Privacy Policy
Last updated: March 19, 2026
arcanamaze ("we," "us," or "our") operates the arcanamaze service (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.
We are based in Japan. If you are located in the European Economic Area (EEA), United Kingdom, California, or other jurisdictions with specific data protection laws, please see the region-specific sections below for additional information about your rights.
1. Information We Collect
Account Information
- Email address (when creating an account)
- Password (stored only as a bcrypt hash, not in plain text; we cannot view your original password)
- Display name (optional)
Service Usage Data
- Daily oracle records (cards drawn, mood records, notes)
- Full reading records (spreads, questions, card placements, notes)
- AI reading usage logs (frequency and timing of use)
Automatically Collected Data
- Access logs (IP address, browser information, access timestamps)
- Anonymized analytics data via Google Analytics
SNS Authentication Information (if applicable)
- Minimum information required for authentication (provider ID, email address)
- We do not store your SNS profile information
2. How We Use Your Information and Legal Basis
We use the collected information for the following purposes. For users in the EEA/UK, the legal basis under GDPR for each purpose is noted.
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing, operating, and maintaining the Service | Performance of contract |
| Managing and authenticating user accounts | Performance of contract |
| Data backup and cross-device synchronization | Performance of contract |
| Responding to user support inquiries | Legitimate interest |
| Improving the Service and developing new features | Legitimate interest |
| Creating statistical data and analysis (non-identifiable) | Legitimate interest |
| Anonymized data utilization (see Section 5) | Legitimate interest / Consent |
| Detecting and preventing unauthorized use | Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Sending service-related communications | Legitimate interest |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 6).
3. Third-Party Sharing
We do not sell your personal information. We share personal information only in the following cases:
Service Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Google (Google Analytics) | Access analytics | Anonymized access data | United States |
| AI API Provider (OpenAI) | AI reading generation | Question text and card placement only (no personal identifiers) | United States |
| Payment processor (Paddle) | Payment processing | Email address and payment information | United Kingdom |
- When sending data to AI APIs, we never include personally identifiable information such as user IDs or email addresses
- Payment information (credit card numbers, etc.) is not stored on our servers
- We do not sell or share your personal information for cross-context behavioral advertising
Legal Requirements
We may disclose information when required to do so by law or in response to valid legal process.
4. Data Storage, Retention, and Deletion
Where Your Data is Stored
- Browser (IndexedDB): Data is stored locally on your device
- Server: Located in Japan. Japan has been granted an adequacy decision by the European Commission, meaning data transfers from the EEA to Japan are considered to provide an adequate level of data protection
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Daily oracle / reading records | Until account deletion |
| AI reading usage logs | Until account deletion |
| Access logs | 12 months |
| Anonymized statistical data | Indefinite (non-identifiable) |
Deletion
- Account deletion: All personal data stored on our servers is permanently deleted within 30 days
- Browser data: You can delete local data through your browser settings or in-app settings
- Backups: Removed from server backups within 90 days of account deletion
5. Anonymized Data Utilization
We may use data entered by users (oracle records, mood records, notes, etc.) in anonymized, non-personally identifiable form for the following purposes:
- Service improvement and new feature development
- Creating statistical data and analysis (e.g., card frequency trends, mood distributions)
- Training and improving AI (artificial intelligence) models
- Research purposes
How We Anonymize Data
- User IDs, email addresses, and display names are completely removed
- Dates are converted to relative values so that individual behavior patterns cannot be identified
- Individual reading records are never published as-is
- Aggregation is only performed on sufficiently large datasets
Anonymized Data and Account Deletion
After account deletion, we stop further use of your data. However, data that has already been anonymized and aggregated at the time of deletion cannot be attributed to any individual and is therefore excluded from deletion, as it no longer constitutes personal data.
6. Your Rights
All users have the following rights:
- Access: View your records anytime within the app
- Export / Portability: Download your data in a machine-readable format (JSON)
- Deletion: Delete all personal data by deleting your account
- Withdraw consent: Stop data usage by deleting your account
Additional Rights for EEA/UK Residents (GDPR)
If you are located in the EEA or UK, you also have the right to:
- Rectification: Request correction of inaccurate personal data
- Restriction: Request that we restrict processing of your personal data
- Object: Object to processing based on legitimate interest, including for AI training purposes
- Lodge a complaint: File a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at the European Data Protection Board website
To exercise any of these rights, please use our contact form. We will respond within 30 days.
Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know: Request what personal information we have collected about you
- Delete: Request deletion of your personal information
- Non-discrimination: We will not discriminate against you for exercising your privacy rights
- Do Not Sell or Share: We do not sell your personal information or share it for cross-context behavioral advertising
We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.
7. International Data Transfers
Your personal data is processed and stored on servers located in Japan. If you are located outside Japan:
- EEA/UK users: Japan has received an adequacy decision from the European Commission, providing appropriate safeguards for data transfers
- Other jurisdictions: By using the Service, you consent to the transfer of your data to Japan, where data protection laws may differ from those in your country
8. Cookies and Local Storage
The Service uses the following cookies and local storage:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| auth_token | Cookie (HttpOnly) | Maintaining login state | 30 days |
| arcanamaze_theme | localStorage | Saving theme preference | Indefinite |
| Google Analytics | Cookie | Access analytics | Per Google's terms |
You can manage cookie preferences through your browser settings. Disabling cookies may affect the functionality of the Service.
9. Handling of Divination Records
Divination records (cards, mood, notes) may relate to personal beliefs and thoughts. Under GDPR, this may constitute special category data. We handle this data with particular care:
- We do not share divination records with third parties without your explicit consent
- When sending data to AI APIs, we ensure it is in non-personally identifiable form
- Statistical use is only performed after complete anonymization
- We process this data only with your explicit consent, obtained at account registration
10. Security
We implement the following measures to protect your personal information:
- Password hashing (bcrypt)
- Communication encryption (HTTPS/TLS)
- Secure authentication token management (HttpOnly Cookies)
- Protection against unauthorized access (rate limiting, SQL injection prevention)
- Regular security reviews
While we implement reasonable safeguards, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
11. Children's Privacy
- United States (COPPA): The Service is not directed at children under 13
- EEA/UK (GDPR): The Service is not intended for users under 16 without parental consent
- Other jurisdictions: The Service requires users to meet the minimum age of digital consent in their jurisdiction
If we learn that we have collected personal data from a child below the applicable age without proper consent, we will delete that data promptly.
12. Changes to This Policy
We may update this Policy due to changes in laws or improvements to the Service. For significant changes:
- We will notify users within the Service and/or by email at least 14 days before the changes take effect
- Continued use of the Service after changes take effect constitutes acceptance of the updated Policy
- Where required by law, we will obtain your consent before applying changes
13. Contact and EU Representative
For inquiries regarding the handling of personal information:
Please use our contact form.
For EEA/UK users, if we are required to appoint a representative under GDPR Article 27, details will be published here.
For data protection inquiries, we aim to respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.