Privacy Policy

Last updated: June 3, 2026

1. What this policy covers

This Privacy Policy explains what personal data MysticDeck AI (“we”, “us”) collects, why we collect it, how we use it, and what rights you have over it. It applies to mysticdeck.org and any subdomains we operate.

2. Data we collect

We collect the following categories of data:

  • Email address — when you sign up via the CTA form on the landing page
  • Account credentials — email and a password hash, when you create a paid account
  • Questions you type and the resulting readings — stored to deliver the Service and to show your reading history
  • Payment metadata — handled entirely by Paddle; we receive only the fact that a subscription is active, the plan tier, and the billing status. We never see or store your card number.
  • Standard server logs — IP address, user agent, request URL, response code. Retained for 30 days for abuse prevention.

3. How we use your data

  • To deliver the Service you signed up for
  • To process your subscription through Paddle and verify access to paid features
  • To send transactional emails (receipts, security alerts)
  • To respond to your support requests
  • To detect and prevent abuse, fraud, and terms-of-service violations

We do not sell your data. We do not use your data for advertising retargeting.

4. Third-party services

We share the minimum data necessary with these providers:

  • Paddle.com — merchant of record. Receives your email, billing country, and payment method to process your subscription. Paddle’s privacy policy.
  • Vercel — hosts our application and processes inbound requests. Receives your IP and request metadata. Vercel’s privacy policy.
  • Resend (or equivalent transactional email provider) — sends account and receipt emails. Receives your email address and the message body.

5. Cookies

We use a small number of essential cookies and similar storage:

  • Session cookie — keeps you signed in (HttpOnly, Secure, SameSite=Lax)
  • CSRF token — protects form submissions
  • paddle.js overlay — set only when you click a checkout button, to remember the overlay state

We do not use advertising, analytics, or cross-site tracking cookies.

6. Your rights (GDPR / CCPA)

You may at any time:

  • Request a copy of the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and all related data
  • Export your reading history in a portable format
  • Opt out of any non-essential email

To exercise any of these rights, email [email protected]. We respond within 30 days.

7. Data retention

We retain your account data for as long as your account is active. If you cancel and request deletion, we erase your personal data within 30 days, except where retention is required by tax or accounting law (typically 7 years for payment records held by Paddle).

8. Security

We use industry-standard safeguards: TLS 1.2+ for data in transit, bcrypt for password hashing, principle of least privilege for internal access, and HMAC signature verification on all payment webhooks. No method of transmission over the internet, however, is 100% secure.

9. Children’s privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it.

10. Changes

We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect any changes. For material changes, we will also email active subscribers at least 14 days in advance.

11. Contact

Privacy questions: [email protected]. We respond within 30 days.