Privacy Policy - Arcana Mystic Guide (V1.0 "Genesis")

1) Scope of this Policy

2) Personal Data We Collect

3) Purposes & Legal Bases (GDPR Art. 6)

• Provide the service and features (natal charts, tarot, rituals, etc.) - performance of a contract (Art. 6(1)(b)).
• Personalize the experience (e.g., remember AI chats, suggest rituals) - legitimate interests (Art. 6(1)(f)) with privacy balancing; where not strictly necessary, we rely on consent (Art. 6(1)(a)).
• Payments & accounting - legal obligation (Art. 6(1)(c)) and contract (Art. 6(1)(b)).
• Security, fraud prevention, abuse detection - legitimate interests.
• Marketing communications (e.g., newsletters) - consent (withdraw anytime).
• Product analytics & improvements - legitimate interests (using aggregated/anonymous data whenever possible).
• Saving AI chats to improve responses - legitimate interests and/or consent (you can opt out; see sections 7 and 11).

4) How We Use Your Data

• To display your profile (name, optional photo).
• To calculate and present natal charts and other spiritual/astrology insights from your birth data.
• To store AI chat history so we can provide context and better answers in later sessions.
• To process payments (via Stripe), issue confirmations/invoices, and manage subscriptions.
• To improve accuracy, reliability, and usefulness of features (aggregated usage analysis, non-identifying A/B tests).
• To enable share options (only when you choose to share your content).

5) Sharing & Disclosure

We do not sell or share your personal data for third-party advertising purposes. We only disclose data to:

• Processors who help us provide the service: hosting/infrastructure, databases, email service, monitoring/telemetry, Stripe for payments, and (if applicable) AI model providers. All processors act under data processing agreements and only per our instructions.
• Professional advisers (legal/accounting) when needed.
• Authorities when required by law or to protect rights/safety.
• In business transfers (merger/sale): data may be transferred subject to this Policy; we will notify you in advance as required by law.

6) International Transfers

If we transfer data outside Serbia/EU/EEA (e.g., to the United States), we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), additional security measures, and transfer risk assessments. You can request more details via a data rights request.

7) Data Retention

• Account & profile: retained while your account is active. When you request deletion, we delete or pseudonymize within a reasonable period; backups rotate within ~30-90 days.
• AI chats: retained while your account is active for personalization; in Settings you can (a) turn off personalization from chat history and/or (b) delete chat history entirely.
• Payment/accounting records: retained according to legal retention periods (typically 5-10 years, depending on jurisdiction).
• Telemetry/analytics: aggregated or anonymized where possible; identifiable logs kept for a limited time (e.g., up to 12 months) for security and diagnostics.

8) Your Rights

Under GDPR/Serbian law, you can:

• Access your personal data and obtain a copy.
• Rectify inaccurate or incomplete data.
• Delete data ("right to be forgotten") where applicable.
• Restrict processing or object (especially to processing based on legitimate interests and to profiling).
• Data portability - receive data in a structured, commonly used, machine-readable format.
• Withdraw consent at any time (e.g., newsletters, certain cookies, AI personalization based on consent).
• Lodge a complaint with a supervisory authority (e.g., Serbia's Commissioner for Information of Public Importance and Personal Data Protection or your EU authority).

To exercise rights, email privacy@arcana-app.example (replace with the real address). We will respond within statutory timeframes.

CCPA/CPRA (California): We do not "sell" or "share" personal information as defined by CPRA. If that changes, we will provide a "Do Not Sell or Share My Personal Information" mechanism. California residents may request access, deletion, correction, and information about our data practices.

9) AI & Automated Decision-Making

• The AI assistant uses your chat history and profile context to generate personalized answers and ritual suggestions.
• We do not make legal or similarly significant decisions solely by automated means.
• In Settings, you can:
  • Disable personalization that relies on chat history.
  • Delete chat history.
  • (When available) toggle "Use my chats to improve AMG" - ON/OFF.

10) Cookies & Similar Technologies

We use:

• Strictly necessary cookies (session, security, preferences).
• Functional cookies (UI customization).
• Analytics cookies (understand usage and improve).
• Marketing cookies - not currently used for third-party ad targeting. If we introduce them, we will seek consent and provide granular controls.

Where required (EEA/UK/RS), we present a Consent Management Platform (CMP) and honor your choices.

11) Payments via Stripe

When you purchase, you are redirected to or interact with Stripe components. Stripe processes your payment data as an independent controller/processor under its own terms and privacy notice. AMG receives tokenized details needed to activate your service, verify status, and issue invoices.

12) Social Sharing

When you use our share feature, your content leaves AMG and becomes subject to the privacy policies of the platform you post to (e.g., Instagram, X). Review their visibility settings before posting. AMG does not control how third parties handle content you choose to share.

13) Data Security

We apply technical and organizational measures including: encryption in transit and at rest, access controls, audit logs, pseudonymization where feasible, least-privilege principles, regular backups, and monitoring. No system is 100% risk-free; we will notify users and authorities as required in case of a data breach.

14) Children

AMG is not directed to individuals under 16 (or a lower age if local law allows, but never under 13). We do not knowingly collect children's data. If you believe a child has provided data, contact us so we can delete it.

15) Changes to this Policy

We may update this Policy to reflect legal changes, new features, or new processors. We will post the Effective date above and, where required, seek your consent for material changes.

16) Contact Us

• Data Controller: WorkHulk Production LLC (in formation) / working brand Arcana Mystic Guide
• Privacy email (data rights requests): privacy@arcana-app.example
• Address: [insert registered address once formed]
• EU/UK representative (if/when required): to be appointed and added here
• Data Protection Officer (if appointed): to be added here

17) Transparency Tables

18) Special Notices

• Spiritual interest inferences: used only within AMG to tailor interpretations and suggestions; not used for third-party ad targeting.
• Precise device location: we do not request GPS location. For natal charts we use the birthplace you enter (and, optionally, user-entered coordinates).