Mystic Draw

Privacy Policy

Effective date: January 1, 2026
Last updated: January 1, 2026

This Privacy Policy explains how Mystic Draw collects, uses, stores, discloses, and protects your personal information when you use our website, apps, readings, diary features, subscriptions, and related services (together, the “Service”).

By using the Service, you acknowledge that your personal information will be handled as described in this Privacy Policy.

1. Who we are

Mystic Draw is operated by [INSERT LEGAL NAME / BUSINESS NAME] (“Mystic Draw”, “we”, “us”, or “our”).

Contact email: namaste@mystic-draw.com

2. Scope of this Privacy Policy

This Privacy Policy applies to personal information we collect:

  • when you visit our website;
  • when you create or use an account;
  • when you purchase or manage a subscription;
  • when you request readings or enter diary notes;
  • when you contact support;
  • when you respond to surveys, emails, or promotions;
  • when you use social logins or connected services, if offered; and
  • when you otherwise interact with us.

This Privacy Policy does not apply to third-party services, websites, or platforms that we do not control, even if they are linked to or integrated with our Service.

3. The types of personal information we collect

Depending on how you use the Service, we may collect the following categories of personal information.

3.1 Account and identity information

  • name or display name;
  • email address;
  • password hash and account credential data;
  • avatar or profile image, if uploaded;
  • date of birth or zodiac-related profile details, if you provide them;
  • plan type and account preferences.

3.2 Reading and diary information

  • cards drawn;
  • reading history;
  • reading context you provide, such as work, love, finance, or free-text prompts;
  • diary notes, reflections, tags, or journal-style content;
  • preferences such as tone, deck choice, or reader style.

3.3 Payment and subscription information

  • plan selected;
  • billing status;
  • transaction identifiers;
  • payment timestamps;
  • limited billing metadata provided by our payment processor.

We do not store your full payment card number unless explicitly stated otherwise. Payments are generally handled by third-party payment providers.

3.4 Technical and usage information

  • IP address;
  • browser type;
  • operating system;
  • device identifiers;
  • app version;
  • session data;
  • referring URLs;
  • timestamps;
  • feature usage;
  • clicks, page views, and interaction events;
  • crash logs and diagnostic information.

3.5 Communications

  • support requests;
  • emails you send us;
  • messages submitted through forms;
  • survey responses;
  • feedback and testimonials you choose to provide.

3.6 Marketing and notification preferences

  • whether you opted into newsletters, reminders, or marketing;
  • email open, click, and delivery data where supported by our providers.

3.7 Inferences and service-generated data

We may derive service-related information from your usage, such as:

  • content recommendations;
  • retention or engagement signals;
  • plan eligibility or usage thresholds;
  • product improvement insights; and
  • moderation or abuse-prevention indicators.

We do not use diary entries or reading content to make legal, medical, employment, credit, or similarly significant decisions about you.

4. How we collect personal information

We may collect personal information:

  • directly from you when you sign up or fill in forms;
  • when you request readings or write diary notes;
  • when you purchase or manage a subscription;
  • automatically through cookies, logs, analytics, and device signals;
  • from third-party service providers such as payment or login providers;
  • from support interactions; and
  • from lawful public or referral sources where relevant.

5. Why we collect and use personal information

We may use personal information to:

  • create and manage your account;
  • provide readings and diary functionality;
  • process subscriptions, upgrades, downgrades, and billing;
  • personalize your experience, including preferred tone, deck, or context handling;
  • maintain reading history and saved notes;
  • provide customer support;
  • send service messages, billing notices, security alerts, and account updates;
  • send marketing or reminder emails where permitted and, if required, where you have opted in;
  • improve performance, quality, reliability, and product design;
  • detect and prevent fraud, abuse, unauthorized access, and other harmful activity;
  • comply with legal obligations;
  • enforce our Terms and Conditions; and
  • protect our rights, systems, users, and business.

7. Cookies, analytics, and similar technologies

We may use cookies, pixels, tags, local storage, SDKs, and similar technologies to:

  • remember your login or preferences;
  • keep the Service secure;
  • understand usage and performance;
  • measure traffic and engagement;
  • improve design and features; and
  • support basic marketing measurement where permitted.

Some cookies may be necessary for the Service to work properly.

You can usually control cookies through your browser or device settings. Blocking certain cookies may reduce functionality.

If required by applicable law, we will ask for consent before using non-essential cookies or similar tracking tools.

8. Sharing of personal information

We may share personal information with the following categories of recipients where reasonably necessary:

8.1 Service providers

Providers that help us operate the Service, such as:

  • hosting and cloud infrastructure providers;
  • database and storage providers;
  • authentication providers;
  • payment processors;
  • email delivery providers;
  • analytics providers;
  • customer support tools;
  • security and monitoring providers; and
  • backup and disaster recovery providers.

8.2 Payment providers

When you pay for a subscription or digital product, relevant transaction and billing details may be processed by our payment provider.

8.3 Professional advisers

Lawyers, accountants, auditors, insurers, and other advisers where reasonably necessary.

8.4 Legal and compliance disclosures

We may disclose personal information where reasonably necessary to:

  • comply with law, regulation, court order, or lawful request;
  • detect, prevent, or respond to fraud, abuse, security incidents, or illegal conduct;
  • protect rights, property, or safety; or
  • enforce our legal terms.

8.5 Business transfers

If we sell, merge, reorganize, or transfer part or all of our business or assets, personal information may be disclosed as part of that transaction, subject to applicable law.

We do not sell your diary notes or personal reading content to data brokers.

9. International data transfers

We may store or process personal information in Australia and other countries where we or our service providers operate.

As a result, your personal information may be transferred outside your country of residence and may be subject to foreign laws.

Where required by law, we will take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with applicable privacy protections.

10. Data retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to:

  • provide the Service;
  • maintain your account;
  • keep reading history available to you;
  • comply with law, tax, accounting, and dispute obligations;
  • detect security issues or abuse; and
  • preserve backups and recovery systems for a limited period.

Retention periods may vary depending on the type of information.

In general:

  • account data is kept while your account remains active;
  • reading history and diary content are kept until deleted by you or until account deletion is completed, subject to backup cycles and legal retention needs;
  • payment and transaction records may be retained longer where required for accounting, tax, fraud prevention, or dispute handling; and
  • support and security logs may be retained for a limited period reasonably necessary for operations and compliance.

When personal information is no longer needed, we will delete it, de-identify it, or securely destroy it where practical.

11. Security

We use reasonable technical, organizational, and administrative measures designed to protect personal information from misuse, interference, loss, unauthorized access, modification, and disclosure.

These measures may include:

  • access controls;
  • encryption in transit;
  • encryption or protected storage at rest where applicable;
  • password hashing;
  • logging and monitoring;
  • least-privilege access;
  • provider-level security controls; and
  • backup and recovery procedures.

No method of internet transmission or electronic storage is completely secure. We cannot guarantee absolute security.

You are also responsible for protecting your account credentials and devices.

12. Your privacy choices and rights

Depending on your location and applicable law, you may have rights to:

  • access personal information we hold about you;
  • request correction of inaccurate information;
  • request deletion of your personal information;
  • request export or portability of certain data;
  • object to or restrict certain processing;
  • withdraw consent where processing is based on consent;
  • opt out of marketing communications; and
  • complain to a relevant privacy regulator.

We may need to verify your identity before responding to certain requests.

We may refuse or limit a request where permitted by law, including where the request is manifestly unfounded, technically impossible, affects others’ rights, or conflicts with legal obligations.

13. Account deletion and data export

You may request account deletion and, where available, export your data through your account settings or by contacting us.

When you request deletion:

  • your account may be deactivated first;
  • active profile access may end promptly;
  • some information may remain in backups for a limited time;
  • some information may be retained where required by law or reasonably needed for fraud prevention, dispute resolution, tax, accounting, or legal compliance; and
  • de-identified or aggregated information may be retained.

Where technically feasible, we will provide a reasonable export format for your data, such as JSON, CSV, or PDF, depending on the feature.

14. Sensitive or highly personal content

Diary entries, reflection notes, and context fields may contain sensitive, emotional, intimate, or otherwise personal information that you choose to enter.

You should avoid including information that you do not want stored digitally, especially:

  • health diagnoses;
  • crisis details;
  • government identification numbers;
  • bank or card details;
  • passwords; and
  • other highly confidential information.

If you choose to include personal or sensitive content in your diary or reading prompts, you acknowledge that we will process and store that content in order to provide the Service to you.

We do not intentionally ask for health information, legal case details, or other special categories of personal information unless you choose to provide them.

15. Marketing communications

We may send you:

  • transactional emails;
  • service notices;
  • billing notices;
  • security alerts;
  • support replies; and
  • product announcements.

Where required by law, we will obtain consent before sending direct marketing.

You can opt out of marketing communications at any time using the unsubscribe link in the email or by contacting us.

Even if you opt out of marketing, we may still send non-marketing communications relating to your account, billing, security, support, or service changes.

16. Children

Mystic Draw is not intended for children under 18, and we do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child in violation of our rules or applicable law, we may delete that information and suspend or close the related account.

If you believe a child has provided personal information to us, please contact us.

18. Overseas users

Mystic Draw is operated from Australia.

If you access the Service from outside Australia, you understand that your information may be transferred to and processed in Australia and other countries where our providers operate.

If we actively offer the Service to people in jurisdictions with additional privacy rights, we aim to handle relevant requests in line with applicable law.

19. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we may notify you by posting the revised version on the Service, updating the “Last updated” date, sending an email, or by another reasonable method.

Your continued use of the Service after the updated Privacy Policy takes effect means you acknowledge the revised Policy.

20. Complaints and contact

If you have questions, requests, or complaints about this Privacy Policy or our privacy practices, please contact us:

Mystic Draw
Email: namaste@mystic-draw.com

If you are not satisfied with our response, you may have the right to complain to a relevant privacy regulator, including in Australia the Office of the Australian Information Commissioner.

For general help, see our Help page.
