1. Introduction
Thoth: The Unknown ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application Thoth: The Unknown (the "App").
By downloading, installing, or using Thoth: The Unknown, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our App.
2. Information We Collect
2.1 Account & Authentication
To use Thoth: The Unknown, you must create an account. We collect the following:
- Email address — used to send you a magic link for sign-in; stored in our backend.
- Apple ID credential — if you choose "Sign in with Apple," we receive your anonymised Apple user ID and, optionally, your name. Apple may provide a relay email address.
We do not collect passwords.
2.2 Profile Information
During account setup you may provide:
- Display name (optional) — a nickname shown only to you within the App.
- Date of birth (required) — used to personalise tarot interpretations and to verify you meet the minimum age requirement (18+). Not shared with third parties.
- Time of birth (optional) — used for natal chart context in interpretations.
- Place of birth (optional) — free-text field; used for natal chart context in interpretations.
2.3 Reading Data
We store the following reading-related data in our cloud backend to enable multi-device access and history:
- Cards drawn during readings
- Spreads used (Three-Card, Five-Card, Celtic Cross)
- Dates and times of readings
- Personal reflections or notes added to readings (optional)
- Favourite status of readings
2.4 Device Information (Automatic)
- Device model and type
- Operating system version
- App crash logs and performance data (only if enabled in your iOS Settings → Privacy → Analytics)
3. How We Use Your Information
We use the information we collect to:
- Authenticate you and maintain your session securely across devices
- Provide and personalise the App — deliver readings, personalise interpretations, and maintain reading history
- Improve the App — fix bugs, optimise performance, and develop new features
- Provide technical support — troubleshoot issues and respond to requests
- Comply with legal obligations — including age verification
We do not use your information for marketing, advertising, selling to third parties, or behavioural profiling outside the App.
4. Data Storage & Security
4.1 Cloud Storage
Your account data, profile, and reading history are stored in our cloud backend operated by Supabase (see Section 5). Data is hosted in the eu-central-1 (Frankfurt, Germany) region. Reading data is also cached locally on your device for offline access.
4.2 Security Measures
- Authentication tokens are stored in the iOS Keychain with `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` — they do not sync to iCloud.
- All data in transit is encrypted via TLS (HTTPS).
- Row-Level Security (RLS) policies ensure each user can access only their own data.
- Sign in with Apple nonces are generated using `SecRandomCopyBytes` and hashed with SHA-256.
4.3 Data Retention
- Active account: Your data is retained for as long as your account is active.
- Account deletion: All personal data is permanently deleted from our servers within 30 days of deletion. Authentication records are removed immediately.
- Device cache: Local cache is wiped immediately when you delete your account or sign out.
5. Third-Party Services
5.1 Analytics & Crash Reporting
We do not use third-party analytics services (e.g., Google Analytics, Firebase, Crashlytics). If you enable Crash Reporting in iOS Settings → Privacy → Analytics, Apple may collect anonymised crash logs. This is entirely optional and controlled by your iOS settings.
5.2 Future AI Features
Post-launch versions may integrate optional AI interpretation features requiring card data to be sent to an external API (e.g., Claude API by Anthropic). Any such integration will require explicit user opt-in, transmit only necessary card data, and be clearly disclosed in the App and in this Policy.
5.3 Sub-Processor: Supabase
| Attribute | Value |
|---|---|
| Provider | Supabase Inc. |
| Purpose | Authentication, database (profile + readings), account management |
| Data hosted | eu-central-1 (Frankfurt, Germany) |
| Privacy policy | supabase.com/privacy |
6. User Rights & Controls
6.1 Access Your Data
You can access all your reading data at any time through the App's Reading History feature.
6.2 Delete Your Account
You can permanently delete your account directly within the App:
Settings → Account → Delete My Account
This immediately revokes your session, permanently deletes your profile and all readings within 30 days, and wipes your local cache immediately. This action is irreversible. Alternatively, email privacy@codewavemobile.com to request deletion.
6.3 Correct or Update Your Data
Update your display name, birth date, birth time, and birth place at any time via Settings → Profile.
6.4 Data Portability
Export functionality is not yet available in the App. To request a copy of your data in a portable format, contact us at privacy@codewavemobile.com.
6.5 Opt-Out
- Crash Reporting: Disable in Settings → Privacy → Analytics
- Location Services: Thoth: The Unknown does not request location access
7. Age Requirement
Thoth: The Unknown is designed for users aged 18 and over.
We do not knowingly collect personal information from users under 18. The App enforces an age gate during account setup — a valid date of birth confirming the user is 18 or older is required to create an account.
If we become aware that a user under 18 has created an account, we will delete that account and all associated data without notice. Parents or guardians who believe a minor has created an account should contact us immediately at privacy@codewavemobile.com.
8. Your Privacy Rights by Region
Turkey — KVKK
- Know whether your data is processed
- Request information about purpose and use
- Request correction of inaccurate data
- Request deletion or destruction of your data
- Object to processing
Europe — GDPR
- Access your personal data
- Rectify inaccurate data
- Right to erasure ("right to be forgotten")
- Restrict processing
- Data portability
- Lodge a complaint with your local DPA
California — CCPA/CPRA
- Know what personal information is collected
- Know if data is sold or disclosed
- Delete personal information
- Opt-out of sale/sharing
We do not sell your data.
To exercise any of these rights, contact us at privacy@codewavemobile.com. We will respond within 30 days.
9. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by updating the "Last Updated" date, posting the revised policy within the App, and requesting explicit consent if changes materially alter how we handle your data.
Your continued use of the App after changes become effective constitutes your acceptance of the updated Privacy Policy.
10. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:
- Email: privacy@codewavemobile.com
- Mailing Address: Thoth: The Unknown Support, Istanbul, Turkey
We will respond to privacy requests within 30 days.