Oracolarium

Privacy Policy

Effective Date: 1 April 2026

Last Updated: 1 April 2026

1. Data Controller

The data controller for the processing of your personal data is Ecliptio Ltd, a company registered in Malta (Company Registration Number: C111698), with registered office at Northlink Business Centre Level 2, Triq Burmarrad, Naxxar, NXR 6345, Malta, VAT Number MT31906033.

For privacy-related inquiries: privacy@oracolarium.com

2. Data We Collect

2.1 Data You Provide

  • Account Data: name, email address, password (hashed), preferred language
  • Profile Data: date of birth, time of birth, place of birth (for natal chart functionality, provided voluntarily โ€” treated as Special Category data, see Section 3)
  • Payment Data: processed by Stripe; we store only transaction IDs, amounts, and subscription status. We never store credit card numbers
  • Creator Data: additional information provided by Creators including display name, bio, portfolio links, and payout details
  • Communication Data: messages sent to our support team

2.2 Data Collected Automatically

  • Usage Data: readings performed, decks accessed, features used, session duration (collected via Plausible Analytics, a privacy-focused, cookieless analytics service)
  • Device Data: browser type, operating system, device type, screen resolution
  • Log Data: IP address (anonymized after 24 hours), access timestamps, error logs

2.3 Data Generated by the Platform

  • Reading History: cards drawn, AI-generated interpretations, timestamps
  • Natal Chart Data: calculated planetary positions, house placements, and AI-generated interpretations
  • AR Interaction Data: interaction events with AR content (no camera images are stored)

2.4 Data We Do NOT Collect

  • Camera images or video (AR features process on-device only)
  • Precise geolocation (we do not track your physical location)
  • Social media profiles (unless voluntarily provided for Creator pages)
  • Biometric data

3. Legal Bases for Processing (GDPR Art. 6 and Art. 9)

  • Contract Performance (Art. 6(1)(b)): account creation, providing readings, processing purchases, fulfilling subscriptions, delivering physical products
  • Legitimate Interest (Art. 6(1)(f)): platform security, fraud prevention, analytics for service improvement, customer support
  • Consent (Art. 6(1)(a)): marketing communications, cookie preferences beyond essential cookies
  • Legal Obligation (Art. 6(1)(c)): tax records, anti-money laundering requirements, responding to lawful data access requests

3.1 Special Category Data โ€” Natal Chart (Art. 9)

Birth data (date, time, and place of birth) collected for the purpose of generating astrological natal charts is treated as Special Category data under GDPR Art. 9, as it is processed for purposes that may reveal philosophical or spiritual beliefs.

The legal basis for this processing is Explicit Consent (Art. 9(2)(a)). Before providing birth data, users are required to confirm via a specific consent checkbox:

"I explicitly consent to the processing of my birth data (date, time, and place of birth) for the specific purpose of generating an astrological natal chart and AI-generated interpretation. I understand this data will be stored in my account and I may withdraw this consent and request deletion at any time."

This consent is separate from general account registration and can be withdrawn at any time via account settings, which will result in deletion of all natal chart data within 30 days.

4. How We Use Your Data

  • To provide and operate the Platform, including AI-powered readings and natal chart calculations
  • To process payments and manage subscriptions via Stripe
  • To send transactional emails (account verification, purchase confirmations, password reset) via SendGrid
  • To send marketing communications (only with your explicit consent, unsubscribe at any time)
  • To improve the Platform through anonymized, aggregated analytics
  • To provide customer support
  • To detect and prevent fraud and abuse
  • To comply with legal obligations

5. Data Sharing and Transfers

5.1 Third-Party Processors

We share personal data with the following processors, each bound by Data Processing Agreements:

  • Anthropic (USA): AI reading engine. Receives reading prompts only. Transfer basis: EU Standard Contractual Clauses (SCCs). See Section 10 for details on data sanitization.
  • Stripe (USA): Payment processing. Receives payment details. Transfer basis: EU-US Data Privacy Framework + SCCs
  • SendGrid/Twilio (USA): Transactional email delivery. Receives email addresses. Transfer basis: SCCs
  • ElevenLabs (USA/EU): Text-to-speech for audio readings. Receives reading text only (no PII). Transfer basis: SCCs
  • Wasabi (EU region): File storage for card images and assets. EU-based servers (Amsterdam), no international transfer
  • Plausible Analytics (EU): Privacy-focused analytics. No personal data transferred. EU-based, GDPR-compliant by design

5.2 International Transfers

Where personal data is transferred outside the EEA, we ensure adequate protection through: EU Standard Contractual Clauses (SCCs), adequacy decisions where applicable, and supplementary technical measures including encryption in transit and at rest.

5.3 We Do NOT

  • Sell your personal data to third parties
  • Share your reading history or natal chart data with advertisers
  • Use your data for profiling or automated decision-making that produces legal effects
  • Share AI-generated readings with anyone other than you (unless you choose to share)

6. Data Retention

  • Account Data: retained for the duration of your account plus 30 days after deletion request
  • Reading History: retained for the duration of your account; deleted within 30 days of account deletion
  • Payment Records: retained for 10 years as required by Maltese tax law
  • Natal Chart Data: retained for the duration of your account or until consent is withdrawn; deleted within 30 days of consent withdrawal or account deletion
  • Log Data: IP addresses anonymized after 24 hours; logs retained for 90 days
  • Marketing Consent Records: retained for 3 years after consent withdrawal for audit purposes
  • Creator Payout Records: retained for 10 years as required by tax law

7. Your Rights (GDPR Art. 15-22)

As a data subject under GDPR, you have the following rights:

  • Right of Access (Art. 15): request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): restrict processing in certain circumstances
  • Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format (JSON export)
  • Right to Object (Art. 21): object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7(3)): withdraw consent at any time without affecting prior processing
  • Right to Lodge a Complaint: with the Office of the Information and Data Protection Commissioner (IDPC), Malta, or your local supervisory authority

To exercise any of these rights, contact: privacy@oracolarium.com. We will respond within 30 days as required by GDPR.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Passwords stored as bcrypt hashes (never in plaintext)
  • Regular security audits and vulnerability assessments
  • Access controls limiting employee access to personal data on a need-to-know basis
  • Secure API authentication for all third-party integrations
  • Automated anomaly detection for unauthorized access attempts
  • Natal chart birth data stored with additional encryption layer

9. Children's Privacy

The Platform is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will promptly delete their account and associated data.

10. AI-Specific Privacy Provisions

When you use AI-powered features (readings, natal chart interpretations), data is sent to Anthropic's Claude API for processing. This section explains exactly what data is and is not transmitted.

10.1 Data Sent to AI Providers

The following data IS included in AI API requests:

  • Names of the cards drawn and their positions in the spread
  • The deck's guidebook meanings for each card (as uploaded by the Creator)
  • The AI persona configuration (tone, style, references)
  • The user's optional question or topic (if provided)
  • For natal charts: calculated planetary positions (degrees, signs, houses) โ€” not raw birth data

10.2 Data NOT Sent to AI Providers

The following personal identifiers are NEVER included in AI API requests:

  • User name or display name
  • Email address
  • IP address
  • Account ID or any unique user identifier
  • Date of birth, time of birth, or place of birth (for natal charts, only the calculated astronomical positions are sent, not the raw birth data)
  • Payment information
  • Reading history or previous readings
  • Any data that could be used to identify the user

10.3 AI Provider Data Handling

Per Anthropic's data use policy: input prompts sent via the API are not used for model training. They are retained only transiently for trust and safety monitoring (abuse prevention) and are not accessible to Anthropic staff except in response to specific trust and safety investigations.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email and/or a prominent notice on the Platform at least 30 days before changes take effect. The date of the latest revision is always indicated at the top of this document.

12. Contact and Supervisory Authority

Data Controller: Ecliptio Ltd, Northlink Business Centre Level 2, Triq Burmarrad, Naxxar, NXR 6345, Malta

Company Registration: C111698 | VAT: MT31906033

Privacy Contact: privacy@oracolarium.com

Supervisory Authority:

Office of the Information and Data Protection Commissioner (IDPC)

Level 2, Airways House, High Street, Sliema SLM 1549, Malta

Website: https://idpc.org.mt