Privacy Policy
Welcome to Flickerdeck! We are Moments of Meaning Oy (“we,” “us,” “our,” or “Flickerdeck”), a Finnish company that operates the Flickerdeck digital tarot and oracle card application and the flickerdeck.com website. We take your privacy seriously and are committed to protecting your personal data in accordance with GDPR and other applicable laws.
This Privacy Policy explains how we collect, use, share, and protect your information when you use our mobile application and website (together, the “Service”).
2. Data Controller Information
- Company: Moments of Meaning Oy
- Business ID: 3496269-7
- Address: PL 63105, Laskutus 00062, Finland
- Email: privacy@flickerdeck.com
3. Information We Collect
3.1 Information You Provide
- Demographics (optional): Age range (e.g., 18–22, 23–27) and gender (with “prefer not to say” option) collected during app onboarding for personalization.
- Your Content: Questions and reflections you provide through text or voice input when using AI features in the app.
- Support Communications: If you contact us for support, we may collect your email address and message content.
3.2 Information Collected Automatically
3.2.1 Mobile App
Device & App Information
- Device identifier (Firebase UID)
- Device type, model, and operating system
- App version and language settings
- Screen resolution
- Country/region (from IP address) — for compliance and tax purposes only
- Network type and carrier
Usage Analytics
We collect information about how you interact with our app:
- Feature usage and interaction patterns (e.g., card interactions, reading flows)
- Session duration and frequency
- Navigation paths through the app
- Error and crash logs
- Performance metrics
- Custom events related to product features
Attribution Analytics
- How you discovered and installed our app
- Campaign parameters from links you clicked
- Marketing effectiveness measurement (without personal identification)
AI Processing Data
- Your card selections and spreads
- Questions and reflections you share with our AI
- Session context for providing coherent readings
3.2.2 Website (flickerdeck.com)
When you visit our website, certain data is collected depending on your cookie preferences:
Always Collected (necessary for website operation)
- IP address and basic request metadata (processed by our hosting provider Vercel for serving web pages)
- IP address on certain interactions such as loading additional gallery content (processed by our database provider Supabase, hosted in the EU)
- Country/region derived from IP address (for content delivery)
Collected With Your Consent (analytics cookies)
If you accept analytics cookies, Google Analytics collects: pages visited and navigation patterns; browser type, device, and screen resolution; referral source; session duration and interaction events; and IP address (anonymized by Google Analytics).
You can manage your cookie preferences at any time via the “Cookie Preferences” link in the website footer.
3.3 Information We DON'T Collect
- Email addresses (unless you contact support)
- Precise GPS location
- Contact lists
- Photos or media files
- Device advertising identifiers
- Any personal data from website visitors beyond what is described in Section 3.2.2
4. How We Use Your Information
We process your personal data based on the following legal grounds:
Contract Performance (GDPR Article 6(1)(b)):
- Providing the Flickerdeck service and features
- Processing payments and managing subscriptions
- Delivering AI-powered card interpretations
Legitimate Interests (GDPR Article 6(1)(f)):
- Improving our app and website and developing new features
- Analyzing usage patterns to enhance user experience
- Understanding how users discover our app (attribution analytics)
- Preventing fraud and ensuring security
- Sending service-related push notifications
- Fixing bugs and technical issues
Where required by law (e.g., ePrivacy Directive), we obtain consent before enabling analytics. On our website, Google Analytics cookies are only activated after you give consent. Service notifications are limited to operational updates (new features, security alerts, purchase confirmations).
Legal Obligations (GDPR Article 6(1)(c)):
- Tax and accounting requirements
- Responding to legal requests
4.1 Service Improvement and Analytics
We use de-identified and aggregated usage metrics to improve our Service features and functionality, develop new products and services, understand user behavior patterns, conduct internal research and analysis, and enhance safety and security systems.
We do not use your individual reflections or personal content to train third-party AI models. This processing is based on our legitimate interest (GDPR Article 6(1)(f)) in improving our Service. Individual users cannot be identified from this aggregated data.
5. Cookies and Similar Technologies
5.1 Website Cookies
Our website uses cookies grouped into three categories:
Necessary Cookies
These are required for the website to function and cannot be disabled. They include cookies that remember your cookie consent preferences. No personal data is collected for purposes beyond website operation.
Analytics Cookies
With your consent, we use Google Analytics to understand how visitors use our website. These cookies collect information such as pages visited, time spent, and navigation patterns. Google Analytics anonymizes IP addresses. You can withdraw consent at any time via the “Cookie Preferences” link in the website footer.
Marketing Cookies
We do not currently use marketing cookies. This category is included in our consent banner for future use. If we add marketing cookies, we will update this policy and require your consent before activating them.
5.2 Mobile App
Our mobile app does not use cookies. Analytics in the app are handled through SDKs as described in Section 3.2.1. Where required by law (EU/UK), we obtain consent before enabling mobile analytics.
5.3 Managing Your Preferences
- Website: Click “Cookie Preferences” in the website footer to change your choices at any time.
- Mobile app: Manage analytics and notification preferences in Settings.
- Browser settings: You can also control cookies through your browser settings.
- Global Privacy Control: We honor GPC signals sent by your browser.
6. Service Providers We Use
We work with trusted service providers who process data on our behalf:
- Google Firebase: Infrastructure, authentication, push notifications; United States · User data, app usage
- Amplitude: Product analytics (app); EU (for EU users) · Usage events, user properties
- AppsFlyer: Attribution analytics (app); United States · Install source, campaign data
- OpenAI: AI text generation (app); United States · Card context, user questions
- RevenueCat: Subscription management (app); United States · Device ID, purchase status
- Apple/Google: Payment processing (app); Various · Transaction data (as independent controllers)
- Sentry: Error tracking (app); United States · Technical logs, crash reports
- Google Analytics: Website analytics; United States · Pages visited, browser info, session data (with consent only)
- Vercel: Website hosting; Global CDN · IP address, request metadata (server logs)
- Supabase: Website database; EU (Ireland) · IP address on certain browsing interactions
7. International Data Transfers
Your data may be transferred to and processed in the United States where several of our service providers are located. We ensure appropriate safeguards for these transfers:
- Legal Protection: We use Standard Contractual Clauses (SCCs) approved by the European Commission.
- Technical Protection: All data is encrypted in transit and at rest.
- Limited Access: We share only necessary data with each provider for their specific function.
Note: OpenAI retains API interaction logs for up to 30 days for safety and abuse monitoring, then automatically deletes them. This 30-day retention period applies even after deletion requests.
Our website database (Supabase) is hosted in the EU (Ireland), so deck gallery browsing data does not involve international transfers.
8. Data Retention
We keep your data only as long as necessary:
- Your content and preferences: While you actively use the app, plus 2 years of inactivity.
- Analytics data: 14–26 months (per platform policies).
- Error logs: 90 days.
- Payment records: 7 years (legal requirement).
- Website server logs: Retained by Vercel per their standard retention period (typically 30 days).
- Website analytics: 14 months (Google Analytics default).
You can delete your app data at any time through the app or by contacting us.
9. Your Rights
Under GDPR, you have the right to:
- Access your personal data we hold
- Rectify inaccurate information
- Delete your data (“right to be forgotten”)
- Restrict processing in certain circumstances
- Data portability — receive your data in a portable format
- Object to processing based on legitimate interests
- Withdraw consent where applicable
How to Exercise Your Rights
- In-app: Settings → Delete Account (removes server data linked to your device). Note: Deleting the app only removes local data, not server data.
- Email: privacy@flickerdeck.com (we may ask for verification such as a purchase receipt).
- Response time: Within 30 days.
Identity Verification: Since we use device-based authentication, we may not be able to identify you from your device ID alone. If you contact us by email to exercise your rights, we may ask you to verify your identity (for example, with a purchase receipt) so we can fulfill requests that go beyond device-based controls. Under GDPR Article 11, we are not obligated to retain additional information solely to identify users for rights requests.
Supervisory Authority
You may lodge a complaint with:
Finland (Lead Authority):
Website: www.tietosuoja.fi
Address: P.O. Box 800, 00531 Helsinki, Finland
United Kingdom (if applicable):
Website: www.ico.org.uk
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK
10. Push Notifications
Push notifications are used for service-related communications only:
- Content updates (new decks and features)
- Seasonal reminders
- Important service announcements
You can enable or disable push notifications through your device's system settings. We require only the standard operating system permission for push notifications.
11. Security
We use industry-standard security measures to protect your personal data, including:
- Encryption for data in transit and at rest
- Access controls and authentication systems
- Regular security reviews
- Secure data storage practices
While we strive to protect your data, no method of transmission or storage is 100% secure. We encourage you to use strong device passwords and keep your app updated.
12. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours where required by law.
- Notify affected users if the breach is likely to result in high risk to their rights and freedoms.
- Document all breaches in our internal register.
13. Children's Privacy
Flickerdeck is not intended for children under 13. We do not knowingly collect data from children under 13. If we discover such collection, we will promptly delete the data.
Note for EU Users: Some EU countries require parental consent for users under 16. Our service is not intended for users below the age where they can provide their own consent under local law.
14. California Privacy Rights
For California residents under CCPA/CPRA:
Your Rights:
- Do Not Sell or Share My Personal Information: We do not sell your personal information to, or share it with, third parties.
- Limit the Use of My Sensitive Personal Information: We do not use sensitive personal information beyond what's necessary to provide our services.
- Access and delete your personal information.
- Correct inaccurate information.
- Non-discrimination for exercising rights.
We honor Global Privacy Control (GPC) signals. To exercise your rights, contact: privacy@flickerdeck.com
15. Changes to This Policy
We may update this Privacy Policy occasionally. We'll notify you of material changes through the app. Your continued use after changes means you accept the updated policy.
16. Contact Us
For privacy questions or to exercise your rights:
Email: privacy@flickerdeck.com
We aim to respond within 5 business days.