The Spread Logo The Spread ← Home

Privacy Policy (US‑only)

Effective Date: December 6, 2025

Entity / Controller: WSTBD LLC (“WSTBD,” “we,” “our,” “us”)
Address: 218 W 123RD St, New York, NY 10027-5683, United States
Website: https://the-spread.org
Contact (Privacy): support@the-spread.orglegal@the-spread.org

This Privacy Policy explains how we collect, use, disclose, and protect information when you use The Spread Reflection mobile application, website, and related services (the "Service"). The Service is a personal journaling and reflection tool that uses tarot symbolism for self-discovery and introspection—it is not a fortune-telling or prediction service. This Policy applies to U.S. residents only. By using the Service, you agree to this Policy.

1) Overview & Scope

  • We collect only what we need to run and improve the Service you request.
  • We do not sell or share personal information for cross-context behavioral advertising (as those terms are defined under California law).
  • We use trusted service providers (e.g., authentication, hosting, storage, diagnostics, basic analytics).
  • This Policy incorporates the Notice at Collection for California and discloses the categories of personal information we collect, the purposes, sources, and disclosures.

2) Notice at Collection (What we collect, why, from whom, and to whom)

We may collect the following categories of personal information. The examples are illustrative; actual data depends on how you use the Service.

Category (CPRA) Examples Purpose of Use Sources Disclosed To Typical Retention
Identifiers Name, email, online identifiers (such as IP address and device identifiers) Account creation/login, security, deliver core features, fraud prevention You; your device Service providers (auth, hosting, security) Account life + up to 24 months backups/logs
Customer Records Profile name, date of birth (DOB) (required for age verification), support requests Age verification (17+ requirement), personalization you choose, support You Service providers Account life + up to 24 months backups
User Content Daily reflections, journal entries, spread sessions (questions and card selections), Personal Story chapters, weekly reflection summaries, saved readings, notes, tags; photos you upload (e.g., avatar) Core journaling and reflection features (save/reflect/view privately), pattern analysis, Personal Story generation, tarot-based self-reflection prompts, library management You Service providers (storage/hosting, AI processing via Yandex Cloud) While in your library + up to 12 months in backups
Internet / Activity App interactions, diagnostic & crash logs, device/OS metadata Security, fraud prevention, debugging, quality, performance Your device/SDKs Service providers (diagnostics/analytics) 90–180 days unless needed longer for security or legal
Approximate Location Country/region inferred from IP or device settings Localization, security/abuse signals Device/SDKs Service providers 90–180 days
Commercial Information Subscription status (active/inactive), subscription type (e.g., monthly/yearly), renewal or expiration date, transaction identifiers from Apple Enable and manage Premium subscription features, verify purchases, and provide subscription-related support Apple App Store / your Apple ID purchase history Service providers (e.g., authentication/security and limited billing verification tooling) Subscription life + up to 24 months for support and record-keeping
Sensitive Personal Information (SPI) Account access credentials (e.g., authentication identifiers/tokens; passwords are handled by our authentication provider) Authenticate and secure your account You Service providers (authentication/security) Account life + security backups

Important about SPI. We use Sensitive Personal Information (account access credentials) only to provide and secure your account. We do not use SPI to infer characteristics. We store account access credentials using appropriate security measures. Because our use is limited to permitted purposes, a "Limit Use of Sensitive PI" link is not required.

2.5) AI Processing & Personal Story

The Service uses artificial intelligence to generate personalized insights, reflections, and narrative content based on your journal entries and tarot-based self-reflection sessions. This processing happens via our secure backend and Yandex Cloud (YandexGPT API):

  • What we send: The text you submit for generation (for example, reflections, journal entries, questions, and card selections) and only the limited metadata needed to provide the feature (for example, language, timestamps, and the feature type).
  • How it's used: Yandex Cloud's AI processes your content to generate personalized insights, narrative chapters, pattern analysis, tarot interpretations, and weekly reflection summaries. This is done on-demand when you create reflections, spreads, or reach Personal Story milestones.
  • Purpose: AI-generated content serves as a tool for self-reflection and personal insight—not for fortune-telling, prediction, or professional advice.
  • Your consent & control: By using features that generate AI content (spreads, Personal Story, weekly reflections), you consent to your content being processed by Yandex Cloud's AI. You can choose not to use these features and rely solely on manual journaling. Generated content (insights, chapters, interpretations) and your source reflections belong to you. You can delete them anytime through the app.
  • Retention by Yandex Cloud: Yandex Cloud processes data in accordance with its terms and privacy policy, which may include retention practices we do not control. We transmit content only when you use generation features, and we do not use this processing for advertising or cross-context behavioral advertising.
  • Security: All data is transmitted over encrypted connections (HTTPS/TLS).
  • No advertising / no sale/share: We do not use your generation content for advertising, and we do not sell or share it for cross-context behavioral advertising.

For more information about Yandex Cloud's data handling practices, see Yandex's privacy policy at https://yandex.com/legal/confidential/.

3) Do we sell or share personal information?

No. We do not sell personal information and do not share it for cross-context behavioral advertising. If this changes, we will update this Policy and provide a clear “Do Not Sell or Share My Personal Information” link before such activities occur.

4) Sources of Personal Information

  • Information you provide (e.g., account, profile, date of birth, daily reflections, journal entries, spread session questions and card selections, Personal Story content, weekly reflections, saved readings, notes, tags, photos).
  • Information from your device and in-app activity (e.g., diagnostics, security logs, performance).
  • Information from service providers that support authentication, hosting, storage, AI processing (Yandex Cloud), diagnostics, and security.
  • Information from Apple about your in-app purchases and subscription status (for example, whether a Premium subscription is active or expired, product type, and transaction identifiers) when you buy a Premium subscription.

5) How we use information (Purposes)

  • Verify age eligibility (17+ requirement) using your date of birth.
  • Provide the Service you request (accounts, journaling features, tarot-based reflection prompts, spread sessions, Personal Story generation, weekly reflection summaries, pattern analysis, saved readings, photos you upload).
  • Generate insights and content using AI processing (Yandex Cloud API) based on your reflections, journal entries, and spread sessions—for self-reflection purposes only, not for fortune-telling or prediction.
  • Operate, secure, and troubleshoot the Service (diagnostics, error logs, anti-abuse/fraud).
  • Improve quality and performance (product analytics configured for product operations, not ad targeting).
  • Communicate with you about the Service (e.g., support responses, important notices, chapter readiness notifications).
  • Enable and manage Premium subscriptions (verify purchases with Apple, unlock Premium features, and handle subscription-related support).
  • Comply with law and enforce terms, protect users, our rights, and the Service.

We do not use personal information for cross-context behavioral advertising, fortune-telling, or predictions about future events. The Service is a tool for personal reflection and self-discovery only.

6) Disclosures to Service Providers (and When Else We Disclose)

We disclose information to service providers under written agreements limiting their use to our instructions, including for:

  • Authentication and account security
  • Cloud hosting, database, and storage
  • AI processing and content generation (Yandex Cloud API for Personal Story chapters, tarot interpretations, reflection analysis, and insights—used solely for self-reflection, not fortune-telling)
  • Diagnostics, crash reporting, and product analytics (configured for product quality/security)
  • Customer support tools and anti-abuse/security

We may also disclose information:

  • If required by law or legal process, or to protect users, our rights, or the Service
  • In connection with a business transfer (e.g., merger, acquisition); if ownership changes, we will notify you if required and your information will remain protected under this Policy or an equivalent policy

We do not allow service providers to sell or share your personal information for advertising.

7) Your Privacy Rights (U.S. State Laws, incl. California)

Subject to applicable law and verification, you may have the right to:

  • Know/Access the categories and specific pieces of personal information we collected about you.
  • Delete personal information (with legal/operational exceptions, e.g., security or compliance).
  • Correct inaccurate personal information.
  • Obtain a portable copy of certain information.
  • Opt out of sale or sharing of personal information (we do not sell/share; if that changes, we will provide opt-out mechanisms).
  • Limit use of Sensitive Personal Information (not required here because we use SPI only for permitted purposes).
  • Non-discrimination for exercising rights.
  • Appeal a decision regarding your privacy request (see below).

How to exercise your rights

To exercise your rights, use the in-app privacy controls (Profile → tap your avatar → Privacy Requests) or email support@the-spread.org or legal@the-spread.org with subject "Privacy Request." We will verify your identity (e.g., signed-in request, email verification, reasonable match against account data). We typically respond within 45 days; we may extend once if reasonably necessary and permitted by law, and will notify you of the extension.

Data portability

Where required by applicable law and subject to verification, you may request a portable copy of certain personal information in a commonly used format (for example, JSON or CSV where feasible). To request a data export, contact us at support@the-spread.org with subject "Privacy Request."

Authorized agents

An authorized agent may submit a request on your behalf if they provide proof of authorization and we can verify your identity and the agent’s authority.

Appeals process

If we deny your request (in whole or in part), you may appeal by replying to our decision or emailing legal@the-spread.org with subject “Privacy Appeal”. We will review and respond within applicable legal timelines.

“Do Not Track” and Global Privacy Control

There is no uniform “Do Not Track” standard; however, we honor applicable Global Privacy Control (GPC) signals to the extent required by law. Our current practice of no sale/share means your opt-out is already respected.

Financial incentives

We do not offer financial incentives related to personal information.

8) Children's Privacy

The Service is intended for individuals 17 years of age or older in the United States. We require users to verify their age (17+) through a mandatory date of birth field during onboarding. We do not knowingly collect personal information from individuals under 17.

If we discover that we have inadvertently collected personal information from someone under 17, we will:

  • Delete the account and all associated data within a reasonable time and as required by applicable law
  • Cease all processing of that individual's information
  • Not use the information for any purpose

If you are a parent or guardian and believe your child under 17 has provided personal information to us, please contact us immediately at legal@the-spread.org with subject line "Minor Privacy Issue" and we will promptly delete the account and data.

9) Security

We implement reasonable technical and organizational safeguards appropriate to the nature of the data and the risks of processing (e.g., encryption in transit, access controls, monitoring). No method is 100% secure; use a strong, unique password and keep it confidential.

10) Data Retention

We retain personal information only as long as necessary for the purposes described above or as required by law. Typical retention periods:

  • Account & Profile (including identifiers and date of birth): while your account is active + up to 24 months in backups/logs.
  • Reflections, journal entries, spread sessions, Personal Story chapters, weekly reflections & photos: while you keep them in your library + up to 12 months in backups.
  • AI processing data: Your content is processed by Yandex Cloud according to their retention policies; we do not separately store intermediate AI processing data. Generated outputs (insights, chapters, interpretations) are stored as part of your User Content (see above).
  • Diagnostics / logs: typically 90–180 days, unless needed longer for security/legal.

Actual periods may vary based on law, disputes, enforcement, or technical limitations (e.g., backup overwriting cycles).

11) Additional Disclosures (California "Last 12 Months")

In the last 12 months, we collected the categories listed in Section 2, disclosed them to service providers for business purposes, and did not sell or share personal information for cross-context behavioral advertising. We did not knowingly collect personal information from individuals under 17.

We do not share personal information with third parties for their direct marketing purposes.

12) International Use

The Service is intended for U.S. residents. We operate from the United States, and some of our service providers (for example, cloud hosting, storage, and AI processing vendors) may process data in other locations. If you access the Service from outside the United States, you understand that your information may be transferred to and processed in the United States and in other locations where our service providers operate, in accordance with this Policy.

13) Changes to this Policy

We may update this Policy to reflect changes in our practices or legal requirements. We will post the updated Policy with a new Effective Date and, where required by law, provide additional notice. Your continued use of the Service after the Effective Date means you acknowledge the updated Policy.

14) Accessibility

If you need this Policy in an alternative format, contact support@the-spread.org.

15) Data Breach Notification

Where required by applicable law, in the event of a data breach that affects your personal information, we will notify you without undue delay as required by applicable law. Notification will be provided via email to the address associated with your account and/or through an in-app notification. The notification will include the nature of the breach, the data affected, and steps you can take to protect yourself.

16) Contact Us

WSTBD LLC
218 W 123RD St, New York, NY 10027-5683, United States
General inquiries: support@the-spread.org
Privacy & legal matters: legal@the-spread.org
Security issues: legal@the-spread.org

17) Key Definitions (plain language)

  • "Personal information" (or "PI"): Information that identifies, relates to, or could reasonably be linked with an individual or household (as defined by applicable U.S. state privacy laws).
  • "Sensitive Personal Information" (SPI): Certain protected data (e.g., account access credentials). We use SPI only for permitted purposes (authentication and security).
  • "Sell" / "Share": Have the meanings under California law; we do not sell or share PI for cross-context behavioral advertising.
  • "Service providers": Vendors that process PI on our behalf under written contracts that restrict their use of PI to our instructions.
  • "User Content": Content you choose to write or save (e.g., daily reflections, journal entries, spread sessions, questions, card selections, notes, photos).
  • "AI Outputs": Text or other content generated by the Service (including Personal Story chapters, tarot interpretations, insights, and weekly reflection summaries) based on your inputs; used solely for self-reflection and personal growth, not for fortune-telling or prediction; governed by our Terms of Use.
  • "Personal Story": AI-generated narrative chapters created from your reflections and journal entries when you reach certain milestones.
  • "Spread": A tarot-based self-reflection session where you select cards and receive AI-generated interpretations as prompts for journaling and introspection—not fortune-telling.

Version: v1 • Effective Date: December 6, 2025