Privacy · Last updated May 15, 2026
Privacy Policy
We try to collect as little as possible, hold it for as short a time as possible, and never sell it. This page tells you exactly what happens with the information you give us.
What we collect
- Account info. Your email address and a hashed (one-way scrambled) password, or a one-time magic-link code if you sign in that way. We never store your raw password.
- Subscription info. If you subscribe, Stripe processes your card. We only receive their customer and subscription IDs and your billing email, never your card number.
- Readings & journal. When you save a reading or write a journal note, we store it in our database so you can see it again. It's yours.
- Pre-order list. If you join the printed-deck waitlist, we store your email, the source (e.g. "sales-site"), your IP, and a short user-agent string so we can tell humans from bots.
- Server logs. Standard request logs (IP, timestamp, path, status) kept for a short window for debugging and abuse prevention.
What we don't collect
- We do not run third-party advertising trackers.
- We do not sell or rent your data, ever.
- We do not use your readings or journal entries to train AI models for anyone else.
How we use it
- To run the service. Show you your readings, sync them across your devices, and remember you between visits.
- To process payments. Hand off to Stripe so you can subscribe and cancel.
- To interpret readings. When you ask for an AI interpretation, the cards in your spread are sent to Anthropic's Claude API. The interpretation is returned to you and saved with your reading. We don't send your email, name, or journal notes with that request.
- To email you. Account emails (sign-in codes, password resets, receipts) via Gmail. One pre-order announcement if you joined that list.
Third parties we share with
- Stripe: for payments. Stripe's privacy policy.
- Anthropic: for AI card interpretations. Anthropic's privacy policy.
- Google Gmail: to send transactional and pre-order emails.
- Railway: our hosting provider.
- Cloudflare: DNS and traffic protection.
That's the full list. We add to it only when a feature requires it, and we update this page when we do.
Cookies
We use a single first-party cookie to keep you signed in. There are no advertising or analytics cookies on the marketing site.
Your rights
Wherever you live, you can write to us and ask us to:
- Show you a copy of what we hold about you.
- Correct anything that's wrong.
- Delete your account and everything tied to it.
- Stop using your data for any specific purpose.
Email us at designholistically@gmail.com. We'll respond within a reasonable time, and always within the time required by your local law (e.g., 30 days under GDPR, 45 days under CCPA).
Children
The Elemental Oracle Deck isn't designed for children. If you're under the age of digital consent in your country (this varies: 13 in the US, often 16 in the EU/UK), please ask a parent or guardian to use the service on your behalf. If we learn we've collected data from a child without that consent, we'll delete it.
International transfers
We're based in the United States. Using the service means your data may be processed in the US and other countries where our providers operate. We use providers that maintain appropriate safeguards (Standard Contractual Clauses, etc.).
Security
Passwords are hashed with PBKDF2-SHA256 (200,000 rounds). Traffic is encrypted in transit (HTTPS). Payment cards never touch our servers; Stripe handles them. We're a small operation, so we keep the attack surface small on purpose.
Changes to this policy
If we change anything meaningful, we'll update the "Last updated" date at the top and, for material changes, notify you by email or in-app banner before the change takes effect.
Questions? Write to designholistically@gmail.com.