Privacy Policy
Last updated: 2026-03-20
1. Data Controller
The controller of your personal data is MAGNET MEDIC Tomasz Fiedoruk, ul. Dworcowa 19, 78-550 Czaplinek, Poland (NIP: PL2530148533, REGON: 331412634). For data protection inquiries, contact: aimag.me/contact.
2. What Data We Collect
As part of providing the service, we collect the following data:
- Email address — required for account creation and login.
- Tarot readings — questions, drawn cards, and generated interpretations, stored on the user account.
- Usage data — number of readings per day, last login date, language preferences.
- Preferences — chosen language (PL/EN), display settings.
- Payment data — processed exclusively by Stripe. We do not store card numbers or payment data on our servers.
- Authentication data — if you sign in via Google or Apple, we receive your name and profile photo from that provider. We do not receive or store your password from third-party providers.
3. Purpose and Legal Basis for Processing
We process your data on the following legal bases:
- Consent (Art. 6(1)(a) GDPR) — given during account registration, specifically for processing data to provide the service.
- Performance of a contract (Art. 6(1)(b) GDPR) — necessary to provide the tarot reading service and maintain your account.
- Legitimate interest of the controller (Art. 6(1)(f) GDPR) — usage analytics to improve the service, abuse prevention.
- Third-party authentication — processing is based on your consent when you choose to sign in via Google or Apple (Art. 6(1)(a) GDPR).
4. Data Retention Period
- Anonymous readings (without an account) — automatically deleted after 30 days.
- Account data — stored until the account is deleted by the user. After deletion, data is removed within 30 days.
- Billing data — stored in accordance with tax law requirements (5 years from the end of the year in which the transaction was made).
5. Your Rights
Under GDPR, you have the following rights:
- Right of access — you can ask what data we process about you.
- Right to rectification — you can request correction of inaccurate data.
- Right to erasure ("right to be forgotten") — you can request deletion of your data.
- Right to data portability — you can download your data in JSON format.
- Right to restriction of processing — you can request restriction of processing in certain situations.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to object — you can object to the processing of your data based on legitimate interests (Art. 21 GDPR). We will stop processing unless we have compelling legitimate grounds.
- Right to lodge a complaint — you can file a complaint with a supervisory authority (in Poland: Prezes UODO, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl; or your local Data Protection Authority).
6. Cookies
We only use essential cookies: a session cookie (PHPSESSID) to maintain your login session and a language preference cookie. We do not use advertising, tracking, or analytics cookies. Analytics (Plausible) operates without cookies.
7. Third Parties
Your data may be shared with the following third parties:
- Plausible Analytics — anonymous traffic analytics. Does not collect personal data, does not use cookies, GDPR compliant without user consent.
- NVIDIA API (NIM) — prompts (questions) are sent to the NVIDIA API to generate interpretations. NVIDIA processes data according to its own privacy policy.
- Stripe — processes payments. Payment data is sent directly to Stripe and is not stored on our servers.
- OpenRouter Inc. — AI model routing service. Prompts may be routed through OpenRouter to access various language models. OpenRouter processes data according to its own privacy policy.
- Anthropic PBC — AI inference provider (Claude models). Prompts may be processed by Anthropic when Claude models are used as fallback. Anthropic processes data according to its own privacy policy.
8. Contact
For data protection inquiries, you can contact us at: aimag.me/contact. We respond to inquiries within 30 days.
9. International Data Transfers
Some of your data may be transferred to and processed in the United States by our service providers: NVIDIA Corporation (AI model inference), Stripe Inc. (payment processing), and Cloudflare Inc. (CDN and security). These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission and/or the service providers' participation in applicable data protection frameworks. We do not sell your personal data to any third party.
10. California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA/CPRA) grants you additional rights: the right to know what personal information we collect and how it is used; the right to request deletion of your personal information; the right to opt out of the sale of personal information — we do not sell your personal information; the right to non-discrimination for exercising your privacy rights. To exercise these rights, contact us at aimag.me/contact. We do not sell, share, or use personal information for cross-context behavioral advertising.
11. Automated Decision-Making
Our service uses artificial intelligence (AI) to generate tarot card interpretations. This constitutes automated processing but does not produce legal effects or similarly significantly affect you, as the interpretations are provided for entertainment and personal reflection purposes only. You are not subject to decisions based solely on automated processing that produce legal effects. You have the right to object to processing based on legitimate interest (Art. 21 GDPR) — contact us at aimag.me/contact.
12. Children's Privacy
Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at aimag.me/contact and we will promptly delete such data.
13. Security Monitoring and Fraud Prevention
To protect our Service and users from fraudulent activity, abuse, and unauthorized access, we process certain technical data on the basis of our legitimate interests (Article 6(1)(f) GDPR). Data processed for security purposes includes:
- IP addresses associated with account access and transactions (retained for up to 90 days, then anonymized or deleted);
- technical identifiers derived from HTTP request headers (retained for up to 90 days);
- timestamps and frequency of service interactions;
- country of access derived from IP address;
- email domain used for registration to identify disposable or high-risk email providers.
Our systems may automatically suspend accounts where fraudulent activity is detected. In such cases, you will receive an email notification within 24 hours and may appeal by contacting us at aimag.me/contact. Appeals are reviewed by a human within 5 business days. You have the right to request human intervention, express your point of view, and contest the decision (Article 22(3) GDPR). We do not use JavaScript-based device fingerprinting beyond what is strictly necessary to provide the Service.
14. Service Analytics
We analyze aggregated usage patterns (such as frequency of service use, session duration, and navigation behavior) for the purposes of improving the Service and detecting abnormal usage patterns that may indicate fraud or abuse. This analysis is conducted on the basis of our legitimate interests (Article 6(1)(f) GDPR) and does not involve automated decision-making with legal effects without human review. We use Plausible Analytics, a privacy-preserving analytics tool that does not use cookies and does not perform cross-site tracking.
15. Mobile Application
Our Android application available on Google Play ("AI Tarot Reading — aiMag.me") is a Trusted Web Activity (TWA) — a lightweight wrapper that opens our website (aimag.me) in a fullscreen browser view. The app does not collect any additional data beyond what is described in this Privacy Policy. All data processing occurs through our website as described above. The app does not use Google Play Billing; all payments are processed through Stripe as described in Section 7.