Privacy Policy

1. Introduction

Spatom ("we", "us", or "our") operates Tarotlit mobile application (the "App"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our App.

This Privacy Policy applies to the App and all products and services offered by Spatom in connection with the App.

2. Information We Collect

We collect minimal information necessary to provide and improve our App services. Most of your data stays on your device.

Locally Stored Data (On Your Device Only)

• Saved readings and journal entries - Stored in a local SQLite database on your device
• Personal notes and photos - Any notes or photos you add to journal entries are stored locally
• App preferences - Settings such as language, theme, notification schedule, and favorites
• Google Sign-In token - If you connect Google Drive backup, your OAuth token and basic profile (name, email, photo) are stored securely in the device's secure storage (Keychain / Keystore) for backup purposes only

Analytics Data (Anonymous)

• Firebase Analytics - We collect anonymous usage statistics (screen views, card draws, spread completions) via Firebase Analytics to understand how users interact with the App and improve features. This data is not linked to your personal identity.
• Crash reports - Technical information about app crashes to help us fix bugs

In-App Purchase Data

• RevenueCat - Subscription and purchase status is processed by RevenueCat to validate Premium access. RevenueCat may collect transaction identifiers and receipt data in accordance with their privacy policy.

Device Information

• Device type - Device model and OS version
• App version - Version of App you are using
• Device identifiers - Firebase Analytics may collect an app-instance ID and, where permitted by your device settings, an advertising identifier (Advertising ID on Android or IDFA on iOS) for anonymous usage measurement.

3. How We Use Your Information

We use collected information for various purposes:

• To provide and maintain our App - Core functionality and service delivery
• To improve user experience - Analyzing usage patterns to enhance features
• To communicate with you - Important updates and support responses
• To ensure security - Protecting against fraud and unauthorized access

3.5 Legal Basis and Retention (GDPR)

We process your data on the following legal bases:

• Local app functionality — Necessary for the performance of our contract with you (Terms of Use). Retained locally until you delete the App or clear its data.
• Analytics & crash reports — Based on your consent, which you can withdraw at any time. Retained by Firebase for up to 26 months (or shorter based on your device settings).
• Purchase validation — Necessary for the performance of our contract. RevenueCat retains transaction identifiers for as long as required by tax and accounting law.

If you are in the EEA, you have the right to lodge a complaint with your local Data Protection Authority.

4. Data Storage and Security

We prioritize the security and privacy of your data through various measures:

• Local storage - Personal readings, journal entries, notes, and photos are stored locally on your device in a SQLite database. We do not upload them to our servers.
• Optional cloud backup - If you enable backup, your data is saved as a file to your personal Google Drive (Android) or iCloud (iOS). The app does not create an online account; backup is manual and stores files only in your own cloud storage account, not on our servers.
• Encryption - Data transmission is encrypted using industry-standard protocols (TLS/SSL)
• Secure token storage - OAuth tokens for Google Drive are stored in the device's secure key storage (iOS Keychain / Android Keystore)
• Regular updates - Security patches and updates to protect against vulnerabilities

5. Third-Party Services

Our App may use third-party services that have their own privacy policies:

• Google Play Services - For app distribution and Google Sign-In / Google Drive API access (scope: drive.appdata). Google processes data according to their Privacy Policy.
• Firebase Analytics - Anonymous usage analytics (screen views, card draws, spread completions, feature usage) collected with user consent. Firebase may collect an app-instance ID and, depending on your device settings, an advertising identifier (Advertising ID on Android or IDFA on iOS). See Google's Privacy Policy for details.
• RevenueCat - In-app purchase and subscription management. RevenueCat, Inc. may collect your device identifier, purchase history, app user ID, and receipt data to validate Premium access and manage subscriptions. See the RevenueCat Privacy Policy.
• Crash reporting - Automatic crash reports to improve app stability

6. Your Rights and Data Deletion

You have the following rights regarding your data:

• Access - Request access to your personal data
• Correction - Request correction of inaccurate data
• Deletion - Request deletion of your personal data
• Portability - Request transfer of your data to another service
• Objection - Object to processing of your personal data

How to delete your data or revoke access

• Local data - Delete the App or clear its data in Android Settings (Settings → Apps → Tarotlit → Storage → Clear Data). This removes all local readings, journal entries, and settings.
• Google Drive backup - Revoke the App's access to your Google Account at any time via Google Account → Security → Third-party apps. Backup files in your Google Drive can be deleted manually from your Drive if needed.
• iCloud backup - Disable iCloud backup for the App in iOS Settings, or delete the backup file from your iCloud Drive.
• Analytics opt-out - Firebase Analytics data is anonymous and not linked to your identity. Device-level ad and analytics settings do not fully disable Firebase Analytics collection. The only way to completely stop analytics collection is to uninstall the app. You may also contact us to request deletion of analytics data associated with your device.

Because the App does not create an online account on our servers, there is no server-side account to delete. All personal tarot data is stored locally on your device.

7. Consent and GDPR / CCPA Compliance

The App includes a consent management flow that informs you about data collection practices and requests your consent where required by law (GDPR, CCPA, and other applicable regulations). You can review and update your consent choices at any time in the App settings.

California Residents (CCPA/CPRA). We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Categories of personal information we collect are: (1) Identifiers (device type, app version, device ID); (2) Internet or electronic network activity (anonymous analytics); (3) Commercial information (subscription status). You have the right to know, delete, and correct your personal information. To exercise these rights, email us at support@spatom.com or visit our Delete Data page.

8. Children's Privacy

Our App is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@spatom.com. If we learn that we have collected personal information from a child under 13, we will delete that information promptly.

9. Changes to This Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the bottom of this policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.