DESTINYPAL · LEGAL
Privacy Policy
Contents
- 1. Overview
- 2. Information We Collect
- 3. How We Collect Information
- 4. How We Use Information
- 5. Data Retention
- 6. Sharing and Third Parties
- 7. International Data Transfers
- 8. Your Privacy Rights
- 9. Cookies and Tracking
- 10. Data Security
- 11. Children's Privacy
- 12. Data Controller, Privacy Officer, and Complaints
- 13. Google AdSense
- 14. Changes to this Policy
§ 01
1. Overview
DestinyPal ('we', 'us', 'our') is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information. We aim to comply with applicable laws, including PIPA (Korea), the GDPR (EU), the CCPA (California), and other relevant regulations.§ 02
2. Information We Collect
Account: Google OAuth profile information (email, display name, profile image). We do NOT collect or store passwords — authentication is handled exclusively via Google OAuth. Authentication: OAuth tokens are encrypted at rest and are used only to maintain your login session. Payment: transaction IDs and billing information are processed by Stripe. We never store full card numbers. Service Data: the birth date, time, and location, along with any other inputs you provide for astrology, saju, tarot, and other readings. Chat and reading messages exchanged with the AI counselors, together with the AI-generated responses, are stored to preserve your history. If you submit information about another person (for example, a partner’s birth information for compatibility or couple readings, or shared session data), you confirm that you have obtained their informed consent for us to receive and process such information. Uploaded Images: profile and matching photos that you choose to upload are stored on Firebase Storage. AI Model Training: we do NOT use your inputs or AI responses to train AI models. The Anthropic Claude API used for readings operates under a commercial agreement that excludes API customer data from training. Technical: IP address, browser and device information, OS, cookies, logs. Communications: support tickets, feedback, and correspondence with us.
§ 03
3. How We Collect Information
Direct: information you provide during signup, purchase, or service use. Automatic: cookies, web beacons, and analytics tools (disabled until you consent) track usage patterns and technical data. Third Parties: payment processors (Stripe), authentication providers (Google OAuth), and analytics/advertising (Google AdSense). AdSense and Analytics are blocked until you consent via our CMP.
§ 04
4. How We Use Information
Service Delivery: providing astrology, saju, tarot, and other readings. [Legal basis (GDPR Art.6): performance of a contract] Account & Billing: authenticating users and processing payments. [Performance of a contract] Communication — service notices and support. [Performance of a contract] Communication — marketing. [Consent — Art.6(1)(a); withdrawable at any time] Improvement: analyzing usage to improve features and UX. [Consent (analytics cookies)] Compliance & Safety: fraud prevention, legal obligations, and Terms enforcement. [Legal obligation / legitimate interest] Advertising: personalized ads via Google AdSense. [Consent — blocked until you accept]
§ 05
5. Data Retention
On account deletion we destroy your data without delay, except where statute requires longer retention. Itemized: - Account profile, display name, and email: deleted immediately on account deletion. - Birth info, chat/reading records, and uploaded images: deleted immediately on account deletion (you may also delete individual chats or sessions earlier). - Payment and transaction records: 5 years (Korean E-Commerce Act §6 / tax records). - Records on contracts and withdrawal: 5 years (E-Commerce Act §6). - Records on consumer complaints or dispute resolution: 3 years (E-Commerce Act §6). - Display and advertising records: 6 months (E-Commerce Act §6). - Server access logs: 3 months (Communications Privacy Act §15-2). - Marketing consent settings: until consent is withdrawn.
§ 07
7. International Data Transfers
Data may be processed outside your country (primarily the US). We apply safeguards such as Standard Contractual Clauses (SCC), Data Processing Agreements (DPA), and standard security measures regardless of location. Per Korean PIPA Article 28-8, transfers to overseas processors are summarized as follows (recipient / country / items / method / period): - Vercel Inc. / US / account info, IP, request logs, application data / via TLS over the public internet, continuous / retained while account is active and per retention schedule above - Anthropic PBC / US / user input messages and birth context for AI reading generation / via TLS HTTPS API call, real-time per request / not retained by Anthropic for training; transient processing only - Stripe, Inc. / US / payment-related identifiers and billing info / via TLS HTTPS API, per checkout / 5 years per E-Commerce Act - Google LLC (OAuth) / US / OAuth profile info / via TLS HTTPS, per login / retained while account is active - Neon / Vercel Postgres / US / all stored application data / via TLS, continuous / per retention schedule above - Google LLC (Firebase Storage) / US / uploaded image files / via TLS HTTPS, per upload / retained while account is active - Sentry / US / error logs (may include partial request metadata) / via TLS HTTPS, on error / up to 90 days - Resend / US / recipient email and message body for transactional mail / via TLS HTTPS API, per send / retained per Resend's data policy
§ 08
8. Your Privacy Rights
You may request: access, correction, deletion, restriction, portability (GDPR), objection, and consent withdrawal. Contact: rheeco88@gmail.com. Response time: within 10 days (Korean residents — PIPA), within 30 days (other regions). Data portability requests are fulfilled by email export in a machine-readable format on request. GDPR: right to complain to an EU supervisory authority. CCPA: California users may exercise access, deletion, and opt-out rights; we do not sell or share personal information for cross-context behavioral advertising. We will not discriminate against you (e.g., deny service, charge different prices, provide a lower quality of service) for exercising your CCPA rights — "Right to Non-Discrimination" (Cal. Civ. Code §1798.125).
§ 10
10. Data Security
Safeguards: TLS/SSL in transit, encryption at rest (e.g., AES-256 where supported), role-based access controls, MFA for staff, monitoring, secure cloud infrastructure, Stripe PCI-DSS Level 1 for payments, periodic security reviews, and incident response procedures. No system is 100% secure; please protect your credentials.
§ 11
11. Children's Privacy
Sign-up is restricted to users aged 14 or above (or 16 or above where the applicable jurisdiction sets a higher digital-consent age, such as parts of the EU). We do not knowingly collect personal information from anyone below the applicable age threshold. If we discover that an account belongs to such a child, we will delete the account and any associated data without undue delay. Parents or guardians who become aware of such an account may contact us at rheeco88@gmail.com for immediate removal.
§ 12
12. Data Controller, Privacy Officer, and Complaints
Data Controller: Paul Rhee (individual) Email: rheeco88@gmail.com Privacy Officer (개인정보 보호책임자, PIPA Art.31) - Name: Paul Rhee - Title: Operator (sole proprietor) acting as Privacy Officer - Email: rheeco88@gmail.com (primary channel for all privacy inquiries) - Phone: a dedicated privacy hotline will be posted here once business registration is completed; in the meantime, please use email — we respond within the statutory timelines below. EU Representative (GDPR Art.27): Not designated. DestinyPal is operated by a sole individual in Korea and does not currently meet the thresholds requiring a designated EU representative; we will appoint one if our processing of EU resident data reaches the levels described in GDPR Art.27. Response target: within 10 days for Korean residents (PIPA), within 30 days for other regions. Korean users — to report a privacy infringement or seek mediation, you may contact: - Personal Information Protection Commission (PIPC): privacy.go.kr / 1833-6972 - KISA Privacy Infringement Report Center: privacy.kisa.or.kr / 118 - Personal Information Dispute Mediation Committee: kopico.go.kr / 1833-6972 - Supreme Prosecutors' Office Cybercrime Center: spo.go.kr / 1301 - National Police Agency Cyber Bureau: ecrm.police.go.kr / 182 EU users: right to lodge a complaint with your local data protection authority. California users: CCPA rights may be exercised via the email above.
§ 13
13. Google AdSense
We use AdSense to display ads. Google may use cookies and identifiers to serve and measure ads and to prevent fraud. AdSense loads only after you consent. You may opt out of personalized ads at https://www.google.com/settings/ads. See the Google Privacy Policy for details.
§ 14
14. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes take effect after notice (7 days for minor changes, 30 days for significant changes). Continued use after the effective date constitutes acceptance. Last Updated: 2026-05-27