Privacy Policy

Version 2.0 · Effective 2026-05-26 · GLOBAL

How BookTarot collects, uses, shares, retains, and protects your personal information, with full GDPR/UK GDPR Article 13/14 disclosures, CCPA/CPRA notice at collection, and region-specific rights for the EU/EEA, UK, Switzerland, US states, Canada (incl. Quebec Law 25), Brazil, Australia, New Zealand, Japan, South Korea, Singapore, Thailand, India, South Africa, and the Gulf states. We do not sell personal information, do not run behavioural advertising, and do not train artificial-intelligence models on Reader, Client, or Session data.

PLAIN-LANGUAGE SUMMARY · NOT A SUBSTITUTE FOR THE FULL TEXT. BookTarot Ltd. is the controller of personal information processed through booktarot.com. We collect what we need to book your Sessions, take payment, keep the Platform secure, and meet our legal obligations — and not more. We do not sell your personal information, run behavioural advertising, or train AI models on Reader, Client, or Session content. You have rights to access, correct, delete, port, and object — listed in plain English below and exercised at privacy@booktarot.com or through your account settings. If you are in the EU/EEA, UK, Switzerland, or one of the US states with comprehensive privacy law (and many others), Section 19 details the specific rights that apply to you. Recordings of Sessions are off by default and only turned on when both parties opt in. Reading the whole policy takes about ten minutes; reading this summary takes one.

This Privacy Policy ("Policy") explains how BookTarot Ltd., a company incorporated in England and Wales with registered office published at /legal/imprint ("BookTarot", "we", "us", "our"), collects, uses, shares, retains, and protects personal information when you access or use booktarot.com, the BookTarot mobile applications, and related services that link to this Policy (together, the "Platform"). It applies to Clients, Readers, organisational customers, and visitors. Capitalised terms not defined here have the meaning given to them in our Terms of Service at /legal/terms.

A note on legal review. This Policy is drafted to a production standard but is not a substitute for advice from a Data Protection Officer or counsel admitted in your jurisdiction. Operators should retain qualified privacy counsel with experience in each material market and run a final review before launch, with particular attention to (a) GDPR/UK GDPR Article 13/14 disclosures and Article 27 representative appointments, (b) the CCPA/CPRA notice-at-collection requirements, the right to limit use of sensitive personal information, and the verifiable-consumer-request and authorized-agent rules, (c) Quebec Law 25's mandatory PIA / governance requirements, (d) the new generation of US state privacy laws (Maryland's MODPA, Minnesota's MCDPA, Texas's TDPSA, Oregon's OCPA, etc.), and (e) sectoral rules (TCPA, CAN-SPAM, PECR, CASL, Spam Act 2003) for marketing communications.

1. Scope, controller, and contact

1.1 Controller

BookTarot Ltd. is the "controller" (GDPR), "business" (CCPA/CPRA), "fiduciary" (Virginia / Colorado / Connecticut / Utah / Texas / Oregon / Montana / Iowa / Delaware / New Jersey / Tennessee / Indiana / Maryland / Minnesota), "organization" (PIPEDA), "operator" (Privacy Act 2020 NZ), "controller / responsible party" (POPIA), "data fiduciary" (DPDPA India), and equivalent under other laws of personal information processed through the Platform. We are responsible for deciding why and how personal information is processed.

1.2 Joint controllers and processors

In limited circumstances, we act as a "joint controller" with a third party (for example, where Stripe acts as the controller of card-payment data for its own anti-money-laundering, fraud-detection, and regulatory purposes). In those cases, the third party's privacy notice also applies; we have entered into appropriate joint-controller agreements where required by Article 26 GDPR. Where we process personal information on behalf of an organisational customer (such as a B2B account), we act as the customer's "processor"; that customer's privacy notice applies to that processing.

1.3 How to reach us

1.4 Data Protection Officer

We have appointed a Data Protection Officer (DPO) under Article 37 GDPR. The DPO's contact is dpo@booktarot.com.

1.5 EU and UK representatives

For users in the European Economic Area, our Article 27 GDPR representative is published at /legal/imprint. For users in the United Kingdom, our representative under Article 3(2) of the UK GDPR is published at the same page. You may contact either representative directly with privacy enquiries.

1.6 Supervisory authorities

You may also lodge a complaint with the data-protection supervisory authority in your country. A non-exhaustive list is in Section 21. Our lead supervisory authority for cross-border EU processing is determined under Article 56 GDPR and is published in Section 21 once the lead-authority determination is finalised. In the UK, our supervisory authority is the Information Commissioner's Office.

2. Defined terms

When capitalised in this Policy, the following words have the meanings given here:

  • "Account" — your registered BookTarot account.
  • "Booking" — a confirmed reservation of a Session.
  • "Client" — a User who books a Session.
  • "Content" — any text, images, audio, video, ratings, reviews, profile information, message-thread content, or other material you post or transmit through the Platform.
  • "Personal information" — any information relating to an identified or identifiable natural person, equivalent to "personal data" under the GDPR, "personal information" under the CCPA/CPRA, "personal data" under the LGPD, "personal data" under PIPEDA, and similar concepts under other laws.
  • "Sensitive personal information" — the categories specifically protected by applicable law, including racial or ethnic origin, religious or philosophical beliefs, trade-union membership, genetic and biometric data processed to uniquely identify a person, health data, data concerning sex life or sexual orientation, criminal-conviction data, government identifiers, precise geolocation, contents of communications, and account credentials.
  • "Platform" — see preamble.
  • "Reader" — an independent professional approved by BookTarot to offer Sessions.
  • "Recording" — an audio or audio-visual capture of a Session generated through the Platform's recording feature.
  • "Session" — an individual tarot reading scheduled and conducted through the Platform.
  • "User" — anyone who uses the Platform — Clients, Readers, organisational customers, and visitors.

3. Categories of personal information we collect

The table below summarises the categories of personal information we collect, what they include, where they come from, and how the categories map to the CCPA/CPRA category labels in California Civil Code § 1798.140. Specific elements may vary depending on how you interact with the Platform.

Our categoryWhat it includesSourceCCPA/CPRA category
IdentifiersDisplay name, email address, hashed account password, phone number (where you provide one), Account identifier, IP address, device identifiers (cookie ID, mobile advertising identifier where applicable)You; deviceA (identifiers), G (geolocation, in some cases)
Customer recordsBilling name, shipping/event address (rare), payment-card-token reference (full PAN never on our servers), Stripe customer ID, tax-residence inputs you submitYou; StripeB (customer-record categories under Cal. Civ. Code § 1798.80(e))
Demographics where you provide themCountry of residence, preferred language, accessibility needs you tell us about, time-zoneYouC (protected classifications, in narrow cases — only where required by law and where you provide them)
Commercial informationBookings, Sessions, refunds, credits, promotional-code use, reading-history metadata (Reader, date, duration, spread)You; PlatformD (commercial information)
Internet / electronic activityPages visited, referring URL, click-stream within the Platform, browser type and version, device type, error logs, cookie identifiers (set per the Cookie Policy)Device; PlatformF (internet or other electronic network activity)
GeolocationCountry and approximate region resolved from IP via Cloudflare; we do not collect precise GPS or street-address geolocationCloudflare; deviceG (geolocation; non-precise only by default)
Audio / visualLive video and audio during a Session (transmitted but, by default, not stored); Recordings (only if both parties opt in)You; counterpartyH (audio, electronic, visual, thermal, olfactory, or similar information)
Professional or employment-related (Readers only)Practitioner bio, work history, references, tax forms (W-9, W-8BEN, W-8BEN-E, DAC7 information), Stripe Connect account IDReader; verification provider; StripeI (professional or employment-related information)
Education (Readers only, where relevant)Certifications or training claimed in profileReaderJ (education information)
InferencesMatch scores between Clients and Readers; fraud-risk scores; content-moderation decisions; product-experience preferencesPlatformK (inferences drawn from any of the above)
Sensitive personal information (see Section 6)Account credentials, government identifiers (for Reader KYC and where law requires), precise geolocation (only with explicit consent for any forthcoming feature), contents of messages exchanged on the Platform, racial/ethnic origin or religious/philosophical beliefs where you voluntarily share them in a profile or message, sexual orientation or sex-life information where you volunteer it in a SessionYou; verification providerL (sensitive personal information under CPRA)

We collect personal information only where there is a clear, legitimate, and (where required) lawful basis for doing so. We do not buy personal information from data brokers, do not enrich your profile with third-party advertising-graph data, and do not use third-party tracking pixels for advertising purposes.

3.1 Information that is required vs optional

Email address, display name, and age confirmation are required to create an Account. Other information (such as preferred language, accessibility needs, or profile photo) is optional. Where information is required to operate the Platform we say so at collection.

3.2 What we do NOT collect

We list what we do not collect because the absence matters:

  • We do not collect precise GPS or street-level geolocation by default.
  • We do not collect device-microphone or device-camera input outside an active Session (where you grant permission to the application).
  • We do not collect contacts, photos, calendar, or files from your device.
  • We do not assign or read mobile advertising identifiers (IDFA / GAID).
  • We do not store full payment-card numbers; tokenised payment data is held by Stripe under PCI-DSS.
  • We do not collect biometric identifiers (face geometry, voice prints, gait, retina/iris scans). We do not perform face-recognition processing on Recordings.

4. Sources of information

We receive personal information from four sources:

  • You. Directly through Account creation, Bookings, Sessions, messages, reviews, support contacts, and profile updates.
  • Your device. Automatically when you use the Platform — IP address, browser type, language preference, page interactions, cookie identifiers (see /legal/cookies).
  • Third-party processors acting on our behalf. Stripe (payment confirmations and risk signals), our identity-verification provider (Reader KYC outputs), Cloudflare (geo signals), Resend (email-deliverability events), Twilio (SMS delivery receipts), Sentry (error context), and others listed at /legal/subprocessors.
  • Counterparties on the Platform. A Reader you book will see your display name, your scheduled-Session metadata, and what you write in your messages or notes. A Client you accept will see your Reader profile and what is shared in the Session.

We do not knowingly receive personal information from advertising networks, data brokers, or list rentals.

5. Purposes and lawful bases

The table below sets out, for each purpose of processing, (i) the categories of personal information involved, (ii) the lawful basis under Article 6 GDPR (and, where applicable, Article 9), and (iii) our default retention.

PurposeCategories involvedGDPR lawful basisRetention
Create and authenticate AccountsIdentifiers, credentialsPerformance of a contract (Art 6(1)(b)); legal obligation in partActive Account + 30 days
Take Bookings and process paymentsIdentifiers, customer records, commercial informationPerformance of a contract (Art 6(1)(b)); legal obligation for tax (Art 6(1)(c))7 years for tax-relevant records
Provide Session video / audio infrastructureAudio / visual (live, not stored by default)Performance of a contract (Art 6(1)(b))Not retained beyond the call
Create and deliver Recordings (when both parties opt in)Audio / visual (Recording)Explicit consent of both parties (Art 6(1)(a); Art 9(2)(a) where the Recording reveals special-category data)90 days unless the Client downloads it
Operate trust-and-safety, anti-fraud, and content moderationIdentifiers, internet activity, inferences, contents of communications where flaggedLegitimate interests (Art 6(1)(f)); legal obligation in partUp to 6 years for audit; longer in case of active investigation
Provide customer supportIdentifiers, commercial information, message content where sharedPerformance of a contract (Art 6(1)(b)); legitimate interests (Art 6(1)(f))3 years from the end of the support thread
Process Reader payouts and meet tax-reporting obligations (1099-K, DAC7, UK OECD, etc.)Identifiers, customer records, professional/employment, tax formsLegal obligation (Art 6(1)(c))7 years (or longer where local tax law requires)
Comply with KYC, AML, and sanctions-screening obligationsIdentifiers, government identifiers, screening resultsLegal obligation (Art 6(1)(c)); legitimate interests5 years from end of relationship
Send operational communications (Booking confirmations, reminders, security alerts, policy updates)IdentifiersPerformance of a contract (Art 6(1)(b)); legitimate interests (Art 6(1)(f))Logs of sends: 1 year
Send marketing communications (where you have opted in or where soft opt-in applies under PECR Reg 22(3))Identifiers; marketing preferencesConsent (Art 6(1)(a)); legitimate interests on soft opt-inUntil withdrawn + 30-day cooling period for audit
Run product analytics (server-side, cookieless by default; identifiable only after consent)Internet activity; pseudonymous Account identifierLegitimate interests (cookieless) (Art 6(1)(f)); consent if cookie-based or otherwise identifiable in the EU/EEA/UK12 months from event
Respond to law-enforcement and regulatory requestsWhatever is requested under the valid legal processLegal obligation (Art 6(1)(c))As required by law
Defend or pursue legal claimsWhatever is relevant to the claimLegitimate interests (Art 6(1)(f)); legal claims exemptionStatutory limitation + 1 year
Conduct corporate due diligence and transactionsIdentifiers; commercial information; aggregate metricsLegitimate interests (Art 6(1)(f))Until completion + 1 year

5.1 Legitimate-interests assessments

Where we rely on legitimate interests, we have run a balancing test taking your reasonable expectations and rights into account. A summary of those balancing tests is available on request to privacy@booktarot.com. You may object to processing based on legitimate interests at any time (see Section 19).

5.2 No general profiling for advertising

We do not build advertising-purpose profiles of Users and we do not engage in behavioural advertising. The only "profiling" we perform is the limited matching, trust-and-safety, and fraud-detection processing described above, with human review of significant decisions (see Section 10).

6. Sensitive / special-category personal information

6.1 GDPR Article 9

Tarot Sessions and the Platform can involve "special categories" of personal data within the meaning of Article 9 GDPR — for example, religious or philosophical beliefs implied by the use of a divinatory framework, or health, sex-life, or sexual-orientation information that a Client may voluntarily share during a reading. We process such data only on one or more of the following bases:

  • Your explicit consent (Art 9(2)(a)), which you give when you book a Session and when you opt in to Recording.
  • Establishment, exercise, or defence of legal claims (Art 9(2)(f)).
  • Substantial public interest under EU or member-state law where applicable (Art 9(2)(g)), interpreted narrowly.

We do not infer sensitive characteristics from your browsing behaviour. We do not target advertising on the basis of inferred sensitive characteristics. We do not sell sensitive personal information.

6.2 CPRA "sensitive personal information"

Under California Civil Code § 1798.140(ae), "sensitive personal information" includes credentials, government identifiers, contents of communications, precise geolocation, racial/ethnic origin, religious/philosophical beliefs, union membership, genetic data, biometric identifiers for unique identification, health data, and sex-life or sexual-orientation data. We collect a limited subset of these (Account credentials; Reader government identifiers for KYC; contents of messages exchanged on the Platform; voluntary sensitive disclosures during a Session) and we use them only for the purposes set out in this Policy. You have the right to limit our use and disclosure of sensitive personal information to those uses necessary to provide the Service. See Section 19.4.

6.3 Health data (not HIPAA / not HMR)

The Platform is not a covered entity or business associate under the US Health Insurance Portability and Accountability Act, and tarot Sessions are not regulated health services in the United Kingdom or EU. Information shared in a Session is not protected health information within the meaning of HIPAA. If you share health information with a Reader, you do so voluntarily and at your own risk. Readers are contractually prohibited from making medical diagnoses, recommending treatment, or commenting on prognosis (see /legal/terms § 5).

7. Recordings of Sessions

7.1 Default off

Recordings are off by default. The Platform creates a Recording only when both the Client and the Reader explicitly opt in through the in-Session controls before the recording starts. This is described in detail at /legal/terms § 10.

7.2 What a Recording contains

A Recording captures the audio and video of the Session, the date and time, the Client and Reader identifiers, and any messages exchanged through the in-Session chat. It may capture sensitive personal information if the Client volunteers any during the call.

7.3 Purpose

We process Recordings only for delivery to the Client, retention by the Client for personal use, dispute investigation, and trust-and-safety review. We do not sell Recordings, license them to advertisers, train artificial-intelligence or machine-learning models on them, share them with insurers or employers, or otherwise use them beyond these purposes.

7.4 Retention and deletion

Server-side Recordings are retained for 90 days by default. The Client may download the Recording for personal retention; once downloaded, the Client controls retention. We delete server-side copies on the published schedule. Either party may request earlier deletion through the dashboard or by emailing privacy@booktarot.com.

7.5 Two-party consent and biometric anticipation

A number of US states (California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon (in-person), Pennsylvania, Vermont, Washington) and most EEA member states require all parties to a recorded conversation to consent. Opting in through the Platform constitutes that consent. We do not perform facial-recognition, voice-print, or other biometric processing on Recordings. If any future feature would process biometric identifiers within the meaning of Illinois's Biometric Information Privacy Act (740 ILCS 14/), Texas Business and Commerce Code § 503.001, Washington RCW 19.375, or similar laws, we will obtain the consent those laws require before activating the feature for you.

8. Cookies and similar technologies

See the Cookie Policy at /legal/cookies for the full list, categorisation, retention, and consent controls. Briefly:

  • Essential cookies are always on. They support session, security, fraud prevention, language preference, and geo routing.
  • Functional, analytics, and marketing categories are opt-in for EU/EEA/UK visitors and managed through the cookie-preferences link in the footer.
  • We honour browser-level Global Privacy Control (GPC) and Do Not Track signals where technically feasible, and we treat a GPC signal received from a California, Colorado, Connecticut, Texas, or other applicable-state visitor as a valid opt-out of "sale" and "sharing" of personal information.

Marketing cookies are inactive at launch. We will not enable third-party advertising cookies without granular opt-in consent.

9. AI and machine learning

9.1 Our position

We do not train, fine-tune, or evaluate any artificial-intelligence or machine-learning model on Reader, Client, or Session personal information. This includes profile content, reviews, messages, Recordings, transcripts, daily-draw interpretations, and any other Content connected to an identified or identifiable person. It also includes derived representations (embeddings, audio fingerprints, summaries that are not aggregated beyond reasonable de-identification).

9.2 Vendor obligations

We require AI and ML processors we use (for example, content moderation under our trust-and-safety stack) to commit contractually to a no-training-on-customer-data posture, with data-retention windows aligned to the purpose. Our subprocessor list at /legal/subprocessors identifies any vendor we use for AI-assisted processing.

9.3 Reader and Client safeguards

You may not, and may not assist any third party to, use Content on the Platform to train AI/ML systems. See /legal/terms § 13.

10. Profiling and automated decision-making

10.1 Where we use automated processing

We use limited automated processing for (a) matching Clients with Readers based on stated preferences, (b) fraud-risk and chargeback-risk scoring, (c) content moderation of profile bios, reviews, and messages, and (d) anti-spam and anti-abuse controls.

10.2 Human review of significant decisions

Decisions that produce legal or similarly significant effects (such as Account suspension after a fraud-risk signal, or removal of a Reader from the Platform after moderation review) are made or confirmed by a human reviewer before they take effect. We do not make solely-automated significant decisions about you.

10.3 Article 22 GDPR

You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you, and the right to request human review, contest the decision, and express your point of view. To exercise these rights, contact privacy@booktarot.com.

10.4 Meaningful information about the logic

For each automated component above, the logic, significance, and consequences for you are summarised in plain English on request to privacy@booktarot.com.

11. Children and minors

The Platform is not directed to anyone under 18 (or under the higher local-law threshold under /legal/terms § 3.1). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it without undue delay.

  • United States. We comply with the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506. We do not knowingly collect personal information from anyone under 13. California adds restrictions on the "sale" or "sharing" of personal information of consumers under 16; we do not sell or share personal information at all, but for under-16 California residents we also will not contact them with marketing without verifiable parental consent.
  • European Union. Where consent is the lawful basis for an "information-society service" under Article 8 GDPR, the digital-consent age is 16 unless the member state has lowered it (member states have set the age between 13 and 16). We require all Users to be 18 regardless.
  • United Kingdom. We apply the Information Commissioner's "Age-Appropriate Design Code" principles to all Users by default — data minimisation, no profiling by default, no nudge techniques to disclose more information than necessary.
  • Brazil. Article 14 LGPD requires specific consent for children under 12 and adolescents 12–17. We do not knowingly collect personal information from anyone under 18.

Parents and guardians who believe their child has provided personal information to us may contact privacy@booktarot.com; we will investigate and delete promptly.

12. How we share personal information

We share personal information only with the categories of recipients listed below. A current list of named processors is at /legal/subprocessors.

12.1 Other Users in the context of a Booking

A Reader you book sees your display name, your scheduled-Session metadata, what you write in your in-Platform messages or notes, and the Session itself. A Client you accept sees your Reader profile and what is shared in the Session.

12.2 Processors (service providers)

We rely on third-party processors who handle personal information on our instructions and under written contracts that meet the requirements of Article 28 GDPR and the equivalent of similar laws. Current processors include:

  • Stripe — payments, payouts, Stripe Connect, Stripe Tax, fraud-risk signals.
  • Vercel — application hosting, edge network, image optimisation.
  • Supabase — database, file storage.
  • Cloudflare — DNS, WAF, DDoS protection, geo signals, R2 storage.
  • LiveKit / Mux — video-call infrastructure.
  • Resend — transactional email.
  • Twilio — SMS notifications (where you opt in to SMS).
  • MaxMind — IP geolocation fallback.
  • Sentry — error monitoring.
  • PostHog — product analytics (server-side, cookieless by default).
  • Identity-verification provider for Reader KYC.

Stripe acts as an independent controller for KYC, anti-money-laundering, and regulatory-reporting purposes; its privacy notice applies to that processing.

12.3 Other recipients

  • Legal and regulatory authorities where required by validly issued legal process, court order, or applicable law. We push back on requests that appear over-broad and publish aggregate statistics in the Transparency Report at /legal/transparency.
  • Tax authorities under DAC7, the OECD Model Rules, US 1099-K, and equivalent regimes.
  • Successors in interest in connection with a merger, acquisition, financing, or sale of all or substantially all of our assets, with notice to affected Users where required by law.
  • Professional advisers (lawyers, accountants, insurers, auditors) under duties of confidence.

12.4 No sale / no targeted advertising

We do not sell personal information for monetary or other valuable consideration, and we do not use personal information for cross-context behavioural advertising. To the extent any cookie-based analytics signal could be considered "sharing" under the California CPRA, the Colorado CPA, the Connecticut CTDPA, or similar laws, you can opt out via the "Do Not Sell or Share My Personal Information" link in the footer or by enabling the Global Privacy Control signal in a supporting browser.

13. International transfers

The Platform is operated from servers in the European Union, the United States, and other regions through our processors. When personal information is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a third country, we ensure an adequate level of protection by relying on one or more of the following mechanisms:

  • Adequacy decisions. The European Commission has adopted adequacy decisions for the UK, Switzerland, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, the Republic of Korea, Uruguay, and (for certified organisations) the United States under the EU–US Data Privacy Framework.
  • Standard Contractual Clauses. The European Commission's Standard Contractual Clauses (Decision 2021/914) in their most current form, with the appropriate module selected for each flow.
  • UK International Data Transfer Addendum. The UK ICO's IDTA or the UK Addendum to the SCCs for transfers from the UK.
  • Swiss Adequacy. The Swiss Federal Data Protection and Information Commissioner's amendments to the SCCs for transfers from Switzerland.
  • Supplementary measures. Encryption in transit (TLS 1.2+) and at rest (AES-256), pseudonymisation where feasible, strict access controls, contractual restrictions on government-access disclosures, and transparency-report commitments where law permits.

Where a transfer relies on a vendor's certification under the EU–US Data Privacy Framework (or the UK Extension), we verify that certification before relying on it and monitor recertification on the published cycle. A copy of the relevant transfer instrument is available on request.

14. Data security

14.1 Programme

We protect personal information with administrative, technical, and physical safeguards including:

  • TLS 1.2+ encryption in transit for all Platform traffic.
  • AES-256 encryption at rest for database storage and Recordings.
  • Hashing of credentials with scrypt (or a comparable memory-hard algorithm) and per-user salts.
  • Role-based access control with least-privilege provisioning and quarterly access reviews.
  • Multi-factor authentication for staff access to production systems.
  • Logging, intrusion-detection, and centralised security monitoring.
  • Vendor security review for new processors, with annual reassessment.
  • Vulnerability scanning, dependency monitoring, and a published responsible-disclosure policy.
  • Documented incident-response procedures with on-call rotation.
  • Backup and disaster-recovery testing.

14.2 Breach notification

No system is perfectly secure. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authority within 72 hours of becoming aware where required by Article 33 GDPR or the equivalent in your jurisdiction.
  • Notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
  • Document the breach internally per Article 33(5) GDPR.

US state notification thresholds (such as the California Civil Code § 1798.82 timing rules) and Australia's Notifiable Data Breaches scheme apply alongside GDPR / UK GDPR.

14.3 Responsible disclosure

To report a vulnerability or security concern, please contact security@booktarot.com. We will not pursue researchers who follow our published responsible-disclosure policy.

15. Retention

We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law. The default schedule is:

CategoryDefault retention
Account informationActive Account + 30 days; longer where you have undeleted Bookings or open disputes
Booking and payment records7 years (tax / accounting)
Recordings (when both parties opt in)90 days on our servers; the Client controls retention of any local copy
Server access logs90 days
Security and incident-response logs1 year
Identity-verification documents (Readers)5 years from end of relationship (AML/KYC)
ReviewsWhile the underlying Booking exists; retention beyond Account closure is described in /legal/terms § 14
Marketing preferencesUntil withdrawn + 30-day audit window
Cookie consent records24 months for audit
Customer-support tickets3 years from closure
Tax forms (W-9, W-8, DAC7)7 years
Sanctions-screening results5 years

Where retention is required by law for longer (for example, where local tax law mandates a 10-year retention), we follow the longer statutory period.

16. Your privacy rights (general)

Subject to the law of your jurisdiction, you may have the following rights. We summarise them here in plain English; the precise scope for your country is in Section 19.

  • Access — confirm whether we process your personal information and request a copy.
  • Rectification / correction — correct inaccurate or incomplete information.
  • Erasure / deletion — request deletion of your personal information.
  • Restriction or objection — restrict or object to certain processing (including direct marketing and legitimate-interests processing).
  • Portability — receive a copy of certain data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Withdraw consent — at any time, without affecting prior processing.
  • Object to automated decision-making — request human review.
  • Non-discrimination — exercise your rights without us treating you adversely.
  • Lodge a complaint — with the supervisory authority in your jurisdiction.

Most rights are self-serve from your Account settings — including deleting your Account, updating your profile, exporting your data, and managing communication preferences. For requests that require manual handling, contact privacy@booktarot.com. We respond within thirty calendar days (or earlier where the law of your country requires).

16.1 Verification

We verify requests against the email registered to your Account and, where the request is for sensitive data or where we have reason to doubt identity, with additional verification information. We do not require excessive identity documents for routine requests.

16.2 Authorised agents

You may use an authorised agent to make a request on your behalf where the law of your jurisdiction permits (for example, under the California CPRA). The agent must provide signed written permission from you and may be required to verify their own identity.

16.3 Appeals

For states that require an appeals process (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, Tennessee, Indiana, Maryland, Minnesota), you may appeal a denied request to privacy@booktarot.com within 30 days of denial. We will respond within 60 days. If your appeal is denied, you may submit a complaint to your state attorney general.

16.4 Exceptions

We will not delete or restrict personal information where doing so would prevent us from meeting a legal obligation (such as tax-retention rules), where retention is necessary for the establishment, exercise, or defence of legal claims, where it is necessary for ongoing fraud-prevention, or where another permitted exemption under the applicable law applies. We will tell you when we rely on an exception.

17. Marketing communications

17.1 Operational vs marketing

Operational communications (Booking confirmations, payment receipts, security alerts, policy updates) are required to operate the Platform and you cannot opt out while you maintain an Account.

17.2 Consent rules by region

  • EU/EEA (ePrivacy Directive / national implementations). Marketing emails require prior opt-in consent, except for the limited "soft opt-in" for existing-customer marketing about similar products with an opt-out option in each message.
  • United Kingdom (PECR Reg 22). Same as the EU model; soft opt-in for similar products to existing customers is permitted with a clear opt-out in each message.
  • United States (CAN-SPAM, 15 U.S.C. §§ 7701 et seq.). Marketing emails must include a working unsubscribe link, our postal address, and accurate from / subject lines. We honour unsubscribes within 10 business days.
  • Canada (CASL). Marketing requires express or implied consent and clear unsubscribe.
  • Australia (Spam Act 2003). Marketing requires consent, a clear sender identification, and an unsubscribe facility.
  • Brazil (LGPD). Marketing requires consent that is informed, specific, and clear.

17.3 SMS / messaging

Where you opt in to SMS reminders we will send only Booking-relevant messages from a registered sender ID. Reply STOP to opt out or HELP for assistance. US 10DLC and TCPA compliance are described in /legal/terms § 11.

17.4 Telephone calls

We do not make outbound marketing telephone calls. Support callbacks are only on your request.

18. Records of processing activities; impact assessments

We maintain a Record of Processing Activities under Article 30 GDPR. We conduct a Data Protection Impact Assessment (DPIA) under Article 35 GDPR before introducing any processing that is likely to result in a high risk to your rights and freedoms (for example, the launch of any forthcoming biometric feature). DPIAs are available to supervisory authorities on request.

19. Region-specific rights

The following region-specific provisions apply in addition to the rest of this Policy. Where a regional rule gives you more rights than the general framework above, the regional rule controls.

19.1 European Union / European Economic Area

You have the following rights under Chapter III GDPR: access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), portability (Art 20), objection including objection to direct marketing (Art 21), and not to be subject to a decision based solely on automated processing including profiling (Art 22). You may withdraw consent at any time (Art 7(3)), and you may lodge a complaint with your supervisory authority (Art 77). The Article 27 GDPR representative is published at /legal/imprint.

19.2 United Kingdom

You have the equivalent rights under the UK GDPR and the Data Protection Act 2018, and you may lodge a complaint with the Information Commissioner's Office at https://ico.org.uk/make-a-complaint. The Article 3(2) UK GDPR representative is published at /legal/imprint.

19.3 Switzerland

You have the equivalent rights under the revised Federal Act on Data Protection (revFADP). You may lodge a complaint with the Federal Data Protection and Information Commissioner.

19.4 California (CCPA as amended by the CPRA)

If you are a California resident, you have the right to:

  • Know — request the categories and specific pieces of personal information we collect, the categories of sources, the purposes of collection, and the categories of third parties to whom we disclose information.
  • Delete — request deletion of personal information we have collected from you.
  • Correct — request correction of inaccurate personal information.
  • Opt out of "sale" or "sharing" — we do not sell personal information and do not engage in cross-context behavioural advertising; you can confirm by visiting /legal/do-not-sell or enabling Global Privacy Control.
  • Limit use and disclosure of sensitive personal information — to those uses necessary to provide the Service.
  • Non-discrimination — we will not deny goods or services, charge different prices, or provide different quality because you exercise a right.

To exercise these rights, email privacy@booktarot.com or use the self-serve links in your Account. We verify requests by matching information to the registered Account. We allow authorised agents on receipt of signed written permission. Shine the Light requests under Cal. Civ. Code § 1798.83 — we do not share personal information with third parties for those third parties' direct-marketing purposes, so a Shine the Light request will return a confirmation of that position.

Notice at collection. The categories of personal information we collect and the purposes for which we collect them are summarised in Section 3 and Section 5 of this Policy; that summary constitutes the notice at collection required by the CCPA. We do not collect personal information for purposes that are materially different from those disclosed here.

19.5 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Delaware, New Jersey, Tennessee, Indiana, Maryland (MODPA), Minnesota (MCDPA)

If you are a resident of one of these states, you have the right to access, correct (where the state law provides), delete, port, and opt out of targeted advertising, "sale", and (where the state law provides) profiling that produces legal or similarly significant effects. We do not engage in targeted advertising, "sale", or profiling with significant effects (see Section 10). You have the right to appeal a denied request (Section 16.3). Maryland's MODPA imposes additional data-minimisation and sale-of-sensitive-data restrictions; we comply with those as part of our default posture.

19.6 Other US states

For residents of US states without a comprehensive privacy law, we apply the rights and protections in this Policy on a voluntary basis where doing so is consistent with applicable law.

19.7 Canada (PIPEDA, Quebec Law 25, Alberta PIPA, BC PIPA)

If you are a resident of Canada, you have the rights of access, correction, withdrawal of consent, and complaint set out in the Personal Information Protection and Electronic Documents Act and, where applicable, provincial laws. Quebec residents have the additional rights set out in An Act respecting the protection of personal information in the private sector (Law 25), including data portability (in force since September 2024), notification of confidentiality incidents, transparency of automated decisions affecting them, and the right to designate a person to exercise their rights after death. We have appointed a person responsible for the protection of personal information under Law 25; contact privacy@booktarot.com.

19.8 Brazil (LGPD)

If you are a resident of Brazil, you have the rights set out in Article 18 LGPD: confirmation of processing, access, correction, anonymisation or deletion, portability, deletion of data processed on consent, information about sharing, information about not consenting and the consequences, and revocation of consent. Our Encarregado (DPO) is contactable at dpo@booktarot.com. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados.

19.9 Australia

If you are a resident of Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles apply. You may request access and correction under APP 12 and APP 13, and you may complain to the Office of the Australian Information Commissioner. We comply with the Notifiable Data Breaches scheme.

19.10 New Zealand

If you are a resident of New Zealand, the Privacy Act 2020 applies. You may request access and correction, and you may complain to the Office of the Privacy Commissioner.

19.11 Japan

If you are a resident of Japan, the Act on the Protection of Personal Information (APPI) applies. You have rights of disclosure, correction, suspension of use, and erasure, and you may complain to the Personal Information Protection Commission. We obtain your consent before transferring your personal information to third parties outside Japan where APPI requires it.

19.12 South Korea

If you are a resident of South Korea, the Personal Information Protection Act applies. You have rights of access, correction, suspension, and deletion, and you may complain to the Personal Information Protection Commission (PIPC).

19.13 Singapore

If you are a resident of Singapore, the Personal Data Protection Act 2012 applies. You have rights of access and correction and you may complain to the Personal Data Protection Commission.

19.14 Thailand

If you are a resident of Thailand, the Personal Data Protection Act B.E. 2562 applies. You have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent, and you may complain to the Personal Data Protection Committee.

19.15 India

If you are a resident of India, the Digital Personal Data Protection Act, 2023 ("DPDPA") applies as it comes into force in stages. You have the rights of access, correction, completion, updating, erasure, grievance redressal, and nomination. Our grievance officer is reachable at privacy@booktarot.com. If we are designated a "Significant Data Fiduciary" by the Government of India, additional obligations will apply and we will publish them here.

19.16 South Africa

If you are a resident of South Africa, the Protection of Personal Information Act, 2013 ("POPIA") applies. You have the rights of access, correction, deletion, and objection, and you may complain to the Information Regulator. Our Information Officer is reachable at privacy@booktarot.com.

19.17 Gulf states

For residents of the United Arab Emirates (Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data), the Kingdom of Saudi Arabia (Personal Data Protection Law), the Kingdom of Bahrain (Personal Data Protection Law), and other Gulf jurisdictions with personal-data laws, you have the access, correction, and deletion rights set out in the applicable law. Local rules on cross-border transfer apply; we comply with the consent and transfer-mechanism requirements relevant to your residency.

19.18 Rest of world

For residents of other jurisdictions, we apply the rights and protections in this Policy on a voluntary basis where doing so is consistent with applicable law.

20. How to exercise your rights

The fastest way to exercise most rights is from your Account settings:

  • Update profile information — Settings → Profile.
  • Download your data — Settings → Privacy → "Export my data". We deliver a JSON archive within 30 days.
  • Delete your Account — Settings → Privacy → "Delete my account". Soft-deletion is immediate; we retain only the records we are legally required to keep.
  • Manage marketing preferences — Settings → Communications.
  • Manage cookie preferences — footer → "Cookie preferences".
  • Withdraw consent for Recordings — Settings → Privacy → "Session recording preferences".

For anything else, email privacy@booktarot.com from the email registered to your Account. We respond within thirty calendar days (or earlier where the law of your country requires); we may extend this where the request is complex, with notice to you.

21. Supervisory authorities and complaints

You have the right to lodge a complaint with the data-protection supervisory authority in your country. A non-exhaustive list:

We would prefer the opportunity to resolve your concern directly first; please contact us at privacy@booktarot.com before escalating where it makes sense to do so.

22. Joint-controller and processor relationships

22.1 Where we act as a controller

We act as a controller of personal information processed for our own purposes — operating the Platform, taking payments to Readers, meeting tax obligations, defending legal claims, and so on. This Policy describes that processing.

22.2 Where we act as a processor

Where we provide the Platform to an organisational customer on a B2B basis, we may act as the customer's processor in respect of certain personal information of the customer's end-users. The customer's privacy notice applies to that processing. The terms of our processor relationship are in the Data Processing Addendum at /legal/dpa.

22.3 Joint controllership with Stripe

For card-payment processing on the Platform, Stripe acts as an independent controller in respect of its anti-fraud, anti-money-laundering, and regulatory obligations. Stripe's privacy policy is at https://stripe.com/privacy. We share with Stripe only the information necessary for payment processing.

23. Linked content and external sites

The Platform may link to external websites for your convenience (for example, a Reader's external portfolio link or a partner's blog). We do not control those sites and we are not responsible for their privacy practices. Read their policies before sharing personal information with them.

24. Changes to this Policy

We may update this Policy from time to time. We will notify you of material changes by email and an in-Product banner with at least fifteen (15) days' notice; some changes (such as the addition of a new region-specific rider) take effect on publication. Material changes to the lawful bases, categories of personal information collected, retention, sharing, or international-transfer mechanisms are notified to you in advance. Previous versions are archived; contact privacy@booktarot.com for access. The "Version" and "Effective" markers at the top of this page record successive versions.

25. Contact


Acknowledgement. By using the Platform you confirm that you have read and understood this Policy. Where consent is required for any specific processing, we obtain it separately at the point of collection.