Does Deep Oracle sell my data?

No. We do not sell your personal data to any third party. Our subprocessors (Supabase, Stripe, PostHog, Resend, AI providers, Vercel) exist solely to deliver the service itself.

Is my raw birth data sent to AI providers?

No. Our deterministic oracle engine computes the full chart structure (BaZi pillars, ten gods, spirit stars, etc.) on our servers first. AI models receive only the computed structure plus your age, gender, and birth year. Your raw birth date, time, and location are never sent to AI providers.

How long do you keep my readings?

While your account is active. After account deletion, readings are permanently purged within 30 days. Public share links (/share/[token]) auto-expire after 90 days.

Can I delete my account?

Yes. Email support@deeporacle.ai with "PRIVACY — Account Deletion" in the subject line. We will process the request within 30 days. Financial transaction records (purchases, subscriptions) are retained for 7 years per tax requirements.

Privacy

Privacy Policy

Last updated: April 20, 2026

Information We Collect

Using this service, you may provide or we may collect: (1) Account information — email address, hashed password (or Google OAuth credential), login times, account language preference; (2) Chart data — birth date, time, location, gender that you voluntarily submit; (3) Reading history — chart structures and full AI-generated readings for logged-in users; (4) Payment information — subscription/purchase product IDs and amounts (full card details are handled by Stripe directly; we do not receive them); (5) Feedback and communication — content you submit via the feedback form or email; (6) Usage data — IP address (for rate-limiting only, auto-purged after 90 days), page views, click events (via PostHog analytics); (7) Cookies — Supabase authentication cookies (functionally required) and PostHog analytics cookies.

Our Subprocessors

Supabase (account and database hosting · AWS eu-west-2 London) · Stripe (payment processing · EU/US region, under Standard Contractual Clauses) · PostHog (product analytics · PostHog Cloud EU, eu.i.posthog.com) · Resend (transactional email via Supabase SMTP routing · eu-west-1 Ireland) · Anthropic / OpenAI / DeepSeek / Google (AI reading generation · subject to their own privacy policies; API inputs are not used for model training) · Vercel (platform hosting · EU region, London or Frankfurt). See the per-subprocessor data-flow breakdown below.

AI Model Data Processing

**Important architectural note**: we do NOT send your raw birth data (full date, time, location) to any AI model provider. Our deterministic oracle calculation engine computes the full chart structure on our servers first, then sends only the computed chart (BaZi pillars, ten gods, spirit stars, etc.) to an AI model to write the interpretation. Providers receive: your age (integer), gender, birth year, Day Master character, computed chart structure, and — if you submitted a question — your question text. Once the AI delivers the reading, providers retain API-input logs per their own defaults (typically 30 days). **Payment-time exception**: when you initiate a purchase from a specific chart page, the chart structure for that purchase is attached to the Stripe Checkout session metadata so we can link the payment to the correct chart after completion. See the Stripe data flow in Section 2.

Retention Periods

Share links: auto-expire and delete after 90 days; reading history (logged-in users): retained while account is active, permanently deleted at the end of the 30-day grace period following account deletion; purchase and subscription records: 7 years, to satisfy tax and dispute-resolution requirements; credit ledger: 7 years; usage/rate-limit records: 90 days (including anonymous users' IP addresses); feedback: 3 years or 1 year after resolution; PostHog events: 13 months (standard); Resend email logs: 90 days; AI provider logs: provider defaults (typically 30 days); Vercel access logs: Vercel default (typically 30 days).

Your Rights

You have the following rights over your personal data: **Access** (request a copy of data we hold about you), **Correction** (request that inaccurate data be fixed), **Deletion** (available as self-service via account settings; fall back to email if self-service is unavailable), **Portability** (export your data in a machine-readable format), **Restriction or Objection** (limit specific processing activities), **Withdraw consent** (revoke any consent you previously gave). **Account deletion**: deletion is self-service and enters a 30-day grace period; during that window, logging back in cancels the deletion. At the end of the grace period, your account, reading history, share links, and feedback are permanently purged (financial transaction records are retained separately for 7 years per tax requirements). **For other rights**: email support@deeporacle.ai with "PRIVACY" in the subject line. We respond within 30 days (GDPR standard).

Regional Compliance

**If you are in the UK, EU, or EEA**: these rights are granted under GDPR. You also have the right to lodge a complaint with your local data protection authority (e.g. ICO in the UK). **If you are in California**: these rights are granted under CCPA. You additionally have the right to opt out of the sale of personal information (Deep Oracle does not sell personal information) and the right to non-discrimination for exercising these rights. **If you are in mainland China**: these rights are granted under PIPL. Your data is processed outside mainland China via the subprocessors listed above; by creating an account or submitting birth data, you consent to this cross-border transfer.

Data Security and Breach Notification

All communication between client and server is encrypted via HTTPS. Authentication uses Supabase's standard OAuth and password-hashing mechanisms. Error tracking runs through Sentry (no personal data captured). In the event of a data breach affecting your personal data, we will notify you by email within 72 hours of becoming aware, per GDPR Article 33.

Policy Updates and Contact

This policy may be updated from time to time. Non-material changes take effect upon publication. For material changes affecting how we process personal data, we will request explicit re-consent via email or on-site notification. For privacy questions or to exercise your rights, email support@deeporacle.ai with "PRIVACY" in the subject line.