Privacy Policy

How Konnect Corp. (FATEON) collects, uses, stores, shares, and protects personal data — including AI and international processing.

1. Data controller & contact

Controller: Konnect Corp. (Korean: 주식회사 코네트), Business Registration No. 275-88-02518, 26 Hakdong-ro 101-gil, Gangnam-gu, Seoul, Republic of Korea.

Privacy & data-protection enquiries: privacy@fateon.net — General support: info@fateon.net. Please use the email registered on your FATEON account when exercising rights so we can verify your identity.

We do not require a dedicated EU representative today; EU residents may contact privacy@fateon.net and lodge a complaint with their local supervisory authority (Article 77 GDPR) if unsatisfied with our response.

2. Personal data we process

Account & profile: email (when you authenticate), optional display name, birth date/time and related saju inputs, gender where collected, language/UI preferences, points balance metadata, subscription status flags.

Usage & technical: IP address, approximate region, user-agent, timestamps, error logs — needed for security, abuse prevention, and service reliability.

AI readings: text prompts and structured inputs you submit (e.g. birth data, tarot selections) are sent to Google Gemini to generate outputs. We do not sell prompts for unrelated advertising.

Face analysis: when you use face-reading, a portrait image is transmitted to Google’s Gemini API for that request. We do not store the image in our application database as a user-uploaded file for long-term profile photos.

Payments: card and billing data are processed exclusively by Paddle (Merchant of Record). FATEON does not store full card numbers on our servers.

4. Sub-processors & third parties

Supabase Inc. — PostgreSQL database, authentication, Row Level Security, optional Storage. Data is hosted in the region configured for our Supabase project (commonly United States). A data-processing role exists under Supabase’s DPA when we act as controller.

Google LLC / Alphabet — Gemini (Generative AI) processes prompts in the United States and other Google infrastructure regions per Google’s terms. See: https://policies.google.com/privacy

Paddle.com Market Ltd — Merchant of Record for payments, invoices, tax/VAT, refunds, and “click-to-cancel” subscription management via Paddle’s customer portal.

Vercel Inc. — hosting and edge delivery of the web application.

Google Analytics 4 — loaded in your browser only after you consent to Analytics cookies (see Cookie Policy).

Resend (or comparable transactional email provider) when enabled — sends account and receipt-related messages; content is limited to operational notices.

We maintain an internal sub-processor list and notify logged-in users of material changes where required. For enterprise DPA requests, contact privacy@fateon.net.

5. International transfers

FATEON is established in the Republic of Korea. Our infrastructure and subprocessors (e.g. Supabase, Google, Vercel, Paddle) may process data in the United States, the European Economic Area, the United Kingdom, and other regions where they operate.

Where GDPR applies, we rely on appropriate safeguards such as Standard Contractual Clauses implemented by our vendors, or adequacy decisions where available. Copies of relevant mechanisms may be requested via privacy@fateon.net subject to confidentiality.

6. Retention periods (summary)

Account & profile: retained while your account is active; after a deletion request, personal data is erased or irreversibly anonymised within a commercially reasonable period (typically within 30–90 days) except where law requires longer retention.

Saju reports & cached AI outputs in our database: retained until you delete them or delete your account, unless a shorter product-specific rule is stated in-app.

Server logs: rolling retention on the order of days to a few months depending on subsystem — used for security and debugging.

Payment records: retained by Paddle as MoR according to Paddle’s legal obligations; FATEON retains minimal billing references (e.g. subscription ID, status) needed to unlock features.

Marketing consents & cookie choices: stored for proof of consent for the period required by applicable law.

7. Face photos — how “immediate deletion” works technically

Product promise: portrait images used for face-reading are not kept as a permanent user “photo gallery” in our Postgres database.

Processing path: your browser sends base64 image data to our API route, which forwards it to Google Gemini for a single inference. We do not write the raw image to our own long-term object storage for profile avatars.

Ephemeral copies: transient memory, reverse-proxy buffers, or short-lived logs on Google’s or our host’s side may exist for seconds to hours while the request completes. We do not use your image to train custom models.

Verification: you can inspect network calls in browser devtools — after the response, no separate “save photo” API is called. Our open-source-oriented posture: security researchers may request an architecture summary under coordinated disclosure via privacy@fateon.net.

If we materially change retention (e.g. optional “save my portrait” feature), we will update this policy and obtain consent where required.

8. Your rights & DSAR (access / correction / deletion)

You may request access, correction, deletion, restriction, objection (including to certain analytics), and portability where applicable (GDPR/UK GDPR/CCPA and similar laws).

How to submit a DSAR: email privacy@fateon.net from your registered account email with subject “DSAR” and describe the request (access, delete, export). We may ask for minimal additional verification to prevent fraud.

Response timelines: we aim to respond within 30 days (GDPR default) or as required by your jurisdiction (e.g. up to 45 days for some California requests).

Deletion vs billing: deleting your FATEON account does not automatically erase Paddle’s MoR billing history — you may also invoke Paddle’s tools or support for payment-side erasure where available.

9. Supervisory authority (EEA/UK)

Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection authority in your country of residence, place of work, or place of alleged infringement (Article 77 GDPR).

We encourage you to contact us first at privacy@fateon.net so we can address your concern promptly.

10. Automated decision-making

AI-generated readings are assistive entertainment outputs, not legally significant solely automated decisions about you under Article 22 GDPR. You may disregard or reinterpret outputs.

11. Children

Purchases require legal capacity (18+ or higher age of majority). If you believe a child has provided personal data without appropriate consent, contact privacy@fateon.net and we will take reasonable steps to delete it.

12. Cookies & tracking

We maintain a separate Cookie Policy at fateon.net/cookies describing categories (Essential, Analytics, Marketing), GA4 loading rules, and how to withdraw consent.

13. Japan (Act on the Protection of Personal Information — overview)

For users in Japan: we obtain consent where required for cookies and similar technologies beyond what is strictly necessary, and for third-country transfers we rely on the APPI’s extraterritorial provisions and appropriate contractual safeguards offered by vendors.

Japanese-language disclosure: this page includes a JP tab; we also summarise third-party disclosure (Gemini, Supabase, Paddle, GA4) in Japanese here for transparency.

14. Changes

We may update this policy to reflect product, legal, or vendor changes. Material changes will be highlighted in-app or by email where appropriate. Continued use after the effective date constitutes notice where permitted by law.