Privacy Policy

Last updated: April 2026

1. Information We Collect

We collect the following categories of personal data: (a) account data - name, email address, hashed password; (b) subscription data - plan, payment history (payments are made directly via external rails - Payoneer, DolarApp, Galicia USD, USDT - and 27mirrors does not store any card data); (c) service usage data - readings taken, journal entries, configuration preferences, reading type; (d) technical data - IP address, browser type and version, operating system, device, screen size, language, approximate country (from IP), referrer; (e) communication data - messages you send us via /contact or email; (f) cookie and local-storage data (see the Cookie Policy).

2. How We Use Your Data

We use your data to: provide and improve the service; manage your account and subscription; send you service-related communications (important updates, receipts); personalise your experience; and fulfil our legal obligations. We do not sell your personal information to third parties.

3. Cookies

We use essential cookies for site operation (session, locale, theme) and analytics cookies to understand how the service is used. You can manage cookies from your browser settings. See our Cookie Policy for details.

4. Third-Party Services

We work with trusted external providers acting as data processors: Cloudflare provides CDN, DNS, bot protection (Turnstile) and network security. Resend delivers transactional email (verification, invoices, notices). Anthropic processes the inputs needed to generate AI-assisted readings and tarot interpretations, under its privacy commitments (anthropic.com/legal/privacy). None of these providers access your reading data outside the specific purpose they are engaged for. Payment rails (Payoneer, DolarApp, Galicia, USDT) are external services through which you pay directly; 27mirrors does not store card data or access your payment credentials. Invoices are issued directly by 27mirrors (Monotributo AR).

4a. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases: (a) performance of contract - to deliver the service you signed up for; (b) compliance with legal obligations - billing and tax; (c) legitimate interests - fraud prevention, platform protection, and service improvement; (d) consent - for optional communications and non-essential cookies, which you can withdraw at any time.

4b. International Data Transfers

Some of our providers (Cloudflare, Resend, Anthropic) operate outside the European Economic Area. When data is transferred outside the EEA, we ensure appropriate safeguards are in place - Standard Contractual Clauses approved by the European Commission, adequacy decisions, or equivalent mechanisms - to protect your rights.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide you with the service. After account deletion, personal data is erased within 30 days, unless we are legally required to retain it longer. Specific periods: account data and user content - while the account exists, plus 30 days after deletion; billing records - 7 years (tax and accounting obligation); technical logs (IP, server logs) - 30 days; /contact messages - 24 months; session and authentication cookies - see Cookie Policy.

6. Your Rights (GDPR)

If you reside in the European Economic Area, you have the right to: access your personal data; rectify it if inaccurate; request its deletion; restrict or object to processing; and data portability. To exercise any of these rights, write to us at [email protected].

6a. CCPA/CPRA Rights (California)

If you reside in California, under the California Consumer Privacy Act (CCPA/CPRA) you have the right to: know what categories of personal data we collect and for what purpose; request access, correction or deletion; and opt out of any "sale" or "sharing" of your data ("Do Not Sell or Share My Personal Information"). 27mirrors does NOT sell your personal data and does not share it for cross-context behavioral advertising. You can exercise any of these rights - including the opt-out - by emailing [email protected] with "CCPA request" in the subject; we will respond within 45 days of receipt (extendable by another 45 days with prior notice if needed). We will not discriminate against you for exercising your rights.

6b. Argentine Personal Data Law (Law 25.326)

As a controller established in Argentina, we comply with Law 25.326 on Personal Data Protection and its implementing regulations. You have the right to access, rectify, update and delete your data, and may file complaints with the Agency for Access to Public Information (AAIP, www.argentina.gob.ar/aaip).

6c. EU Representative & Data Protection Contact

For all data-rights requests (access, rectification, erasure, portability, objection, restriction), contact us directly at [email protected]; we will respond within one month. Invoices are issued directly by 27mirrors (Monotributo AR); applicable VAT/GST in your jurisdiction is the buyer's responsibility. We have not appointed a Data Protection Officer (DPO) as this is not mandatory for our operational scale (Article 37 GDPR).

6d. Automated Decisions & Profiling

We use AI models (Anthropic) to generate tarot, astrology and numerology interpretations from the data you provide. These are creative content outputs, not decisions that produce legal or similarly significant effects (health, credit, employment, service access). We do not perform profiling that limits your access to the service, nor automated decision-making within the meaning of GDPR Article 22.

7. Children's Privacy

27mirrors is not directed at children under 13 and complies with the US Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501 et seq.) and the equivalent GDPR provision for the EU (Article 8), which sets a minimum consent age of 16 (or the lower age set by a Member State, never below 13). We do not knowingly collect personal information from children under the applicable ages; if a parent or guardian believes their child has provided us data, they should email [email protected] and we will delete it promptly.

8. Changes to This Policy

We may update this policy periodically. We will notify you by email or via a notice within the service before changes take effect. Continued use of the service after notification constitutes acceptance of the updated policy.

9. Contact

For questions about this policy or to exercise your rights, contact us at [email protected].
