Skip navigation
MysticalOrb

Privacy Policy

Last updated: 03/06/2026

MysticalOrb ('we') respects your privacy and is committed to protecting your personal data under the Personal Data Protection Law No. 91/2025/QH15 (effective 01/01/2026). This policy explains how we collect, use, and protect your information when you use the MysticalOrb app.

1. Information we collect

When you use MysticalOrb anonymously (without signing in), we do not collect any personally identifiable information. Each session is assigned a random anonymous identifier that cannot be linked to your real identity.

When you choose to sign in with a Google or Facebook account, we collect the following information from the authentication provider:

  • Display name
  • Email address
  • Profile picture (profile photo URL)
  • User identifier from the provider (Google UID / Facebook UID)

We also store the content of your Tarot readings, including:

  • The question you enter into the app
  • The Tarot cards drawn
  • The AI-generated interpretation based on your question and cards
  • The time the reading was performed

2. How we use your information

We use the information we collect for the following specific purposes:

  • Providing the service: Creating personalised Tarot interpretations using AI based on your specific question and cards.
  • Storing history: Allowing you to review your previous readings in your account.
  • Authentication and security: Verifying user identity and protecting your account.
  • Improving the service: Analysing aggregated data (not personally identifiable) to improve interpretation quality and user experience.
  • Usage analytics: Collecting anonymous statistics about how users interact with the app (via Google Analytics with IP anonymisation enabled).

3. Data retention

We only retain your data for as long as necessary to provide the service:

  • Reading history: Stored until you request account deletion. When an account is deleted, all associated readings are deleted with it.
  • Authentication account: Login information (name, email, profile picture) is kept until you delete your account or revoke app access from your Google/Facebook account.
  • Anonymous accounts: Anonymous sessions not linked to a real account are automatically deleted after 30 days of inactivity.
  • System logs: Operational logs are kept for up to 30 days for security and troubleshooting purposes.
  • Consent records: Records of your agreement to this policy are stored for the lifetime of your account to meet legal compliance requirements.

4. Your rights

Under the Personal Data Protection Law 2025 (Article 9), you have the following rights over your personal data:

  • Right of access: Request to view the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data ('right to be forgotten'). Upon receipt of a valid request, we will delete the account and all associated data within 30 days.
  • Right to withdraw consent: Withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing before the withdrawal. You may withdraw by signing out and deleting your account, or revoking app access from your Google/Facebook account.
  • Right to restrict processing: In certain circumstances, request that we limit how we process your data.
  • Right to lodge a complaint: Submit a complaint to the competent personal data protection authority in Vietnam if you believe we have processed your data unlawfully.

To exercise any of the above rights, please contact us at the email address provided in the Contact section below.

5. Data security

We apply appropriate technical and organisational security measures to protect your data:

  • Encryption at rest and in transit: All data is stored on Google Firebase Firestore, encrypted at rest and in transit using TLS 1.3.
  • Server-side API keys: API keys used to access the AI service (Google Gemini) are stored and used on the server only. No secret keys are exposed on the browser side.
  • Firestore security rules: Reading data and account information can only be accessed by the account owner. No client application can write directly to the database — all write operations are performed through Firebase Cloud Functions on the server.
  • Third-party authentication: We use Firebase Authentication (Google) to manage identity and do not store your password.
  • Certified cloud infrastructure: Data is stored on Google Cloud infrastructure in the Southeast Asia region (asia-southeast1), complying with ISO 27001 and SOC 2 standards.

6. Payment data

When you purchase credits via bank transfer (SePay), we process information from the transfer notification including: transfer amount, transfer memo (order reference code), and transaction time. We do not store your bank card number, bank account number, or any payment card information.

The legal basis for processing payment data is contract performance — specifically completing your credit purchase — under the Personal Data Protection Law No. 91/2025/QH15.

Payment order records are stored for 5 years for accounting and dispute resolution purposes in accordance with Vietnamese accounting law. Card numbers and bank account numbers are not recorded anywhere in our system.

Transfer notifications are processed by SePay (sepay.vn), a domestic payment gateway. All data is processed within the territory of Vietnam.

If we add an international payment method in the future, this policy will be updated to reflect that provider.

7. Ad Tracking and Cookies

MysticalOrb uses third-party advertising tracking tools (Meta Pixel, Google Analytics) to measure advertising effectiveness and optimise marketing campaigns. These tools may place cookies on your device and send event data to Meta and Google servers located abroad.

We only activate these advertising tracking tools after you give your consent. You can change or withdraw your consent at any time via .

Data sent to advertising platforms is processed in hashed form and does not include your name, email, phone number, or any directly identifying personal information.

Under the Personal Data Protection Law No. 91/2025/QH15 (effective 01/01/2026), you have the right to refuse or withdraw consent to the processing of your data for advertising purposes at any time without affecting your access to the app's core features.

8. Contact

If you have any questions about this privacy policy, wish to exercise your rights over personal data, or wish to lodge a complaint, please contact us:

For complaints relating to personal data protection violations, you have the right to submit a complaint to the Ministry of Public Security — the authority responsible for personal data protection in Vietnam under Law No. 91/2025/QH15.

9. Changes to this policy

We may update this privacy policy from time to time to reflect changes to our service, technology, or legal requirements.

When we make significant changes, we will notify you in one of the following ways:

  • Displaying an in-app notification the next time you open the app
  • Sending an email to your registered email address (if applicable)

The date of the last update will be noted at the top of this page. Continuing to use the app after the policy has been updated means you accept the new policy. If you do not agree with any changes, you may stop using the service and request account deletion.

© 2026 MysticalOrb. Back to app

This app is for entertainment and self-reflection only. It is not medical, legal, or psychological advice. Please seek professional advice when needed.