Privacy Policy

How Tikkoun collects, uses and protects your personal data — in compliance with the General Data Protection Regulation (GDPR / EU 2016/679).

Last updated: May 2026

1. Data controller

The controller of your data is:
Tikkoun
Belgium
Contact: [email protected]

2. Data collected

We only collect data strictly necessary for the operation of the services offered.

| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| User account | E-mail address, first / last name, password (hashed) | Account creation and management, authentication | Contract performance |
| Orders | Name, delivery address, phone number (optional) | Order processing and shipping | Contract performance |
| Payments | No raw bank data — processed exclusively by Stripe | Billing, subscriptions | Contract performance |
| AI usage | Tokkoun balance, AI request history (anonymised) | Credit deduction, abuse prevention | Legitimate interest |
| Browsing data | Local storage (localStorage, IndexedDB) — on your device only | Saving readings, preferences (visual theme) | Legitimate interest |

Tikkoun does not process any “sensitive” data within the meaning of Article 9 of the GDPR (health, beliefs, ethnic origin, etc.).

3. Sub-processors and transfers outside the EU

We use the following providers, each subject to adequate contractual guarantees (standard contractual clauses of the European Commission or adequacy decision):

| Provider | Role | Location |
|---|---|---|
| Supabase | Database, user authentication | EU (AWS eu-central-1) |
| Stripe | Payment and subscription processing | EU / United States — PCI DSS certified |
| Printful | Print on demand and shipping (t-shirts) | EU (Latvia) |
| Heroku (Salesforce) | Python backend hosting | United States — configurable EU server |
| Anthropic (Claude API) | AI interpretation generation | United States — anonymised requests, no persistent storage |
| bPost | Parcel transport and delivery in Belgium | Belgium |

No sale or rental of your data to third parties for commercial purposes.

4. Retention periods

  • User account: retained as long as the account is active. Deleted within 30 days of your account closure request.
  • Orders and invoices: 7 years in accordance with Belgian accounting legislation.
  • Local browsing data: stored on your device; deleted by clearing your browser cache.
  • Server logs: retained for a maximum of 90 days for security purposes.

5. Cookies and local storage

Tikkoun uses no advertising cookies or third-party tracking tools. The Comfortaa font is self-hosted — no request is sent to Google Fonts. The site uses only:

  • localStorage: saving readings, display preferences (Sunny/Moony mode), cart contents, acknowledgement of the cookie notice (tik_cookie_notice_v1).
  • IndexedDB: storage of generated birth chart PDFs, kept locally on your device.
  • Supabase session cookie: maintaining your login (strictly necessary cookie, session duration).
  • Stripe cookies: during a transaction, Stripe places strictly necessary cookies for payment security (fraud protection, PCI DSS compliance). These cookies are only activated on payment pages.

These mechanisms are exclusively functional (legal basis: legitimate interest and contract performance) and transmit no data to advertising networks.

6. Your GDPR rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access: obtain a copy of the data we hold about you.
  • Right of rectification: correct inaccurate or incomplete data.
  • Right to erasure: request deletion of your data (“right to be forgotten”), except where we are legally required to retain it.
  • Right to restriction: restrict the processing of your data in certain cases provided for by the GDPR.
  • Right to portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on our legitimate interest.

To exercise any of these rights, write to: [email protected]
We will respond within 30 days of receiving your request.

7. Right to lodge a complaint

If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

Data Protection Authority (APD/GBA)
Rue de la Presse 35, 1000 Brussels
www.apd-gba.be

8. Data security

We implement appropriate technical and organisational measures to protect your data against loss, unauthorised access, disclosure or destruction:

  • Encrypted communications via HTTPS (TLS 1.2+)
  • Hashed passwords (bcrypt via Supabase Auth)
  • Database access restricted by roles (Supabase Row-Level Security)
  • Payments delegated to Stripe — no raw bank data on our servers

9. Changes to this policy

We reserve the right to update this privacy policy to reflect legal developments or changes to our services. The date of last update is indicated at the top of this page. In the event of a material change, users with an account will be notified by e-mail.