Privacy Policy

Version 1.0 · Effective 2026-05-17 · GLOBAL

How BookTarot collects, uses, shares, retains, and protects your personal information, with jurisdiction-specific rights and how to exercise them.

This Privacy Policy explains how BookTarot Ltd. ("BookTarot", "we", "us") collects, uses, shares, retains, and protects your personal information when you use booktarot.com and related services (the "Platform"). It applies to Clients, Readers, and visitors.

A note on legal review. This Policy reflects production-quality drafting. Operators should run a final review with qualified counsel and a Data Protection Officer (or Article 27 representative for EU coverage) before launch.

1. Controller and contact

BookTarot Ltd. is the controller of personal information processed through the Platform. Contact: privacy@booktarot.com.

For users in the European Economic Area or United Kingdom, our representative under GDPR Article 27 is available at the same address. Where a Data Protection Officer is required, contact dpo@booktarot.com.

2. Personal information we collect

We collect personal information that you provide directly, that we collect automatically when you use the Platform, and that we receive from third-party processors:

You provide: name, email, password, profile information, payment information (handled by Stripe, never stored on our servers), reading notes, booking details, messages, reviews, and (for Readers) identity verification documents, professional history, and tax information.

We collect automatically: IP address (resolved to country and approximate region), device and browser information, language preference, pages visited, referring URL, interactions with the Platform, and cookie identifiers as described in the Cookie Policy.

We receive from third parties: payment confirmation and risk signals from Stripe; identity verification results from our verification provider; geo signals from Cloudflare; analytics events from PostHog (cookieless server-side mode for EU/UK visitors until consent).

We do not knowingly collect personal information from children. The Platform is restricted to users 18 and older.

3. How we use personal information

We use personal information to provide and improve the Platform, including:

  • Creating and authenticating accounts.
  • Matching Clients with Readers and processing bookings.
  • Processing payments and payouts.
  • Communicating about bookings, support, security, and policy changes.
  • Operating safety, fraud prevention, and trust functions including content moderation.
  • Complying with legal obligations including tax reporting and law-enforcement requests where validly compelled.
  • Marketing communications, where you have opted in or where permitted by applicable law on a soft opt-out basis with a clear unsubscribe option.

The legal bases under GDPR (and equivalent frameworks elsewhere) are: performance of a contract (booking, payment), legitimate interests (security, fraud prevention, basic analytics), consent (marketing, non-essential cookies, recording features), and legal obligation (tax, regulatory).

4. How we share personal information

We share personal information with:

  • Readers and Clients in the context of a booking: display name, profile, scheduled session details, and messages exchanged within the Platform.
  • Service providers (processors): Stripe (payments and Connect), Twilio (SMS), Resend (transactional email), Cloudflare (CDN, WAF, DDoS protection, geo), Vercel (hosting), Supabase (database and auth), LiveKit (video calling infrastructure), Cloudflare R2 (storage), MaxMind (geolocation fallback), PostHog (product analytics), Sentry (error monitoring), and our identity verification provider. A current Subprocessor List is maintained at /legal/subprocessors.
  • Legal and regulatory authorities where required by law or to enforce our Terms.
  • Successors in interest in connection with a merger, acquisition, or sale of assets, with notice to affected users.

We do not sell personal information for monetary consideration. Certain analytics signals may be considered "sharing" under the California CPRA; California residents may opt out via the "Do Not Sell or Share My Personal Information" link in the footer.

5. International transfers

Where personal information is transferred from the EEA, UK, or Switzerland to a third country, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplemented by appropriate technical and organizational measures including encryption in transit and at rest, access controls, and pseudonymization where feasible.

6. Retention

We retain personal information only as long as necessary for the purposes described, or as required by law:

  • Account information: while the account is active, plus thirty days after deletion.
  • Booking records: seven years to support tax and regulatory obligations.
  • Marketing preferences: until withdrawn.
  • Identity verification documents: as required by anti-fraud and KYC obligations, typically five years from the end of the business relationship.
  • Recordings (when both parties opt in): thirty days, unless either party saves the recording.
  • Server logs: ninety days.

7. Your rights

Subject to applicable law, you may have the following rights:

  • Access: request a copy of the personal information we hold about you.
  • Rectification: correct inaccurate information.
  • Erasure ("right to be forgotten"): request deletion of your information.
  • Restriction or objection: restrict or object to certain processing.
  • Portability: receive a copy of certain data in a structured, machine-readable format.
  • Withdraw consent: at any time, without affecting prior processing.

Most rights are self-serve in your account settings. For requests that require manual handling, contact privacy@booktarot.com; we respond within thirty days. You may also lodge a complaint with your supervisory authority.

California residents (CCPA / CPRA): the categories of personal information we collect and the purposes are described above. You have the right to know, delete, correct, limit use of sensitive personal information, and opt out of "sale" or "sharing"; see the footer link "Do Not Sell or Share My Personal Information".

Brazil (LGPD), Canada (PIPEDA, Quebec Law 25), Australia (Privacy Act 1988), Japan (APPI), Singapore and Thailand (PDPA), South Africa (POPIA): equivalent access, correction, and deletion rights apply; submit requests to privacy@booktarot.com.

8. Security

We protect personal information with administrative, technical, and physical safeguards including encryption in transit (TLS 1.2+) and at rest, role-based access control, least-privilege provisioning, regular security review, vulnerability scanning, and incident response procedures. No system is perfectly secure; we will notify affected users and supervisory authorities of personal data breaches as required by applicable law.

9. Cookies and similar technologies

See the Cookie Policy at /legal/cookies for the full list of cookies used, their purpose, retention, and how to manage your preferences. EU and UK visitors are offered granular consent before non-essential cookies are set.

10. Automated decisioning

We use automated systems for fraud detection and content moderation. Significant decisions affecting you (such as account suspension following a fraud signal) are reviewed by a human before being finalized. You can request human review of automated decisions by contacting privacy@booktarot.com.

11. Changes

We update this Policy from time to time. We will notify you of material changes by email and an in-app banner, giving at least fifteen days' notice for substantive changes. Previous versions are archived; contact privacy@booktarot.com for access.

12. Contact

For privacy questions, requests, or complaints: privacy@booktarot.com. For data protection officer matters (where applicable): dpo@booktarot.com.