Privacy Policy
1. Introduction
Cartara is an AI-powered tarot reading mobile application operated by Sonia Volpe, based in Italy. This Privacy Policy explains how we collect, use, store, and share your information when you use the Cartara app.
By using Cartara, you agree to the practices described in this policy. If you do not agree, please do not use the app.
Effective date: February 25, 2026
2. Information We Collect
2a. Information You Provide
When you create an account and use Cartara, you provide:
- Account information — Email address, name, and password (stored securely hashed)
- Personal information — Birth date and pronoun preference, used to personalize your readings
- Language preference — Your selected language (English or Italian)
2b. Information Generated From Your Use
As you use the app, we generate and store:
- Derived profile data — Zodiac sign and generation, calculated server-side from your birth date
- Reading history — Tarot card selections, AI-generated interpretations, and reading metadata
- Credit and purchase records — Credit balances, transaction history, and product identifiers
- Ad interaction records — Rewarded video ad completions, verification nonces, and transaction IDs
2c. Information Collected Automatically
The app automatically collects:
- Device identifiers — Device ID (IDFV on iOS, Android ID on Android), used for per-device credit limits and fraud prevention
- Analytics data — If you consent, Firebase Analytics collects app usage events (e.g., readings started, categories selected, purchases completed), screen views, and user properties (zodiac sign, generation, pronoun, premium status). Your internal user ID is linked to analytics data for cross-session attribution. Analytics collection is entirely opt-in — you are asked for consent after onboarding and can enable or disable it at any time in Settings
- Crash and performance data — Error logs, stack traces, and device information collected by Sentry for stability monitoring
- API usage metrics — Token counts, cost, and latency of AI calls (contains no personal information)
3. How We Use Your Information
We use your information for the following purposes:
- Account creation and authentication — To create and secure your account
- Personalized readings — Your name, zodiac sign, and pronoun are used in AI prompts to generate tailored tarot readings
- Credit system management — To track free daily readings, purchased credits, and prevent abuse through device-based limits
- Purchase fulfillment — To process in-app purchases and manage subscriptions
- Ad reward verification — To verify that rewarded video ads were completed before granting credits
- Error monitoring — To identify and fix crashes and bugs using Sentry
- Cost monitoring — To track AI API usage costs internally (no personal information involved)
- Analytics and product improvement — With your consent, to understand how the app is used, identify popular features, and improve the experience (via Firebase Analytics)
4. Information Sharing
Third-Party Services
We share data with the following third-party services to operate the app:
| Service | Provider | Data Shared | Purpose |
|---|---|---|---|
| Firebase Analytics | Google LLC | App usage events, screen views, user ID, user properties (zodiac sign, generation, pronoun, premium status) | Analytics and product improvement (consent-gated) |
| Google AdMob | Google LLC | Device ID, ad interaction data | Rewarded video ads (non-personalized only) |
| RevenueCat | RevenueCat Inc. | User ID, purchase data | In-app purchase and subscription management |
| Sentry | Functional Software Inc. | Crash logs, device info | Error monitoring and app stability |
| Google Gemini | Google LLC | Name, zodiac sign, pronoun, reading context | AI reading generation |
| OpenAI | OpenAI Inc. | Same as Gemini (only used if Gemini is unavailable) | Fallback AI provider |
| Neon | Neon Inc. | All stored data | PostgreSQL database hosting |
| Railway | Railway Corp. | Backend request data | Backend API hosting |
What We Do NOT Do
- We do not sell your personal data to anyone
- We do not use personalized advertising — all ads are non-personalized
- We do not share your reading history with other users (unless you choose to share a reading)
5. Data NOT Collected
Cartara does not collect:
- Location data (no GPS, no IP geolocation stored)
- Contacts or phone numbers
- Photos, videos, or files
- Financial information (payments are handled entirely by Google Play and Apple — we never see card numbers)
- Health or fitness data
- Messages or communications between users (Cartara has no social features)
6. Data Storage and Security
- All data is stored on Neon (PostgreSQL database hosting) and processed through Railway (backend API hosting)
- Passwords are securely hashed using bcrypt
- All communications are encrypted via HTTPS (enforced by the .app TLD)
- Authentication uses JWT tokens
- We do not store personal information in server logs
7. Data Retention
- Account data — Retained until you request deletion
- Reading history — Retained until you request account deletion
- API usage logs — Retained for cost monitoring (contain no personal information)
- Ad verification records — Retained for fraud prevention purposes
- Crash logs — Retained by Sentry per their standard retention policy
8. Your Rights
You have the right to:
- Access your data — View your profile and reading history in the app
- Modify your data — Update your name, pronoun, and language preference in the app
- Request data export — Contact us at [email protected] to request a copy of your data
- Request deletion — Contact us at [email protected] to request account and data deletion
Under the EU General Data Protection Regulation (GDPR), you also have the right to data portability, the right to restrict processing, and the right to object to processing. To exercise these rights, contact us at the email above.
9. Children’s Privacy
Cartara is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will promptly delete it.
10. International Users
- Data controller: Sonia Volpe, Italy
- Data processing locations: Neon (US/EU), Railway (US), Sentry (US), Google (US), OpenAI (US), RevenueCat (US)
- Legal basis for processing (GDPR):
  - Consent — For non-personalized ads and Firebase Analytics (opt-in at onboarding, toggleable in Settings at any time)
  - Contract performance — For core app features (account, readings, purchases)
  - Legitimate interest — For fraud prevention and app security
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of Cartara after changes constitutes acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy or your data, contact us at:
Email: [email protected]
Data Controller: Sonia Volpe, Italy