Legal
Privacy Policy
Effective date: March 25, 2026
Last updated: March 25, 2026
Intuitum (“we”, “our”, or “us”) operates the Intuitum mobile application and the intuitum.app website. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services, in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
01Information We Collect
Information you provide directly
- •Questions and text input you enter for tarot readings and spread guidance
- •Photos of tarot cards you upload for card scanning
- •Feedback and ratings you submit on readings and scans
Information collected automatically
- •Device identifiers — a hashed fingerprint derived from your device platform, vendor ID (iOS) or Android ID, device model, and OS version. We do not collect your name, email address, or account credentials.
- •IP address — recorded in server request logs for security and rate limiting.
- •Device and app information — device model, operating system version, app version, and platform (iOS or Android).
- •Usage data — screen views, app lifecycle events, and interaction patterns via our analytics provider (PostHog), hosted in the EU.
- •Reading and interpretation data — the cards drawn, spread type, AI-generated interpretations, and associated metadata.
- •Device attestation data — cryptographic attestation information (Apple App Attest or Google Play Integrity) used to verify device authenticity.
Information stored only on your device
Your preferences (shuffle duration, card reveal style, tone, depth, focus areas, and reversal settings) are stored locally on your device using encrypted storage. These are never transmitted to our servers.
Information we do not collect
We do not collect your name, email address, phone number, precise location, contacts, or any biometric data. Intuitum does not require account creation. We do not use cookies on our website.
02How We Use Information
| Purpose | Data Used |
|---|---|
| Provide AI-powered tarot interpretations | Cards drawn, spread type, your question, tone and focus preferences |
| Card scanning and recognition | Uploaded card images, device identifier |
| Spread recommendation | Your text input describing your situation |
| Subscription management | Device identifier, transaction IDs from Apple/Google, subscription tier |
| Security and fraud prevention | Device fingerprint, attestation data, IP address, trust level |
| Rate limiting and abuse prevention | Device identifier, IP address, request type |
| Product improvement and analytics | Anonymised usage patterns, screen views, app lifecycle events |
| Error monitoring | Crash reports and error traces (production only, no personal data) |
| Reading history | Cards, spreads, interpretations linked to your device |
03Legal Basis for Processing
Under the GDPR (Article 6), we process your personal data on the following legal bases:
| Legal Basis | Processing Activity |
|---|---|
| Contract performance (Art. 6(1)(b)) | Providing tarot readings, card scanning, spread guidance, and subscription services you request |
| Legitimate interest (Art. 6(1)(f)) | Security measures, fraud prevention, device attestation, rate limiting, error monitoring, and product improvement analytics |
| Consent (Art. 6(1)(a)) | Analytics data collection via PostHog (you can opt out at any time) |
Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.
04Third-Party Services
We share data with the following third-party service providers, each acting as a data processor under appropriate contractual safeguards:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI-powered tarot interpretation and card image analysis | Card names, orientations, your question, tone preferences, card image URLs | United States |
| OpenRouter | Alternative AI provider for interpretations | Same as OpenAI (used as fallback) | United States |
| Amazon Web Services (S3) | Secure storage of uploaded card images | Card scan images | Configured region (EU/US) |
| PostHog | Privacy-focused product analytics | Anonymised usage events, screen views | European Union |
| Sentry | Error and crash monitoring (production only) | Error traces, stack traces (no personal data) | United States |
| Apple App Store | In-app purchase processing and receipt validation | Transaction IDs, receipt data | United States |
| Google Play Store | In-app purchase processing and receipt validation | Transaction IDs, purchase tokens | United States |
We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.
05International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). When your personal data is transferred to countries that have not been deemed to provide an adequate level of data protection by the European Commission, we rely on:
- •Standard Contractual Clauses (SCCs) approved by the European Commission
- •The EU-U.S. Data Privacy Framework, where the recipient is certified
- •Adequacy decisions, where applicable
Our analytics provider (PostHog) processes data exclusively within the European Union.
06Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Attestation challenges | 5 minutes (automatically purged) |
| Session tokens | 24 hours (automatically expire) |
| Request logs (incl. IP addresses) | 90 days, then permanently deleted |
| Reading history and interpretations | Retained until you request deletion |
| Uploaded card images | Retained until you request deletion |
| Subscription records | Retained for the duration of your subscription plus any legally required period |
| Device records | Retained until you request deletion or the device is inactive for 12 months |
| Analytics data (PostHog) | Subject to PostHog's data retention policy |
07Your Rights
Under the GDPR (EU/EEA/UK residents)
You have the right to:
- •Access — request a copy of your personal data
- •Rectification — correct inaccurate or incomplete data
- •Erasure — request deletion of your personal data (“right to be forgotten”)
- •Restriction of processing — limit how we use your data
- •Data portability — receive your data in a structured, machine-readable format
- •Object — object to processing based on legitimate interest
- •Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
- •Lodge a complaint — file a complaint with your local data protection supervisory authority
Under the CCPA (California residents)
You have the right to:
- •Know what personal information we collect, use, and disclose
- •Request deletion of your personal information
- •Non-discrimination for exercising your privacy rights
We do not sell or share personal information as defined by the CCPA. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.
Exercising your rights
To exercise any of these rights, contact us at privacy@intuitum.app. Because Intuitum does not require account creation, we identify your data through your device fingerprint. Please include your device platform (iOS or Android) and, if possible, the approximate date you first used the app to help us locate your records. We will respond within 30 days (GDPR) or 45 days (CCPA).
08Cookies & Tracking Technologies
Website (intuitum.app)
Our website is a static site that does not use cookies, tracking pixels, or any third-party analytics. No personal data is collected when you visit our website.
Mobile application
The Intuitum app uses PostHog (EU-hosted) for privacy-focused product analytics. PostHog collects anonymised usage events such as screen views and app lifecycle events. No advertising trackers, fingerprinting libraries, or third-party tracking SDKs are used in the app.
09Security Measures
We implement appropriate technical and organisational measures to protect your data:
- •Session tokens and authentication secrets are hashed using SHA-256 before storage
- •Sensitive data on your device is encrypted using the iOS Keychain (iOS) or Android Keystore (Android) via Expo Secure Store
- •Device attestation via Apple App Attest and Google Play Integrity verifies device authenticity
- •All communication between the app and our servers is encrypted using TLS/HTTPS
- •Presigned URLs for image uploads expire after 5 minutes
- •CSRF protection is implemented on all API endpoints
- •Access to server infrastructure is restricted and monitored
10Children's Privacy
Intuitum is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@intuitum.app and we will promptly delete it.
11Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will notify you through the app or by updating the “Last updated” date at the top of this page. We encourage you to review this policy periodically.
12Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can reach us at:
Email
privacy@intuitum.app
General enquiries
hello@intuitum.app
If you are in the EU/EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
This privacy policy was last reviewed on March 25, 2026.