Privacy Policy
How Lunara handles your data on the web.
Draft — pending legal review. Adapted from the Lunara iOS policy for the web app (accounts, server-side storage, Stripe billing, and social features). Have counsel review before launch.
This Privacy Policy describes how Taco Truck Games, LLC ("we," "us," or "our") collects, uses, stores, and shares personal data when you use the Lunara web application at lunaraconnect.com ("the Service"). It is specific to the web app, which differs from the Lunara mobile app: the web app uses a user account and stores your data on our servers (via Supabase) so that social features such as profiles and messaging can work across devices.
Owner and Data Controller
Taco Truck Games, LLC
Seattle, WA, United States
Contact: lunara@tacotruckgames.com
Data We Collect and Store
When you create an account and use the Service, we collect and store the following on our servers:
- Account data: your email address (for sign-in via magic link or Google), and an authentication session.
- Profile data: display name, optional bio, an avatar (a generated seed or an image you upload), your sun/moon/rising signs, the languages you speak, and your intent (e.g. friendship or romantic) used for matching.
- Birth chart data: birth date and time, and birth location (place label plus latitude, longitude, and timezone). This is used to compute your chart. It is private to your account and is never shown to other users.
- Social data: connection requests, your connections, blocks, reports you submit, and the content of direct messages you send and receive.
- Subscription data: if you subscribe to Mystic, a Stripe customer identifier and your subscription status, tier, and renewal date. We do not store your card number — Stripe processes all payments (see Third Parties).
- Usage and technical data: server and request logs, including IP address, may be processed for security, abuse prevention, and operation of the Service.
Stored only on your device: your journal entries are saved in your browser's local storage and are not transmitted to or stored on our servers — unless you explicitly use an AI feature that analyzes a specific entry (see AI Features).
How and Where Data Is Stored
Account, profile, birth, social, and subscription data are stored in a managed PostgreSQL database (Supabase) protected by row-level security so that, in general, you can only read and write your own records and the records of users you are connected to. Data is processed in the United States and other countries where we or our processors operate.
AI Features (Mystic)
The Mystic feature uses a third-party generative AI service (Google Gemini) to produce readings. When you use it, limited context — such as your zodiac and chart signs, the day's horoscope, the card drawn, and any question text you submit (and a journal entry only if you explicitly choose to analyze it) — is sent to the AI provider to generate your reading. We do not send your name, email, or precise birth location, and we do not use your inputs to train models.
Third Parties (Processors)
- Supabase — authentication and database hosting.
- Stripe — subscription billing and payment processing. Stripe collects and stores your payment details under its own privacy policy.
- Google — optional Google sign-in (OAuth) and the Google Gemini AI service used by Mystic.
- Cloudflare — content delivery, DNS, and security for the Service.
The web app does not display third-party advertising and does not use advertising identifiers.
Legal Bases for Processing (GDPR)
Where the GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the account, profile, matching, messaging, and subscription features you request.
- Consent — for optional features you choose to use, such as submitting content to AI analysis. You may withdraw consent at any time.
- Legitimate interests — to keep the Service secure, prevent abuse, and maintain its reliability.
- Legal obligation — where we must process data to comply with applicable law.
Data Retention
We retain your account and associated data for as long as your account is active. When you delete your account, we delete your personal data within 30 days, except where retention is required by law. Server logs are retained for a limited period for security and operations.
Your Rights
Depending on where you live (including under the GDPR and the CCPA/CPRA), you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to receive a portable copy of it.
- Access & portability: from Settings you can export a copy of your data.
- Erasure: from Settings you can permanently delete your account and data.
- By email: you may also exercise any of these rights by contacting lunara@tacotruckgames.com.
We do not sell your personal information. EEA/UK users may lodge a complaint with their local data protection authority; California residents may exercise CCPA rights without discrimination. We honor Global Privacy Control (GPC) opt-out signals where applicable.
Cookies
The Service uses only strictly necessary cookies: an authentication session cookie (so you stay signed in) and a language-preference cookie. We do not use advertising or third-party tracking cookies.
Age Requirement
The Service is intended for users aged 18 and older and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
Data Breach Notification
In the event of a personal-data breach, we will notify affected users and the relevant supervisory authorities as required by applicable law.
Changes to This Policy
We may update this Policy from time to time. Material changes will be reflected by updating the "Last updated" date on this page and, where appropriate, by notice within the Service.
Contact
Questions about this Policy? Email lunara@tacotruckgames.com.
Last updated: June 2, 2026