Privacy Policy

Sacred Self Daily Operated by Sinal Group / Velocity Estates LLC

Effective Date: May 18, 2026 Last Updated: May 18, 2026 Legal Entity: Velocity Estates LLC (Illinois)

1. Introduction

Sacred Self Daily is an astrology, tarot, and personality content service operated by Velocity Estates LLC ("we," "us," "our"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and what rights you have over it.

This policy applies to your use of sacredselfdaily.com and any associated mobile applications, email communications, and related services (collectively, the "Service").

By creating an account or using the Service, you acknowledge that you have read and understood this policy. If you do not agree with how we handle your data, do not use the Service.

This policy should be read alongside our Terms of Service.

2. Data We Collect

We collect the following categories of personal data:

2.1 Identity Data

2.2 Birth Data

Birth date, birth time, and birth location. This is sensitive personal data processed to generate your personalized natal chart and daily readings. Birth data is the core of the Service — without it, we cannot provide personalized content. Under GDPR, birth data that allows derivation of astrological identifiers is treated as personal data requiring a lawful basis for processing. We process it on the basis of your explicit consent and, for paid subscribers, the performance of our contract with you.

Birth data is used exclusively to generate content for you. It is not used for marketing profiling, sold to data brokers, or shared with third parties except as required to deliver the Service (see Section 6).

2.3 Partner Birth Data

If you use the synastry (relationship reading) feature (Sacred tier), you may enter birth data for a second person — a partner, family member, or friend. That person has rights over their own data even though they are not an account holder. See Section 11 (Partner Data) for the specific handling rules that apply.

2.4 Behavioral Data

We use behavioral data to improve content relevance and to model which content resonates with users in aggregate. Behavioral data is never sold. Individually identifiable behavioral data is deleted or anonymized when your account is deleted.

2.5 Technical Data

2.6 Subscription and Billing Data

We process subscription and billing transactions through Stripe. We do not store your full credit card number, card verification code, or bank account details on our servers. Stripe stores payment instrument data under its own PCI-DSS compliance program. We retain:

2.7 Marketing and Attribution Data

We use this data to understand which acquisition channels work and to credit affiliate partners appropriately when a purchase follows from an affiliate referral.

2.8 Consent Records

We maintain a complete audit log of your consent history: when you confirmed your email (for users in jurisdictions requiring confirmed opt-in), when you accepted or withdrew marketing consent, and the state of your consent at the time every marketing email was sent. This record is retained as a legal compliance record even after account deletion.

3. How We Use Your Data

We use your personal data for the following purposes:

To provide the Service. We process your birth data and behavioral signals to generate personalized daily readings, transit forecasts, tarot pulls, and other content. This is the primary purpose.

To deliver communications. We send you your daily reading, transactional emails (billing receipts, account security alerts, password resets), and, with your consent, marketing communications (welcome sequences, seasonal campaigns, upgrade offers).

To process subscription payments. We use your billing data and Stripe's infrastructure to charge, renew, pause, and cancel your subscription.

To enforce trial terms and prevent abuse. We retain a minimal record (email hash) after account deletion to prevent a deleted user from claiming a second $1 trial. This is a legitimate interest and fraud prevention basis.

To comply with legal obligations. We retain billing records for tax and financial compliance. We maintain deletion audit logs as required by GDPR Article 17. We retain consent records as evidence of lawful processing.

To improve the Service through aggregated analytics. We analyze aggregate usage patterns — which content formats generate higher engagement, which transit types resonate most — to improve content quality. This analysis operates on anonymized or aggregated data. No individual user's data is analyzed in isolation for product improvement purposes.

To detect and prevent fraud. We use technical signals (IP patterns, device fingerprints) to detect trial gaming and account abuse.

To support partner data removal requests. If a third party submits a request to remove birth data that another user entered about them, we process that request. See Section 11.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area, United Kingdom, and other jurisdictions where GDPR-equivalent law applies, we identify the following lawful bases for each processing purpose:

Consent (GDPR Article 6(1)(a)):

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal. To withdraw marketing consent, use the unsubscribe link in any marketing email or adjust your preferences in account settings.

Contract performance (GDPR Article 6(1)(b)):

Legitimate interests (GDPR Article 6(1)(f)):

We have conducted a balancing test for each legitimate interest purpose. Where our interests conflict materially with your fundamental rights, we default to consent or contract performance as the basis instead. If you wish to object to processing on legitimate interest grounds, see Section 7 (Your Rights).

Legal obligation (GDPR Article 6(1)(c)):

5. Data Retention

We retain personal data for the periods described below:

Active account: We retain your account data for as long as your account is active.

Inactive account: If your account shows no activity for 24 consecutive months, we anonymize your personal data. Your account shell is retained but stripped of personally identifying information.

Deleted account: When you request deletion, we initiate a 7-day grace period during which you can rescind the request. After the grace period, we execute a hard delete of your personal data across all systems within 14 days (our operational target; the GDPR statutory deadline is 30 days). We issue a deletion certificate on completion.

Consent and audit records: Consent records, email send logs, and deletion audit logs are retained for 7 years after account closure. These records document that we processed your data lawfully. They contain minimal identifying information (user identifiers rather than your name or full email) and are used only for legal compliance purposes.

Financial records: Billing history, invoices, and payment records are retained for 7 years as required by tax law. Stripe retains transaction records under its own legal obligations; those records are subject to Stripe's retention policy.

Partner data: Partner birth data is retained while the account holder maintains the partner in their saved list. Upon removal by the account holder, partner data is soft-deleted and permanently erased 90 days later. Upon a valid partner-initiated removal request, partner data is permanently erased immediately after operator review. Upon deletion of the account holder's account, partner data is deleted as part of the account deletion.

6. Data Sharing

We do not sell your personal data. We share data with the following parties under the conditions described:

Stripe — Payment processing. Stripe processes your payment information under its own privacy policy and terms. We have a Data Processing Agreement (DPA) with Stripe. Stripe complies with GDPR through Standard Contractual Clauses (SCCs). Stripe retains transaction records as required by financial regulation; these are outside our control once transmitted.

Resend — Transactional and marketing email delivery. Resend operates in EU data regions for EU users. We have a Data Processing Agreement with Resend. Data transferred to Resend includes your email address, first name (if provided), and the content of the email being sent. Resend does not use your data for its own marketing purposes.

Supabase — Database hosting and authentication. All user data is stored in Supabase. EU user data is hosted in Supabase's EU region. US user data is hosted in Supabase's US region. We have a Data Processing Agreement with Supabase. Supabase provides GDPR compliance through Standard Contractual Clauses.

Affiliate networks — Only when you click an affiliate offer. Free-tier users see affiliate offers integrated into the Service. If you click an affiliate link, we transmit a referral identifier to the affiliate network to track the referral. We do not transmit your name, email address, birth data, or any other personal data to affiliate networks. The referral identifier links to an anonymized click event, not to your personal profile. You may opt out of receiving affiliate offers by updating your preferences in account settings.

Legal authorities — If required by law, court order, or regulatory order, we may disclose data to governmental authorities. We will attempt to notify you if we receive such a request, unless legally prohibited from doing so.

Service continuity — In the event of a merger, acquisition, or sale of the business, user data may be transferred to a successor entity. We will notify you in advance and give you the opportunity to delete your account before any transfer occurs.

We never share your data with: data brokers, advertising networks, social media platforms for retargeting purposes, third-party AI training datasets, or any party for purposes beyond what is described in this policy.

7. Your Rights

Depending on your jurisdiction, you have the following rights over your personal data. To exercise any right, contact us at privacy@sacredselfdaily.com.

Right of access. You may request a copy of all personal data we hold about you. We will provide this within 30 days of a verified request, in a commonly used electronic format.

Right to rectification. You may correct inaccurate personal data. You can update your birth data, email address, and country directly in account settings. For corrections that require us to recompute your chart or readings, we will do so upon your request.

Right to erasure (right to be forgotten). You may request deletion of your account and all personal data. We provide a self-service deletion flow in account settings. After a 7-day grace period, we execute a complete deletion of your personal data across all our systems and issue a deletion certificate. Some data is retained under legal exemptions (consent audit logs, billing records, compliance records subject to legal hold) — these are described in the deletion certificate we issue.

Right to restriction. You may request that we pause processing of your data while you dispute its accuracy or the lawfulness of our processing. During restriction, we retain your data but do not process it for any purpose other than storage.

Right to data portability. You may request an export of your personal data in a machine-readable format (JSON). This includes your profile data, birth data, reading history, and saved content.

Right to object. You may object to processing based on legitimate interests at any time. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for a legal claim.

Right to withdraw consent. Where processing is based on your consent, you may withdraw it at any time through account settings or by contacting us. Withdrawal does not affect processing that occurred before withdrawal.

Right to lodge a complaint. If you believe we have violated your data protection rights, you may lodge a complaint with your national data protection supervisory authority. EU users may contact the supervisory authority in their country of residence. UK users may contact the Information Commissioner's Office (ICO). US users may contact the Federal Trade Commission.

California-Specific Rights (CCPA / CPRA)

If you are a California resident:

California residents may submit requests to privacy@sacredselfdaily.com or through the account settings deletion flow. We will verify your identity before processing a deletion or disclosure request.

8. Cookies and similar technologies

We use a minimal set of cookies and similar storage to make the site work, remember your preferences, and measure how the site is used. We do not sell your data.

Essential — Required for sign-in, session management, fraud prevention, and CSRF protection. These are set whenever you use the site and cannot be disabled.

Functional — Your theme preference, reading persona, delivery time settings, and similar UI choices. Stored locally; not shared with third parties.

Analytics & measurement — When you grant analytics consent, we load two third-party tools that help us understand how the site performs and which content resonates:

aggregated audience patterns. We send Google an anonymized IP and limit retention to 14 months. See Google's privacy policy: https://policies.google.com/privacy.

with our paid advertising on Facebook and Instagram, and helps us reach similar audiences. We do not send Meta personally-identifying details beyond what you choose to share (e.g., email when you join the waitlist). See Meta's data policy: https://www.facebook.com/policy.php.

You can change your cookie preferences at any time by clicking "Cookie Preferences" in the footer of any page. If you decline analytics consent, Google Analytics and Meta Pixel do not load.

For users in the EU, EEA, and UK, non-essential cookies require your explicit consent before being set. A cookie consent banner is presented on first visit.

9. International Data Transfers

EU/EEA users: Your personal data is stored in Supabase's EU data region. Email delivery through Resend uses EU infrastructure where available. Payment data passes through Stripe's US infrastructure — this transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, which Stripe maintains. We do not transfer EU user data to countries without adequate data protection standards outside of these SCCs.

US users: Your personal data is stored in Supabase's US data region.

UK users: Post-Brexit, your data is processed under UK GDPR and the Data Protection Act 2018. The same protections as EU users apply. Transfers to our service providers are governed by the International Data Transfer Agreement (IDTA) where applicable.

Other jurisdictions: If you access the Service from a jurisdiction with its own data transfer rules, we apply the most protective standard applicable to your situation.

10. Children's Data

The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18.

If we discover that an account holder is under 18, we will immediately terminate the account and delete all associated personal data.

For users under 13 (where COPPA applies), we do not collect personal information and have no mechanism for doing so intentionally. If we become aware that we have inadvertently collected personal information from a child under 13, we will delete it promptly. Parents or guardians who believe we may have collected data from a child under 13 should contact us immediately at privacy@sacredselfdaily.com.

11. Partner Data (Synastry Feature)

The synastry reading feature (Sacred tier) allows you to enter birth data for a second person — a partner, family member, or friend — to generate relationship readings. This creates data rights obligations for that person (the "partner"), even though they are not a Sacred Self Daily account holder.

What we collect about partners: Name (or label you assign), birth date, birth time (optional), and birth location.

How we use partner data: Exclusively to generate relationship readings for you. Partner data is not used for marketing, not shared with advertisers, not used to train AI models, and not cross-referenced with other users' partner records except for the purpose of processing a partner-initiated removal request.

Retention: Partner data is retained while you keep the partner in your saved list. When you remove a partner, their data is soft-deleted and permanently erased 90 days later. This window allows you to restore the record if you removed it accidentally. If your account is deleted, all partner data is deleted at the same time.

Partner rights: Even though the partner has no Sacred Self Daily account, they have rights over their data:

Partner data removal: Partners (and anyone who believes their birth data may have been entered into the platform by another user) can request removal at: sacredselfdaily.com/partner-data-removal — no account required.

Your responsibility: When you enter another person's birth data, you attest that you have a legitimate personal reason for doing so. You cannot consent on another person's behalf, and entering someone's data without a legitimate basis is a misuse of the Service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — changes that affect how we use your data in ways that differ materially from this version — we will:

For non-material changes (correcting typos, clarifying existing practices, adding detail without changing substance), we will update the policy and note the revision date without advance notice.

If you do not agree with a material change, you may close your account and request deletion of your data before the change takes effect. Your continued use of the Service after the effective date of a material change constitutes acceptance of the updated policy.

13. Contact and Data Protection

Privacy inquiries: privacy@sacredselfdaily.com

Data subject rights requests: privacy@sacredselfdaily.com We respond to all verified requests within 30 days. Complex requests may require up to 90 days; we will notify you within 30 days if an extension is needed.

Legal mailing address for regulatory and legal notices:

Velocity Estates LLC [STREET ADDRESS] [CITY, STATE, ZIP] United States

Data Protection Officer (DPO):

Not applicable for the current US-only launch. Sacred Self Daily does not target or knowingly serve EU users at this time. A DPO will be appointed before any EU launch. For privacy inquiries in the meantime, contact privacy@sacredselfdaily.com.

*This Privacy Policy was prepared as a baseline for Sacred Self Daily. It is not a substitute for legal counsel. Operator should obtain a qualified privacy lawyer's review before launch, particularly for EU compliance under GDPR and the EU AI Act, and for any jurisdiction-specific obligations that arise as the user base scales.*

Privacy Policy | Sacred Self Daily