Privacy Policy

Version 2026-05-20.1 · Effective 2026-05-20

HOLODATA ("we", "us") respects your privacy. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and what rights you have. Together with the Terms of Service it forms the complete legal contract between you and HOLODATA.

01 Information We Collect

  • Account information: name (or handle), email, hashed password.
  • Birth profile (if saved): date of birth, time of birth (down to 时辰 precision), gender, place of birth (city name, optional latitude/longitude, optional timezone), notes.
  • Casting content: question text submitted to the AI Diviner, input parameters at casting time, generated charts and readings, archived hexagrams, user feedback.
  • Usage data: pages you visit, click events (anonymised for operational analytics), device type, browser, operating system.
  • Technical data: IP address (used only for the anonymous-rate-limit counter, SHA-256-hashed before storage), user agent.
  • Email subscription: the product-updates preference you opted into.

02 How We Use This Information

  • provide casting and reading services, save your charts and profile, display archived history;
  • maintain account login, password reset, email verification;
  • compute the daily anonymous rate limit (anti-abuse) without retaining identifying IPs;
  • send account-related transactional emails (OTPs, password resets, and product updates, the last of which you can unsubscribe from at any time);
  • measure and optimise site performance, fix bugs, detect anomalous traffic;
  • comply with legal obligations (responding to lawful requests, fraud prevention, protecting others' safety).

03 Things We Never Do

We do not sell, rent, or trade your personal information. We do not provide your birth details, casting questions, or readings to any third party for use in training their AI models.

We also do not build profiles from your divination data for third-party ad targeting (we serve no third-party ads at all).

04 With Whom We Share (least-privilege)

We share only the minimum information necessary, only with the following parties:

  • Cloudflare (hosting / CDN / Workers / D1 database / DNS) — infrastructure provider; shared: all technical-layer requests and database content (under their encrypted storage).
  • Resend (transactional email) — sends OTPs and product updates; shared: your email address and the email body.
  • Better-Auth (account library, running on our own Cloudflare Workers) — not an external sharing destination.
  • Upstream LLM API (the inference backend powering the HOLOS engine) — shared: your casting question text and the structured chart data; not shared: your name, email, or precise birth-location coordinates. We monitor and periodically review the upstream provider's data policy to verify they do not use our prompts or outputs for their model training.
  • Legal authorities — only upon valid subpoena, court order, or equivalent process from a court of competent jurisdiction in Australia, or where we have a good-faith belief that disclosure is necessary to prevent imminent bodily harm.

05 Storage and Security

Data is stored in Cloudflare's global D1 (SQLite) instances. The transport layer uses TLS 1.3. Passwords are stored as bcrypt hashes — never as plaintext. Backups are encrypted under Cloudflare's standard practices.

Despite reasonable industry-standard security, no system is 100% secure. In the event of a data breach we will notify affected users and relevant regulators within 72 hours per the Australian Notifiable Data Breaches Scheme.

06 Data Retention

  • Active account data: retained for the life of your account.
  • Deleted accounts: cleared from the live service within 30 days; backups rotate within 90 days.
  • Anonymous rate-limit counters: retained for 24 hours, then auto-rolled.
  • Email delivery logs: Resend retains for 30 days; we do not separately retain the email bodies after that.
  • Legal retention: longer periods may apply where required by compliance (anti-fraud, tax, legal process).

07 Your Rights

As a data subject, you have the following rights (to the extent permitted by the Privacy Act 1988 (Cth), EU GDPR, California CCPA, and other applicable laws):

  • Right of access: view all your saved data via account settings.
  • Right of correction: self-edit your account and birth profile; for errors elsewhere, email info@holodata.au.
  • Right to erasure: Account Settings → Delete Account; all data removed from the live service within 30 days.
  • Right to portability: Account Settings → Data Export → one-click JSON file containing your birth profile, archived readings, feedback, and account metadata.
  • Right to opt out: every product-updates email has an "unsubscribe" link in the footer; clicking it permanently unsubscribes you from that category (account-essential emails like OTPs cannot be opted out of).
  • Right to complain: if you have concerns, contact info@holodata.au, or lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

08 Cookies and Local Storage

We use the following cookies and browser-local storage:

  • Session cookie (essential): keeps you logged in. HTTP-Only, Secure, SameSite=Lax.
  • Locale cookie (essential): remembers your language selection.
  • localStorage: holodata:tos_accepted_*: records the Terms version you've accepted so we don't re-prompt you.
  • Theme preference (dark/light/system).

We do not use third-party tracking cookies — no Google Analytics, no Facebook Pixel, no advertising trackers of any kind.

09 Minors

The Service is not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If you are the legal guardian of a minor and discover that the minor has submitted personal information to us, please contact info@holodata.au and we will delete it.

10 International Data Transfers

Our services run on Cloudflare's global network; your data may be replicated across Cloudflare data centres for low-latency delivery. All transfers use encrypted channels. Our primary database sits on Cloudflare's global D1, which operates under its compliance frameworks (SOC 2 Type II, ISO 27001, etc.).

11 Policy Modifications

We may update this Policy from time to time. The latest version will be posted on this page with its effective date. Material changes will be notified by email or in-product banner to registered users. Continued use of the Service constitutes acceptance.

12 Contact Us

Privacy questions, data requests, deletion requests, complaints: info@holodata.au