Privacy Policy

Last updated: 25 May 2026

What information we collect, why we collect it, what we do with it — and what we never do.

Contents

  • In short
  • Who we are
  • What we collect
  • Lawful basis and how we use it
  • Who we share with
  • International data transfers
  • How long we keep it
  • How we keep it secure
  • Your rights
  • Automated decisions
  • Cookies
  • Children
  • Changes to this policy
  • Contact and complaints

01 In short

Your readings, your questions, your saved spreads — these are private by default and visible only to you. We do not sell, share, or train on your data. Ever.

This policy explains what information we collect, why we collect it, the legal basis for collecting it, and the choices you have. It applies to everything on sanctumarcana.life and our Inner Temple Discord community. If anything is unclear, please write to support@sanctumarcana.life.

02 Who we are

Sanctum Arcana is operated by Sanctum Arcana Ltd, a company registered in England and Wales (company number 16910382) with its registered office at Pandle House, 70 Grange Road East, Wirral, United Kingdom, CH41 5FE. For the purposes of UK GDPR, Sanctum Arcana Ltd is the data controller of your personal data.

We are registered with the UK Information Commissioner's Office as a data controller under reference number ZC147766. Our contact email for any privacy matter is support@sanctumarcana.life.

03 What we collect

We collect the minimum information needed to run the service:

  • Account data. The email address, password (stored as a salted hash, never in plain text), and display name you give us at sign-up.
  • Authentication data. If you sign in with Google or Apple, we receive the email address associated with that account. If you connect your Sanctum Arcana account to Discord, we receive your Discord user ID and username — used only to grant the right roles in the Inner Temple.
  • Membership data. Your membership tier, your Stripe customer ID, and the dates of your subscription events (sign-up, upgrades, cancellations). Stripe holds your payment details on its own systems under PCI DSS — we never see or store your full card number.
  • Practice data. The readings, questions, journal entries, and rituals you generate while using the service. These are tied to your account and visible only to you.
  • Operational data. IP address, login times, basic device and browser information, and error logs — used to keep the service running, prevent abuse, and investigate issues. We do not use these to build a marketing profile of you.

We do not run advertising trackers, behavioural-profiling pixels, fingerprinting scripts, or session-replay tools. For analytics we use Plausible — a privacy-respecting tool that does not set cookies on your device, does not track you across the web, and collects only aggregate, anonymous usage data. It does not build a profile of you, and the data it gathers cannot be used to identify you.

04 Lawful basis and how we use it

UK and EU data-protection law requires us to tell you the legal basis on which we process your personal data. We process your data on the following bases:

  • To run your account and deliver the service you have asked for — creating your account, authenticating sessions, generating AI readings and rituals, and saving your practice. Lawful basis: performance of a contract with you.
  • To take and process payments — charging your card via Stripe and recording invoices. Lawful basis: performance of a contract with you, and legal obligation (we are required to keep financial records).
  • To send operational emails — receipts, password resets, security and service notices, and important account changes. Lawful basis: performance of a contract with you.
  • To keep the service stable and secure — investigating bugs, defending against abuse, monitoring uptime, and recovering from incidents. Lawful basis: our legitimate interests in operating a working, safe service.
  • To comply with the law — including responding to lawful requests from authorities and meeting our tax, accounting, and consumer-protection obligations. Lawful basis: legal obligation.
  • To send any future marketing emails — should we choose to send newsletters or product updates. Lawful basis: your consent, which you can withdraw at any time. We do not send marketing emails today.

We do not use your readings, questions, journal entries, or rituals to train any AI system — ours or anyone else's. Your content is sent to Anthropic only to generate the immediate response you asked for, and is not retained for training under our agreement with them.

05 Who we share with

We share data only with the small set of providers we need to run the service. Each is bound by their own data-processing terms and processes your data on our instructions.

  • Stripe — payment processing and subscription management.
  • Anthropic — AI inference for generating readings and rituals.
  • Supabase — database, authentication, and the delivery of account-related emails (sign-up confirmation, password reset). Your data is stored in Supabase's UK / EU region.
  • Vercel — site hosting.
  • Discord — only used for members who choose to connect their account to the Inner Temple. We share your Discord ID and membership tier with Discord's API to grant the right roles.
  • Google — used for Sign in with Google (if you choose it), for Google Search Console (aggregate search data only, no personal data about you), and for Google Workspace (the email service that powers support@sanctumarcana.life).
  • Plausible — privacy-respecting, cookieless website analytics, hosted in the EU. Plausible receives only aggregate, anonymous usage data; it is not given any information that identifies you.

We do not sell or rent your data to anyone. We do not share it with advertisers. If we are ever required to disclose data in response to a lawful request from a government or regulatory authority, we will tell the person affected unless we are legally prevented from doing so.

06 International data transfers

Sanctum Arcana is operated from the United Kingdom and our database is hosted in the UK / EU. Some of the providers above are based in the United States — including Anthropic, Vercel, Discord, and Google.

When your data is transferred outside the UK, we rely on the legal mechanisms recognised under UK GDPR to keep it protected — the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK addendum, or any adequacy decision in force at the time. Each provider is contractually required to maintain a level of protection equivalent to UK data-protection law.

07 How long we keep it

We keep your data only as long as we need it.

  • Account data, practice data, and authentication data — for as long as your account is active. If you close your account, this data is deleted within 30 days.
  • Financial records (invoices, payment events) — six years from the date of the transaction, in line with UK tax and accounting law.
  • Operational logs and error logs — up to 90 days, then rotated out.
  • Database backups — held on a 30-day rolling window, then overwritten.

08 How we keep it secure

We take security seriously and follow industry-standard practice:

  • All connections between you and Sanctum Arcana are encrypted in transit using TLS.
  • Data stored in our database is encrypted at rest.
  • Passwords are stored as salted hashes, never in plain text.
  • Database access is governed by row-level security — every query is restricted to the rows owned by the requesting account.
  • Payment card details are handled by Stripe under PCI DSS and never touch our servers.

If we ever become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours and inform the people affected without undue delay.

09 Your rights

Under UK GDPR — and equivalent laws in the EU and other comparable jurisdictions — you have the following rights:

  • Right to be informed — through this policy.
  • Right of access — to ask for a copy of the personal data we hold about you.
  • Right to rectification — to correct anything that is wrong.
  • Right to erasure — to ask us to delete your data, subject to any records we are legally required to keep.
  • Right to restrict processing — to ask us to pause processing in certain situations.
  • Right to data portability — to receive your data in a structured, common format.
  • Right to object — to processing we carry out under legitimate interests.
  • Right to withdraw consent — where we rely on consent (such as for any future marketing), at any time.
  • Right not to be subject to automated decision-making — see the next section.

Most of these are self-serve from your account settings — you can edit your profile, export your data, and close your account. For anything else, write to support@sanctumarcana.life and we will respond within one month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk if you believe we have mishandled your data. We would, of course, rather you tell us first.

10 Automated decisions

We do not make any automated decisions that produce legal effects on you or otherwise significantly affect you. The AI that generates your readings and rituals is a creative interpreter — it does not score you, rank you, deny you a service, or take any decision about you. Tier assignments and account actions are driven by your own choices (your membership tier, your settings) and by the rules in our Terms.

11 Cookies

We use a small number of strictly-necessary cookies and local-storage items to keep you logged in and to remember basic preferences. We do not use advertising or cross-site tracking cookies. See our Cookie Policy for the full list.

12 Children

Sanctum Arcana is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us and we will delete it.

13 Changes to this policy

We may update this policy from time to time. If we make a material change — anything that affects your rights or how we handle your data — we will email registered members at least 14 days before the change takes effect. The "Last updated" date at the top of the page reflects the most recent change.

14 Contact and complaints

For any privacy question, request, or complaint, please write to Sanctum Arcana Ltd at support@sanctumarcana.life, or by post to Pandle House, 70 Grange Road East, Wirral, United Kingdom, CH41 5FE.

If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk, or to the data-protection authority in your country of residence if you live in the EU or another jurisdiction with its own authority.

Questions about this privacy policy? Reach us at support@sanctumarcana.life.
