Privacy Policy
Last updated: April 6, 2026
Data Controller
CrushIT, operated by Roman Nikitin, based in Spain ("we", "us", "our"), is the data controller for the Skein mobile application ("the App"). Skein was previously known as "Tarot Deck" during development.
Contact: r.nikitin.crushitapp@gmail.com
Information We Collect
Information You Provide
- Account data: If you sign in with Apple or Google, we receive your name and email address (Apple users may choose to hide their email).
- Profile data: Username, avatar selection, and location (city/coordinates) if you choose to set it.
- Journal entries: Personal reflections you write are stored on your device and optionally synced to our servers if you sign in.
Information Collected Automatically
- Usage analytics: We use PostHog (hosted in the EU) to collect anonymized usage data such as screens viewed, features used, and app events. This helps us improve the App. You may opt out of analytics in Settings.
- Device information: Device type, operating system version, app version, timezone, and language preference.
- Push notification tokens: If you enable notifications, we store your device's push token to send reminders.
Information We Do NOT Collect
- We do not collect payment information. All purchases are processed by Apple (App Store) or Google (Play Store).
- We do not track your precise location in real time. Location is set once manually or via GPS and stored locally.
- We do not collect contacts, photos, health data, or other personal files.
- We do not engage in profiling or automated decision-making as defined by GDPR Art. 22.
Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & authentication | Consent (Art. 6(1)(a)) |
| App functionality (readings, journal, sync) | Contract performance (Art. 6(1)(b)) |
| Push notifications | Consent (Art. 6(1)(a)) — opt-in required |
| Usage analytics | Legitimate interest (Art. 6(1)(f)) — improving the App |
| Purchase verification | Contract performance (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
How We Use Your Information
- App functionality: To provide tarot readings, daily cards, streak tracking, astrology features, and journal.
- Sync & backup: To sync your data across devices when signed in.
- Notifications: To send daily card reminders and streak alerts you opted into.
- Analytics: To understand how features are used and improve the App.
- Purchases: To verify and deliver cosmetic items you purchase.
Data Storage & Transfers
- Local-first: All data is stored on your device first. The App works fully offline without an account.
- Cloud sync: If you sign in, data is synced to Supabase (servers in the EU — Frankfurt, Germany) for backup and cross-device access.
- Analytics: PostHog is hosted in the EU (Frankfurt). No personal data leaves the EU.
- Purchase verification: RevenueCat processes purchase receipts. RevenueCat is a US-based company with EU Standard Contractual Clauses (SCCs) in place for GDPR compliance.
- Authentication: Apple and Google process authentication data under their respective privacy policies and GDPR commitments.
- Cosmetic assets: Purchased card decks and card backs are cached locally on your device.
Data Processors
We use the following third-party processors, all with Data Processing Agreements (DPAs) or equivalent safeguards:
| Processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Supabase | Database, auth, storage | EU (Frankfurt) | GDPR-compliant, DPA |
| PostHog | Analytics | EU (Frankfurt) | GDPR-compliant, DPA |
| RevenueCat | Purchase verification | US | Standard Contractual Clauses |
| Apple | Authentication, IAP | US/EU | GDPR commitments |
| Google | Authentication | US/EU | Standard Contractual Clauses |
Data Sharing
We do not sell, rent, or share your personal information with third parties for marketing purposes. Data is shared only with the processors listed above for the purposes described, and when required by law.
Your Rights
You can:
- Access your data through the App (Profile, Journal, Settings).
- Delete your account and all associated data by contacting us.
- Export your reading history through the Journal screen.
- Opt out of analytics in Settings.
- Disable notifications at any time through Settings or your device settings.
- Withdraw consent for any processing based on consent, without affecting prior processing.
GDPR Rights (Art. 15-22)
As our operations are based in Spain, we comply with the General Data Protection Regulation (GDPR). You have the right to:
- Access (Art. 15) — receive a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — "right to be forgotten," request deletion of your data.
- Restriction (Art. 18) — restrict processing in certain circumstances.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
- Object (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
To exercise these rights, contact us at r.nikitin.crushitapp@gmail.com. We will respond without undue delay, and in any event within 30 days (extendable by 60 days for complex requests, with notification).
You may also lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es.
Children's Privacy
The App is not directed at children under 16 in the EU or under 13 elsewhere. We do not knowingly collect information from children. If we become aware that a child has provided personal data, we will delete it promptly.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Journal entries & readings | Until you delete them or your account |
| Analytics (anonymized) | Up to 12 months |
| Push tokens | Removed on sign out or uninstall |
| Purchase records | Retained for legal/tax obligations (up to 7 years) |
After account deletion, all personal data is removed from our servers within 30 days, except where retention is required by law.
Security
We implement appropriate technical and organizational measures (GDPR Art. 32):
- Encrypted connections (TLS/HTTPS) for all data in transit.
- Row-level security (RLS) policies ensuring users access only their own data.
- Secure token storage on device (expo-secure-store).
- Authentication via established providers (Apple, Google) — we never store passwords.
- Regular access review of database and storage permissions.
Changes to This Policy
We will notify you of material changes to this policy through:
- An in-app notification or prompt.
- Updating the "Last updated" date at the top.
For significant changes affecting your rights or how we process your data, we will provide at least 14 days' notice before the changes take effect. Continued use after the notice period constitutes acceptance.
Contact
If you have questions about this Privacy Policy or wish to exercise your GDPR rights:
Email: r.nikitin.crushitapp@gmail.com
Data Protection Authority: AEPD — www.aepd.es