Privacy Policy

Effective date: 2026-05-27

1. Overview

DestinyPal ('we', 'us', 'our') is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information. We aim to comply with applicable laws including PIPA (Korea), GDPR (EU), CCPA (California), and other relevant regulations.

2. Information We Collect

Account: Google OAuth profile (email, display name, profile image). We do NOT collect or store passwords — authentication is exclusively via Google OAuth.
Authentication: OAuth tokens encrypted at rest; used only to maintain your login session.
Payment: Transaction IDs and billing info processed by Stripe; we never store full card numbers.
Service Data: Birth date/time/location and inputs you provide for astrology, saju, tarot, and other readings; chat/reading messages exchanged with the AI counselors and the AI-generated responses are stored to keep your history. If you submit information about another person (e.g., birth information of a partner for compatibility or couple readings, or shared session data), you confirm that you have obtained their informed consent for us to receive and process such information.
Uploaded Images: Profile and matching photos you choose to upload are stored on Firebase Storage.
AI Model Training: We do NOT use your inputs or AI responses to train AI models. The Anthropic Claude API used for readings is operated under a commercial agreement that excludes API customer data from training.
Technical: IP, browser/device info, OS, cookies, logs.
Communications: Support tickets, feedback, correspondence.

3. How We Collect Information

Direct: Information you provide during signup, purchase, or service use.
Automatic: Cookies, web beacons, and analytics tools (disabled until consent) track usage patterns and technical data.
Third Parties: Payment processors (Stripe), authentication providers (Google OAuth), analytics/advertising (Google AdSense). AdSense/Analytics are blocked until you consent via our CMP.

4. How We Use Information

Service Delivery: Provide astrology/saju/tarot and other readings. [Legal basis (GDPR Art.6): performance of a contract]
Account & Billing: Authenticate users, process payments. [Performance of a contract]
Communication — service notices, support: [Performance of a contract]
Communication — marketing: [Consent — Art.6(1)(a); withdrawable at any time]
Improvement: Analyze usage to enhance features/UX. [Consent (analytics cookies)]
Compliance & Safety: Fraud prevention, legal obligations, Terms enforcement. [Legal obligation / legitimate interest]
Advertising: Personalized ads via Google AdSense. [Consent — blocked until you accept]

5. Data Retention

On account deletion we destroy your data without delay, except where statute requires longer retention. Itemized:
- Account profile / display name / email: deleted immediately on account deletion.
- Birth info, chat/reading records, uploaded images: deleted immediately on account deletion (the user can also delete individual chats or sessions earlier).
- Payment & transaction records: 5 years (Korean E-Commerce Act §6 / tax records).
- Records on contracts and withdrawal: 5 years (E-Commerce Act §6).
- Records on consumer complaints or dispute resolution: 3 years (E-Commerce Act §6).
- Display/advertising records: 6 months (E-Commerce Act §6).
- Server access logs: 3 months (Communications Privacy Act §15-2).
- Marketing consent settings: until consent is withdrawn.

6. Sharing and Third Parties

We do NOT sell personal information. We share only with service providers (processors) used to operate the service:
- Vercel Inc. (hosting, edge runtime, deployment) — US
- Anthropic PBC (Claude AI for readings) — US
- Stripe, Inc. (payment processing, PCI-DSS Level 1) — US
- Google LLC (OAuth authentication, optional AdSense after consent) — US
- Database hosting provider for Postgres (Neon / Vercel Postgres) — US
- Google LLC — Firebase Storage (image uploads for profile/matching photos) — US
- Sentry (error monitoring, if enabled) — US
- Resend (transactional email delivery) — US
Legal: when required by law/court/government.
Business transfers: in mergers/acquisitions (with notice).
Advertising partners: Google AdSense may use cookies; opt out at https://www.google.com/settings/ads.

7. International Data Transfers

Data may be processed outside your country (primarily the US). We apply safeguards such as Standard Contractual Clauses (SCC), Data Processing Agreements (DPA), and standard security measures regardless of location.

Per Korean PIPA Article 28-8, transfers to overseas processors are summarized as follows (recipient / country / items / method / period):
- Vercel Inc. / US / account info, IP, request logs, application data / via TLS over the public internet, continuous / retained while account is active and per retention schedule above
- Anthropic PBC / US / user input messages and birth context for AI reading generation / via TLS HTTPS API call, real-time per request / not retained by Anthropic for training; transient processing only
- Stripe, Inc. / US / payment-related identifiers and billing info / via TLS HTTPS API, per checkout / 5 years per E-Commerce Act
- Google LLC (OAuth) / US / OAuth profile info / via TLS HTTPS, per login / retained while account is active
- Neon / Vercel Postgres / US / all stored application data / via TLS, continuous / per retention schedule above
- Google LLC (Firebase Storage) / US / uploaded image files / via TLS HTTPS, per upload / retained while account is active
- Sentry / US / error logs (may include partial request metadata) / via TLS HTTPS, on error / up to 90 days
- Resend / US / recipient email and message body for transactional mail / via TLS HTTPS API, per send / retained per Resend's data policy

8. Your Privacy Rights

You may request: access, correction, deletion, restriction, portability (GDPR), objection, and consent withdrawal. Contact: support@destinypal.com.
Response time: within 10 days (Korean residents — PIPA), within 30 days (other regions). Data portability requests are fulfilled by email export in a machine-readable format on request.
GDPR: right to complain to an EU supervisory authority.
CCPA: California users may exercise access, deletion, and opt-out rights; we do not sell or share personal information for cross-context behavioral advertising. We will not discriminate against you (e.g., deny service, charge different prices, provide a lower quality of service) for exercising your CCPA rights — "Right to Non-Discrimination" (Cal. Civ. Code §1798.125).

9. Cookies and Tracking

Uses: essential (login/security), analytics (after consent), advertising (AdSense after consent), preferences.
Control cookies via browser settings; disabling may limit features.
AdSense/Analytics load only after consent via our CMP; personalized ads can be managed at Google Ads Settings.

10. Data Security

Safeguards: TLS/SSL in transit, encryption at rest (e.g., AES-256 where supported), role-based access, MFA for staff, monitoring, secure cloud, Stripe PCI-DSS Level 1 for payments, periodic security reviews, incident response.
No system is 100% secure; protect your credentials.

11. Children's Privacy

Sign-up is restricted to users aged 14 or above (or 16 or above where the applicable jurisdiction sets a higher digital-consent age, such as parts of the EU). We do not knowingly collect personal information from anyone below the applicable age threshold. If we discover that an account belongs to such a child, we will delete the account and any associated data without undue delay. Parents or guardians who become aware of such an account may contact us at support@destinypal.com for immediate removal.

12. Data Controller, Privacy Officer, and Complaints

Data Controller: Paul Rhee (individual)
Email: support@destinypal.com

Privacy Officer (개인정보 보호책임자, PIPA Art.31)
- Name: Paul Rhee
- Title: Operator (sole proprietor) acting as Privacy Officer
- Email: support@destinypal.com (primary channel for all privacy inquiries)
- Phone: a dedicated privacy hotline will be posted here once business registration is completed; in the meantime, please use email — we respond within the statutory timelines below.

EU Representative (GDPR Art.27): Not designated. DestinyPal is operated by a sole individual in Korea and does not currently meet the thresholds requiring a designated EU representative; we will appoint one if our processing of EU resident data reaches the levels described in GDPR Art.27.

Response target: within 10 days for Korean residents (PIPA), within 30 days for other regions.

Korean users — to report a privacy infringement or seek mediation, you may contact:
- Personal Information Protection Commission (PIPC): privacy.go.kr / 1833-6972
- KISA Privacy Infringement Report Center: privacy.kisa.or.kr / 118
- Personal Information Dispute Mediation Committee: kopico.go.kr / 1833-6972
- Supreme Prosecutors' Office Cybercrime Center: spo.go.kr / 1301
- National Police Agency Cyber Bureau: ecrm.police.go.kr / 182

EU users: right to lodge a complaint with your local data protection authority.
California users: CCPA rights may be exercised via the email above.

13. Google AdSense

We use AdSense to show ads. Google may use cookies/IDs to serve and measure ads and prevent fraud. AdSense loads only after consent. Opt out of personalized ads at https://www.google.com/settings/ads. See Google Privacy Policy for details.

14. Changes to this Policy

We may update this Privacy Policy. Material changes take effect after notice (7 days for minor, 30 days for significant). Continued use after the effective date means acceptance.
Last Updated: 2026-05-27