Privacy Policy
Last updated: February 2026
This privacy policy explains how Cult of the Lamp ("we", "the Service") collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (DSGVO/GDPR) and applicable Austrian law.
1. Controller
The data controller within the meaning of Art. 4(7) DSGVO is:
[FULL NAME]
[ADDRESS]
Email: [EMAIL]
2. Data We Collect
2.1 Account Data
When you register (by invitation only), we collect your username, display name, and a hashed password (PBKDF2 with SHA-512 — we never store your plaintext password).
Legal basis: Art. 6(1)(b) DSGVO — performance of a contract.
2.2 Session Data
We use a single session cookie (auth_session) to maintain your login state. This cookie is strictly necessary for the service to function and does not track you across websites.
Legal basis: Art. 6(1)(b) DSGVO — technically necessary for service delivery.
2.3 Dream Readings & User Content
When you use Dream Cartomancy, we store your dream text, selected cards and spreads, reflections, and AI-generated interpretations. This data is associated with your account.
Legal basis: Art. 6(1)(b) DSGVO — core service functionality.
2.4 Payment Data
If you purchase illumination credits, we store your Stripe customer ID, credit balance, and transaction records. We do not store credit card numbers — all payment processing is handled by Stripe.
Legal basis: Art. 6(1)(b) DSGVO — contract performance; Austrian BAO § 132 — fiscal record-keeping.
2.5 Technical Data
Our hosting provider Cloudflare may log your IP address and basic request metadata for security and performance purposes. We use this data for abuse prevention only.
Legal basis: Art. 6(1)(f) DSGVO — legitimate interest in security.
2.6 AI Usage Logs
We log AI interpretation requests for rate limiting and abuse prevention. These logs include timestamps and usage counts, not the content of your dreams.
Legal basis: Art. 6(1)(f) DSGVO — legitimate interest in service integrity.
3. AI Data Processing
When you request an AI illumination, your dream text and card selections are sent to a third-party AI provider (Google Gemini or Anthropic Claude) for interpretation. Before transmission, your input is sanitized to remove personally identifiable information.
AI processing is only triggered when you explicitly click "Illuminate" — we never send your data to AI providers automatically. The generated interpretation is stored alongside your reading in our database.
AI providers process your data as sub-processors under their respective data processing agreements. They do not use your data to train their models.
4. Cookies
We use only one cookie:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| auth_session | Authentication state (Lucia Auth) | Session / 30 days | Strictly necessary |
As this cookie is strictly necessary for the service to function, no consent banner is required under TKG 2021 § 165(3) (Austrian implementation of the ePrivacy Directive).
We do not use analytics cookies, tracking cookies, or marketing cookies.
5. Third-Party Processors
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, DDoS protection | USA (SCCs) |
| Turso (ChiselStrike, Inc.) | Database (LibSQL) | USA (SCCs) |
| Stripe, Inc. | Payment processing | USA (SCCs) |
| Google LLC (Gemini) | AI interpretation | USA (SCCs) |
| Anthropic, PBC (Claude) | AI interpretation (fallback) | USA (SCCs) |
6. International Data Transfers
Our processors are located in the United States. Data transfers are safeguarded by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) DSGVO, as implemented by each provider.
7. Data Retention
- Account data: retained until you request deletion
- Dream readings & reflections: retained until you request deletion
- Payment transactions: retained for 7 years (Austrian BAO § 132 fiscal record-keeping obligation)
- Session data: automatically deleted on logout or after 30 days of inactivity
- Server logs: retained per Cloudflare's standard retention policy
8. Your Rights (DSGVO Art. 15–22)
You have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
To exercise any of these rights, contact us at [EMAIL].
You also have the right to lodge a complaint with the Austrian Data Protection Authority:
Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna
www.dsb.gv.at
9. Security
We take appropriate technical and organizational measures to protect your data, including:
- Passwords hashed with PBKDF2 + SHA-512 (never stored in plaintext)
- All traffic encrypted via HTTPS/TLS
- Invite-only registration to limit access
- Input sanitization before AI processing
10. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. For significant changes, we will notify registered users.