Luna's Studio

Privacy Policy

Last updated: June 9, 2026

Data Controller

The data controller for this website is 邢台市信都区一念信息技术咨询工作室 (Xindu District Yinian Information Technology Consulting Studio), located at 邢台市信都区, 054000, People's Republic of China. For data protection inquiries, please contact hello@lunaspread.com.

1. Information We Collect

We collect information you provide directly to us, including your email address, payment information, and the questions you submit for readings. We also automatically collect certain information about your device and how you interact with our service.

2. Legal Basis for Processing (GDPR Art. 6)

Under the General Data Protection Regulation (GDPR), we process your personal data under the following lawful bases:

  • Contract Performance (Art. 6(1)(b)): Processing your email, name, and payment information to provide paid readings and manage your account.
  • Consent (Art. 6(1)(a)): Sending marketing emails or newsletters — you may withdraw consent at any time.
  • Legitimate Interests (Art. 6(1)(f)): Maintaining service security (rate limiting, origin validation), preventing fraud, and responding to customer support inquiries.
  • Legal Obligation (Art. 6(1)(c)): Retaining transaction records as required by applicable tax and commercial laws.

3. How We Use Your Information

  • To provide and maintain our service
  • To process your payments
  • To generate personalized readings
  • To communicate with you about our service
  • To improve and enhance our offerings

4. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy. Specific retention periods are as follows:

  • Account data (email, name, hashed password): Retained while your account is active. Deleted within 30 days of account deletion request.
  • Reading history (questions, card draws, interpretations): Retained while your account is active. You may delete individual readings at any time. Deleted within 30 days of account deletion.
  • Payment transaction records: Retained for the legally required period under applicable tax and commercial laws (typically 5-7 years). Full credit card numbers are never stored on our servers.
  • Newsletter subscription data: Retained until you unsubscribe or withdraw consent.
  • Contact form submissions: Retained for 12 months after resolution of your inquiry.

You may request deletion of your data at any time through your account settings or by contacting us.

5. Data Security

We implement industry-standard security measures, including TLS encryption (often still described as "256-bit SSL") for all data in transit, secure server infrastructure, and access controls to protect your personal information. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

6. Cookies and Tracking

We use essential cookies necessary for the functioning of the Service, including session management and security. We may also use analytics cookies to understand how visitors interact with our site. You can control cookie preferences through your browser settings. We do not use advertising or third-party tracking cookies.

7. Information Sharing

We do not sell, trade, or otherwise transfer your personal information to outside parties. This does not apply to trusted third parties who assist us in operating our Service (such as payment processors and email delivery services), provided those parties agree to keep this information confidential and comply with applicable data protection laws.

8. Third-Party Subprocessors

To provide the Service, we engage the following third-party subprocessors who may process your personal data on our behalf. Each subprocessor is contractually bound to process data only per our instructions and to implement appropriate technical and organizational measures.

  • PingPong (pingpongx.com) — Payment Processing: Processes payment transactions. Receives order amount, currency, and order ID. We never access your full credit card details. Data processing location: Singapore / United States.
  • DeepSeek (deepseek.com) — AI Content Generation: Processes your reading questions and card data in real time to generate interpretations via API. Your data is processed ephemerally and is not used to train their models. No personal data is retained by the AI provider after processing completes. Data processing location: China. EU users: this transfer is covered by the contract performance exception under GDPR Art. 49(1)(b) as the processing is necessary for the performance of our contract with you.
  • Resend (resend.com) — Email Delivery: Processes your email address for transactional emails (account verification, password reset) and optional marketing communications. Data processing location: United States.
  • Vercel (vercel.com) — Hosting Infrastructure: Hosts the Service. May process IP addresses and request metadata for security and performance. Data processing location: United States.
  • Sentry (sentry.io) — Error Tracking (Optional): Collects crash reports and performance data to help us maintain service quality. This only activates if you encounter an application error.

For EU/EEA users: Where transfers involve countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards. If you require a signed Data Processing Agreement (DPA), please contact us.

9. AI-Generated Content & Entertainment Disclaimer

Our Service uses artificial intelligence (specifically, the DeepSeek API described in Section 8) to generate tarot card interpretations in real time. This section explains how AI processes your data and clarifies the nature of the content produced.

How AI Data Processing Works

  • What is sent to the AI: Your reading question, the names of the cards drawn, their positions in the spread, and the spread type you selected.
  • What is NOT sent to the AI: Your name, email address, IP address, payment details, or any other personal identifiers.
  • Processing is ephemeral: Your reading content is processed in real time and is not retained by the AI provider after the response is generated. DeepSeek does not use your data to train or improve their models.
  • Human review of AI output: We do not monitor or review individual AI-generated readings in real time. However, we reserve the right to review anonymized, aggregated outputs for quality assurance and to improve our prompt design.

For Entertainment Purposes Only

All tarot readings, interpretations, and insights generated through our Service — whether produced by AI or drafted by our content team — are provided for entertainment purposes only. They do not constitute, and should not be relied upon as:

  • Professional psychological advice, diagnosis, or therapy
  • Legal advice or guidance on legal matters
  • Medical advice, diagnosis, or treatment recommendations
  • Financial, investment, or career advice

If you are experiencing a mental health crisis, please contact a qualified mental health professional or emergency services in your area. Our Service is not a substitute for professional care.

Your Right to Human Explanation

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. While our AI-generated readings are not automated decisions in this sense (they are creative content, not decisions about you), we respect your right to understand how the AI reached its output.

If you have questions about any AI-generated content you received, or wish to request a human explanation of how our AI system produces its readings, please visit our Contact page. Our team will provide a written explanation within 30 days, including the general principles of how our AI interprets tarot cards and the factors (spread type, card positions, reversal status) that influence the output.

10. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Correct any inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data (“right to be forgotten”).
  • Right to Portability: Receive your data in a structured, commonly used format.
  • Right to Object: Object to processing of your personal data for certain purposes.
  • Right to Non-Discrimination: Exercise your privacy rights without discrimination.

To exercise any of these rights, please contact us through our Contact page.

10a. CCPA Notice — Do Not Sell or Share (California Residents)

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to opt out of the “sale” or “sharing” of their personal information.

Our policy: We do not sell your personal information for monetary or other valuable consideration, and we do not "share" it for cross-context behavioral advertising as defined by the CPRA. The only disclosures that occur are to essential service providers (Vercel for hosting, DeepSeek for AI processing, Resend for emails, PingPong for payments) under strict data processing agreements. You may request a full list of our data processors and their locations by contacting us.

To exercise your CCPA rights, including the right to know what data we hold about you or request deletion, please contact us through our Contact page or email us directly. We will respond within 45 days as required by law.

10b. EU Representative (GDPR Article 27)

Under Article 27 of the General Data Protection Regulation, organisations that offer goods or services to individuals in the European Union but are not established within the EU must designate a representative in the Union.

EU Representative: TBD — We are in the process of appointing an EU representative. In the meantime, for GDPR inquiries, data subject requests, or any privacy concerns, please contact our Data Protection Officer directly:

📧 Email: privacy@lunaspread.com
📬 Response time: within 30 days (GDPR Art. 12 requirement)

This page will be updated upon appointment of the designated representative.

11. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect, use, or disclose personal information from anyone under 16 years of age. If you are between 16 and the age of majority in your jurisdiction (e.g., 18 in the United States), you may use the Service only with the consent and supervision of a parent or legal guardian.

We comply with:

  • COPPA (United States): We do not knowingly collect personal information from children under 13 and comply with the Children's Online Privacy Protection Act.
  • GDPR Article 8 (European Union): The digital age of consent varies by EU member state (13-16). We set our minimum age at 16 to cover all jurisdictions.
  • UK Age Appropriate Design Code: We apply high privacy defaults and data minimization for all users.

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please visit our Contact page immediately. We will promptly delete such information and terminate the associated account.

12. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including countries that may not have been deemed to provide an adequate level of data protection by the European Commission. Below we detail each cross-border transfer and the legal safeguards in place.

12.1 AI Processing in China (DeepSeek)

This is the most significant international transfer relevant to our Service. When you request a tarot reading, the content of your question and the cards drawn are transmitted to DeepSeek's API servers located in the People's Republic of China for real-time AI processing. China is not recognized by the European Commission as a country with an adequate level of data protection under GDPR Article 45.

What data is transferred: Your reading question text, the names of drawn tarot cards, their positions in the spread, and reversal status. We do NOT transmit your name, email address, IP address, payment details, or any other personal identifiers to DeepSeek.

Legal basis for this transfer: Under GDPR Article 49(1)(b), the transfer is necessary for the performance of a contract between you and us — specifically, the generation of the tarot reading you have purchased or requested. By explicitly submitting a question for a reading, you request this processing as an essential part of the contracted service. Additionally, under Article 49(1)(a), by using the Service you provide your explicit consent to this specific transfer after being informed of the risks.

Safeguards applied: We apply data minimization (only reading content, no personal identifiers), ephemeral processing (DeepSeek does not retain your data after generating the response), and we maintain a Data Processing Agreement with DeepSeek. DeepSeek has contractually committed not to use customer API data for model training.

Risk disclosure: While we apply the safeguards described above, you should be aware that data processed in China may be subject to Chinese laws, including the Cybersecurity Law and Data Security Law, which may permit government access under certain circumstances. By using our Service, you acknowledge and accept this risk. If you prefer not to have your reading content processed in China, please do not use the reading service, or contact us to discuss alternatives.

12.2 Other International Transfers

  • United States (Vercel, Resend, Sentry): Vercel (hosting), Resend (email delivery) and, when enabled, Sentry (error tracking) process data in the United States. The EU-U.S. Data Privacy Framework (DPF) provides an adequacy decision for certified U.S. companies. Vercel and Resend are DPF-certified. For transfers not covered by DPF, we rely on Standard Contractual Clauses (SCCs).
  • Singapore / United States (PingPong): PingPong processes payment transactions (order amount, currency and order ID; never your full card details). Singapore has not been the subject of a European Commission adequacy decision under GDPR Article 45, so this transfer relies on Standard Contractual Clauses (SCCs) and the other safeguards described below.

For any international transfer, we implement appropriate safeguards including Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs), and technical measures such as encryption in transit (TLS 1.3) and data minimization. To request copies of our SCCs or DPAs, please contact us through our Contact page.

13. Readings Confidentiality

All reading content is treated as confidential. While we may use anonymized, aggregated data for quality improvement, your personal information and specific questions are never shared without your explicit consent.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Continued use of the Service after changes constitutes acceptance.

15. Data Protection Officer & Supervisory Authority

Data Protection Officer (DPO): Given that our AI-powered readings may incidentally process data that reveals mental or emotional states (potentially falling under GDPR Article 9 "special categories of data"), we have appointed a Data Protection Officer. You may contact our DPO at:

Data Protection Officer
Luna Cultural Consulting Studio
Email: dpo@lunaspread.com
Response time: within 30 days (as required by GDPR Art. 12)

Your Right to Complain (GDPR Art. 77): If you believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence, place of work, or place of the alleged infringement. We encourage you to contact our DPO first — we are committed to resolving your concerns promptly and transparently.

16. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please visit our Contact page or email us at the address provided on our website.