Privacy Policy

This policy explains what personal information Koracle (koracle.app — including K-Saju at saju.koracle.app and our K-pop compatibility readings, operated by Koracle in Seoul, Republic of Korea) collects, why we collect it, how we use and share it, and the rights you have over it. Some features let you enter another person's or a public figure's (such as a K-pop idol's) birth date to generate a compatibility reading; you are responsible for any third-party birth detail you choose to enter. By using the Service you agree to the practices described here.

1. Information we collect

We collect the following categories of personal information:

• Birth information you submit at checkout: name, gender (optional), date of birth, time of birth (optional), birthplace city, country, and IANA timezone.
• Contact details: email address (used to deliver the report and provide support).
• Payment metadata from our processor: order ID, amount, currency, payment method type, billing country, last four digits of the card. We never see or store full card numbers; those go directly to our payment processor (currently one of Dodo Payments, Payhip, or Lemon Squeezy — see Section 3).
• Generated content: the saju chart and the AI-authored reading associated with your purchase.
• Device & usage signals: IP address, user agent, referrer, analytics events (page view, form steps, checkout, purchase), UTM parameters from referring ads, and advertising identifiers (Meta _fbp/_fbc and TikTok ttp) used to measure ad conversions.
• Customer support correspondence: emails and messages you send us.

2. How we use it

• Generate your saju reading
• Deliver the PDF and provide customer support
• Process payment, prevent fraud, and handle refunds
• Measure ad effectiveness (Meta Conversions API and TikTok Events API; we share a hashed email plus event data and advertising identifiers, never birth details)
• Improve the Service through aggregate analytics
• Comply with legal obligations and respond to lawful requests

3. Sharing & processors

We share data only with vetted processors needed to deliver the Service:

• Payment processing — Dodo Payments, Payhip, or Lemon Squeezy (one is active at any given time; we may switch between them for reliability, regional support, or pricing, and will update this page within 30 days of a change)
• Resend — transactional email delivery
• Vercel — application hosting (US infrastructure)
• Supabase — managed Postgres database + object storage (Asia/US infrastructure)
• Inngest — job queue
• AI generation — OpenAI and/or Anthropic; input is your computed saju chart only (no name, no email, no IP)
• Meta & TikTok — ad measurement via their Conversions API / Events API and pixels (loaded through Google Tag Manager): hashed email + event metadata + advertising identifiers fbp/fbc/ttp, IP, and user agent

We do not sell your personal data, and we do not share it with marketing partners beyond ad attribution noted above.

4. Retention

Birth information and the generated reading are retained for up to 24 months from purchase to support re-download and customer service. After 24 months we delete or anonymize them. Aggregated analytics, financial records required for tax purposes, and webhook logs may be retained longer where required by law.

5. International transfers

Our infrastructure is located in the United States and Asia. Where applicable, transfers between regions are protected by Standard Contractual Clauses or equivalent safeguards.

6. Your rights

Subject to your jurisdiction, you have the right to access, correct, delete, or export your personal data, restrict or object to certain processing, and withdraw consent. Specifically:

• Korea (PIPA): access, correct, delete, suspend processing
• EU/UK (GDPR): access, rectification, erasure, portability, restriction, objection, withdraw consent
• California (CCPA/CPRA): know, delete, correct, opt out of "sale or sharing"

To exercise any right, email koraclelabs@gmail.com with your purchase email and the request. We respond within 30 days.

7. Security

We use TLS 1.3 in transit, encrypted backups at rest, scoped service-role keys for database access, HMAC-signed URLs for PDF downloads with 7-day expiry, and standard webhook signature verification. No system is perfectly secure, but these are reasonable industry measures.

8. Children

The Service is offered for entertainment and is intended for a general audience. It is not directed to children under 13, and we do not knowingly collect personal data from children under 13; if you believe a child under 13 has provided us data, please contact us and we will delete it. Minors below the age of majority should use the Service only with the involvement of a parent or guardian. Purchases require you to be at least 18, or the age of majority in your jurisdiction.

9. Cookies & analytics

The Service uses cookies for session, analytics, and advertising-measurement purposes. Through Google Tag Manager we may load the Meta (Facebook) Pixel and TikTok Pixel, which can set advertising cookies such as _fbp and _fbc. We also send conversion events server-side via the Meta Conversions API and TikTok Events API, matching them with a hashed email plus event metadata and, where available, advertising identifiers (fbp/fbc/ttp), IP address, and user agent. We use this only to measure ad performance — we do not sell your data or build profiles beyond that. You can limit it through your browser cookie settings and device-level ad controls.

10. Changes to this policy

We may update this policy. The "Last updated" date at the top reflects the most recent version. Material changes will be communicated via email or a banner on the Service.

11. Contact & data protection officer

Privacy questions or rights requests: koraclelabs@gmail.com. Business mailing address is published on our Contact page.