Privacy Policy
Effective date: May 2026 Document version: 1.0
This Privacy Policy ("Policy") explains how Socrion ("Service") collects, uses, shares and protects your personal data when you use the Service. It also describes your rights and how to exercise them.
This Policy complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable data protection laws in your country of residence.
1. Data Controller
The data controller responsible for your personal data is:
Dmitrii Kuznetsov, Independent Developer.
Address: Soi Saturdays, Saturdays Residence by Sure, Building B, B107, 136 | 191, Rawai, Phuket 83100, Thailand. Email: legal@socrion.io Website: https://socrion.io
If you have any questions about this Policy or how we handle your personal data, please contact us at the address above.
2. Scope
This Policy applies to personal data processed by the Service in connection with:
- the marketing website at https://socrion.io;
- the user application at https://app.socrion.io;
- the mobile applications for iOS and Android distributed via Apple App Store and Google Play.
By using the Service, you acknowledge that you have read and understood this Policy.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1. Information you provide
- Account data: email address, display name, password (stored as a bcrypt hash);
- Authentication identifiers: Telegram, Google or Apple identifier when you sign in via one of these providers;
- Profile data (optional): real name, date of birth, place of birth, time of birth — only if you choose to provide these in your profile;
- User content: questions you submit for readings, saved reading results, your usage history within the Service;
- Support correspondence: information you provide when contacting our support.
3.2. Information we collect automatically
- Technical data: IP address, browser type and version (User-Agent), device information, session identifiers, cookies and similar technologies;
- Usage data: pages visited, features used, timestamps of interactions;
- Diagnostic data: error reports, performance metrics.
3.3. Information from third parties
- Payment data from Apple In-App Purchase: transaction identifier, amount, date and currency (we do not receive your full payment card details — Apple processes the card data on their side);
- Payment data from Google Play Billing: transaction identifier, amount, date and currency (Google processes the card data on their side);
- Payment data from Telegram Stars: Telegram payment identifier, amount in Stars (XTR), date — received via the Telegram Bot Payments API when you make a purchase within the Telegram Mini App version of the Service;
- Payment data from Lava.top: transaction identifier, amount, date and currency — received from Lava.top for web-based international payments (we do not receive your full payment card details — Lava.top processes the card data on their side);
- Profile data from OAuth providers: when you sign in via Google or Apple, we receive your name and email; from Telegram Login Widget — your Telegram ID and username.
3.4. Special categories of personal data
We do not intentionally collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation).
If your reading question incidentally contains such information, please be aware that it will be processed as part of user content and you can delete it at any time.
4. Why We Process Your Personal Data (Purposes and Lawful Basis)
We process your personal data for the following purposes and on the following lawful bases under Article 6 GDPR:
| Purpose | Categories of data | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Creating and maintaining your account | Account data, authentication identifiers | (b) performance of a contract |
| Providing the Service (generating readings, maintaining balance) | User content, account data, profile data | (b) performance of a contract |
| Processing payments | Payment data, account data | (b) performance of a contract |
| Customer support | Support correspondence, account data | (b) performance of a contract |
| Security, fraud prevention and abuse detection | Technical data, IP address | (f) legitimate interests |
| Anonymised analytics | Cookies, anonymised technical data | (a) consent (via cookie banner) |
| Marketing communications | Email address | (a) consent (opt-in via profile settings) |
| Compliance with legal obligations | Payment data, support correspondence | (c) legal obligation |
We never process your personal data for purposes other than those listed above without your prior knowledge or consent.
5. Data Sharing — Third-Party Processors
We share your personal data with the following categories of processors who act on our behalf under data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic, Inc. | Processing your questions through AI models to generate reading interpretations | United States |
| Resend, Inc. | Delivery of transactional and (with consent) marketing emails | United States |
| Apple Inc. | In-app purchases via Apple IAP, app distribution | Worldwide |
| Google LLC | In-app purchases via Google Play Billing, app distribution | Worldwide |
| Telegram FZ-LLC | Authentication via Telegram Login Widget; processing of payments via Telegram Stars within the Telegram Mini App version | United Arab Emirates |
| Lavalane LTD (Lava.top) | Processing of web-based international payments (cards in USD/EUR) | Cyprus (European Union member state — internal EEA transfer) |
| Cloudflare, Inc. | Content delivery network, DNS, DDoS protection | Worldwide |
| Hosting infrastructure providers | Hosting of the Service backend and databases | European Union (Germany). Specific provider details are available on request via legal@socrion.io |
We do not sell your personal data. We do not share your personal data with advertisers or data brokers.
We may disclose your personal data to public authorities when required by applicable law.
6. International Data Transfers
Some of our processors operate outside the European Economic Area (EEA) and the United Kingdom. Specifically:
- Anthropic, Inc. and Resend, Inc. are based in the United States;
- Cloudflare, Inc. uses globally distributed infrastructure;
- Telegram FZ-LLC is based in the United Arab Emirates.
Other processors operate within the EEA:
- Lavalane LTD (Lava.top) is established in Cyprus;
- our hosting infrastructure is located in Germany.
For transfers of personal data outside the EEA and the United Kingdom, we rely on appropriate safeguards under Articles 45–46 GDPR, including the European Commission's Standard Contractual Clauses (SCCs) signed with each processor, and additional safeguards where applicable to the specific destination country.
For processors established within the EEA, transfers are governed directly by the GDPR without the need for additional safeguards.
You can request a copy of the safeguards in place by contacting us at legal@socrion.io.
7. How Long We Keep Your Personal Data
We retain your personal data for the periods set out below:
| Category | Retention period |
|---|---|
| Account data | Until you delete your account + 30 days (backups) |
| User content (readings, questions) | Within your account until you delete it |
| Payment data | 5 years from the date of transaction (legal obligation: tax and accounting laws) |
| Support correspondence | 3 years after the last interaction |
| Technical data and security logs | 90 days |
| Anonymised analytics | 365 days |
| Marketing consent record | Until consent is withdrawn |
Where personal data is no longer necessary for the purposes for which it was collected, we delete or anonymise it within a reasonable time.
8. Your Rights Under the GDPR
You have the following rights with respect to your personal data:
8.1. Right of access (Article 15)
You may request a copy of the personal data we hold about you, along with information about how we process it.
8.2. Right to rectification (Article 16)
You may ask us to correct inaccurate or incomplete personal data.
8.3. Right to erasure (Article 17)
You may ask us to delete your personal data, subject to legal obligations that require us to retain certain data (e.g., tax records).
8.4. Right to restriction of processing (Article 18)
You may ask us to limit how we use your personal data in certain circumstances.
8.5. Right to data portability (Article 20)
You may request a copy of your personal data in a structured, commonly used, machine-readable format.
8.6. Right to object (Article 21)
You may object to processing of your personal data based on our legitimate interests, including for marketing purposes.
8.7. Right to withdraw consent (Article 7(3))
Where processing is based on your consent (e.g., analytics cookies, marketing emails), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
8.8. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority in the EU or UK member state where you reside, work or where the alleged infringement took place.
9. How to Exercise Your Rights
You can exercise your rights by:
- using the relevant features in your account at https://app.socrion.io (e.g., deleting your account via Profile → Security → Delete Account);
- contacting us at legal@socrion.io.
We will respond to your request within one month from receipt, in accordance with Article 12(3) GDPR. In complex cases, this period may be extended by up to two further months, in which case we will inform you.
We do not charge for handling your requests, unless they are manifestly unfounded or excessive.
10. Account Deletion
You have the right to delete your account at any time through the Service. The detailed procedure is described at https://socrion.io/en/legal/delete-account.
When you delete your account:
- your account data, authentication credentials, profile data, user content and support correspondence are deleted from our active systems within 30 days;
- data is removed from backups within an additional 30 days;
- payment data is retained for 5 years in anonymised form, as required by tax and accounting laws;
- any unused in-service credit balance is forfeited and not refunded in cash, except as provided in our Refund Policy.
11. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Service, remember your preferences and (with your consent) to analyse how the Service is used.
Detailed information about cookies is available in our Cookies Policy.
You can manage your cookie preferences via the cookie banner shown on your first visit and via the "Cookie Settings" link in the website footer.
12. Children's Privacy
The Service is not intended for users under the age of 18. We do not knowingly collect personal data from children or minors.
If you become aware that a child has provided us with personal data, please contact us at legal@socrion.io and we will take steps to delete such data.
13. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- encryption of data in transit using TLS/HTTPS;
- hashing of passwords using bcrypt;
- access controls and audit logging;
- separation of duties and least-privilege access for personnel;
- regular security review of third-party processors.
No method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Articles 33–34 GDPR.
14. No Cross-App Tracking and No Advertising
We do not engage in cross-app or cross-website tracking. Specifically:
- we do not collect or share your IDFA (Identifier for Advertisers on iOS), GAID (Google Advertising ID on Android), or similar device identifiers for advertising or tracking purposes across other apps or websites operated by third parties;
- we do not display third-party advertising within the Service;
- we do not integrate advertising SDKs that profile users for behavioural advertising;
- the Service does not require, and does not display, the App Tracking Transparency (ATT) consent prompt on iOS, because we do not track you across apps and websites owned by other companies.
The only identifiers we collect (account identifier, session identifier, technical data such as IP address and User-Agent) are used solely to operate the Service, prevent fraud, and provide customer support — not for advertising.
15. AI Processing and Model Training
The content you submit when requesting a reading (your question and any optional context) is transmitted to our third-party AI provider (currently Anthropic, Inc., see Section 5) solely for the purpose of generating an interpretation of your reading in real time during your session.
Under the API terms of our AI provider, the content you submit is not used for training or fine-tuning AI models. Your questions, the resulting interpretations and any related session data are not pooled into AI training datasets.
When transmitting your question to the AI provider, we send only the text of your question and the configuration of the spread (selected cards, layout) — we do not transmit your account identifier, name or email address along with the request.
16. Marketing Communications
We do not send marketing communications by default. You may opt in to receive product news, educational content and special offers via your account settings at https://app.socrion.io.
You can opt out at any time by:
- toggling off marketing notifications in your account settings;
- clicking the "Unsubscribe" link in any marketing email;
- contacting us at legal@socrion.io.
Transactional emails (email verification, password reset, payment receipts, security alerts) are sent regardless of marketing consent on the basis of contract performance (Art. 6(1)(b) GDPR).
17. Disclaimer Regarding the Nature of the Service
The Service provides AI-generated tarot card interpretations for entertainment purposes only. The Service is not, and should not be used as, a substitute for professional medical, psychological, legal, financial or other professional advice.
Decisions taken on the basis of the Service are your sole responsibility.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices or legal requirements.
If we make material changes, we will notify you via email or through the Service at least 14 days before the changes take effect. The "Effective date" at the top of this Policy indicates when it was last updated.
Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy. If you do not agree, you should stop using the Service and may delete your account.
19. Contact
If you have any questions, concerns or requests regarding your personal data or this Policy, please contact us:
Dmitrii Kuznetsov, Independent Developer.
Address: Soi Saturdays, Saturdays Residence by Sure, Building B, B107, 136 | 191, Rawai, Phuket 83100, Thailand. Email: legal@socrion.io
We aim to respond within one month from receipt of your request.