Privacy Policy

FATEON is digital cultural-entertainment software. This policy explains how Konnect Corp. (FATEON) collects, uses, stores, shares, and protects personal data — including AI and international processing.

1. Data controller & contact

Controller: Konnect Corp. (Korean: 주식회사 코네트), Business Registration No. 275-88-02518, 26 Hakdong-ro 101-gil, Gangnam-gu, Seoul, Republic of Korea.

Privacy & data-protection enquiries: privacy@fateon.net — General support: info@fateon.net. Please use the email registered on your FATEON account when exercising rights so we can verify your identity.

We do not require a dedicated EU representative today; EU residents may contact privacy@fateon.net and lodge a complaint with their local supervisory authority (Article 77 GDPR) if unsatisfied with our response.

2. Personal data we process

Service positioning: FATEON is a digital cultural-entertainment and hobby-software product; we process the data below to run that product — not to provide regulated professional services (medical, legal, tax, or investment).

Account & profile: email (when you authenticate), optional display name, birth date/time and related saju inputs, gender where collected, language/UI preferences, points balance metadata, subscription status flags.

Usage & technical: IP address, approximate region, user-agent, timestamps, error logs — needed for security, abuse prevention, and service reliability.

AI readings: text prompts and structured inputs you submit (e.g. birth data, tarot selections) are sent to Google Gemini to generate outputs. We do not sell prompts for unrelated advertising.

Face analysis: when you use face-reading, a portrait image is transmitted to Google’s Gemini API for that request. We do not store the image in our application database as a user-uploaded file for long-term profile photos.

Payments: card and billing data are processed exclusively by the independent Merchant of Record (MoR) named at checkout and on your receipt (e.g. Paddle, Lemon Squeezy, or another processor). FATEON does not store full card numbers on our servers.

2a. App data categories (Google Play / store disclosure)

Email data: collected when you sign in (Google OAuth or email/password). Used for account identity, password reset, subscription receipts routed via our MoR, and support. Stored in Supabase Auth and your profile row.

Date of birth data: collected when you enter saju profile information (date and optional time). Used to generate AI readings and personalize charts. Stored in the profiles table while your account is active.

AI consultation data: text questions, tarot selections, saju inputs, and generated responses sent to Google Gemini for inference. Stored in reading/oracle tables linked to your user ID until you delete content or your account.

Analytics data: Google Analytics 4 loads only after you consent to Analytics cookies. AdMob may process advertising identifiers in native app builds — see section 4 and our Cookie Policy.

Cookies & local storage: session tokens, language preference, optional guest saju snapshot, push tokens, and cookie-consent choices. See fateon.net/cookies for categories and withdrawal.

4. Sub-processors & third parties

Supabase Inc. — PostgreSQL database, authentication, Row Level Security, optional Storage. Data is hosted in the region configured for our Supabase project (commonly United States). A data-processing role exists under Supabase’s DPA when we act as controller.

Google LLC / Alphabet — Gemini (Generative AI) processes prompts in the United States and other Google infrastructure regions per Google’s terms. See: https://policies.google.com/privacy

Merchant of Record (MoR) — the licensed processor shown at checkout (e.g. Paddle, Lemon Squeezy) handles payments, invoices, tax/VAT, refunds, and subscription management through its own customer portal.

Vercel Inc. — hosting and edge delivery of the web application.

Google Analytics 4 — loaded in your browser only after you consent to Analytics cookies (see Cookie Policy).

Google AdMob & in-app advertising (Alphabet): On native Android/iOS app builds distributed through app stores, we may display advertisements through Google AdMob. Google may process your device advertising identifier (Advertising ID on Android; Identifier for Advertisers (IDFA) on iOS where applicable) to deliver and measure ads, including personalized ads in accordance with Google policies and your device-level choices. You can reset or limit ad personalization in your device settings (e.g. Google Settings → Ads on Android; Privacy → Tracking / Apple Advertising on iOS). Where required (for example in the EEA or UK), Google’s User Messaging Platform (UMP) may present a consent form before personalized ads. See https://policies.google.com/privacy.

Resend (or comparable transactional email provider) when enabled — sends account and receipt-related messages; content is limited to operational notices.

We maintain an internal sub-processor list and notify logged-in users of material changes where required. For enterprise DPA requests, contact privacy@fateon.net.

5. International transfers

FATEON is established in the Republic of Korea. Our infrastructure and subprocessors (e.g. Supabase, Google, Vercel, and the payment MoR) may process data in the United States, the European Economic Area, the United Kingdom, and other regions where they operate.

Where GDPR applies, we rely on appropriate safeguards such as Standard Contractual Clauses implemented by our vendors, or adequacy decisions where available. Copies of relevant mechanisms may be requested via privacy@fateon.net subject to confidentiality.

6. Retention periods (summary)

Account & profile: retained while your account is active; after a deletion request, personal data is erased or irreversibly anonymised within a commercially reasonable period (typically within 30–90 days) except where law requires longer retention.

Saju reports & cached AI outputs in our database: retained until you delete them or delete your account, unless a shorter product-specific rule is stated in-app.

Server logs: rolling retention on the order of days to a few months depending on subsystem — used for security and debugging.

Payment records: retained by the MoR according to its legal obligations; FATEON retains minimal billing references (e.g. subscription ID, status) needed to unlock features.

Marketing consents & cookie choices: stored for proof of consent for the period required by applicable law.

7. Face photos — how “immediate deletion” works technically

Product promise: portrait images used for face-reading are not kept as a permanent user “photo gallery” in our Postgres database.

Processing path: your browser sends base64 image data to our API route, which forwards it to Google Gemini for a single inference. We do not write the raw image to our own long-term object storage for profile avatars.

Ephemeral copies: transient memory, reverse-proxy buffers, or short-lived logs on Google’s or our host’s side may exist for seconds to hours while the request completes. We do not use your image to train custom models.

Verification: you can inspect network calls in browser devtools — after the response, no separate “save photo” API is called. Our open-source-oriented posture: security researchers may request an architecture summary under coordinated disclosure via privacy@fateon.net.

If we materially change retention (e.g. optional “save my portrait” feature), we will update this policy and obtain consent where required.

8. Your rights & DSAR (access / correction / deletion)

You may request access, correction, deletion, restriction, objection (including to certain analytics), and portability where applicable (GDPR/UK GDPR/CCPA and similar laws).

In-app deletion: signed-in users can delete their account under My Page → Delete account (Settings). This permanently removes your auth user and associated app data from our database (subject to legal billing retention at the payment MoR).

How to submit a DSAR: email privacy@fateon.net from your registered account email with subject “DSAR” and describe the request (access, delete, export). We may ask for minimal additional verification to prevent fraud.

Response timelines: we aim to respond within 30 days (GDPR default) or as required by your jurisdiction (e.g. up to 45 days for some California requests).

Deletion vs billing: deleting your FATEON account does not automatically erase the MoR’s billing history — you may also invoke the MoR’s tools or support for payment-side erasure where available.

9. Supervisory authority (EEA/UK)

Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection authority in your country of residence, place of work, or place of alleged infringement (Article 77 GDPR).

We encourage you to contact us first at privacy@fateon.net so we can address your concern promptly.

10. Automated decision-making

AI-generated readings are cultural-entertainment outputs, not legally significant solely automated decisions about you under Article 22 GDPR. You may disregard or reinterpret outputs.

11. Children

FATEON is not directed to children under 13. We do not knowingly collect personal data from anyone under 13. If we learn that a child under 13 has registered, we will delete the account and associated data.

Purchases require legal capacity (18+ or higher age of majority). If you believe a child has provided personal data without appropriate consent, contact privacy@fateon.net and we will take reasonable steps to delete it.

12. Cookies & tracking

We maintain a separate Cookie Policy at fateon.net/cookies describing categories (Essential, Analytics, Marketing), GA4 loading rules, and how to withdraw consent.

13. Japan (Act on the Protection of Personal Information — overview)

For users in Japan: we obtain consent where required for cookies and similar technologies beyond what is strictly necessary, and for third-country transfers we rely on the APPI’s extraterritorial provisions and appropriate contractual safeguards offered by vendors.

Japanese-language disclosure: this page includes a JP tab; we also summarise third-party disclosure (Gemini, Supabase, payment MoR, GA4) in Japanese here for transparency.

14. Changes

We may update this policy to reflect product, legal, or vendor changes. Material changes will be highlighted in-app or by email where appropriate. Continued use after the effective date constitutes notice where permitted by law.