Privacy policy

Last updated: 5 May 2026.

Nostradamus ("we") provides palm reading and astrology readings at nostradamus.no. This page explains what personal information we collect when you use the service, how we use it, who we share it with, and how to delete it.

Data we collect

Account information. When you sign in with Google or Meta, we receive your name, email address, profile photo, and provider user ID. We do not receive your password.

Birth data. The location, date, time, and gender you provide during onboarding. We compute your natal chart from this and store both the raw values and the chart on your account.

Palm photographs. If you submit a palm reading, the photographs you upload are sent to our third-party visual-analysis providers for processing (see "Processors" below) and stored on your account alongside the resulting reading.

Profile photograph. If you upload one, it is stored on your account and shown on your public connection card and in your connections list.

Payment information. If you subscribe or buy an extra reading, Stripe processes your card. We never see or store your card number; we only receive Stripe's customer and subscription identifiers.

Usage and technical data. Standard server logs (IP address, user agent, request URLs) are kept for a short period for fraud prevention and debugging.

How long we keep things

Your account, birth data, and natal chart are kept for as long as your account exists. Generated readings (daily astrology, palm readings, newsletter sends) are kept for six months from when they were created and then automatically deleted by a nightly cleanup job.

Stripe payment records and Meta data-deletion audit logs are kept indefinitely because regulators require it.

How we use your data — lawful basis

We process your data on the following GDPR Article 6 bases:

  • Contract performance (Art. 6(1)(b)). Producing the readings you request, computing your natal chart, processing your subscription, providing your connections list and the invite mechanic, sending transactional emails (sign-in, payment receipts).
  • Consent (Art. 6(1)(a)). Sending the daily wisdom and monthly fortune newsletters you've opted into; firing analytics and marketing tracking only when you've granted those categories on the consent banner.
  • Legitimate interests (Art. 6(1)(f)). Preventing abuse, debugging problems, and the basic server logging that comes with running an internet service.
  • Legal obligation (Art. 6(1)(c)). Retaining Stripe payment records for the periods required by tax and accounting law.

We do not sell your data, and we do not use it to train any AI model.

Processors we share data with

  • Supabase — database and storage hosting (your account, birth data, readings, palm photographs, profile photograph).
  • Vercel — application hosting and request logs.
  • Third-party machine-learning, OCR, and visual-analysis providers — read your palm photographs to extract palmistry markers (lines, mounts, markings) and render the annotated line overlays. The photograph leaves our servers and is sent for processing at the moment of generation. None of this data is used to train these providers' models.
  • Third-party natural-language-model providers — compose the daily astrology readings, the daily wisdom, and the monthly fortune from your birth data and palm profile (text only — no photographs are sent here). None of this data is used to train these providers' models.
  • Stripe — payment processing.
  • Resend — newsletter and transactional email delivery.
  • Google / Meta — only what they receive as your sign-in provider. When you've granted marketing consent, we additionally fire server-side conversion events (Meta CAPI, TikTok Events API, Google Measurement Protocol) so we can measure the effectiveness of our advertising. These events contain hashed identifiers (email, name, your user id) per industry standard, never raw personal data.

Cookies and tracking

Necessary. We set one session cookie for sign-in (Auth.js JWT) and rely on cookies set by Stripe during checkout. These cannot be turned off — the site doesn't function without them.

Analytics. When you grant the analytics category on the consent banner, we use a privacy-respecting product-analytics tool to understand how the site is used. Anonymous unless you're signed in.

Marketing. When you grant the marketing category, we set the Meta Pixel, TikTok Pixel, and Google tag and fire server-side conversion events to those platforms via their Conversions APIs (Meta CAPI, TikTok Events API, Google Measurement Protocol). This allows us to measure which ads brought you here and to reach people similar to our existing subscribers. We never share raw personal data — only hashed identifiers as the standards require.

You can change your choices any time on the Account page.

Your rights and choices (GDPR)

You have the rights granted by the GDPR over the personal data we hold about you:

Access (Art. 15). Sign in and visit the Account page (/me) — your birth data, chart, connections, and subscription state are all visible there.

Data portability (Art. 20). The "Download my data" button on the Account page produces a JSON file containing every personal-data row we hold about you, with links to your stored images. Available any time, no fee.

Rectification (Art. 16). Birth data, gender, and handedness can be updated by redoing onboarding from the Account page (a $1 charge applies). Email hello@nostradamus.no for anything else.

Withdraw consent (Art. 7(3)). Change your analytics or marketing consent any time from the Privacy & cookies card on the Account page. Withdrawing consent does not affect the lawfulness of processing that happened before.

Turn off the newsletter. Toggle it off on the Account page, or click "Unsubscribe" at the bottom of any newsletter email.

Cancel your subscription. Email hello@nostradamus.no and we will cancel via Stripe; your access remains until the end of the paid period.

Delete your account

See the dedicated data deletion page for full instructions. In short: email hello@nostradamus.no from the address you signed up with, and we'll complete the deletion within 30 days, cancelling any active subscription first.

Stripe payment records are retained per Stripe's own retention schedule, which is required by tax and accounting law.

Children

Nostradamus is not intended for users under 16. If you believe a minor has signed up, contact us and we'll delete the account.

Changes

We may update this policy as the service changes. Material changes will be announced by email to subscribers; the "Last updated" date above always reflects the current version.

Contact

Questions or requests: hello@nostradamus.no.