Privacy Policy (GDPR Compliant)
Last Updated: 27 March 2026
This Privacy Policy explains how majorarcana.cards ("the Website") collects, uses, and protects personal data when you use the Service.
The Website is operated by:
Vector Weave S.R.L.
Registered in Romania
Trade register number: J2026015728007
Registered address: București Sectorul 2, Șoseaua Colentina, Nr. 16, Bl. A5, Ap. B44
Contact email: [email protected]
The Company acts as the Data Controller for the personal data described in this policy.
1. Data We Collect
We collect only the data necessary to operate the Service.
1.1 Information You Provide
When using the Service you may provide:
- questions submitted for tarot readings
- follow-up messages and conversation context
- email address (if you create an account or purchase a package)
1.2 Automatically Generated Data
When you use the Website we generate technical data necessary for operation:
- hashed IP address used for free-usage limits
- JWT authentication token stored in a secure cookie
- technical identifiers used for free reading limits (e.g. session or usage identifiers, not hardware device IDs)
- session metadata necessary for system functionality
We do not use analytics tools or tracking systems.
1.3 Reading Data
The Service stores reading content for journal functionality, including:
- tarot spread configuration
- card selections
- generated interpretations
- follow-up conversation history
This data allows users to review previous readings and maintain a reflection journal.
2. How We Use Personal Data
We process personal data only for the following purposes:
- generating tarot readings
- maintaining user reading history
- enabling account functionality
- enforcing free usage limits
- processing payments
- providing customer support
- maintaining security and preventing abuse
- sending marketing communications (only if you have opted in)
3. Legal Basis for Processing (GDPR Article 6)
We process personal data under the following legal bases:
Contract Performance. Processing necessary to provide the Service, including: generating readings; storing reading history; managing user accounts; processing purchases.
Legitimate Interest. Processing necessary to operate and secure the platform, including: preventing abuse of free readings; maintaining system security; enforcing usage limits. We have balanced these interests against your rights; we do not use your data for marketing or profiling without your consent.
Consent. Where you opt in to marketing (e.g. via a checkbox or in personal info), we process your email for sending news and offers; you may withdraw consent or opt out at any time in personal info or via the link in each email.
Legal Obligations. Processing required to comply with legal and financial regulations related to payments.
4. Data Retention
Data retention depends on how the Service is used.
Anonymous Users. Anonymous readings are stored temporarily. Retention period: 6 months. After this period, the data is automatically deleted. Anonymous readings are not tied to identifiable accounts.
Registered Users. Users who purchase a reading package may create an account using their email address. For registered users: readings are stored indefinitely; users may delete individual readings at any time; users may delete their entire account from the personal info page. When an account is deleted: all associated data is removed from active systems immediately. The operation is irreversible. Automated backups and system logs containing residual data are purged within their standard 7-day retention cycle.
5. Cookies
The Website uses only essential cookies required for functionality.
JWT Authentication Cookie. The Service stores a secure JWT cookie used to maintain authentication sessions. Cookie characteristics: HTTP-Only; Secure; SameSite=Lax; required for login and session management.
Cloudflare Security Cookies. Our infrastructure provider Cloudflare may set cookies (__cf_bm, cf_clearance) for bot protection and security purposes. These cookies are strictly necessary for the Website to function safely and do not require consent.
Stripe Payment Cookies. During the checkout process, our payment processor Stripe may set temporary cookies necessary to complete your purchase securely. These cookies are strictly necessary and are removed after the transaction is complete.
No cookies are used for: advertising; analytics; cross-site tracking; behavioral profiling.
Because this cookie is strictly necessary for the functioning of the Service, it does not require consent banners under GDPR.
6. Payments
Payments are processed through Stripe. Stripe acts as an independent payment processor. The Website does not store: credit card numbers; card verification codes; full billing information. Stripe may process payment information according to its own privacy policy. Stripe acts as an independent data controller for payment data it collects during checkout. Stripe's data processing is governed by their own privacy policy and applicable data protection agreements.
Stripe Privacy Policy: https://stripe.com/privacy
7. Third-Party Data Processors
We work with trusted service providers that process data on our behalf.
Hosting Provider. Infrastructure is hosted on Hetzner Online GmbH (Germany). Servers are located in the European Union.
Email Provider. Email services are provided by Google Workspace. Used for account communications and support, including magic-link and transactional emails (e.g. login links).
AI Processing Providers. Tarot interpretations are generated using artificial intelligence systems operated by third-party providers. We currently use Anthropic (Claude) and xAI (Grok).
These providers process user inputs solely to generate reading responses in real time via their commercial API services.
Under the commercial API terms of these providers, user inputs sent through our Service are not used to train or improve their AI models. This is distinct from the consumer-facing versions of these products, which may have different data policies.
We do not send personally identifiable information (such as your email address or name) to AI providers. Only the text of your question and conversation context is transmitted.
These providers act as data processors under contractual safeguards including Data Processing Agreements (DPAs). AI providers may process data outside the European Union. Where this occurs, appropriate safeguards such as Standard Contractual Clauses (SCCs) are used.
If we change AI providers in the future, this policy will be updated to reflect the current providers. A list of current providers is also available on request at [email protected].
8. International Data Transfers
While the Website infrastructure is hosted within the European Union, some third-party processors (such as AI providers) may process data in other jurisdictions. When international transfers occur, we rely on appropriate safeguards including: Standard Contractual Clauses (SCCs); contractual data protection commitments from processors.
9. Data Security
We implement appropriate technical and organizational measures to protect personal data. These measures include: secure server infrastructure; encrypted connections (HTTPS); restricted system access; hashed IP storage; authentication security using HTTP-only cookies. However, no system can guarantee absolute security.
10. Your Rights Under GDPR
Under the General Data Protection Regulation you have the right to: access your personal data; request correction of inaccurate data; request deletion of your data; restrict processing; object to certain types of processing; request data portability.
You can access and update much of your data in personal info; for the rest, contact us at [email protected]. For data portability, we will provide your personal data in a structured, commonly used format (e.g. JSON). You may receive a single export file or, where useful, separate files per data type. You may object to processing based on legitimate interest; we will consider your request and stop unless we have compelling legitimate grounds.
Registered users can exercise many of these rights directly through personal info. Requests may also be submitted by contacting: [email protected]. We will respond within one month as required by GDPR Article 12(3). For complex requests, this period may be extended by up to two additional months, in which case we will notify you of the extension within the first month.
11. Automated Decision-Making
The Service uses automated AI systems to generate tarot readings based on your input. These readings are generated entirely by automated means without human review.
The outputs are intended for reflection and entertainment only and do not constitute decisions that produce legal effects or similarly significant effects on you. You are not obligated to act on any reading provided by the Service.
12. Right to Lodge a Complaint
If you believe your data has been processed unlawfully, you have the right to file a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
https://www.dataprotection.ro
13. Age Requirement
The Service is intended for individuals 18 years of age or older. By using the Website, you confirm that you are at least 18 years old. The Company does not knowingly collect personal data from minors.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes that affect how your personal data is processed, we will notify registered users via email at least 14 days before the changes take effect.
For non-material changes (such as clarifications or formatting updates), the updated version will be published on the Website without prior notice.
In both cases, the "Last Updated" date will be revised. Continued use of the Service after updates constitutes acceptance of the updated policy.
15. Contact
For any questions regarding this Privacy Policy or data protection matters:
Email: [email protected]
Company: Vector Weave S.R.L.
Trade register number: J2026015728007
Address: București Sectorul 2, Șoseaua Colentina, Nr. 16, Bl. A5, Ap. B44