Privacy Policy
Last updated: May 30, 2026
1. Introduction
Fate ("we," "our," or "us") is an iOS tarot reading app. This Privacy Policy explains what data we collect, what we don't, and how the data you do create inside the app flows between your device, our backend (Firebase), and the AI model that interprets your card photos.
We've tried to write this honestly. Fate is built by one developer and runs on a small, ordinary set of services. We don't sell ads, we don't track you across other apps, and we don't share your readings with anyone.
2. How Your Data Flows
Understanding the data flow is the clearest way to understand our privacy model:
- Device ↔ Firebase (your private vault): Your account, your readings, and the card photos you upload are stored in Google Firebase under your user ID. Each reading lives in a per-user Firestore subcollection that only your signed-in account can read or write. Card images are stored in Firebase Storage under a path keyed to your user ID.
- Device ↔ Cloud Function ↔ OpenAI: When you tap "generate reading," your card photo is sent (as a one-time, in-memory payload) to a Firebase Cloud Function we run, which forwards it to OpenAI's vision model (currently gpt-4o-mini) for interpretation only. OpenAI processes the image to produce the reading text and does not use it to train their models per their API data policy. The interpretation text is returned to your device. The same path is used for virtual spreads (text-only card list), the deck-scan tool (a single card photo), the Ask AI chat (text-only question and the prior chat history for context), per-reading follow-up questions, the Card of the Day text, and the short share-card summary generated from a saved reading. The card photo and any chat content exist on OpenAI's servers only for the duration of the API call.
- Device ↔ Apple / Google (sign-in): If you sign in with Apple or Google, the provider handles authentication and returns a token to Firebase Auth. We never see your Apple or Google password.
- Device ↔ RevenueCat ↔ Apple: When you subscribe to Fate Unlimited, the purchase is processed by Apple. RevenueCat sits between the app and Apple to tell us whether your subscription is active. RevenueCat receives an anonymous user ID we generate for you and the receipt data Apple returns. We never see your Apple ID or payment method.
- Device ↔ PostHog (product analytics): The app sends anonymous behavioral events to PostHog (e.g. "reading started," "paywall shown," "subscription purchased") keyed to your Firebase user ID, so we can understand which parts of the app work and which don't. The Cloud Function also logs AI generation metadata (model, latency, token count, cost) to PostHog. The content of your photos, readings, questions, chat history, and AI responses is never sent to PostHog. Session recording / replay is explicitly disabled.
3. Information We Collect
Account information
- Email address (if you sign up with email or Google; Apple may relay a private email)
- A Firebase Authentication user ID (UID), generated when you sign up
- The sign-in provider you used (Apple, Google, or email)
- The profile photo URL your sign-in provider supplies, if any
Profile details (all optional, edit or clear at any time)
After sign-up the app asks for a short profile so readings can address you by name and reflect a bit of who is asking. None of these fields are required to use the app, and you can edit or clear any of them from Settings → Profile at any time.
- First name and last name (first name is requested; last name is optional)
- Pronouns, if you choose to share them
- Relationship status, if you choose to share it
- Birth date, if you choose to share it
- Birth time, if you choose to share it (you can also mark it unknown)
Birth date and birth time, when provided, are stored in your private Firestore user document and used only to personalize the reading prompt sent to the AI for your account. They are never shared with third parties beyond the AI provider at the moment of generating a reading, and they are deleted with your account.
Reading content (created by you)
- The card photos you upload or capture in the app
- The reading text returned by the AI, including photo readings, virtual spreads, deck-scan results, and Card of the Day text
- Your optional notes, the reading direction (upright/reversed), spread type and chosen cards for virtual draws
- Your follow-up questions and the AI's answers tied to a reading
- Your Ask AI chat transcripts
- The card name parsed from the reading and bookmark flag
- A short share-card summary derived from a saved reading the first time you share it (cached on the reading doc to avoid regeneration)
- A timestamp for when the reading was created
This content is stored only under your account in Firestore + Firebase Storage. No one but you can read it.
Subscription state
- Whether your Fate Unlimited entitlement is active (true/false) and its expiry date, as reported by RevenueCat / Apple
- A free-tier usage counter per AI feature (how many of your free photo readings, spreads, scans, chat messages, Card of the Day draws, and per-spread follow-ups you've used). These never reset by design.
- A weekly fair-use counter (how many AI calls you've made this ISO week). This resets every Monday.
Preferences
- Whether you want reversed (upside-down) cards included in spreads and your daily draw, set from Settings
- Whether haptic feedback is enabled (stored on-device)
Product analytics (PostHog, anonymous behavioral events)
- Event names like "photo_reading_started," "paywall_shown," "subscription_purchased," "free_quota_exceeded," tied to your Firebase user ID
- Coarse metadata such as which spread type you used, which card you viewed, and how long an AI reading took to generate
- Crash and error reports from the app and Cloud Functions, without the content of what triggered them
- Server-side AI generation metadata (model name, token count, latency, cost) so we can monitor reliability and unit economics
PostHog is configured with privacy mode on for the AI side. The content of your photos, readings, questions, chat history, and AI responses is never sent to PostHog. Session recording / replay is disabled.
What we do NOT collect
- No advertising identifier (no IDFA, no IDFV-based tracking)
- No location data, contacts, calendar, microphone, or sensor data
- No third-party ad networks, ad SDKs, or retargeting trackers
- No cross-app or cross-site tracking of any kind
- No content of your photos, readings, or chats sent to PostHog (only event names and the metadata listed above)
- No session recording or screen replay
4. Tracking & Advertising
Fate does not track you across other companies' apps or websites. We do not participate in ad networks, retargeting, or audience-building of any kind. We do not use Apple's IDFA (Identifier for Advertisers). Accordingly, the App does not present an App Tracking Transparency (ATT) prompt because no cross-app or cross-site tracking occurs.
5. Third-Party Services
The App relies on the following services, each with their own privacy policies:
- Google Firebase (Authentication, Firestore, Cloud Storage, Cloud Functions): hosts your account, readings, and card photos. Data is stored in Google Cloud's us-central1 region.
- OpenAI: receives the card photo (for the photo reading and deck scan flows) and the prompt text from our Cloud Function in order to generate the reading. Per OpenAI's API data policy, API submissions are not used to train OpenAI models.
- Apple: handles Sign in with Apple, App Store distribution, and Fate Unlimited in-app subscription billing.
- Google Identity: handles Sign in with Google.
- RevenueCat: reports your Fate Unlimited subscription status (active/expired) to the app and to our backend. RevenueCat receives an anonymous user identifier we generate and the receipt data Apple returns. RevenueCat processes data in the United States.
- PostHog: product analytics and error monitoring. Receives anonymous behavioral events keyed to your Firebase user ID and AI generation metadata (no content). Hosted at us.i.posthog.com (United States). Session recording is disabled.
6. Camera & Photo Library
Fate requests permission to use your camera and photo library so you can capture or pick a card photo. Photos are only accessed when you explicitly choose one or take a new shot. The selected photo is resized on-device (max width 1024 px) and then uploaded only when you tap to generate a reading.
7. Data Retention & Deletion
Your readings and card photos live in your account indefinitely so you can look back at them. You can delete any individual reading at any time from the History screen; both the Firestore document and the underlying Storage image are removed.
You can also delete your entire account from Settings → Profile → "Delete my account." This triggers a Cloud Function that:
- Deletes every card image you've uploaded from Firebase Storage
- Recursively deletes your readings subcollection in Firestore
- Deletes your user document
- Deletes your Firebase Auth account (invalidating all sessions)
This is irreversible.
8. Legal Basis for Processing (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contractual necessity (Art. 6(1)(b) GDPR): account creation, storing your readings, and generating interpretations, all necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR): basic platform operation and abuse prevention.
9. International Data Transfers
Firebase, OpenAI, RevenueCat, and PostHog all process data in the United States. If you access Fate from outside the U.S., your data is transferred to and processed in the U.S. These providers offer Standard Contractual Clauses for cross-border transfers.
10. Your Rights
You have the right to:
- Access the personal information stored in your account (visible in the app)
- Delete individual readings or your entire account at any time
- Request a copy of your data by emailing us
EEA/UK residents (GDPR): you also have the right to data portability, the right to restrict or object to processing, and the right to lodge a complaint with your local data protection authority.
California residents (CCPA/CPRA): you have the right to know what personal information we collect, the right to delete it, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information.
11. Children's Privacy
Fate is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we will delete the account.
12. Security
Authentication tokens are kept in iOS Keychain via Expo Secure Store. All traffic between the app, Firebase, and the Cloud Function uses HTTPS. Firestore security rules restrict every user's data to their own UID. No system is perfectly secure, but Fate doesn't store anything beyond what's needed for the readings you explicitly create.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced on this page and (if significant) in the app. Continued use of Fate after changes constitutes acceptance.
14. Contact
For questions, requests, or anything else, write to support@moetalaat.com.
15. Summary
In short: Fate keeps your readings in your private Firebase vault. Card photos are sent to OpenAI only at the moment of generating a reading, and only to produce that reading; they are not used to train any model. We run product analytics (PostHog) for behavioral events and AI generation metadata only, never for the content of your photos, readings, or chats. We don't run ads, we don't track you across other companies' apps, and we don't sell or share your data. Delete a reading and it's gone. Delete your account and everything is gone.
