Privacy Policy
Seidwyn is a tool for entertainment and self-reflection. To give you a personalised reading we receive a small amount of information from you. This page explains what we receive, why, who else sees it, how long we keep it, and what control you have over it.
1. Who we are
"Seidwyn" refers to the operator of seidwyn.com, Arnar Arinbjörnsson (Iceland). You can reach us at privacy@seidwyn.com with any privacy question. We are the data controller for the information described below.
2. What we collect, and why
2.1 What you give us directly
- Quiz answers. Ten short answers from the onboarding quiz. We use them to personalise readings and to redirect you to a real support resource when you tell us today is genuinely hard.
- An image, if you choose to share one for an aura, eye, face, palm, companion, or compatibility reading. We hold the bytes only for the few seconds required to call our reading engine; we never write them to permanent storage. If the image includes another person, you confirm by uploading it that they are an adult and have consented.
- Free text, if you choose to write a few sentences for a dream, tarot, or numerology reading. Stored against your account so you can revisit the reading.
- Your email address, if you sign up for the prelaunch list or subscribe to a paid plan.
- Payment details, if you subscribe. Card details never reach our servers — they go directly to our payment processor (Stripe, Inc.).
2.2 What we collect automatically
- One session cookie (sdw_sid) so we can remember your quiz answers across the funnel. It is strictly necessary for the service to work, contains no personal data beyond a random session identifier, and does not require a cookie banner under EU law because we set no advertising or analytics cookies. No third-party tracking pixels live on Seidwyn.
- Your IP-derived country code (e.g. "US", "IS") for fraud triage and to route you to the appropriate regional support line if the quiz signals distress. We do not store your raw IP address beyond the request.
- Your browser user-agent string, truncated to 256 characters, for fraud triage only.
3. How we use your image
This is the part of the policy that matters most. When you submit an image:
- Your browser uploads the bytes to our Cloudflare Worker over TLS.
- The Worker hashes the bytes (SHA-256) and forwards them, together with your quiz answers, to the reading engine — see our sub-processor list for which provider handles which modality.
- The provider returns a text reading.
- We store the SHA-256 hash, the reading text, and a record that a reading happened. The image bytes are dropped from memory and are never written to disk on our infrastructure.
We do not generate or store face embeddings, gait signatures, or any other lasting biometric identifier. We do not retain the image after the reading is generated. We do not allow our sub-processors to retain it for training — see their respective contractual commitments linked in our sub-processor list.
4. Legal bases (GDPR)
If you are in the European Economic Area or the United Kingdom, our lawful bases are:
- Performance of a contract for the readings, subscription management, and your account — Article 6(1)(b) GDPR.
- Your consent for image processing and for optional marketing emails — Articles 6(1)(a) and 9(2)(a) GDPR. You can withdraw consent at any time by emailing privacy@seidwyn.com.
- Our legitimate interest in preventing fraud and abuse, narrowly applied, for the user-agent and country fields — Article 6(1)(f) GDPR.
5. Sub-processors
We use the following processors. We have signed data-processing addenda with each of them where applicable. The complete current list with links to their terms is at /legal/sub-processors/.
- Anthropic, PBC — runs Claude Sonnet 4 (vision) for aura and companion readings. Image bytes are sent to Anthropic, the reading text is returned, and the bytes are not retained by Anthropic for training under our API terms.
- Google LLC — runs Gemini Flash for the daily reflection. Text only; no image input.
- Cloudflare, Inc. — hosts the website, runs the Workers, stores account data in D1 (Cloudflare's managed SQL).
- Stripe, Inc. — processes subscription payments and the customer billing portal. Card details go to Stripe and never to us.
6. How long we keep things
- Images: 0 seconds after the reading is generated. We hold a SHA-256 hash to deduplicate retries.
- Quiz answers and readings: until you delete your account, or for 24 months from your last activity, whichever comes first.
- Account + subscription records: for the duration of your account, plus 7 years for billing records (Icelandic tax-law requirement).
- Prelaunch email list: until launch, at which point we email you once and ask whether to keep you on the list. If you do not opt in, we delete you.
7. Your rights
Wherever you are, you have the right to:
- Ask us what data we hold about you.
- Ask us to correct it.
- Ask us to delete it (subject to billing-record retention obligations).
- Ask us to export it in a portable format.
- Withdraw consent at any time for any processing based on consent.
- Object to our legitimate-interest processing.
Write to privacy@seidwyn.com and we will reply within 30 days. EU residents may also lodge a complaint with their national data-protection authority.
8. Children's privacy
Seidwyn is for adults only. We do not knowingly collect data from anyone under 18 and we do not target the service to anyone under 18. Do not upload images of minors for any modality, including companion readings of a child standing next to a pet. If you are a parent who believes a minor has used the service or appears in an uploaded image, write to us at privacy@seidwyn.com and we will delete the account and any associated records immediately.
9. International transfers
Anthropic, Google, Cloudflare, and Stripe are US companies. Where data leaves the European Economic Area we rely on the European Commission's Standard Contractual Clauses with each provider, plus their additional technical safeguards.
10. Security
Data in transit is TLS-encrypted end-to-end. Data at rest in our D1 database is encrypted at the disk level by Cloudflare. API keys for payment and reading providers are stored as Cloudflare Worker secrets, which are encrypted and accessible only to the running Worker code. We do not have access to your payment card number — that lives only at Stripe.
11. Changes
If we change this policy we will update the "Last updated" date at the top of this page. Material changes (sub-processor additions, retention increases) will be notified by email to subscribers.