Privacy Policy
Last Updated: December 23, 2025
1. Introduction
Welcome to Chatarot.ai ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered tarot reading service.
By using Chatarot.ai, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Email address, username, and password (stored as a bcrypt hash, never in plain text)
- Tarot Reading Data: Your questions, selected cards, card positions, and conversation history with our AI tarot reader
- Communications: Messages you send to us for support or feedback
2.2 Information Collected Automatically
- Technical Data: IP address, browser type and version, device type, operating system, screen resolution
- Usage Data: Pages visited, time spent on pages, access timestamps, click patterns, navigation paths
- Location Data: Approximate geographic location derived from IP address (country/region level)
- Log Data: Request IDs, error logs, session IDs, referrer URLs
2.3 Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication, security, and basic functionality (session management, login state)
- Analytics Cookies: We currently do NOT use third-party analytics tools like Google Analytics
You can disable cookies through your browser settings, but this may affect your ability to use certain features (such as staying logged in).
Important: Please do not include unnecessary sensitive personal information (such as health conditions, financial details, or identifying information about others) in your tarot reading questions.
3. How We Use Your Information
3.1 Purposes of Use
We use your information for the following purposes:
- Provide and deliver our tarot reading services
- Authenticate your account and maintain security
- Store your reading history for future reference
- Generate AI-powered tarot interpretations by processing your questions and card selections
- Send verification codes and important service notifications via email
- Analyze usage patterns in aggregated, de-identified form to improve user experience and service quality
- Prevent fraud and abuse, and ensure platform security
- Comply with legal obligations
3.2 Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the services you requested
- Consent: You have given explicit consent (e.g., for email communications, account creation)
- Legitimate Interests: To improve our services, prevent fraud, and ensure security, where such interests are not overridden by your data protection rights
- Legal Obligation: To comply with applicable laws and regulations
3.3 Use of AI and Content Processing
When you submit questions for tarot readings, we send your input (questions, selected cards, and conversation context) to OpenAI's API to generate interpretations. We do not intentionally include direct identifiers (like your name or email) in these requests, but the content you write may inherently contain personal information. We use these interactions to:
- Generate personalized tarot interpretations
- Maintain conversation context for follow-up questions
- Improve response quality through aggregated, de-identified analysis
We do NOT use your individual reading content to train third-party models or share it with advertisers.
4. Data Storage, Security, and Retention
4.1 Data Storage Location
Your data is stored securely on Amazon Web Services (AWS) servers located in Tokyo, Japan (ap-northeast-1 region).
4.2 Security Measures
We implement industry-standard security measures including:
- Encryption in Transit: All data transmission uses HTTPS/TLS encryption
- Encryption at Rest: Database and file storage are encrypted using AWS encryption services
- Password Security: Passwords are hashed using bcrypt (never stored in plain text)
- Access Controls: Role-based access control and principle of least privilege
- Backup and Recovery: Regular automated backups with encryption
- Security Monitoring: Regular security audits and vulnerability assessments
While we strive to protect your data, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.
4.3 Data Retention
- Account Data: Retained until you delete your account
- Reading History: Retained until you manually delete readings or close your account
- Logs and Technical Data: Retained for up to 90 days for security and debugging purposes
- Backup Data: May persist in encrypted backups for up to 30 days after deletion
5. Third-Party Services and Data Sharing
We use the following third-party service providers:
5.1 Infrastructure and Hosting
- Amazon Web Services (AWS): Cloud hosting, database (MongoDB), email delivery (SES for verification codes). AWS processes your account data, reading history, and technical logs. Data is stored in the AWS Tokyo region.
- Cloudflare: Content delivery network (CDN) and DDoS protection. Cloudflare may process IP addresses, request headers, and cached content to improve performance and security.
5.2 AI Services
- OpenAI: AI-powered tarot interpretations. We send your questions, selected card information, and conversation context to OpenAI's API. We do not intentionally include direct identifiers, but the content you submit may contain personal information. OpenAI's data processing is subject to their Privacy Policy and API Data Usage Policy.
5.3 Future Services
- Google OAuth (Planned): If you choose to log in with Google in the future, we will receive your Google account email, name, and profile picture. This data is subject to Google's Privacy Policy.
5.4 International Data Transfers
Some of our service providers (such as OpenAI) may process data outside of Japan or the EEA. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Service providers' compliance with recognized data protection frameworks
- Encryption and security measures during transfer
5.5 When We Share Data
We do NOT sell, rent, or share your personal data with third parties for their marketing purposes. We may share data only in the following circumstances:
- With service providers listed above, solely to provide services to you
- If required by law, court order, or government request
- To protect our rights, property, or safety, or that of our users or the public
- In connection with a business transfer (merger, acquisition, sale of assets), in which case the acquiring party will honor this Privacy Policy
6. Your Rights and Choices
6.1 General Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate data
- Deletion: Request deletion of your account and associated data
- Data Portability: Receive your data in a structured, machine-readable format
- Withdraw Consent: Withdraw consent for processing where we rely on consent
- Opt-Out: Unsubscribe from marketing communications (though we currently only send transactional emails)
6.2 GDPR Rights (for EEA Users)
If you are located in the EEA, you also have the right to:
- Object: Object to processing based on legitimate interests
- Restrict Processing: Request that we limit how we use your data
- Lodge a Complaint: File a complaint with your local data protection authority
6.3 California/CCPA Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (Note: We do NOT sell or share your personal information)
- Right to Limit: Limit the use of sensitive personal information
- Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights
Do Not Sell or Share My Personal Information: We do not sell or share your personal information as defined by CCPA/CPRA.
6.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at chatarotai@gmail.com. We will:
- Respond to your request within 30 days (or as required by applicable law)
- Verify your identity before processing requests (to prevent unauthorized access)
- Provide the requested information or action free of charge for the first request (subsequent requests may incur a reasonable fee)
For verification, we may ask you to confirm your email address or provide additional identifying information.
7. Children's Privacy
Chatarot.ai is not intended for users under 13 years of age (or the minimum age required in your jurisdiction, whichever is higher). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information.
8. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of significant changes by:
- Posting a prominent notice on our website
- Sending you an email notification (if you have an account)
- Updating the "Last Updated" date at the top of this policy
Your continued use of Chatarot.ai after changes become effective constitutes your acceptance of the revised Privacy Policy.
9. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For GDPR-related inquiries from EEA users or CCPA inquiries from California residents, please include "GDPR Request" or "CCPA Request" in your email subject line.
10. Additional Information
10.1 Automated Decision-Making
Our AI tarot readings involve automated content generation based on your inputs. These are for entertainment and self-reflection purposes only and do not constitute automated decision-making with legal or similarly significant effects.
10.2 Data Protection Officer
Given the current scale of our operations, we have not appointed a formal Data Protection Officer (DPO). For privacy matters, please contact us at the email address above.
10.3 Business Transfers
If Chatarot.ai is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice and ensure the acquiring party continues to honor this Privacy Policy.