Privacy Policy
Last updated: May 25, 2026
Data Controller
CrushIT, operated by Roman Nikitin, based in Spain ("we", "us", "our"), is the data controller for the Skein mobile application ("the App"). Skein was previously known as "Tarot Deck" during development.
Contact: r.nikitin.crushitapp@gmail.com
Information We Collect
Information You Provide
- Account data: If you sign in with Apple or Google, we receive your name and email address (Apple users may choose to hide their email).
- Profile data: Username, avatar selection, and location (city/coordinates) if you choose to set it.
- Journal entries: Personal reflections you write are stored on your device and optionally synced to our servers if you sign in.
- Photo attachments: If you attach photos to journal entries, we read those photos from your device's photo library (you control which ones, per Apple/Google's Photos picker). They live on your device. We upload them to our servers only if you opt in to cloud backup.
- Voice transcriptions: If you use voice reflection, your speech is transcribed by your device's speech-recognition system (Apple on-device speech recognition on iOS 17+ where available; otherwise the system speech service). We receive the resulting text only as part of your journal entry. We do not store the audio recording itself.
- Physical-deck registry: Names and optional photos of real-world tarot decks you choose to register, stored alongside your journal entries.
Information Collected Automatically
- Usage analytics: We use PostHog (hosted in the EU) to collect anonymized usage data such as screens viewed, features used, and app events. Plus-tier monetization funnel events (paywall opened, subscribe / restore / cancel) carry only the source surface and the chosen tier — never personal data. This helps us improve the App. You may opt out of analytics in Settings.
- Device information: Device type, operating system version, app version, timezone, and language preference.
- Push notification tokens: If you enable notifications, we store your device's push token to send reminders.
- Subscription status: If you subscribe to Skein Plus, RevenueCat (our subscription processor) tracks your entitlement status — active / cancelled / expired — so the App can unlock Plus features when you launch it on a new device. Apple processes the actual payment; we never see card numbers or billing addresses.
Information We Do NOT Collect
- We do not collect payment information. All purchases are processed by Apple (App Store) or Google (Play Store).
- We do not track your precise location in real time. Location is set once manually or via GPS and stored locally.
- We do not collect contacts, health data, or other personal files.
- We do not collect voice audio recordings — speech-to-text runs on-device and we receive only the text result.
- We do not collect the contents of your photo library — only the specific photos you choose to attach to a journal entry via the system Photos picker.
- We do not engage in profiling or automated decision-making as defined by GDPR Art. 22.
System Permissions We Request
- Microphone (iOS / Android): Required for voice reflection. Voice is transcribed on-device by Apple Speech / Google Speech; the App receives only the resulting text. You can deny or revoke this permission at any time in your device Settings — voice reflection will simply be unavailable; typing remains fully functional.
- Photo library: Optional, requested only when you tap "Add photo" on a journal entry. We use the system Photos picker, which gives you per-photo control on iOS 14+ and Android 13+. We never request full-library access.
- Notifications: Optional, requested when you opt in to daily card or streak reminders.
- Location: Optional, requested only when you tap "Set location" in your profile (for astrological context).
- Speech recognition (iOS): Optional, requested the first time you tap the voice button in any entry editor.
Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
| --- | --- |
| Account creation & authentication | Consent (Art. 6(1)(a)) |
| App functionality (readings, journal, sync) | Contract performance (Art. 6(1)(b)) |
| Push notifications | Consent (Art. 6(1)(a)) — opt-in required |
| Usage analytics | Legitimate interest (Art. 6(1)(f)) — improving the App |
| Purchase verification | Contract performance (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
How We Use Your Information
- App functionality: To provide the daily card ritual, journal entries with voice and photo capture, Pattern Mirror retrospective analytics over your own journal, streak tracking, astrological context, and journal themes.
- Sync & backup: To sync your data across devices when signed in.
- Notifications: To send daily card reminders and streak alerts you opted into.
- Analytics: To understand how features are used and improve the App. Plus-tier funnel telemetry helps us know which Plus features users actually engage with, so we invest in the right ones.
- Purchases & Plus subscription: To verify and deliver cosmetic items you purchase, and to keep your Skein Plus entitlement in sync across devices.
Data Storage & Transfers
- Local-first: All data is stored on your device first. The App works fully offline without an account.
- Cloud sync: If you sign in, data is synced to Supabase (servers in the EU — Frankfurt, Germany) for backup and cross-device access.
- Analytics: PostHog is hosted in the EU (Frankfurt). No personal data leaves the EU.
- Purchase verification: RevenueCat processes purchase receipts. RevenueCat is a US-based company with EU Standard Contractual Clauses (SCCs) in place for GDPR compliance.
- Authentication: Apple and Google process authentication data under their respective privacy policies and GDPR commitments.
- Cosmetic assets: Purchased card decks and card backs are cached locally on your device.
Data Processors
We use the following third-party processors, all with Data Processing Agreements (DPAs) or equivalent safeguards:
| Processor | Purpose | Data Location | Safeguards |
| --- | --- | --- | --- |
| Supabase | Database, auth, storage | EU (Frankfurt) | GDPR-compliant, DPA |
| PostHog | Analytics | EU (Frankfurt) | GDPR-compliant, DPA |
| RevenueCat | Purchase verification | US | Standard Contractual Clauses |
| Apple | Authentication, IAP | US/EU | GDPR commitments |
| Google | Authentication | US/EU | Standard Contractual Clauses |
Data Sharing
We do not sell, rent, or share your personal information with third parties for marketing purposes. Data is shared only with the processors listed above for the purposes described, and when required by law.
Your Rights
You can:
- Access your data through the App (Profile, Journal, Settings).
- Delete your account and all associated data by contacting us.
- Export your reading history through the Journal screen.
- Opt out of analytics in Settings.
- Disable notifications at any time through Settings or your device settings.
- Withdraw consent for any processing based on consent, without affecting prior processing.
GDPR Rights (Art. 15-22)
As our operations are based in Spain, we comply with the General Data Protection Regulation (GDPR). You have the right to:
- Access (Art. 15) — receive a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — "right to be forgotten," request deletion of your data.
- Restriction (Art. 18) — restrict processing in certain circumstances.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
- Object (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
To exercise these rights, contact us at r.nikitin.crushitapp@gmail.com. We will respond without undue delay, and in any event within 30 days (extendable by 60 days for complex requests, with notification).
You may also lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es.
Children's Privacy
The App is not directed at children under 16 in the EU or under 13 elsewhere. We do not knowingly collect information from children. If we become aware that a child has provided personal data, we will delete it promptly.
Data Retention
| Data Type | Retention Period |
| --- | --- |
| Account data | Until you delete your account |
| Journal entries & readings | Until you delete them or your account |
| Analytics (anonymized) | Up to 12 months |
| Push tokens | Removed on sign out or uninstall |
| Purchase records | Retained for legal/tax obligations (up to 7 years) |
After account deletion, all personal data is removed from our servers within 30 days, except where retention is required by law.
Security
We implement appropriate technical and organizational measures (GDPR Art. 32):
- Encrypted connections (TLS/HTTPS) for all data in transit.
- Row-level security (RLS) policies ensuring users access only their own data.
- Secure token storage on device (expo-secure-store).
- Authentication via established providers (Apple, Google) — we never store passwords.
- Regular access review of database and storage permissions.
Changes to This Policy
We will notify you of material changes to this policy through:
- An in-app notification or prompt.
- Updating the "Last updated" date at the top.
For significant changes affecting your rights or how we process your data, we will provide at least 14 days' notice before the changes take effect. Continued use after the notice period constitutes acceptance.
Contact
If you have questions about this Privacy Policy or wish to exercise your GDPR rights:
Email: r.nikitin.crushitapp@gmail.com
Data Protection Authority: AEPD — www.aepd.es