Drawn Fate — Privacy Policy

Effective Date: March 7, 2026


This Privacy Policy describes how Drawn Fate ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website at www.drawnfate.com and our related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

We are committed to transparency about how we handle your data and to protecting your privacy. Please read this policy carefully. If you do not agree with its terms, please do not use the Service.


1. Information We Collect

1.1 Information You Provide Directly

When you create an account, place an order, or interact with the Service, we may collect the following information:

  • Account information: Your name, email address, and account credentials.
  • Design prompts: The text prompts you submit to generate custom tarot card imagery. These prompts are stored in association with your account to enable deck creation and order fulfillment.
  • Order and shipping information: Your mailing address and phone number (if provided) for physical deck delivery.
  • Payment information: Payment details processed securely through Stripe. We do not store your full credit card number on our servers.
  • Communications: Any messages, feedback, or support inquiries you send to us.

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

  • Device and browser information: Device type, operating system, browser type, screen resolution, and language preferences.
  • Usage data: Pages visited, features used, time spent on pages, and interaction patterns.
  • Log data: IP address, access timestamps, referring URLs, and error logs.
  • Analytics data: Aggregated usage statistics collected through our analytics providers (described further in Section 5).

1.3 Information from Third Parties

We may receive limited information from third-party services we integrate with, such as payment confirmation data from our payment processor or delivery status updates from our fulfillment partner.


2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide and maintain the Service, including generating your custom tarot card imagery using AI and fulfilling physical deck orders.
  • To process transactions and send related information, including purchase confirmations, invoices, and shipping notifications.
  • To communicate with you, including responding to your inquiries, providing customer support, and sending service-related updates.
  • To improve the Service by analyzing usage patterns, diagnosing technical issues, and developing new features.
  • To protect the Service by detecting and preventing fraud, abuse, and security incidents, including through automated bot protection.
  • To comply with legal obligations and enforce our terms of service.

3. AI-Generated Content and Your Prompts

Drawn Fate uses artificial intelligence to generate custom tarot card imagery based on the text prompts you provide. Here is how we handle that data:

  • Your prompts are sent to our AI generation provider to produce images. We do not use your prompts to train AI models.
  • Generated images are stored in our cloud infrastructure and associated with your account for the purpose of order fulfillment.
  • We retain your prompts and generated images for as long as your account is active or as needed to fulfill orders. You may request deletion at any time (see Section 9).
  • We do not sell, license, or share your prompts or generated artwork with third parties except as necessary to fulfill your order (e.g., sending print-ready files to our printing partner).

4. Third-Party Service Providers

We share your information with the following categories of third-party service providers, solely to operate and improve the Service:

  • Stripe (Payment Processing): Processes your payment transactions securely. Stripe collects and handles your payment card information in accordance with PCI-DSS standards. See Stripe's privacy policy at stripe.com/privacy.
  • Print-on-demand fulfillment provider: Receives print-ready card files and your shipping address to manufacture and deliver your physical tarot deck.
  • Cloud hosting and database provider: Hosts our application and stores generated images on secure, encrypted servers.
  • AI image generation provider: Processes your text prompts to generate tarot card imagery. Prompts are transmitted for processing and are not retained by the provider for model training.
  • Web hosting and analytics provider (Plausible Analytics): Provides cookie-free, privacy-focused website analytics. Plausible does not use cookies, does not collect personal data, and does not track visitors across sites. All analytics data is aggregated and no individual visitor profiles are created. See Plausible's data policy at plausible.io/data-policy.
  • Security and CDN provider: Provides bot protection and content delivery services to secure the Service and improve performance.

We require all third-party providers to handle your data in accordance with applicable privacy laws and only for the purposes for which we disclose it to them.


5. Cookies and Tracking Technologies

The Service uses cookies and similar tracking technologies to provide functionality, analyze usage, and enhance your experience.

5.1 Types of Cookies We Use

  • Essential cookies: Required for the Service to function, including session management and authentication.
  • Security cookies: Used by our security provider to distinguish human users from automated bots.

We do not use analytics cookies. Our analytics provider (Plausible Analytics) operates without cookies and does not collect or store any personal data.

5.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service. Because we do not use analytics cookies or other non-essential tracking cookies, no cookie consent banner is required for analytics purposes.

5.3 Do Not Track

We respect user privacy by design. Our analytics solution does not track individual visitors, does not use cookies, and does not collect personal data — making it inherently compliant with Do Not Track preferences.


6. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • Encryption of data in transit using TLS/SSL protocols.
  • Encryption of sensitive data at rest within our database infrastructure.
  • Secure authentication and access control mechanisms.
  • Regular security assessments of our infrastructure and third-party integrations.
  • Bot protection to prevent unauthorized automated access.

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.


7. Data Retention

We retain your personal information for as long as necessary to provide the Service, fulfill orders, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account data is retained for the duration of your active account and for a reasonable period thereafter to comply with legal and business obligations.
  • Design prompts and generated images are retained while your account is active and for up to 90 days after account deletion to allow for order fulfillment and dispute resolution.
  • Transaction records are retained as required by applicable tax and financial regulations.
  • Analytics data is retained in aggregated, anonymized form and is not subject to individual deletion requests.

8. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other jurisdictions where our service providers operate.

Where we transfer personal data outside the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or other legally recognized transfer mechanisms to ensure your data receives an adequate level of protection.


9. Your Privacy Rights

9.1 General Rights (All Users)

Regardless of your location, you may:

  • Access and review the personal information we hold about you.
  • Request correction of inaccurate personal information.
  • Request deletion of your personal information, subject to legal retention requirements.
  • Opt out of marketing communications at any time by using the unsubscribe link in any email or contacting us directly.

9.2 European Economic Area, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including:

  • Right of access: Obtain confirmation of whether we process your personal data and receive a copy of that data.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data under certain circumstances.
  • Right to restriction: Request that we limit processing of your personal data.
  • Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

Our legal bases for processing your data include: performance of a contract (e.g., fulfilling your orders), legitimate interests (e.g., improving the Service and preventing fraud), consent (e.g., for analytics cookies), and compliance with legal obligations.

You also have the right to lodge a complaint with your local data protection supervisory authority.

9.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: Request deletion of personal information we have collected from you.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell your personal information, share it for cross-context behavioral advertising, or use tracking cookies for advertising purposes.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

In the preceding 12 months, we have collected the categories of personal information described in Section 1. We do not sell personal information as defined under the CCPA/CPRA.

9.4 Other International Rights

If you are located in Brazil (LGPD), Canada (PIPEDA), Australia, or other jurisdictions with applicable data protection laws, you may have similar rights regarding access, correction, deletion, and portability of your personal data. We will honor such requests in accordance with applicable law.

9.5 Exercising Your Rights

To exercise any of your privacy rights, please contact us at privacy@drawnfate.com. We will respond to verified requests within 30 days (or as required by applicable law). We may need to verify your identity before fulfilling your request.


10. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on the Service with a revised "Effective Date" and, where appropriate, by sending you a notification via email. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.


12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Drawn Fate

Email: privacy@drawnfate.com

Website: www.drawnfate.com

For GDPR-related inquiries, you may also contact your local data protection supervisory authority.