Privacy Policy
1. Who We Are
Vesperine is operated for English-language customers by NOMAD SUSTAINTECH LIMITED (hereinafter "we").
Registered address: Auckland, New Zealand.
Support: [email protected]|Read together with our Terms of Service.
2. Data We Collect
Account: email, password hash, locale, timezone, login device / IP (for fraud prevention).
Reading inputs: name or handle, birth date, birth time, birth place, gender, calendar, your question. Birth time and place are treated as highly sensitive.
Payment: name, email, order ID, amount, result. We do not collect or store full card numbers, expiry, or CVV — those are handled directly by Stripe (the only payment processor used for English-market checkouts).
Public supporter data: if you choose named support for the first-signal pool, we store and publish your display name, short message, and support amount. Anonymous support does not publish your name or message.
Vesperine Memory: context, preferences, boundaries, or recurring themes you explicitly save for future readings. You can edit or delete these notes in your account.
Usage: readings you generate (saved to your history), token transactions, subscription status, master bookings, support tickets.
Location and region data: we use country-code headers, browser language, and timezone to route visitors to the right language, currency, payment flow, and legal entity. If you have already granted browser location permission, we may log rounded approximate GPS coordinates for traffic distribution analysis; we do not store precise street-level location.
Cookies and similar technologies: login session, locale, anti-fraud, first-party analytics; if enabled for paid campaigns, Meta Pixel, Google Ads, Google Tag Manager, or Microsoft Clarity may measure ad performance, conversion events, heatmaps, and session replay. Question textareas, birth-data fields, and reading body content are masked from session-replay tooling.
3. How We Use Data
To deliver the services you bought (readings, tarot, oracle, subscription, master matching, e-invoices).
To publish named support records on the supporter wall when you opt in.
To send service notifications (password reset, subscription renewal, master reply, reading complete). If you leave your email after the first signal and opt in, we may send a short onboarding sequence; you can unsubscribe.
To provide continuity from Vesperine Memory you explicitly save; these notes do not override the current chart, cards, or question.
To show the appropriate language, currency, payment processor, and legal entity for your region.
To improve quality via de-identified or aggregated analysis. We do not send your inputs / outputs to third-party AI vendors for model training.
Fraud prevention and lawful request compliance.
4. Third-Party Recipients
Payments: Stripe (Stripe Payments New Zealand Limited) processes all English-market payments, refunds, and card tokenisation. We do not pass your card details through our servers.
AI vendors: Anthropic (Claude API) and our self-hosted Qwen model are the two AI vendors used to generate readings. When Anthropic is used, your inputs are sent to Anthropic's servers (United States) for inference and are not used by Anthropic to train models, per Anthropic's commercial terms. When self-hosted Qwen is used, your inputs stay inside our infrastructure and are not sent to a third-party AI vendor.
Email: a third-party transactional email service (currently Gmail SMTP / Google Workspace) is used to deliver password resets, receipts, and onboarding messages.
Marketing measurement: when enabled for campaigns, Meta Pixel, Google Ads, Google Tag Manager, or Microsoft Clarity may receive pageview, registration, lead, checkout, and heatmap events. Sensitive surfaces (questions, birth data, reading bodies) are masked from session-replay tooling — see §2 for the masking detail.
Cloud infrastructure: Vesperine is delivered from cloud infrastructure located in Taiwan (Taiwan Computing Cloud), chosen for cost and proximity to our self-hosted AI inference. This is hosting/infrastructure only — your billing relationship is with the New Zealand operating entity above, and the choice of cloud region does not change the legal entity you transact with or the consumer rights described in §6 below.
We do not sell your personal data.
5. Retention
Account: until 30 days after deletion (except records we must keep for tax / accounting law).
Reading inputs / reports: kept in your history until you delete; you can delete individual readings from the wallet page.
Vesperine Memory: kept until you delete the note or delete your account.
Payment records: kept for at least 7 years to meet New Zealand Inland Revenue and Companies Act record-keeping requirements that apply to the operating entity above.
Server logs: 90 days.
6. Your Rights
Australian users: under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you may request access to and correction of personal information we hold about you. You may also complain to the Office of the Australian Information Commissioner (OAIC, oaic.gov.au) if you believe your rights have been breached.
New Zealand users: under the New Zealand Privacy Act 2020, you may request access to and correction of personal information we hold about you, and you may complain to the Office of the Privacy Commissioner (privacy.org.nz) if you believe your rights have been breached.
EEA / UK users: GDPR / UK GDPR rights apply where relevant, including access, rectification, erasure, restriction, portability, and the right to lodge a complaint with your supervisory authority.
Canadian users: under PIPEDA, you may request access to and correction of personal information we hold about you, and you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca). We collect your birth date, time, and place solely to calculate your chart — that purpose is stated at the point of collection. Quebec residents: services are not currently directed to Quebec.
Hong Kong users: under the Personal Data (Privacy) Ordinance (PDPO), you may request access to and correction of your personal data. Direct-marketing email is sent only with your explicit opt-in consent and every message carries a working unsubscribe. As §4 discloses, data is processed on servers located in Taiwan. You may complain to the Office of the Privacy Commissioner for Personal Data (pcpd.org.hk).
Malaysian users: under the Personal Data Protection Act 2010 (as amended 2024), you may request access to and correction of your personal data and withdraw consent to processing. Data may be processed outside Malaysia as described in §4. You may complain to the Personal Data Protection Department (pdp.gov.my).
Korean users: under the Personal Information Protection Act (개인정보 보호법, PIPA), you may request access to, correction of, and deletion of your personal information, and withdraw consent at any time. Your data is processed on overseas servers (Taiwan / United States, per §4) — joining the early-access list or using the service constitutes the explicit overseas-transfer consent PIPA requires, and you may withdraw it by emailing us. You may contact the Personal Information Protection Commission (pipc.go.kr).
To make a request, email [email protected]. We respond within a reasonable period — typically 30 days — subject to records we must keep for tax, dispute handling, fraud prevention, security, and legal compliance.
7. Minors
Service is for users 18+. If you are under 18, do not register or use the service. We terminate underage accounts and delete data on discovery.
8. Security
TLS in transit; bcrypt for passwords; card data is handled directly by Stripe (PCI-DSS Level 1 certified) and never reaches our servers; cloud infrastructure (see §4) is configured with access control and least-privilege. No internet transmission is 100% secure.
9. Cookies
Essential: login session, CSRF token, locale. Cannot be disabled.
Analytics and ad measurement: see §2 (Cookies and similar technologies) and §4 (Marketing measurement) — same vendors and same masking rules apply, listed there in detail rather than duplicated here.
10. Updates
Policy version: 2026-05-12. Material changes will be announced on the site or by email. Continued use constitutes acceptance.