Privacy policy

DestinyTara — Cultural Exploration and Personal Reflection Platform

Last updated: 2026-04-20

1. Data controller

DestinyTara
Monterrey, Nuevo Leon, Mexico
Privacy contact: privacy@destinytara.com
Legal contact: legal@destinytara.com

This Policy applies to all users worldwide and is designed to meet the requirements of the EU GDPR, the UK GDPR, California's CCPA/CPRA, and Mexico's LFPDPPP.

2. Data we collect

• Authentication: Email address (for OTP login via Mailgun).
• Birth data (sensitive): Date, time, and place of birth, and optionally gender, provided by you for Qi Men Dun Jia calculations.
• Usage data: AI conversations, saved charts, interaction logs, ratings.
• Payment: Processed by Stripe; we never store card numbers.
• Technical: IP address, approximate geolocation, device/browser metadata (for tax compliance, security, and fraud prevention).

3. Sensitive data and explicit consent

Your date, time, and place of birth, when combined with Qi Men Dun Jia analysis, may reveal information about your philosophical or spiritual beliefs. We therefore treat birth data as special-category / sensitive personal information under GDPR Article 9, Mexico's LFPDPPP, and analogous laws.

We only process birth data on the basis of your specific, informed, freely given, and revocable explicit consent. You consent separately and granularly to:

• (a) Service consent — processing your birth data strictly to deliver the cultural-exploration Service you request;
• (b) Training opt-in — we will NOT use your birth data or conversations to train AI models unless you separately opt in. Training opt-in is off by default and can be turned off at any time, with no effect on your access to the Service.

You can withdraw either consent at any time from your account settings or by emailing privacy@destinytara.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. Data Protection Impact Assessment (DPIA)

Because birth data is sensitive and the Service uses AI to analyze it, DestinyTara has completed and documented an internal Data Protection Impact Assessment (DPIA) covering collection, processing, retention, third-party transfers, and risk mitigations for the birth-data processing flow. The DPIA is reviewed periodically. A summary can be requested at privacy@destinytara.com.

5. Legal bases for processing (GDPR Art. 6)

• Explicit consent — Art. 6(1)(a) and Art. 9(2)(a): for collecting and using your birth data to provide the Service.
• Contract — Art. 6(1)(b): for account creation, subscription management, and payment processing.
• Legitimate interests — Art. 6(1)(f): for security, fraud prevention, abuse detection, and service-integrity logging, balanced against your rights and freedoms.
• Legal obligation — Art. 6(1)(c): for tax, accounting, and other record-keeping duties under Mexican and applicable foreign law.

6. AI transparency

Your queries are processed by an AI inference provider (currently Qwen 72B via Together AI). No human reviews the AI output before it is shown to you. The AI may produce inaccurate or "hallucinated" responses. Interaction logs are anonymized after 30 days unless you have specifically opted in to training.

7. Third-party processors

• Payment processor — Stripe (US), for billing and subscription management.
• AI inference provider — Together AI (US), for model inference on your prompts and birth-data context; payload not retained beyond request lifecycle.
• Email delivery — Mailgun (US), for OTP and transactional email.
• Hosting and edge infrastructure — Cloudflare / AWS or similar global cloud providers for application hosting, edge delivery, and security.

We do not sell, rent, or trade your personal data. No data brokers, no ad networks.

8. International data transfers

DestinyTara relies on Cloudflare, AWS, and similar global infrastructure, which means your data may be processed outside your country of residence, including in the United States. For EU/EEA and UK users, international transfers rely on Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework where applicable, and supplementary technical and organizational measures consistent with Schrems II guidance.

9. Retention, account deletion, and right to erasure

You can delete your account and all associated birth data at any time, from your account settings or by emailing privacy@destinytara.com. Deletion is permanent and irreversible: birth data, saved charts, and AI conversations are purged from databases, caches, and propagated to third-party processors within a reasonable window (target: 30 days).

We do not retain personal data beyond what is technically or legally required:

• Account and birth data — for the life of the active account only.
• AI interaction logs — anonymized after 30 days (or deleted immediately on account deletion).
• Payment and invoicing records — 5 years, as required by Mexican fiscal law.
• Security/IP logs — 30 days.

10. Your rights

EU/EEA and UK (GDPR): right of access, rectification, erasure, restriction, portability, objection, to withdraw consent, and to lodge a complaint with your local supervisory authority.

California (CCPA/CPRA): right to know, delete, correct, limit use of sensitive personal information, opt out of sale/sharing (we do not sell or share for cross-context advertising), and non-discrimination.

Mexico (LFPDPPP — ARCO): access, rectification, cancellation, opposition.

11. Cookies

We use only a JWT authentication token stored in localStorage — strictly necessary for the Service to function. No tracking cookies, no analytics cookies, no advertising cookies. This falls under the ePrivacy Directive Article 5(3) "strictly necessary" exemption.

12. Age gate — no processing from minors

The Service is strictly for users 18 years of age or older. We do not knowingly collect or process any data from minors. If we learn that a user is under 18, we will immediately delete their account and all associated data. If you are a parent or guardian and believe we may hold data about a minor, please contact privacy@destinytara.com.

13. Contact

Privacy inquiries: privacy@destinytara.com
Legal inquiries: legal@destinytara.com