Privacy Policy
Draft of 2026-06-25, before legal review. This document is not legal advice; a review by a lawyer is recommended before public launch and before accepting payments.
This Policy describes what personal data the website runoscript.com ("Runoscript", "the Service") processes, for what purposes and on what legal basis, with whom it is shared, and what rights you have.
Data controller: Anna Berelet, a natural person; contact for data requests — [email protected]. Jurisdiction: the Republic of Cyprus (applicable law — the law of the Republic of Cyprus).
1. What data we collect
- From your Google account (when you sign in with Google OAuth, scope
openid email profile): your email address, your permanent Google identifier (sub), your name and profile picture. We do not receive or store your Google password. - Reading history: your question and the text of the AI reading, the spread type and the runes drawn, the date. The question and the reading text are encrypted on our side before being stored.
- Pseudonym — if you choose to provide one (optional).
- Technical data: a session cookie (to keep you signed in), your IP address and request frequency (for abuse protection and limits).
- Analytics: anonymized usage statistics via Google Analytics 4 (see §4 and §6).
- Payment data: when you pay for reading packs, the payment is processed by Creem. Card details are entered on Creem's side — we do not receive or store them; we receive the fact of payment and a transaction identifier in order to credit your account.
We do not collect your date of birth.
2. Why and on what basis (GDPR)
| Purpose | Data | Legal basis |
|---|---|---|
| Sign-in and identification | email, Google sub, name |
performance of a contract (providing access) |
| Reading + limit/credit accounting | reading history, quota | performance of a contract |
| Abuse protection | IP, request frequency | legitimate interest |
| Analytics | anonymized events | consent (cookie banner) |
| Payment processing | the fact and id of the transaction | performance of a contract |
3. Storage and security
- Data is stored in a database reachable only from localhost; only the web application is exposed externally.
- The sensitive fields of the reading history (the question and the result) are stored encrypted; the encryption key is not kept together with the database.
- Retention: reading history is kept until the account is deleted. Payment records are kept to the extent and for the period required by the tax law of the Republic of Cyprus (typically 6 years).
4. With whom data is shared (third parties)
- Google — authentication (Sign in with Google).
- Google Analytics 4 — anonymized usage analytics.
- Cloudflare — site delivery and protection (CDN/tunnel).
- Creem — payment processing (merchant of record).
We do not sell your personal data.
5. Your rights
Under the GDPR you have the right to: access your data, rectify it, delete your account and data, restrict processing, obtain a copy (portability), and withdraw consent to analytics. Deleting your account erases your reading history. To exercise these rights, write to [email protected].
6. Cookies
- Session cookie (mandatory) — keeps you signed in; without it sign-in does not work.
- Analytics cookies (GA4) — set only with your consent (banner).
7. Minors
The Service is not intended for persons under 18. We do not knowingly collect data from minors.
8. Changes
We may update this Policy; the date at the top reflects the latest revision. We will notify you within the Service of any material changes.
9. Contact
Questions about data processing: [email protected].