Privacy Policy

Last updated: 7 June 2026

Who we are

The Codex (“we”, “us”) is a tarot learning and journaling application operated at thecodex.thetarotbeyond.com. For questions about this policy or your data, contact us at info@thetarotbeyond.com.

What we collect

Guest use (no account) — if you use The Codex without signing in, your daily draws, saved readings, journal notes, decoder sessions and preferences are stored only locally in your own browser or device (in browser storage on this device). This data is never transmitted to or stored on our servers, and we have no access to it. You control it and can delete it at any time from inside the app or by clearing your browser storage.

  • Account information (only if you sign in) — your email address and a display name you choose. If you sign in with Google, we receive your email and basic profile info from Google.
  • Synced journal and readings (only if you have an account) — when you create an account, your daily draws, saved spreads, notes and combination decoder sessions are synced to our database so you can access them across devices. Each row is owned by your user ID and protected by row-level security.
  • Subscription data — if you upgrade, our payment processor (Stripe) handles your card details. We never see or store full card numbers.
  • Technical data — basic logs (IP address, browser, timestamps) needed to run the service securely and prevent abuse.

What we don’t do

  • We don’t sell your data.
  • We don’t share your journal or readings with third parties for marketing.
  • We don’t run third-party advertising or behavioural ad trackers.

How we use your data

  • To provide the service — sign you in, sync your journal, render your archive.
  • To process subscriptions through Stripe.
  • To keep the service secure and diagnose problems.
  • To send essential account emails (sign-in links, receipts). We don’t send marketing emails.

Who we share data with

Only the processors needed to run the app:

  • Supabase — database, authentication and storage.
  • Cloudflare — hosting and content delivery.
  • Google — only if you choose Google sign-in.
  • Stripe — only if you subscribe to a paid plan.

These providers act as data processors under our instructions and may store data outside your country, including in the United States, under appropriate safeguards (Standard Contractual Clauses or equivalent).

How long we keep it

Local guest data — stays on your device until you clear it (from inside the app or by clearing your browser storage). We have no copy of it and cannot delete it for you.

Account data — we keep your account, synced journal and readings for as long as your account is active. If you delete your account, we remove your personal data from our database within 30 days, except where we are required to keep limited records (e.g. billing receipts) for legal reasons.

Your rights (UK / EU GDPR)

These rights apply to the account data we actually hold for you on our servers. We cannot exercise them over local-only guest data, because that data lives on your device and we have no access to it — you manage and delete it directly from your browser.

For data we hold under your account, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your synced journal in a portable format.
  • Object to or restrict certain processing.
  • Lodge a complaint with your local data protection authority (e.g. the UK ICO).

Your account journal and readings are private to you and protected by row-level security in our database. We do not access individual entries except as needed to operate, secure or support the service, or where required by law.

To exercise any of these rights, email info@thetarotbeyond.com.

Cookies and local storage

We use a small number of strictly necessary cookies and browser local storage to keep you signed in and remember preferences (such as your active deck). We don’t use advertising or analytics cookies that track you across other sites.

Children

The Codex is not directed at children under 16. If you believe a child has provided us personal data, contact us and we will delete it.

Changes

We may update this policy from time to time. Material changes will be announced in-app or by email where appropriate. The “Last updated” date above always reflects the current version.

See also our Terms of Service.