What we keep, and what we don't.
LAST UPDATED · MAY 30, 2026
Palm Reader Pro reads palms, threads them with your astrological chart, and lets you compare with people in your circle. The sections below describe what we collect to do that work, where it goes, and what you can do about it.
- Your name (or initial), birth date, optional birth time, optional birth place (city + coordinates), and dominant hand.
- Optional photos of your palms, captured when you start a reading.
- The reading-voice and theme preferences you pick.
- Any feedback you choose to send via Settings → Send feedback.
- If you sign in: an email address (passed to our auth provider) so your readings can sync across devices.
- If you add people to your circle: their name, relation to you, and any birth or palm details you choose to enter.
- Your sun, moon, and rising signs, and a full natal chart computed from the birth details above.
- Reading transcripts (the text generated for each palm reading or compare).
- Streak counts and earned badges.
- Birth details power the natal chart and the per-day horoscope.
- Palm photos are uploaded to our backend in memory, forwarded to Anthropic's Claude model for an interpretation, and dropped from server memory as soon as the response returns. The interpretation comes back as text that's saved to your account.
- An encrypted copy of your last seven palm photos is kept on your device only — encrypted and excluded from iCloud backup — so you can revisit the AR palm-line overlay on past readings without re-uploading. Because these copies never leave your device, we never see them.
- Members' Edition only: an encrypted copy of your last twenty palm photos is also uploaded to a private cloud bucket for cross-device sync. These cloud copies are encrypted, but by default the key that decrypts them is held in our server-side vault (so your readings can sync to a new device), which means we are able to read them. Switch on a recovery phrase or iCloud Keychain key in Settings → Advanced Security and the key never reaches us, so we can't. If you cancel, the cloud copies are soft-deleted with a 90-day re-subscribe grace and then permanently deleted by a daily sweep; the on-device cache stays.
- Reading-voice and theme preferences are read back on every screen so the app feels consistent across sessions.
- Streak data drives the badge unlock logic and the daily horoscope reminder schedule.
We do not sell your data, and we don't run ads inside the app. The one marketing exception: if you allow tracking on the iOS prompt, we share your app install and advertising identifier with our attribution provider so we can see which ad campaign brought you in — decline the prompt and none of that is shared.
The most personal data — your name, birth details, reading text, and compare results — is encrypted on your device before it reaches our servers. By default, the key that decrypts it is stored in our secure server-side vault — that's what lets us sync your data to new devices and restore it when you sign back in, but it also means we are able to decrypt it. If you'd rather we couldn't, switch on a recovery phrase or iCloud Keychain key in Settings → Advanced Security; then the key never reaches us and we can no longer read your data.
- Your readings, name, birth bundle, and natal chart are stored as ciphertext on Supabase. By default the key is held in our server-side vault so we can sync and recover your data; from Settings → Advanced Security you can instead move it onto your own device, synced through your iCloud Keychain or held under a recovery phrase you save yourself.
- Friend invitations sent to someone who already has a Palm Reader Pro account are encrypted directly to their device's public key — the server passes the ciphertext through without being able to read it.
- Friend invitations sent to someone who isn't on Palm Reader Pro yet are encrypted at rest under your account's key while they wait. If the recipient never accepts, the invitation is automatically deleted after 30 days.
- Messages you send to people in your circle are encrypted under a per-pairing AES key that's minted when you both accept the connection — one key per friendship. The pair keys live in our encrypted vault (separate from the application database) and are delivered to the two devices in the pair on demand. A database-only breach can't decrypt them, and a breach of one pair's key doesn't expose any others. We don't make a stronger end-to-end claim than that because the vault sits on our infrastructure; we'd need true client-side key agreement to do better, which we're not promising today.
- Share links you generate (Circle → Share) carry the encryption key in the URL fragment, which browsers never send to our servers. The recipient's web page decrypts client-side; we store only the opaque ciphertext.
In the default mode we can recover your data for you, because the key is in our vault. If you move the key onto your own device (recovery phrase or iCloud Keychain) and later lose both that key and all your Apple devices, we can't help — that's the deliberate trade-off for keeping the key off our servers.
- Supabase — hosts the database and auth service. Your account, profile, readings, and circle are stored on Supabase. Their privacy notice: https://supabase.com/privacy.
- Anthropic — receives your palm photos and birth details when you cast a reading or compare, returns the generated text. They commit not to train models on your input. Their notice: https://www.anthropic.com/privacy.
- OpenAI — generates the watermarked palm portrait that Members see at the end of a reading. Receives a short description derived from your reading (no raw photo, no name, no birth details) and returns an image.
- Apple — handles in-app subscription purchases and (if you opt in) push notifications. We do not see your payment details; we only know whether your account is currently subscribed.
- RevenueCat — sits on top of Apple's subscription infrastructure to manage entitlements and renewal state. RevenueCat sees subscription lifecycle events (started, renewed, cancelled) and an anonymous RevenueCat user ID. It does not see your name, palm photos, readings, or payment details.
- AppsFlyer — only if you tap "Allow" on the iOS Tracking prompt. AppsFlyer helps us see which ad campaign (Meta, TikTok, Google, etc.) brought you to the app so we can invest in the channels that actually work. When you allow tracking, your install event and your Apple-issued advertising ID (IDFA) are sent to AppsFlyer for that purpose. If you tap "Ask App Not to Track," none of that data is collected; AppsFlyer still records the install via Apple's privacy-preserving SKAdNetwork (aggregate-only, no IDFA, no per-user data).
- PostHog — first-party product analytics. PostHog sees what features you use inside the app (e.g. "completed a reading," "opened the paywall") so we can tell which surfaces are working and which need polish. It does not run cross-app tracking and does not trigger the iOS Tracking prompt. Events are anchored to your Palm Reader Pro account ID, not your name or contact info.
- Sentry — error and crash reporting. When the app crashes or a backend route fails, Sentry receives the stack trace and the build version so we can fix it. Crash reports are tagged with your account ID — a random identifier, never your name, email, or IP — so we can group the crashes a single person runs into.
- Resend — sends invitation emails for circle invites you initiate.
The following providers host our infrastructure or carry its traffic. They see your IP address and the standard request headers your device or browser sends, logged briefly for security and abuse prevention. They do not see the encrypted contents above.
- Vercel — hosts the marketing site and share landing pages at palmreaderpro.app.
- Railway — hosts the backend API at api.palmreaderpro.app.
- Cloudflare — provides DNS for palmreaderpro.app and, when proxied, edge protection for the api subdomain.
If you choose to share a connection with a friend (Circle → Friend Share), the friend sees the fields you explicitly include in the share — no more.
While your account exists, we keep the data above so you can come back and read your past readings, see your streak, and pick up where you left off.
Your AI palm portrait is kept with your account until you delete it or your account. Both free and Members' Edition accounts have storage limits, and we regularly clean up older data in line with our storage and retention policies.
When you delete your account (Settings → Sync → Delete account), we wipe both the cloud copy and the local copy of your profile, readings, and circle in one step. Deletion is immediate and final — there's no recovery window.
Pending invitations you've sent that the recipient never accepts are deleted automatically after 30 days, whether or not the recipient has a Palm Reader Pro account.
Anonymous-tier users (no sign-in) keep all data on the device only. Deleting the app from the device clears it.
- Edit or remove any birth field from Settings → Profile.
- Toggle off birth time at any point — your chart still computes, with the moon marked approximate.
- Skip sign-in entirely; the app works as a local-only journal in that mode.
- Stop sharing with someone in your circle from Settings → Sharing — both sides lose the connection.
- Block someone from Settings → Blocked (or from a Circle profile) — they can't invite you again. Reversible from the Blocked list anytime.
- Delete your account and the cloud copy from Settings → Sync.
- Disable notifications from Settings → Notifications.
- Send us feedback or a deletion request from Settings → Send feedback.
- Right to access (GDPR Article 15) — request a copy of the data we hold about you.
- Right to rectification (Article 16) — most fields are editable in Settings → Profile; for anything you can't reach, email us.
- Right to erasure (Article 17) — Settings → Sync → Delete account is the fastest path; we wipe immediately on request.
- Right to restrict or object to processing (Articles 18 + 21) — email us.
- Right to data portability (Article 20) — email us and we'll provide the data we hold about you in a portable, machine-readable format. If you've moved your encryption key onto your device (Settings → Advanced Security), the readable copy of your readings already lives there.
- Right to complain to your supervisory authority (Article 77) — you can do this directly with your country's regulator.
If you're in California, you have the same rights to know, delete, and correct under the CCPA / CPRA, plus the right to non-discrimination for exercising them. We do not sell your personal information and we do not share it for cross-context behavioral advertising.
Email support@palmreaderpro.app to exercise any of these. We'll respond within the timeline your jurisdiction requires (30 days under GDPR, 45 days under CCPA).
You must be at least 13 years old to use Palm Reader Pro (16 in the United Kingdom, or the equivalent age of digital consent in your country). If you're under the age of majority where you live, you should have a parent or guardian agree on your behalf. We do not knowingly collect data from children under those ages. If you believe a child has created an account, email us at support@palmreaderpro.app and we'll remove the account.
When the policy changes in a meaningful way we bump the "Last updated" date at the top and surface the change in-app on the next launch. The current version always lives at the URL on the App Store listing and in-app on the Privacy screen.
Reach out at support@palmreaderpro.app and we'll respond within a few business days. You can delete your account anytime from Settings → Sync — that wipes both the cloud copy and the local copy in one step.