Privacy Policy

Last updated: Saturday May 9, 2026.

This Privacy Policy describes how Lauri Wilde ("we", "us", "our") collects, uses, and shares information when you visit lauriwilde.com (our marketing site) or use app.lauriwilde.com (the Wisdom Cards web app; together, the "Service").

Reading this document is the easiest way to understand what we do with your data. If anything is unclear, please email us at lauri@lauriwilde.com.

1. Who we are

The data controller is:

"Lauri Wilde, sole trader"
Email: lauri@lauriwilde.com

If you are in the European Economic Area or the United Kingdom, our supervisory authority is [NATIONAL_DATA_PROTECTION_AUTHORITY].

2. What we collect

2.1 Information you provide directly

  • Account information: when you sign in via Google, Apple, Microsoft, or magic link, we receive your email address, display name, and (where provided) avatar image.

  • Profile information: display name, your selected card-deck preference, and any reflections, journal entries, or self-ratings you save inside the app.

  • Card-reading content: questions you submit for a reading, the cards drawn, and the AI-generated interpretations. Your reading history is stored as part of your "journey."

  • AI Spiritual Coach conversations (paid tiers only): the messages you send and the responses generated.

  • Booking information: when you book a session via our Calendly integration, we receive your name, email, and the session details from Calendly.

  • Newsletter information: your email address when you subscribe to our newsletter via Mailchimp.

2.2 Information collected automatically

  • Technical data: IP address, browser type and version, operating system, device type, language, time zone, referring URL, and pages or screens visited.

  • Usage data: sessions, last-active time, monthly self-rating completions, awakening views, and other interactions with the app.

  • Cookies and similar technologies: see Section 5 below.

2.3 Information from third parties

  • OAuth providers (Google, Apple, Microsoft): when you sign in, the provider tells us your verified email and basic profile data. We do not receive your password.

  • Calendly: booking confirmations and cancellations via webhook, which we match to your account by email.

  • Mailchimp: confirmation that you subscribed; we do not receive other Mailchimp profile data.

We do not intentionally collect special-category personal data (e.g. health, religious belief, sexual orientation), but we recognise that questions you ask of a card reading or share with the AI coach may include such information voluntarily. Section 3.2 explains how we treat that content.

3. How we use your information

We use your data to:

  1. Provide the Service: authenticate you, save your readings, render your awakening progress, deliver AI interpretations, sync Calendly bookings, etc.

  2. Generate AI content: your reading questions and coach messages are sent to OpenAI for processing (see Section 4.2).

  3. Moderate content for safety: every reading question and coach message is screened by OpenAI's Moderation API. Mentions of self-harm trigger an in-app display of crisis resources (US: 988, plus international links). See our Terms for the full content-safety policy.

  4. Communicate with you: transactional emails (sign-in links, booking confirmations), and the newsletter (only if you've subscribed).

  5. Improve the Service: analyse usage patterns, debug errors, refine the spiritual content over time. We aggregate this data and avoid using identifiable readings or journal entries for analysis.

  6. Comply with legal obligations: respond to lawful requests, defend legal claims.

3.1 Legal bases (for visitors in the EEA / UK)

  • Contract: providing the Service you signed up for.

  • Legitimate interest: improving the Service, security, fraud prevention, basic analytics.

  • Consent: newsletter subscription, cookies that aren't strictly necessary.

  • Legal obligation: tax, accounting, regulatory requests.

You may withdraw any consent at any time without affecting prior processing.

3.2 Sensitive content in readings, journal, and coach conversations

The questions you ask the cards and the messages you send the AI coach are personal by nature. We treat them as confidential to your account:

  • They are stored in our database in the same row as your reading / conversation record.

  • They are sent to OpenAI for moderation and interpretation, processed under OpenAI's enterprise data terms (no model training on your inputs).

  • They are not shared with other users, used for marketing, or used to train other systems.

  • You can delete your reading history, journal entries, or your entire account at any time.

4. Who we share your information with

We do not sell your personal information. We share it with the following sub-processors strictly to operate the Service:

4.1 Infrastructure & hosting

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | United States |
| Railway Corp. | Web application hosting | United States |
| Framer B.V. | Marketing site hosting (lauriwilde.com) | Netherlands |
| Siteground Hosting Ltd. | Image CDN | Bulgaria / European Union |

4.2 AI and content moderation

| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI L.L.C. | GPT-4o for card interpretations + AI coach + content moderation | United States |

OpenAI processes your inputs under its enterprise data terms; submissions are not used to train OpenAI's models.

4.3 Communications

| Sub-processor | Purpose | Location |
|---|---|---|
| Resend Inc. | Transactional email (sign-in links) | United States |
| Intuit Mailchimp | Newsletter | United States |

4.4 Bookings

| Sub-processor | Purpose | Location |
|---|---|---|
| Calendly LLC | Live session booking | United States |

4.5 Identity providers

| Sub-processor | Purpose | Location |
|---|---|---|
| Google LLC | Google Sign-In | United States |
| Apple Inc. | Apple Sign-In | United States |
| Microsoft Corporation | Microsoft Sign-In | United States |

4.6 Analytics

| Sub-processor | Purpose | Location |
|---|---|---|
| Google LLC | Google Analytics 4: aggregated traffic statistics on lauriwilde.com only | United States |

We have configured Google Analytics with IP anonymisation where supported. The app at app.lauriwilde.com does not load Google Analytics.

4.7 Other disclosures

  • Legal obligation: if compelled by valid legal process.

  • Safety: if we reasonably believe disclosure is necessary to prevent serious harm.

  • Business transfers: if the Service is acquired by, or merged with, another organisation, your data may transfer as part of that transaction; you'll be notified.

5. Cookies and local storage

We use cookies, local storage, and session storage to keep you signed in, remember your preferences, and run our Service. Most are first-party (set by us); a few are set by sub-processors named above.

5.1 Strictly necessary

| Name | Purpose | Lifetime |
|---|---|---|
| sb-* (Supabase) | Authentication session token | 30 days |
| auth_next | Stores the post-login destination during OAuth | 5 minutes |
| wc_session_active | 20-minute active-session window | 20 minutes |

5.2 Functional

| Name | Purpose | Lifetime |
|---|---|---|
| wc_rune_set | Your selected card art preference (Nine Awakenings vs Yew Runes) | Persistent |
| lwc_app_user | Marks that you've signed in to the app, so the marketing site doesn't pitch the app at you | 1 year |
| lwc_email_subscriber | Marks that you've subscribed to the newsletter | 1 year |

5.3 Marketing-site only (lauriwilde.com)

| Name | Purpose | Lifetime |
|---|---|---|
| _ga, _ga_* (Google) | Google Analytics: aggregated traffic statistics | Up to 2 years |
| lwc_first_visit_at (localStorage) | First-visit timestamp for the once-per-week splash | 7 days |
| lwc_card_of_week_v1 (localStorage) | Splash-shown gate | 7 days |
| lwc_dismissed_<key> (localStorage) | Per-CTA dismissal memory | 7 days |

You can clear cookies and local storage at any time via your browser settings.

6. How long we keep your data

| Category | Retention |
|---|---|
| Account information | Until you delete your account |
| Card readings, journal entries, awakening reflections | Until you delete them, or your account |
| AI coach conversations | Until you delete them, or your account |
| Calendly bookings | Indefinitely while the booking record is relevant; deleted on request |
| Content-violation strike record | 12 months from the last incident |
| Aggregate analytics | 14 months (Google Analytics 4 default) |
| Newsletter subscription | Until you unsubscribe |
| Backups | Up to 30 days after your data is deleted from the live database |

7. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access: get a copy of the personal data we hold about you.

  • Correction: ask us to correct inaccurate data.

  • Deletion: ask us to delete your data ("right to be forgotten" / "right to erasure"). Where we have a legal obligation to retain certain records, we will tell you.

  • Portability: receive your data in a structured, machine-readable format.

  • Restriction: ask us to pause or limit processing in certain cases.

  • Objection: object to processing based on legitimate interests.

  • Consent withdrawal: withdraw any consent at any time (e.g. unsubscribe from the newsletter).

  • Complaint: lodge a complaint with your supervisory authority. EU residents can find theirs at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the ICO at https://ico.org.uk.

To exercise any of these rights, email [PRIVACY_EMAIL]. We may need to verify your identity before responding. We aim to respond within 30 days.

7.1 California residents

Under the California Consumer Privacy Act (CCPA / CPRA), you have additional rights including the right to know what personal information we have collected and the right to opt out of any sale or sharing. We do not sell or share your personal information for cross-context behavioural advertising.

8. International transfers

Most of our sub-processors are based in the United States. When we transfer your personal data outside the EEA / UK, we rely on the EU Standard Contractual Clauses (where the recipient does not have an adequacy decision) and additional safeguards as appropriate.

9. Security

We protect your data with industry-standard measures:

  • TLS encryption in transit

  • Encryption at rest in our Supabase database

  • Row-Level Security policies enforced at the database layer (you can only access your own readings, journal entries, etc.)

  • OAuth and PKCE-based authentication flows

  • Limited internal access; principle of least privilege

  • Regular security review of dependencies

No system is perfectly secure. If a breach affecting your personal data occurs, we will notify you and, where required, the relevant supervisory authority.

10. Children

The Service is not intended for children under 16 (EEA / UK) or under 13 (United States). We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Important limitations of the Service (privacy-relevant)

  • The card readings and AI coach are reflective tools intended for spiritual exploration. They are not medical, psychological, financial, or legal advice. Please see the Terms of Service for a fuller statement.

  • Our content moderation displays crisis resources when self-harm content is detected, but our system is not a crisis-intervention service. If you or someone you know is in immediate danger, please contact emergency services (US: 988 / 911, EU: 112, or your local equivalent).

  • Sensitive personal information that you choose to include in a reading question, journal entry, or coach message is processed and stored as described in Sections 3-4. Please consider what you share.

12. Changes to this Privacy Policy

We will update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top

  • Notify newsletter subscribers by email

  • Show an in-app notice the next time you sign in

If you continue to use the Service after the changes take effect, you accept the updated Privacy Policy.

13. Contact

For privacy questions, data requests, or anything else covered in this policy:

Email: lauri@lauriwilde.com

© Lauri Wilde 2026
