Privacy Policy
Mystical Realms
Effective Date: March 8, 2026
Last Updated: June 2025
Website: https://mystical-realms.com
Contact: privacy@mystical-realms.com
Operator: Joshua McLain
1. Introduction
This Privacy Policy describes how Mystical Realms ("we," "us," or "our") collects, uses, stores, and protects your personal information when you use the Mystical Realms website and web application located at https://mystical-realms.com (the "Service"). The Service provides tarot card readings, astrology chart generation, journaling, and related features.
We are committed to transparency about our data practices and protecting your privacy. Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
If you have questions about this policy, contact us at privacy@mystical-realms.com.
2. Eligibility — Age Restriction
The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that a user is under 18, we will promptly delete their account and all associated data. If you believe a minor has provided us with personal information, please contact us at privacy@mystical-realms.com.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
| Data | Purpose |
|---|---|
| Email address | Account creation, authentication, and communication |
| Password (hashed) | Account authentication (stored as a bcrypt hash; we never store plaintext passwords) |
| OAuth provider identifiers | If you sign in via Google or Apple, we receive a provider-specific user ID and your email address |
| Display name (optional) | Personalization within the Service |
| Timezone | Accurate time display and astrological calculations |
3.2 Birth Data (Astrology Features)
When you use astrology features (natal charts, synastry comparisons, transit charts), we collect:
| Data | Purpose |
|---|---|
| Date of birth | Astrological chart calculation |
| Time of birth | Astrological chart calculation (house and ascendant accuracy) |
| Place of birth (city/location name) | Astrological chart calculation and display |
| Geographic coordinates (latitude/longitude) | Precise astronomical calculations via Swiss Ephemeris |
| Birth timezone | Historical daylight saving time accuracy |
Important: Synastry (relationship comparison) features require birth data for a second person. By entering another person's birth data, you represent that you have obtained their consent to share this information with the Service, or that you have another lawful basis to do so.
3.3 Tarot Reading Data
When you perform tarot readings, we collect:
| Data | Purpose |
|---|---|
| Question (optional) | Context for reading interpretation |
| Mood (optional) | Contextual reading interpretation |
| Cards drawn (card IDs, positions, reversed status) | Reading record and interpretation |
| AI interpretation text | Stored with your reading for future reference |
| Deck skin preference | Visual personalization |
3.4 Journal Entries
When you use the journal feature, we collect:
| Data | Purpose |
|---|---|
| Freeform text notes | Personal reflection and journaling |
| Question text | Journal entry context |
| Mood | Journal entry metadata |
| Tags | Organization and filtering |
Journal entries are stored as plaintext in our database, protected by access controls (see Section 8). They are not end-to-end encrypted.
3.5 User-Created Content (Spreads)
When you create custom tarot spreads, we store:
- Spread title, description, and position layout data
- Tags
- Public/private visibility setting (public spreads are visible to all users)
3.6 Automatically Collected Information
| Data | Purpose |
|---|---|
| Session tokens (via HTTP cookies) | Authentication and session management |
| Moon phase (calculated, not collected) | Computed server-side for readings and journal entries using date/time only |
3.7 Analytics Data (Opt-In Only)
If you opt in to analytics via our cookie consent banner or account settings, we collect the following through PostHog, a product analytics platform:
| Data | Purpose |
|---|---|
| Feature usage events (e.g., "chart generated," "reading started," "journal entry created") | Understand how features are used to improve the Service |
| Page views and navigation patterns | Identify usability issues and improve navigation |
| Browser type, operating system, screen size | Ensure compatibility and responsive design |
| Pseudonymous user identifier (your Supabase user ID) | Distinguish unique users without identifying personal information |
We do NOT collect through analytics: email addresses, display names, birth data, geographic coordinates, tarot card content, journal text, reading details, or any personal content. IP addresses are anonymized.
If you do not opt in to analytics, or if you opt out at any time, PostHog operates in cookieless mode and captures no data whatsoever.
4. How We Collect Information
- Directly from you: Account registration, form submissions, journal entries, birth data entry, tarot readings, and spread creation.
- From third-party authentication providers: If you sign in via Google or Apple OAuth, we receive your email address and provider user ID.
- From Google APIs: When you search for a birth location, your search text is sent to Google Places API to provide autocomplete suggestions. Google Geocoding API and Google Timezone API are used to resolve geographic coordinates and historical timezone data from selected locations.
- Automatically: Session cookies are set by our authentication provider (Supabase) to maintain your login session.
5. How We Use Your Information
We use your information for the following purposes:
- Provide the Service: Generate astrological charts, deliver tarot readings, store journal entries, and manage your account.
- AI-Generated Interpretations: Send chart data, reading data, or dice roll data to Google Gemini AI to generate personalized interpretations (see Section 6.2).
- PDF Export: Generate downloadable PDF reports containing your chart data and optional AI interpretations.
- Account Management: Authenticate your identity, maintain your session, and process account deletion requests.
- Service Improvement: Diagnose technical issues and improve Service functionality. If you opt in to analytics, we use PostHog to collect aggregate, non-identifying usage data (see Section 3.7).
- Analytics (opt-in): If you consent, track anonymous feature usage events through PostHog to understand how the Service is used and prioritize improvements.
We do not use your information for:
- Advertising or marketing by third parties
- Selling or renting to any third party
- Behavioral profiling for advertising purposes
- Automated decision-making that produces legal or similarly significant effects
6. Third-Party Services and Data Sharing
We share your personal information only with the following third-party service providers, solely for the purposes described below. We do not sell, rent, or trade your personal information.
6.1 Supabase (Database and Authentication)
- Provider: Supabase, Inc.
- Purpose: Database hosting (PostgreSQL), user authentication, and session management
- Data shared: All account data, birth data, readings, journal entries, and spreads are stored in Supabase-hosted infrastructure
- Location: Cloud infrastructure in the United States
- Privacy policy: https://supabase.com/privacy
6.2 Google Gemini AI (Interpretations)
- Provider: Google LLC
- Purpose: Generating AI-powered interpretations for tarot readings, natal charts, synastry comparisons, and astrological dice rolls
- Data sent to Google:
  - Tarot readings: question, mood, spread layout, card names, keywords, reversed status
  - Natal charts: birth date, time, location name, planetary positions, aspects, detected patterns
  - Synastry: both persons' birth dates, times, location names, planetary positions, and inter-chart aspects
  - Dice rolls: planet, sign, house number, optional question
- Data NOT sent: Geographic coordinates (latitude/longitude) are not transmitted to Google Gemini. Only location names are included for interpretive context.
- Privacy policy: https://policies.google.com/privacy
6.3 Google Maps Platform (Location Services)
- Provider: Google LLC
- Purpose: Birth location search (Places Autocomplete API), coordinate resolution (Geocoding API), and historical timezone determination (Timezone API)
- Data sent: Location search text typed by the user, place identifiers, geographic coordinates, and historical timestamps
- Note: All Google API calls are proxied through our server. Your Google API key is never exposed to the client.
- Privacy policy: https://policies.google.com/privacy
6.4 Google and Apple (OAuth Authentication)
- Providers: Google LLC, Apple Inc.
- Purpose: Optional social sign-in
- Data received: Email address and provider-specific user identifier
- Privacy policies: https://policies.google.com/privacy, https://www.apple.com/legal/privacy/
6.5 Swiss Ephemeris (Astronomical Calculations)
- Note: Swiss Ephemeris (pyswisseph) runs entirely on our servers using local ephemeris data files. No data is transmitted to any external service for chart calculations.
6.6 PostHog (Product Analytics — Opt-In Only)
- Provider: PostHog, Inc.
- Purpose: Product analytics — understanding feature usage patterns to improve the Service
- Data sent to PostHog (only when you opt in):
  - Feature usage events (event name and non-personal metadata such as spread ID, card count, arcana type)
  - Page view URLs
  - Browser type, operating system, screen size
  - Your pseudonymous user ID (Supabase user ID)
- Data NOT sent: Email address, display name, birth data, geographic coordinates, card names, journal text, reading content, or any personal content
- IP handling: IP addresses are collected for analytics processing but are anonymized and not used for geolocation profiling
- Location: PostHog Cloud US (data processed in the United States)
- Privacy policy: https://posthog.com/privacy
- Consent: Analytics data is only collected when you explicitly opt in via the cookie consent banner or account settings. You can opt out at any time.
7. Cookies and Storage Technologies
7.1 Cookies
We use strictly necessary cookies and optional analytics technologies (opt-in only):
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase session cookies (sb-*) | Authentication — stores JWT access token and refresh token | Session / 1-hour access token with refresh token rotation |
| PostHog cookies (ph_*) | Analytics session tracking (only set when you opt in) | Varies; typically up to 1 year |
Because we use strictly necessary cookies for authentication, opt-in consent is not required for those cookies under the EU ePrivacy Directive (Article 5(3) exemption). However, analytics cookies require and receive explicit opt-in consent before activation. For full details on all cookies and storage technologies we use, see our Cookie Policy.
7.2 Local Storage (Browser)
| Key | Contents | Purpose |
|---|---|---|
| auth-storage | User ID, email, display name, deck skin preference, timezone | Persist authentication state across page loads |
| tarot-store | Selected deck skin preference | Remember visual preference |
| cookie-consent | Consent acknowledgment timestamp, consent version, analytics preference (opted in or out) | Record your cookie and analytics consent preferences (expires after 6 months; re-prompted when policy version changes) |
These are functional storage items necessary for the Service to operate. They contain no tracking data. For a comprehensive list of all cookies and storage technologies, see our Cookie Policy.
8. Data Security
We implement the following security measures to protect your data:
- Authentication: Passwords are hashed using bcrypt before storage. JWT tokens are used for session management with 1-hour expiry and refresh token rotation.
- Access controls: Database Row-Level Security (RLS) policies ensure users can only access their own data.
- Server-side processing: All API keys (Google, Supabase service role) are kept server-side and never exposed to the browser.
- HTTPS: All data transmitted between your browser and our servers is encrypted in transit via TLS/HTTPS.
- No plaintext passwords: We never store, log, or transmit your password in plaintext.
While we implement reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
9. Data Retention
| Data Category | Retention Period |
|---|---|
| Account information | Retained until you delete your account |
| Birth profiles and natal charts | Retained until you delete your account |
| Tarot readings | Retained until you delete your account |
| Journal entries | Retained until you delete your account |
| User-created spreads | Retained until you delete the spread or your account |
| AI interpretations | Not stored separately — included within reading or chart records |
| PDF exports | Generated on-demand and delivered to your browser; not stored on our servers |
| Session tokens | Automatically expire after 1 hour (access token); refresh tokens rotate on use |
When you delete your account, all of your data is permanently deleted, including: journal entries, readings, spreads, card-of-the-day records, deck preferences, profile data, birth profiles, natal charts, synastry charts, and your authentication record.
10. Your Privacy Rights
10.1 All Users
Regardless of your location, you have the right to:
- Access your personal data (your profile, readings, journal entries, and charts are accessible within the application)
- Export your journal entries (available in JSON, CSV, or Markdown format via the journal export feature)
- Delete your account and all associated data (available via the account settings)
- Correct your profile information (editable within the application)
10.2 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA, as amended by the CPRA:
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: You may request that we delete your personal information. You can do this directly by deleting your account, or by contacting us.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to limit use of sensitive personal information: Birth data (date, time, precise geolocation) constitutes sensitive personal information. We use this data solely for the purpose of providing the astrological calculation services you request. You may request that we limit use of this data by contacting us.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your rights, contact us at privacy@mystical-realms.com. We will respond within 45 days as required by law. We may verify your identity before processing your request.
10.3 Rights Under the EU General Data Protection Regulation (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom (UK), you have the following rights under the GDPR:
- Right to access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Article 18): Request that we limit how we process your data under certain circumstances.
- Right to data portability (Article 20): Request your personal data in a structured, machine-readable format.
- Right to object (Article 21): Object to processing of your personal data based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Legal Bases for Processing (Article 6):
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Performance of a contract (providing the Service you requested) |
| Storing readings, journals, charts | Performance of a contract |
| AI interpretation generation | Performance of a contract (feature you request) |
| Location search via Google APIs | Performance of a contract (providing accurate astrological calculations) |
| Essential session cookies | Legitimate interest (necessary for Service functionality) |
| Analytics via PostHog | Consent (Article 6(1)(a)) — only processed when you explicitly opt in; you may withdraw consent at any time via Settings |
Data Transfers: Your data is stored on servers in the United States operated by Supabase, Inc. For transfers from the EEA/UK to the US, we rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) as applicable.
To exercise your GDPR rights or file a complaint, contact us at privacy@mystical-realms.com. You also have the right to lodge a complaint with your local data protection supervisory authority.
11. International Data Transfers
Our Service is operated from the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using the Service, you consent to the transfer of your information to the United States. For users in the EEA/UK, we ensure appropriate safeguards are in place as described in Section 10.3.
12. Third-Person Data (Synastry Feature)
The synastry feature allows you to enter birth data for another person to generate a relationship chart comparison. By using this feature, you acknowledge and agree that:
- You have obtained the other person's consent to provide their birth data to the Service, or you have another lawful basis to do so.
- You are responsible for informing the other person about how their data will be processed as described in this Privacy Policy.
- The other person's birth data is stored in association with your account and is subject to the same retention and deletion policies.
We have no direct relationship with the individuals whose birth data you submit. If such an individual contacts us requesting access to, correction of, or deletion of their data, we will notify you and work to honor their request.
13. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users without undue delay via the email address associated with their account.
- Notify relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by applicable law (GDPR Article 33).
- Provide details including: the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.
14. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because our analytics are strictly opt-in and we do not engage in cross-site behavioral advertising, the Service operates the same way regardless of whether a DNT signal is received. If you have not opted in to analytics, no tracking occurs. We do not track users across third-party websites.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this document.
- Notify registered users via email if the changes materially affect how we process their personal data.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
Joshua McLain
Mystical Realms
Email: privacy@mystical-realms.com
Website: https://mystical-realms.com
For GDPR-related inquiries, you may also contact your local data protection authority. For CCPA-related complaints, you may contact the California Attorney General at https://oag.ca.gov/contact/consumer-complaint-against-business-or-company.
17. Summary of Data Practices
| What We Collect | Why | Who Receives It |
|---|---|---|
| Email, password (hashed) | Account & authentication | Supabase |
| Display name, timezone | Personalization | Supabase |
| Birth date, time, place, coordinates | Astrology calculations | Supabase (storage), Google Gemini (date/time/place name only for interpretations), Google Maps (place search) |
| Tarot reading data (cards, question, mood) | Reading delivery & storage | Supabase (storage), Google Gemini (for AI interpretation) |
| Journal entries (freeform text) | Personal journaling | Supabase (storage only) |
| Custom spread layouts | Spread creation & sharing | Supabase |
| Session cookies | Authentication | Your browser (HTTP cookies managed by Supabase) |
| Analytics events (opt-in) | Product improvement | PostHog (only when you consent) |
| Cookie consent record (localStorage) | Transparency and consent compliance | Your browser only (not transmitted to any server) |
We do not: sell your data, use advertising trackers, profile you for marketing, or collect data from minors. Analytics are opt-in only and can be disabled at any time.