Your Privacy Matters.
At UNI CARDS we treat your personal data with the same care we bring to every reading. This policy explains what we collect, why we collect it, and the rights you hold over your own information — in plain language, the way it should be.
This Privacy Policy explains how UNI CARDS ('we', 'us', or 'our') collects, uses, stores, and protects your personal data when you use our website and services. As a service operating within the European Union, we are fully compliant with the General Data Protection Regulation (GDPR) (EU) 2016/679 and Bulgarian data protection law.
1. Data Controller
UNI CARDS
Email: [email protected]
2. What Data We Collect
2.1 Account & Registration Data
- Full name
- Email address
- Password (stored encrypted — we never see your plain-text password)
- Date of account creation
2.2 Payment Data Payments are processed by trusted third-party providers (e.g. Stripe or PayPal). We do not store your credit card or banking details. We only retain records of transaction amounts, dates, and subscription status.
2.3 Usage & Analytics Data
- Pages visited and time spent
- Cards drawn and reading sessions
- Device type, browser, and approximate location (country/city level)
- IP address (anonymised after 90 days)
3. Legal Basis for Processing (GDPR Article 6)
- Contract performance — to provide your account and subscription services
- Legitimate interests — to improve our services and prevent fraud
- Legal obligation — to comply with Bulgarian and EU tax/accounting law
- Consent — for optional marketing emails (you may withdraw at any time)
4. How We Use Your Data
- Create and manage your user account
- Process payments and manage subscriptions
- Deliver Tarot reading services and personalised guidance
- Send transactional emails (account confirmation, password reset, purchase delivery)
- Send newsletter/marketing emails (only with your explicit consent)
- Improve our platform through analytics
- Comply with legal and tax obligations
5. Data Sharing & Third Parties
We do not sell your personal data. We may share data with:
- Payment processors (e.g. Stripe, PayPal) — for payment handling
- Email service providers (e.g. Mailchimp, SendGrid) — for transactional emails
- Analytics providers (e.g. Google Analytics) — for anonymised usage statistics
- Hosting providers — our website is hosted on secure EU-based or EU-compliant servers
All third-party providers are bound by data processing agreements and comply with GDPR.
6. Data Retention
- Account data: retained for the duration of your account and up to 3 years after deletion for legal/tax purposes
- Payment records: retained for 10 years as required by Bulgarian accounting law
- Analytics data: anonymised after 90 days, deleted after 26 months
- Marketing consent records: retained until you withdraw consent
7. Your Rights Under GDPR
As an EU resident, you have the following rights:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure ('right to be forgotten') — request deletion of your data
- Right to restriction — limit how we process your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — for marketing emails at any time
To exercise any of these rights, contact us at: [email protected]. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP): www.cpdp.bg
8. Cookies
We use cookies to:
- Keep you logged in (session cookies — essential)
- Remember your preferences (functional cookies)
- Analyse site usage (analytics cookies — only with your consent)
You may manage or withdraw cookie consent at any time via our Cookie Settings banner.
9. Security
We implement appropriate technical and organisational measures to protect your data, including SSL/TLS encryption, password hashing, and regular security reviews. No system is 100% secure; we will notify you and the relevant authorities in the event of a data breach within 72 hours, as required by GDPR.
10. Children's Privacy
Our service is not directed at children under 16. We do not knowingly collect data from minors. If you believe a child has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before significant changes take effect. Continued use of the service after that date constitutes acceptance.
12. Contact Us
For any privacy-related questions or requests:
UNI CARDS Team
Email: [email protected]
Love, UNI CARDS Team