Privacy Policy

1. What We Collect

Account information: email, password (encrypted), and an optional name when you sign up.

Chart inputs: birth date, time, location, and gender that you submit to generate readings — plus the equivalent information for other people you add for compatibility analyses.

Usage data: sign-in timestamps, reading types, model selections, payment records, AI chat transcripts, tarot draw history, and anonymised device/browser metadata (IP addresses are used for abuse prevention and immediately aggregated by region after sign-in).

Payment data: handled via Stripe. We never store card numbers — only Stripe customer/charge IDs and amounts.

2. How We Use It

To generate the readings you request — your birth data is fed to the Bazi/ZWDS engines and AI models solely to produce the output you see.

For account and billing: identifying you, tracking token balance, processing Stripe payments.

To improve the Service: aggregated usage helps us refine model selection, fix engine bugs, and improve UI.

For security: detecting suspicious sign-ins, API abuse, and policy violations.

3. Who We Share With

Infrastructure providers: Vercel (hosting), Supabase (database + auth), Stripe (payments), Anthropic / OpenAI / DeepSeek / Moonshot (AI inference), Resend (transactional email). They process your data strictly as our processors.

Legal compliance: only when bound by a lawful subpoena or equivalent process.

Cross-border transfer: some processors (e.g. AI providers) are located outside Singapore (e.g. the United States). When we transfer your personal data abroad we contractually require a comparable standard of protection, as the PDPA requires.

We do not sell your chart data to advertisers or data brokers.

4. AI Models & Training

Readings are produced by third-party LLMs. We send only the prompt context required for the current reading.

Each provider’s training-data policy governs how they may handle that input. We prefer providers that contractually do not use API input for training; where cost or availability requires a model that does, we will note this on the reading at generation time.

5. Data Retention

Readings and charts: kept until you delete them. You can delete individual charts at any time from your Library.

Tarot history and AI chat: same retention as the linked chart; deleting a chart removes its associated draws and conversations.

Account metadata (email, sign-in timestamps): retained while your account exists. Account deletion clears this within 30 days unless law requires longer retention.

6. Your Rights

Access: download every record you submitted from the Account page.

Correction: edit your profile and charts on the same page.

Deletion: delete individual charts from your Library, or your whole account from Account.

Portability: export your data as JSON from Account.

Withdraw consent: you may withdraw consent you previously gave at any time (this may limit some features).

Singapore users: under the Personal Data Protection Act (PDPA) you have rights to access and correct your personal data. EU / UK / California residents additionally have the rights granted under GDPR / CCPA. Email sales@splashbros.games to exercise any of these.

7. Security

All transport uses TLS 1.2 or above.

Passwords are stored using bcrypt-derived hashing (Supabase Auth); we cannot read them in plain text.

The service key for database access is server-side only, never exposed to the browser. Row Level Security policies confine every authenticated user to their own rows.

Breach notification: in the event of a personal-data breach likely to cause significant harm, we will notify Singapore’s Personal Data Protection Commission (PDPC) and affected users within the timeframe required by the PDPA.

8. Cookies & Local Storage

We use essential cookies / localStorage to: keep you signed in (Supabase Auth), remember your language preference (NEXT_LOCALE), and cache your most recent reading translation for faster rendering.

We do not use third-party advertising tracking cookies.

9. Children

The Service is intended for users aged 16 and above. We do not knowingly collect information from anyone under 16. If you believe we hold such data, contact sales@splashbros.games and we will delete it.

10. Updates

This policy may evolve as the Service grows. Material changes are posted here with an updated "Last updated" date; if a change materially restricts your rights, we will email you in advance.