thoth.cards is a Thoth Tarot reference and personal practice tool. This policy describes how we collect, use, and protect your information when you use the site.
For questions about this policy, contact us at privacy@thoth.cards.
You may create an account using an email and password, or by signing in through a social login provider. Our self-hosted authentication system manages your credentials in either case. The thoth.cards application never sees or stores your password.
When you create an account, we store:
If you sign in through a social provider, we import that provider's basic profile information (name, email, profile picture URL) into your account on first login and use it for subsequent logins. We do not access your social media contacts, posts, or activity.
If you use the Readings feature, we store:
This data serves your personal practice. The core purpose of the feature is the long-term personal record: looking back across months or years of readings and recognizing patterns.
We set a small number of cookies, all strictly necessary for the site to function:
| Cookie | Purpose | Details |
|---|---|---|
| Access token | Maintains your logged-in session | HttpOnly, SameSite=Strict, Secure; expires after 15 minutes |
| CSRF token | Protects against cross-site request forgery on actions like saving a reading | SameSite=Strict, Secure; expires after 15 minutes |
| OIDC state cookies | Used during the login redirect; last only seconds | HttpOnly, Secure |
We set no analytics cookies, no advertising cookies, and no third-party cookies. We do not fingerprint your browser.
We use a self-hosted instance of Umami, a privacy-focused analytics tool. Umami does not set cookies, does not collect personally identifiable information, and does not track users across websites. It uses a daily-rotating server-side hash rather than client-side identifiers.
We collect only aggregate, anonymous usage data: page views, referral sources, and country-level geographic region. This helps us understand how the site is used and improve it. We do not use Google Analytics, Facebook Pixel, or any third-party analytics service.
Our servers produce structured logs for operational and security purposes. Per-request log entries include a request identifier, your account identifier (on authenticated requests only), the request path, HTTP status, and response time. Our web server also logs client IP addresses.
We have not yet set a formal log retention period. We do not keep logs indefinitely; once we fix a retention period we will update this policy to state it.
noreply@thoth.cards via our self-hosted mail server.
We do not send marketing or promotional emails.

We do not use behavioral targeting, recommendation algorithms, or engagement-metric optimization. Card of the Day rotates on a deterministic, date-seeded schedule, not a personalized one.
When you sign in through a social login provider, that provider can see that you authenticated with thoth.cards through our identity service. Each provider has its own privacy policy that governs their side of the authentication. We receive only the basic profile information listed above (name, email, profile picture).
If you later disconnect a social login from your account, we do not automatically remove the profile information already imported. You may request its removal by contacting us.
Your readings are private by default. You may set a reading's visibility to:
When you share a reading publicly, anyone with the link can see the cards drawn, the spread layout, and your journal entry for that reading. We show your display name; we never expose your email address, login identity, or date of birth in shared readings.
You control visibility per reading and can change it at any time.
The entire data path is self-hosted on infrastructure we operate and control. We do not store your data on third-party cloud platforms or SaaS services.
The narrow exceptions:
We encrypt all traffic between your browser and our servers via HTTPS/TLS.
We retain your account and reading data for as long as your account exists. The Readings feature exists to build a long-term personal record, so we do not automatically delete your history.
Session data: Access tokens expire after 15 minutes. Login sessions expire after 4 hours of inactivity or 24 hours after login (an absolute limit), whichever comes first.
Backups: We retain database backups for 30 days, then automatically delete them.
Account deletion: You may request deletion of your account and all associated data at any time by contacting privacy@thoth.cards. On a verified deletion request, we delete your authentication account, your local user record, and all associated readings, journal entries, and tags. We complete deletion within 30 days. Deletion requests do not affect aggregate, anonymized analytics data (which cannot identify you). Data may persist in encrypted backups for up to 30 days after deletion, after which we automatically purge it.
Depending on your jurisdiction, you may have the right to:
To exercise any of these rights, contact privacy@thoth.cards.
thoth.cards is not for children under 13. We do not knowingly collect information from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete it promptly.
We may update this policy from time to time. When we do, we update the "Last Updated" date at the top. If we make material changes to how we handle your data, we will notify logged-in users through the site before the changes take effect.
For any questions, concerns, or requests related to your privacy, email privacy@thoth.cards.