Mystic Mirror
Privacy Policy
Last updated: June 6, 2026
Mystic Mirror is a self-exploration and divination tool built on deterministic ancient wisdom systems and AI interpretation. This policy explains what personal information we collect, how we use it, and your rights.
Data We Collect
Birth Data
Your date of birth, birth time, and birth location are used to calculate charts (BaZi, Ziwei Doushu, Western astrology, numerology, and related systems). This data is stored in your profile and used only to generate and store your readings. We do not sell or share birth data with third parties for advertising or analytics.
Profiles You Create for Other People
If you create a chart or reading for another person, we may process the name or label you provide, that person's birth date, birth time, birth location, relationship context, and any related questions you submit. Only provide another person's data when you have a lawful reason and permission to do so.
Chat and Reading History
Messages you send to the AI oracle and the interpretations it generates are stored to support continuity across sessions. You may delete this data at any time from your account settings.
Payment Information
Payments are processed by Creem. We do not store full card numbers or raw payment credentials. We retain transaction identifiers, subscription status, and credit balance to deliver entitlements and handle support.
Authentication Identity
Login and identity management are handled by Auth0. We receive a user identifier, email address, and optional display name from your authentication provider. We do not store passwords.
Device and Network Data
Cloudflare and our own systems may process IP address, request metadata, user-agent strings, timestamps, error logs, and security events to route traffic, protect the service, and investigate abuse or reliability issues.
Usage Telemetry
We collect anonymized usage signals (page views, feature interactions, error reports) to improve the product. Telemetry does not include your birth data or chat content.
Sensitive and Inferred Information
Some information we process may be considered sensitive personal information in certain jurisdictions, including precise birth place or coordinates, gender, inferred ethnicity or spiritual/personality profile, and relationship or wellbeing context you choose to enter. We use this information only for the requested reading, account continuity, security, and legally required records.
How We Use Your Data
We use your data to: deliver your personalized readings and interpretations; maintain your credit and subscription entitlements; provide account access and authentication; improve reliability and product quality; and respond to support requests. We do not use your data to train third-party AI models without your explicit consent.
Data Retention
We retain different categories of data for different periods depending on their legal and operational purpose. The table below reflects our internal data retention contract.
| Data type | Retention period | Deletion trigger |
|---|---|---|
| Account & birth profile | Until account deletion | User-initiated account deletion |
| Chat & calculation history | 2 years (730 days) | Account deletion or scheduled expiry |
| Calculation cache | 90 days from last access | Auto-expiry; account or person deletion |
| Payment records | 7 years (legal hold) | Anonymized on account deletion; metadata minimized after 7 years |
| Telemetry & share access logs | 90 days | Auto-expiry; anonymized on account deletion |
| Audit & security logs | 7 years | Retained for legal compliance, not user-deletable |
Subprocessors and AI Providers
We use the following third-party services to deliver Mystic Mirror:
- Auth0 (Okta) — authentication and identity management
- Creem — payment processing, tax compliance, and subscription management
- Stripe — payment processing, refunds, invoices, and subscription management where configured
- Cloudflare — content delivery, DNS, DDoS protection, and backups stored in Cloudflare R2 (Eastern North America region)
- DigitalOcean — application hosting and database infrastructure
- OpenRouter — active AI inference router for interpretation and chat responses. Production routing is restricted to AtlasCloud and Parasail sub-providers, denies provider-side data collection, and disables OpenRouter fallbacks so China-hosted providers and other ignored providers are not used.
- SiliconFlow (siliconflow.cn) — historical China-hosted AI provider entry; disabled for active production routing unless a future consent-gated legal path is approved
- Z.ai — historical China-hosted AI provider entry; disabled for active production routing unless a future consent-gated legal path is approved
- BigModel (bigmodel.cn) — historical China-hosted AI provider entry; disabled for active production routing unless a future consent-gated legal path is approved
AI providers may receive the text of your query and the minimum chart/session context needed to generate the requested interpretation. This may include birth date, birth time, birth place, timezone, names or labels you provide, gender, prior chat context, and derived chart data. We do not send raw payment credentials to AI inference providers.
Your Rights
Depending on your location, you may have the right to: access a copy of your data; correct inaccurate information; delete your account and associated data; export your data in a portable format; withdraw consent for optional data uses; opt out of sale or sharing where applicable; and limit the use of sensitive personal information where applicable. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
California Privacy Notice
This section is intended for California residents and explains how Mystic Mirror handles personal information under CCPA/CPRA.
Sensitive personal information categories
Mystic Mirror may process sensitive personal information such as precise birth place or coordinates, gender, relationship context, and inferences from BaZi, Ziwei Doushu, astrology, numerology, tarot, I Ching, or related systems. We use these categories to provide requested readings, preserve account history, secure the service, and maintain required records.
Sale or sharing
We do not sell personal information for money. We do not share birth data, chart data, or chat content for cross-context behavioral advertising. Transfers to AI inference providers are used to generate requested interpretations and require service-provider or contractor terms before regulated-market launch; until those terms are fully executed, this remains an implementation dependency.
Limit use of sensitive personal information
You may ask us to limit use of sensitive personal information to what is necessary to provide requested readings, maintain security, and meet legal obligations. Contact [email protected] with the subject line "Limit SPI".
Global Privacy Control
We honor browser-based opt-out preference signals such as Global Privacy Control when they are detected in your browser or in request headers. You can also review or change cookie and privacy choices from Account > Data & Privacy.
AI-Generated Content and AI Providers
Interpretations, oracle responses, and insight text on Mystic Mirror are generated by AI language models. The interface includes an AI-generated content notice. These outputs are for self-reflection and exploration. They are not predictions, professional diagnoses, or authoritative statements about your life, health, finances, or relationships.
Inputs sent to AI providers
When you request an AI interpretation, we may send your user message, selected chart data, birth date, birth time, birth place, timezone, latitude/longitude where available, names or labels you provide, gender, relationship context, prior chat context, and derived divination profile needed for the response. We do not send raw card numbers or payment credentials.
Providers and locations
Current AI inference routing uses OpenRouter as the active inference router, restricted in production to AtlasCloud and Parasail sub-providers with provider-side data collection denied and OpenRouter fallback disabled. SiliconFlow, Z.ai, and BigModel remain listed only as historical China-hosted entries and are disabled for active production routing unless a future consent-gated legal path is approved. Auth0, Creem, Stripe, Cloudflare, and DigitalOcean may also process account, payment, hosting, or network data from the United States or global infrastructure.
Consent and legal basis
AI processing is used to perform the reading or chat feature you request. For jurisdictions that require explicit consent for AI-provider processing or cross-border transfer, the intended mechanism is a granular consent gate covering AI processing and cross-border transfer before the first AI interpretation. Until that consent gate and provider contracts are fully implemented, this notice identifies the intended consent path and remaining implementation dependency.
Opt-out and withdrawal
You may opt out of AI interpretation by not using AI-powered readings or chat features, and you may contact [email protected] to withdraw consent for optional AI processing. Withdrawal does not undo processing that already occurred lawfully, but it will limit future access to AI-powered features.
Automated decisions
Mystic Mirror does not use AI output to make legal, financial, employment, housing, credit, insurance, healthcare, or similarly significant decisions about you. Divinatory and reflective outputs are generated for self-exploration and do not determine your rights or access to essential services.
Cross-Border Data Transfer
Mystic Mirror operates globally. Your data may be processed by subprocessors located outside your country. Backups are pinned to Cloudflare R2 ENAM (Eastern North America) and stay in the United States. Application hosting is currently documented as DigitalOcean infrastructure in the United States. For EEA or UK personal data transfers where required, the intended transfer mechanism is the European Commission Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914, using the applicable module for the parties' roles. For Singapore personal data transfers where required, the intended mechanism is the PDPC Model Contractual Clauses or another legally enforceable mechanism providing comparable protection. AI inference is currently documented around OpenRouter with production routing restricted to AtlasCloud and Parasail sub-providers, provider-side data collection denied, and OpenRouter fallback disabled. Historical China-hosted AI providers remain disabled for active production routing unless a future consent-gated legal path is approved. If you are in the EU, Singapore, Canada, California, or another jurisdiction with transfer restrictions, please contact us before using AI interpretation features.
Singapore Privacy Addendum
This addendum is intended for Singapore users under the Personal Data Protection Act 2012 (PDPA) and should be read together with the rest of this Privacy Policy.
PDPA s.20 openness: policies and practices
Under PDPA s.20 and the PDPC Accountability/Openness guidance, we make information about our personal data policies, practices, and complaint process available in this Privacy Policy. The data categories, purposes, retention table, subprocessor register, AI disclosure, and cross-border transfer sections describe how we collect, use, disclose, retain, protect, and transfer personal data. For more detail, review those sections on this page or contact us at [email protected].
PDPA s.21 access and correction
Singapore users may request access to personal data we hold about them, information about how it has been used or disclosed within the relevant lookback period required by PDPA s.21, and correction of inaccurate personal data. Use /account/data for self-service export, deletion, and correction controls, or contact [email protected] if the account page cannot handle the request.
PDPA s.13 consent and withdrawal
Where we rely on consent under PDPA s.13, you may withdraw consent with reasonable notice. Use the ConsentGate choices and account settings at /account to disable optional AI-provider processing, marketing, or other optional data uses where available. Withdrawal does not undo processing that already occurred lawfully, but we will stop the affected optional collection, use, or disclosure after processing the withdrawal and explaining any product consequences.
PDPA s.26 cross-border transfers
For Singapore personal data transferred outside Singapore, PDPA s.26 requires comparable protection through prescribed or legally enforceable mechanisms unless an exception applies. Where applicable, Mystic Mirror intends to use the PDPC Model Contractual Clauses, ASEAN Model Contractual Clauses for Cross Border Data Flows, or another legally enforceable transfer mechanism. Current subprocessors and AI-provider locations are described in the subprocessor register and cross-border transfer section.
PDPC complaints and internal contact
Please contact us first at [email protected] so we can review and respond to your concern. Singapore users may also lodge data protection or DNC complaints with the PDPC through the official portal at https://www.pdpc.gov.sg/Complaints-Reviews-and-Investigations/Complaints or the current PDPC complaints page at https://www.pdpc.gov.sg/complaints-and-reviews.
Do Not Call Registry
Mystic Mirror does not send marketing SMS or telemarketing calls in Singapore. If that changes, we will update this section, check applicable Singapore telephone numbers against the DNC Registry where required, honor clear opt-outs, identify the sender, and comply with the PDPA DNC provisions and PDPC guidance before sending marketing calls, text messages, or faxes.
Mandatory data breach notification
For Singapore notifiable data breaches under the PDPA 2020 amendments, Mystic Mirror will assess suspected data incidents without undue delay and, where notification is required because the breach is likely to result in significant harm or is of significant scale, notify the PDPC as soon as practicable and no later than 72 hours / three calendar days after determining that the breach is notifiable. Where individual notice is required, we will notify affected users as soon as practicable, at the same time as or after notifying the PDPC.
Rights of Third Parties Whose Data Was Uploaded by Others
If you discover that another Mystic Mirror user uploaded your personal data (e.g., birth date, time, place) without your consent, you have the right to request access, correction, or deletion of that data. Email [email protected] with: (a) your name, (b) any identifying details that may match the uploaded record (date / location / who likely uploaded), and (c) the action you want — access, correction, or deletion. We will respond within 30 days under PDPA s.21 / s.22 (Singapore) and equivalent rights under GDPR Art. 15-17 / CCPA Section 1798.105. We may need to verify your identity before acting.
Contact
For privacy questions or rights requests, contact us at [email protected]. For general support, use [email protected].
You can opt out of marketing communications at any time by contacting support or using the unsubscribe link in any marketing email.