Privacy Policy

Last updated: April 24, 2026

This Privacy Policy describes what personal data Soul Mirror ("we", "us") collects, why we collect it, how we use and share it, and what rights you have. We take privacy seriously and collect only what we genuinely need to deliver the service.

1. What We Collect

We collect the following categories of personal data:

  • Quiz answers. The 12 answers you provide during the self-discovery quiz.
  • Birth data (optional). Date, time, and place of birth, if you choose to provide them for a more personalized reading.
  • Email address. Required to deliver the reading you purchase.
  • Purchase data. Transaction metadata from our payment processor (Lemon Squeezy / Stripe): order ID, country of billing address, currency, amount, timestamp. We do not receive or store your full credit card information — that is handled entirely by our payment processor.
  • Technical data. When you visit the site, your browser automatically sends information such as IP address, browser type, referrer URL, and timestamps. We use this only for security, debugging, and aggregate analytics.

2. Why We Collect It (Legal Bases)

Under GDPR (if applicable to you):

  • Performance of a contract — we process your quiz answers, birth data, and email to deliver the reading you purchased.
  • Legitimate interest — we use technical data for security, fraud prevention, and service improvement.
  • Consent — if you opted in to receive occasional product updates (separate checkbox during quiz), we process your email for that purpose until you unsubscribe.
  • Legal obligation — we retain transaction records as required by tax and accounting law.

3. Who We Share It With

We share the minimum necessary data with the following processors, each under a Data Processing Agreement (DPA):

  • Lemon Squeezy (Stripe, Inc.) — payment processing. They receive your email, billing country, and IP.
  • Supabase — database hosting. All personal data you submit is stored on Supabase infrastructure (Singapore region).
  • Anthropic — AI model that generates your reading. We send your quiz answers and birth data (if provided) to Anthropic's API to produce the reading. Anthropic does not use this data to train its models, per its API terms.
  • Resend — email delivery. We send your email address and the reading content to Resend for delivery.
  • Vercel — web hosting. They handle HTTP requests and have incidental access to technical data.

We do not sell your personal data to third parties.

4. How Long We Keep Your Data

  • Quiz answers and birth data: stored with your order for as long as your reading is accessible to you (indefinitely, unless you request deletion).
  • Email address: stored for the duration of your relationship with us, plus 7 years for tax compliance.
  • Transaction records: 7 years (legal obligation).
  • Technical logs: 30 days.

5. Your Rights

Depending on where you live, you may have rights including:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — delete your data, subject to legal retention obligations.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to certain processing based on legitimate interest.
  • Withdraw consent — unsubscribe from product updates at any time.

To exercise any right, email privacy@soulmirror.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

6. Cookies and Tracking

We use only strictly necessary cookies and similar technologies: session storage to save your quiz progress, and first-party Vercel/Supabase cookies for security. We do not use third-party advertising cookies, Facebook Pixel, Google Analytics, or behavioral tracking.

7. International Transfers

Your data may be processed in countries outside your own (for example, Anthropic processes requests in the United States; Supabase stores data in Singapore). Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent legal mechanisms to ensure your data receives an equivalent level of protection.

8. Security

We take reasonable measures to protect your data: HTTPS encryption in transit, encryption at rest (via our hosting providers), access controls on our database, and separation of sensitive tokens (the payment processor handles all cardholder data directly). No online service is 100% secure; if a breach occurs affecting your data, we will notify you promptly as required by law.

9. Children's Privacy

Soul Mirror is intended for users aged 18 and over. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a minor, please contact us at privacy@soulmirror.app and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy occasionally. Material changes will be communicated via email or a notice on the site. The "Last updated" date at the top reflects the latest revision.

11. Contact

Questions or requests about this policy: privacy@soulmirror.app.