ID, IP, ad-request signals — free users only | Consent required in EEA/UK (via Google UMP) and via Apple ATT on iOS; may be a "sale" and/or "share" under CPRA (see section 11) |
| Sentry | Processor | Crash/error diagnostics (PII-scrubbed) | Stability & error diagnosis |
| PostHog | Processor | Product-analytics events | Product improvement; consent-based in EEA/UK |
| Expo | Processor | Push token + notification content | Notification delivery |
Our processors are bound by DPAs and may act only on our instructions. We keep our list of sub-processors current and can provide details on request at privacy@arkanika.net.
We never share your reading or chat content for advertising, and we never sell it.
More on the AI (Anthropic)
To write your reading and generate mage replies, we send Anthropic the details you provide — your question, who the reading is for, the theme, and the cards drawn. During a chat, we also re-send your chat messages, the earlier turns in that conversation, and the related reading content (the question/theme/cards and the reading text) so the multi-turn conversation stays coherent. We do not send Anthropic your account identity beyond the request itself, your email, display name, payment data, advertising ID, or game economy.
- Legal basis: the transfer is necessary to deliver the reading or chat you requested (contract), and your explicit consent covers any special-category data in your free text. We also require your explicit in-app permission (recorded with a timestamp) before making any AI call; without it, our server returns an error and makes no AI call. You can withdraw that permission in Settings.
- Safeguards: a data processing agreement with Anthropic (incorporated into its commercial terms). Anthropic does not use your inputs or outputs to train its models and retains them for at most 7 days for safety monitoring before deletion. The lasting copy of your reading lives in our database and is erased when you delete your account.
This matches what the in-app consent screen tells you: "reading details are sent to our AI partner Anthropic to write your reading."
7. International data transfers
We and some of our providers process data outside your country, including in the United States and the region where our database is hosted ([DATA_REGION]). US-based recipients include Anthropic (our AI partner), RevenueCat, Sentry, PostHog, and Google (AdMob and sign-in).
Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures. For recipients that act as independent controllers (for example, Google AdMob for ad personalization), the recipient's own transfer mechanism applies to the data it controls. You can request a copy of the safeguards we use by emailing privacy@arkanika.net. We will name destination countries/regions here once they are fixed.
8. How long we keep data
| Data | How long we keep it |
|---|---|
| Guest & account data (including readings, chat, economy) | Until you delete it |
| Account deletion | Two-tap in-app → soft-delete, then a 30-day hard purge that permanently erases your data; if you linked Apple sign-in, we call Apple's token-revocation on deletion |
| Push token | Until account deletion, or until you turn off notifications (your push opt-in is set to off) |
| Content you report to us (safety reports) | Kept as long as needed for safety review and record-keeping, then deleted; retained longer only where a legal obligation requires it |
| Short-lived logs | About 30 days |
| Anthropic (AI partner) | At most 7 days, then deleted (never used for training) |
| Purchase/financial records | Retained de-identified (unlinked from your account) as required for tax/audit |
| Internal AI usage/cost metrics | De-identified; your account link is removed on account deletion |
| Analytics / crash data | Per the provider's retention configuration (crash logs ~30 days) |
Where no fixed period applies, we set retention based on why we need the data, legal requirements, and the risk involved.
9. How we protect your data
We use technical and organizational measures appropriate to the risk, including: encryption in transit; server-authoritative access controls and row-level security so users can only reach their own data; keeping the AI key server-side only (never on your device); least-privilege access; scrubbing personal data from diagnostics; and a breach-response process. No method of transmission or storage is ever 100% secure, but we work to protect your information and to keep improving our safeguards.
10. Your choices & rights
You have rights over your personal information. To exercise any of them, use the in-app Settings (which offer permission controls, data export, and Delete Account & Data) or email privacy@arkanika.net. Because most accounts are anonymous, we may verify a request by reference to your account/device or sign-in; we may ask for limited information to confirm you are the account holder. We will not discriminate or retaliate against you for exercising your rights.
If you're in the EEA or UK (GDPR)
You have the right to: - Access the personal data we hold about you; - Rectify inaccurate or incomplete data; - Erase your data ("right to be forgotten"); - Restrict processing in certain cases; - Portability / export — receive your data in a portable format; - Object to processing based on our legitimate interests; - Withdraw consent at any time (as easily as you gave it) — in particular for your AI permission, push notifications, analytics (where consent-based), and personalized ads; withdrawal doesn't affect processing that already happened; - Complain to a supervisory authority — your local data protection authority (or the UK ICO). We'll name our lead authority once our market is confirmed.
We do not use your data for solely-automated decisions that produce legal or similarly significant effects. Readings are AI-generated entertainment, not profiling that affects your legal rights.
We aim to respond within the timeframes the law requires (generally one month under the GDPR).
If you're in California (CCPA/CPRA)
You have the right to: - Know / access the personal information we've collected and how we use and disclose it; - Delete your personal information; - Correct inaccurate personal information; - Opt out of "sale"/"sharing" of personal information; - Limit the use of sensitive personal information (we already limit it to providing the service); - Non-discrimination for exercising your rights.
We do not sell your reading or chat data, and we never share it for advertising. As explained in section 11, showing personalized ads to free users via AdMob involves disclosing your advertising identifier and related signals and may be both a "sale" and a "share" under the CPRA, so we provide an opt-out. You may submit requests via privacy@arkanika.net or in-app Settings, and you may use an authorized agent. We generally respond within 45 days and may verify your request.
California data categories (CPRA disclosure)
The following table maps the statutory categories of personal information to what we do. "Sold/Shared" refers to CPRA's broad definitions, which can include disclosing an advertising identifier for cross-context behavioral advertising.
| CPRA category | Collected? | Sources | Business/commercial purpose | Disclosed for a business purpose to (categories of recipients) | "Sold"/"Shared"? | Retention |
|---|---|---|---|---|---|---|
| Identifiers (guest ID, provider user ID, email, device IDs, push token, IP, advertising ID) | Yes | You; your device/app; our providers | Provide the service, security, notifications, ads to free users | Hosting, subscription, analytics, crash, push, and advertising providers | Advertising ID: potentially sold/shared for personalized ads (opt-out available). All others: no. | Until deletion; logs ~30 days |
| Commercial information (subscription/purchase history) | Yes | Stores; RevenueCat | Manage Premium; tax/audit | Subscription-management provider | No | De-identified for tax/audit |
| Internet/network activity (app usage, analytics events) | Yes | Your device/app | Product improvement, security | Analytics and crash providers | No | Per provider config |
| Geolocation (coarse, inferred from IP; timezone you set) | Yes (coarse only) | Your device/network | Security, routing, daily/streak timing | Hosting/security providers | No | Logs ~30 days |
| Sensitive personal information (reading questions/themes, chat that may reveal sensitive matters; account log-in via sign-in) | Yes | You | Provide readings/chat only | AI partner (to generate content), hosting | No — never sold/shared, never used for advertising | Until deletion |
| Inferences | No — we do not build profiles or infer characteristics about you | — | — | — | No | — |
| Other user-authored content (readings, chat, saved history) | Yes | You / AI-generated | Provide and store your readings | AI partner (≤7-day retention), hosting | No | Until deletion → 30-day purge |
11. Advertising, tracking & your "Do Not Sell or Share" choice
Arcana is free to use with ads, or ad-free with Premium.
- Free users see ads served by Google AdMob, which uses your device's advertising identifier along with your IP address and ad-request signals.
- Personalized ads involve cross-context behavioral advertising. Under California's CPRA, disclosing your advertising identifier and related signals to AdMob for this purpose may be treated as both a "sale" and a "share." You can opt out of it — use the "Do Not Sell or Share My Personal Information" control in the app's privacy settings (and you can reset or limit your advertising ID at the OS level). This opt-out covers both "sale" and "share."
- Global Privacy Control (GPC): On our companion web pages (including https://arkanika.net/delete-account), we recognize and honor Global Privacy Control and similar opt-out preference signals as a valid request to opt out of the sale/sharing of personal information. If you set an opt-out in the app, we apply it to your account; if your browser sends a GPC signal to our web pages, we treat that as an opt-out for that browser.
- In the EEA/UK, personalized ads and any tracking happen only with your consent, collected through Google's consent prompt (UMP) and, on iOS, Apple's App Tracking Transparency (ATT) prompt.
- Premium removes ads.
- We never use your reading or chat content for ads, and we never sell or share it.
12. Identifiers & on-device storage
Arcana is an app rather than a website, but it uses SDK identifiers and on-device storage similar to cookies: - Google Advertising ID (AdMob) — for ads to free users; consent-gated for personalization; - Device identifiers — compatibility, support, security; - Push token — notifications (consent-based); - Analytics identifiers/local storage (PostHog) — usage measurement and product improvement; - Secure on-device storage for your guest/session token.
In the EEA/UK, we treat non-essential analytics and non-essential SDK identifiers/local storage (including PostHog analytics) as consent-based, and only strictly-necessary storage (such as your guest/session token) operates without consent. You can reset your advertising ID at the OS level, change tracking choices via ATT/UMP, manage analytics consent in Settings, and turn off notifications in your device or app settings.
13. Consent & how to withdraw it
We rely on your permission/consent for: the AI processing of your reading and chat inputs (your in-app AI permission, plus explicit consent for any special-category data), push notifications, personalized ads/tracking, and, in the EEA/UK, non-essential analytics.
- We collect your AI permission during onboarding as a separate, affirmative step and record it with a timestamp; we show ATT/UMP prompts for tracking/ads, a pre-prompt for push, and, in the EEA/UK, a consent prompt for non-essential analytics.
- Your permissions are granular and can be withdrawn at any time in Settings, without affecting processing that already lawfully took place.
- If you withdraw your AI permission, we can no longer generate readings or mage chat for you, because sending your inputs to our AI partner is essential to those features.
This matches the in-app consent screen: reading details are sent to our AI partner Anthropic to write your reading; we never sell your data; and you can withdraw consent and delete everything in Settings.
14. Children
To reiterate section 3: Arcana is for adults 18+. It is not directed to children, we do not knowingly collect data from anyone under 18, and we will delete any account we learn belongs to a minor. Because the app is adults-only, California's under-16 opt-in rules for sale/sharing do not apply to our intended users.
15. Deleting your account & data (in-app and web)
You can delete everything at any time: - In-app: Settings → "Delete Account & Data" (two taps) → we soft-delete immediately, then permanently purge your data within 30 days. - On the web: you can request deletion at https://arkanika.net/delete-account without opening the app. - Export: you can export your data from Settings before deleting.
When you delete: your readings, chat, display name, economy and account data are purged; if you linked Apple sign-in, we call Apple's token-revocation; any copy held by our AI partner auto-deletes within 7 days (and is never used for training). We may retain de-identified purchase/financial records where the law requires (tax/audit), unlinked from your identity.
16. Consistency with our store privacy labels
The disclosures here are designed to match the Google Play Data safety form and the Apple App Privacy ("nutrition") label — the data types we collect, how we use and share them, our security practices, and deletion. If we change what we collect or which third parties we use, we update this policy, the Play Data safety form, and the Apple label together.
17. About the AI, and AI safety
Readings and mage chat are AI-generated. They may be inaccurate, inconsistent, or unexpected, and are provided for reflection and entertainment only. They are not professional medical, legal, financial, or psychological advice, and you should not rely on them for important decisions.
- Every reading and mage message includes an in-app Report control so you can flag offensive or harmful content. When you report content, it is sent to us and a person on our team may review it (see section 4, "Content you report to us").
- If you are in crisis: If you are thinking about harming yourself or are worried about your safety or someone else's, please contact your local emergency services or a crisis/suicide-prevention helpline right away. You can find helplines for many countries at findahelpline.com. Arcana is an entertainment app, not a crisis service, and its AI mage cannot keep you safe — a person can.
- There is no solely-automated decision that produces legal or similarly significant effects about you.
The full AI disclaimer and the same crisis resource also appear in our Terms of Use.
18. Changes to this policy
We may update this policy as the app and the law evolve. We'll revise the effective date above and, for material changes, give notice through the app, a "What's New" note, or email where we have it. Where a change affects processing that relies on your consent, we'll ask for your consent again. Continued use after the effective date means you accept the updated policy, to the extent permitted by law.
19. Contact us & how to complain
- Privacy requests & questions: privacy@arkanika.net
- General support: support@arkanika.net
- Postal: [COMPANY_LEGAL_NAME], [COMPANY_ADDRESS]
- EU representative: [EU_REPRESENTATIVE]
- California requests: privacy@arkanika.net or in-app Settings
If you're in the EEA or UK, you also have the right to complain to your local supervisory authority (or the UK ICO). We'd appreciate the chance to address your concern first.
This policy is interpreted under the laws of [GOVERNING_LAW_JURISDICTION], without limiting any mandatory rights you have under your local law.
Placeholders to resolve before publishing: [COMPANY_LEGAL_NAME], [COMPANY_ADDRESS], privacy@arkanika.net, support@arkanika.net, [GOVERNING_LAW_JURISDICTION], [EFFECTIVE_DATE], [EU_REPRESENTATIVE], https://arkanika.net/delete-account, [DATA_REGION].