Privacy Policy
Effective Date: [TO BE SET ON LAUNCH]
Last Updated: 2026-05-30
Status: DRAFT — pending legal review by qualified Thai counsel
1. Who We Are
Muteloo ("we," "us," or "our") is a digital fortune-telling and self-reflection platform that synthesizes Western astrology, Korean Saju (사주), and Thai astrological traditions (มูเตลู).
The service is operated by [FRIEND'S THAI ENTITY NAME — TO BE FILLED], a company registered in Thailand, acting as the data controller under the Thai Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and, where applicable, under the EU General Data Protection Regulation ("GDPR").
- Contact: privacy@muteloo.com
- Data Protection Officer (DPO): [TO BE NAMED]
- Registered address: [TO BE FILLED]
This Privacy Policy is available in English, Thai (ไทย), and Korean (한국어). In case of conflict between language versions, the Thai version prevails for users in Thailand and for matters before Thai courts.
2. Information We Collect
We collect only what is necessary to provide our service. We do not collect your real name, phone number, or government-issued ID.
2.1 Information you provide
| Field | Required | Purpose |
|---|---|---|
| Email address | Yes | Account, receipts, refunds, important service notices |
| Date of birth, time, place | Yes | Core astrological/Saju calculation |
| Birth sex (assigned at birth) | Yes | Used solely for Saju (Korean four-pillars) calculation; never displayed in reading text |
| Pronouns | Optional | Used in reading text (defaults to "they/them" if not provided) |
| Gender identity / sexual orientation ("Identifies-as") | Optional | Used to adjust reading tone; treated as sensitive personal data |
| Nickname | Optional | Used only as the name we address you by |
| Occupation / field | Optional | Used to add context to career/finance readings |
| Relationship status | Optional | Used to add context to love/compatibility readings |
| Current location | Optional | Used to add context where it differs from birth place |
| Payment information | Yes (at payment) | Processed by Opn Payments; we do not store card or bank details |
2.2 Information collected automatically
- Cookies and similar technologies for session management and analytics
- IP address (used for fraud prevention, abuse detection, and rough geographic localization)
- Device and browser information
- Pages visited, reading topics requested, and other usage events (anonymized where possible)
2.3 Information we do NOT collect
- Your real legal name
- Phone numbers
- Government-issued identification
- Precise GPS location
- Biometric data
3. Legal Basis for Processing
Under PDPA (Thailand): We process personal data on the basis of your explicit consent given at signup, and as necessary for the performance of a contract (providing the reading you paid for).
Under GDPR (EU/EEA users): We rely on:
- Consent (Art. 6(1)(a)) for sensitive data such as Identifies-as and for marketing communications
- Contract (Art. 6(1)(b)) for providing the reading service
- Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and service improvement
You may withdraw consent at any time (see Section 7).
4. How We Use Your Information
- To generate personalized astrology and fortune-telling readings
- To process payments and deliver paid content
- To send transactional emails (receipts, account notices)
- To provide customer support
- To prevent fraud, abuse, and policy violations
- To improve our services (using aggregated, anonymized data where possible)
- To send marketing communications (only with separate opt-in consent)
- To measure and optimize advertising on Google, Meta, and similar platforms (only with consent for tracking cookies/pixels — EU/EEA visitors are prompted; non-EU visitors may opt out via cookie controls)
We do not use your personal data to make automated decisions that have legal or similarly significant effects on you, beyond generating your reading content.
AI-generated content disclosure: Reading content is generated by large language models. We use your birth and optional context data as input to AI providers (see Section 5). We do not train AI models on your data; providers process inputs ephemerally under standard enterprise/API terms.
5. Sharing and Third-Party Processors
We share information with the following categories of processors, each bound by appropriate data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Anthropic, OpenAI, Google | AI model inference for reading generation | United States |
| Opn Payments (formerly Omise) | Payment processing (PromptPay, cards) | Thailand |
| Vercel | Frontend hosting | United States |
| Railway (or equivalent) | Backend hosting and database | United States |
| PostHog | Product analytics (anonymized) | United States / EU |
| Sentry | Error monitoring (PII-scrubbed) | United States |
| Resend (or equivalent) | Transactional email delivery | United States |
| Google (Google Ads, Google Analytics, Google Tag Manager) | Conversion tracking, ad measurement, remarketing — consented users only | United States |
| Meta (Facebook/Instagram Pixel, Conversions API) | Conversion tracking, ad measurement, remarketing — consented users only | United States / Ireland |
| TikTok Ads (Pixel) — if used | Conversion tracking, ad measurement — consented users only | United States / Singapore |
We do not sell your personal data. We share only the minimum data needed for conversion measurement with ad platforms (typically: event name, anonymized event ID, hashed email if consented). Sensitive data (Identifies-as, gender identity, sexual orientation) is NEVER shared with ad platforms, never used for ad targeting, and never used to build lookalike audiences.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside Thailand and the EU/EEA, including the United States. Where required by law, we rely on:
- GDPR Standard Contractual Clauses for transfers from the EU/EEA
- PDPA cross-border transfer safeguards for transfers from Thailand
- Your explicit consent as an additional safeguard
7. Your Rights
You have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Correction — request that we correct inaccurate data
- Deletion — request that we delete your data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — request that we limit processing
- Withdraw consent — at any time, without affecting prior lawful processing
- Complaint — lodge a complaint with the relevant data protection authority (Thailand Personal Data Protection Committee, or your local EU supervisory authority)
To exercise any of these rights, email privacy@muteloo.com. We will respond within 5 business days under PDPA and within 30 days under GDPR (we aim for 5 business days for all requests).
8. Data Retention
- Account data: retained while your account is active
- After account deletion request: permanently deleted within 30 days, except where law requires longer retention (e.g., tax/accounting records: 5 years per Thai law)
- Reading content: stored for as long as your account is active; deleted with account
- Anonymized analytics: may be retained indefinitely
- Payment records: retained by Opn Payments per Thai financial regulations
9. Security
We implement reasonable technical and organizational measures to protect your data, including:
- TLS encryption in transit
- Encryption at rest for sensitive fields
- Access controls and least-privilege principles
- Regular security review
No system is perfectly secure. In the event of a data breach, we will notify affected users and relevant authorities within 72 hours of discovery, as required by PDPA and GDPR.
10. Children's Privacy
Muteloo is intended for users aged 13 and older. By using the service, you confirm that you are at least 13.
If you are under 18, we strongly recommend that you use Muteloo with parental awareness. Fortune-telling content is for self-reflection only and is not a substitute for guidance from trusted adults or licensed professionals.
We do not knowingly collect data from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.
Parents or guardians who believe their child under 13 has provided data may contact privacy@muteloo.com.
11. Sensitive Personal Data (PDPA + GDPR Special Categories)
The following optional fields are treated as sensitive personal data:
- Gender identity / sexual orientation ("Identifies-as")
- Inferences about religion or beliefs derived from spiritual content choices
For sensitive data, we:
- Collect only with explicit, separate consent
- Store with stricter access controls
- Allow you to leave these fields blank without losing core functionality
- Allow you to delete these fields at any time without deleting your account
- Never share with advertising platforms (Google, Meta, TikTok) under any circumstance
- Never use for ad targeting, lookalike audiences, or third-party profiling
- Never use to build automated inferences about you beyond the reading you requested
12. Crisis Topics and Safety
If you describe self-harm, suicide, or related crisis content in your input, Muteloo's AI will stop the reading and provide redirect information to professional resources:
- Thailand: Samaritans Thailand 02-713-6791 (English/Thai)
- Global: findahelpline.com
We log only anonymous frequency data for these events to monitor service safety; no identifiable content is retained.
13. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly necessary cookies — session, authentication, fraud prevention. No consent needed (PDPA/GDPR exemption).
- Analytics cookies — PostHog product analytics. Consent prompted for EU/EEA visitors via cookie banner; anonymized where possible elsewhere.
- Advertising and measurement cookies/pixels — Google Ads conversion tag, Google Analytics, Meta Pixel + Conversions API, TikTok Pixel (if used). Consent prompted for EU/EEA visitors via cookie banner. Used solely for:
  - Measuring whether ad clicks led to sign-ups or purchases
  - Remarketing to prior visitors (excluded if you opt out)
  - Building non-sensitive lookalike audiences (e.g., people who completed a purchase) — sensitive data fields (Identifies-as, gender identity, sexual orientation) are never included
You can control cookies via your browser settings and via our cookie consent banner (EU/EEA). Opting out of advertising cookies does not block your access to the Service.
14. Changes to This Policy
We may update this policy from time to time. We will notify users of material changes via email and an in-app banner at least 7 days before they take effect.
15. Governing Law
This Privacy Policy is governed by the laws of the Kingdom of Thailand. Any disputes shall be resolved in the courts of Thailand. EU/EEA users retain their statutory rights under GDPR and may lodge complaints with their local supervisory authority.
16. Contact
- Privacy email: privacy@muteloo.com
- General contact: hello@muteloo.com
- DPO: [TO BE NAMED]
- Postal address: [TO BE FILLED]
⚠ DRAFT NOTICE: This document is a working draft prepared with AI assistance. Before publication, this policy must be reviewed by qualified Thai legal counsel familiar with PDPA, GDPR, and Thai consumer/digital-service regulation. Specific items pending: [FRIEND'S ENTITY NAME], registered address, DPO name, effective date.