Privacy Policy

This Privacy Policy explains how we collect, use, store, and protect your information when you use the ORA mobile app, website at ora.cards, and related services (the "Service").

We've tried to write this in plain English. If anything is unclear, contact us at support@ora.cards.

1. Who We Are (Data Controller)

The data controller is ORA (operated at ora.cards). Registered legal name and jurisdiction are available on request from support@ora.cards.

For all privacy-related questions, contact: support@ora.cards

For EU users: the same address serves as our data protection contact.

2. Quick Summary

In one paragraph:

ORA collects your email (if you sign up), your tarot questions, the readings generated for you, and basic account info. We share this with our infrastructure providers (Supabase, Anthropic, ElevenLabs, Deepgram, RevenueCat) only as needed to provide the Service. We do not sell your data, and we don't show ads. You can delete your account and all data at any time from the app or by emailing support@ora.cards.

3. Information We Collect

3.1 Information You Provide

What	When	Why
Email address	Sign-up	Account creation, password recovery, important account emails
Password (hashed)	Sign-up	Authentication. We never store plain passwords.
Name (optional)	Profile edit	Display in greetings (e.g., "Welcome, Roman")
Date of birth (optional)	Profile edit	Personalize readings based on life stage (we never use exact age in interpretations)
Tarot questions	Each reading	Generate your interpretation
Follow-up questions	When you ask follow-ups	Continue the conversation
Voice recordings	When you speak a question	Transcribed to text and discarded

3.2 Information Generated by the Service

What	Why
Cards drawn for each reading	Saved to your reading history
AI-generated interpretations	Saved to your reading history
Optional human review notes	Sent only if a reading is reviewed and there's something worth adding
Reading timestamps and counts	Enforce daily/monthly usage limits

3.3 Information Collected Automatically

What	Why
Device type, OS version, app version	Debugging, compatibility
Crash reports (via Sentry, when enabled)	Fix bugs
App usage events (via PostHog, when enabled)	Understand which features are used, improve product
IP address	Security, rate limiting, geolocation for region-appropriate content
Locale and timezone	Display dates and times correctly

We do not collect:

• Precise location (GPS)
• Contacts
• Photos or camera content
• Health data
• Financial account details (Apple handles all payments)

3.4 Payment Information

We do not collect or store credit card numbers or banking information. All payments are processed by Apple via the App Store. We receive only:

• Whether you have an active subscription
• When your subscription started, renewed, or was cancelled
• Anonymous transaction identifiers (from RevenueCat, our subscription manager)

4. How We Use Your Information

We use your information to:

• Provide the Service — create your account, generate readings, save your history
• Process subscriptions — confirm Premium access, handle trials and renewals
• Communicate with you — important account emails (e.g., password reset, subscription confirmation), and optional product updates (you can opt out)
• Improve the Service — analyze anonymized usage patterns, fix bugs, develop new features
• Ensure safety and security — detect abuse, prevent fraud, enforce our Terms
• Comply with legal obligations — respond to lawful requests, retain records as required by law

We do not use your data for:

• Advertising (we don't show ads, and we don't share your data with advertisers)
• Selling to third parties (we don't sell your data, period)
• Training third-party AI models on your personal questions

5. Third-Party Service Providers

To run the Service, we share specific data with these providers. Each is bound by a data processing agreement and processes your data only on our instructions.

5.1 Infrastructure

Provider	What They Do	What Data	Where
Supabase	Database, authentication, file storage, transactional emails	Account info, readings, follow-ups	Per project configuration (request region at support@ora.cards)
Formspree	Waitlist form processing (website only)	Email address submitted on ora.cards waitlist	US
Anthropic (Claude)	AI that generates reading interpretations	Your question, cards drawn, anonymized context	Routed through our backend
Deepgram	Speech-to-text transcription	Audio of your voice question (deleted after transcription)	US
ElevenLabs	Text-to-speech (Premium voice playback)	Reading text to be spoken aloud	US
RevenueCat	Subscription management	Anonymous user ID + subscription events	US
Sentry (optional)	Crash reporting	Crash logs, device info	EU
PostHog (optional)	Product analytics	Anonymized usage events	EU
Apple	App distribution, in-app purchases	Per Apple's Privacy Policy	Apple infrastructure

5.2 What We Don't Do With Third Parties

• We don't share data with marketing or advertising networks
• We don't allow Anthropic, Deepgram, or ElevenLabs to use your data to train their models on identifiable content (per their enterprise terms)
• We don't sell your data to data brokers

6. Voice Data — Specific Notes

When you speak a question:

1. Audio is captured on your device
2. Sent securely to Deepgram for transcription
3. Deepgram returns text
4. Audio is then discarded — we do not store voice recordings
5. The transcribed text is processed as your question

The audio is only sent to Deepgram and our backend. It is not shared with third parties beyond what's needed for transcription.

For Premium voice playback (TTS), the text of your reading is sent to ElevenLabs to generate audio. No personal account info is sent — only the reading text.

7. Data Retention

Data	How Long
Account info (email, name, birthdate)	Until account deletion
Readings and reading history	Until account deletion (Free: 7 days visible; Premium: full history)
Voice recordings	Discarded immediately after transcription (not stored)
Subscription history	Up to 7 years (for legal/tax compliance)
Crash and analytics data	Anonymized after 30 days; raw data deleted after 90 days
Backups	Retained up to 30 days after deletion
Legal compliance records	As required by applicable law

When you delete your account:

• Personal data is removed within 30 days
• Anonymized/aggregated data may persist
• Subscription records are retained as required by Apple and tax law

8. Data Security

We protect your data using:

• Encryption in transit — All connections use HTTPS/TLS
• Encryption at rest — Supabase encrypts data at rest
• Hashed passwords — Passwords are never stored in plain text
• Access controls — Only authorized personnel access production data, and only when needed
• Server-side secrets — API keys for AI providers are stored server-side, never in the app
• Row-level security — Database policies ensure you can only access your own data

No system is 100% secure. If a data breach occurs that affects you, we will notify you and the relevant authorities within 72 hours, as required by GDPR.

9. Your Rights

9.1 Universal Rights

You can, at any time:

• Access your data — View your readings and account info in the app
• Correct your data — Update your profile from the app
• Delete your account — Profile → Delete Account, or email support@ora.cards
• Export your data — Email support@ora.cards to request a copy of all your data in machine-readable format
• Opt out of marketing emails — Unsubscribe link in every marketing email (transactional emails like password resets cannot be opted out of)

9.2 EU/UK/EEA Users (GDPR)

You also have the right to:

• Restrict processing
• Object to processing
• Data portability (receive your data in a structured format)
• Lodge a complaint with your local data protection authority

Our legal bases for processing your data:

• Consent — For marketing communications and optional features
• Contract — To provide the Service you've signed up for
• Legitimate interests — To improve the Service, prevent fraud, ensure security
• Legal obligation — To comply with tax, accounting, and regulatory requirements

9.3 California Users (CCPA/CPRA)

You have the right to:

• Know what categories of personal information we collect (see Section 3)
• Know whether we sell or share your data (we do not)
• Delete your data
• Correct inaccurate data
• Opt out of "sales" or "sharing" (we don't sell or share data for cross-context behavioral advertising)
• Non-discrimination — we won't deny you service for exercising these rights

To exercise these rights, email support@ora.cards.

9.4 How to Exercise Rights

Email support@ora.cards with your request. We respond within 30 days (GDPR) or 45 days (CCPA). For account deletion, you can also use the in-app delete option (Profile → Delete Account).

10. Children's Privacy

ORA is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13. If you are between 13 and 17, you may use the Service only with the involvement and consent of a parent or legal guardian.

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect data from anyone under 13. In the European Union, the minimum age for consent to data processing varies by country (13–16); where a user is below the applicable age, parental consent is required. If we learn we have collected data from a child below the applicable minimum age without verified parental consent, we delete it promptly.

Parents or guardians who believe their child has provided us data can email support@ora.cards for removal.

11. International Data Transfers

Your data may be processed in:

• EU — including providers such as Supabase and Sentry; optional product analytics (see Sections 3.3 and 5.1) may also involve EU-hosted processing.
• US (Anthropic, Deepgram, ElevenLabs, RevenueCat, Apple)
• Other regions as needed for service delivery

For transfers outside your jurisdiction, we rely on:

• Standard Contractual Clauses (for EU transfers)
• Data Privacy Framework certifications where applicable
• Other legally recognized transfer mechanisms

12. Cookies and Tracking

The ora.cards website uses only essential cookies required for core functionality. For basic performance measurement we use Vercel Speed Insights, which is cookieless and does not track individuals. We do not use analytics cookies, advertising cookies, or third-party trackers on the website.

The mobile app does not use web-style cookies. It uses local storage and device identifiers for core functionality, and product analytics (PostHog, EU-hosted) to understand which features are used. These are described in Section 3.3.

13. Push Notifications

If you enable push notifications, we use them for:

• Reading-related notifications (when applicable)
• Card of the Day reminders (if you opt in)
• Account or subscription updates

You can disable push notifications anytime in iOS Settings → ORA → Notifications.

14. Account Deletion — Plain English

Here's exactly what happens when you delete your account:

1. Immediate: You're signed out, can no longer access your readings
2. Within 24 hours: Your readings, profile info, and account record are deleted from the active database
3. Within 30 days: Backups containing your data are also removed
4. Permanently retained: Anonymous transaction records for tax compliance (no personal info), and aggregated anonymized usage statistics

If you have an active subscription, deleting your account does not automatically cancel it — cancel in Apple ID settings first.

15. Changes to This Policy

We'll update this policy as the Service evolves. When we do:

• We update the "Last updated" date at the top
• For material changes (e.g., new data uses, new third-party providers), we notify you in-app or by email at least 30 days in advance
• Continued use after changes take effect constitutes acceptance

16. Contact

Privacy questions, requests, or concerns:

• Email: support@ora.cards
• Web: ora.cards/support
• EU users: the same email serves as our data protection contact

If you're not satisfied with our response, EU/UK users may complain to their local data protection authority.

ORA · Contact: support@ora.cards · Website: ora.cards