Legal · Last updated February 12, 2026

Privacy Policy

This Privacy Policy explains how Cauldron Technologies, Inc. ("Cauldron," "we," "us") collects, uses, shares, and protects your information when you use the Cauldron web app, iOS app, Android app, and related services (collectively, the "Service"). It applies to all platforms — web at thecauldron.app, the Cauldron iOS app on the App Store, and the Cauldron Android app on Google Play.

Plain-English summary: We collect what we need to run the app (your account, profile, payments, content). We use Stripe for money, Twilio for video, Resend for email, MongoDB Atlas for storage, and Apple/Google for push and in-app purchases. We never sell your data. You can delete your account anytime from your profile — see how to delete your data.

1. Information We Collect

Account & profile

  • Name, email, hashed password, role (Client / Practitioner / Admin), phone (optional, for OTP & bookings)
  • Profile photo, banner, bio, business name, category, lineage, certifications, services offered, pricing
  • Identity-verification (KYC) documents you submit (government ID + selfie via Persona) — held by Persona, not by us

Payments & payouts

  • Stripe handles card data directly — we never see your full card number. We retain only Stripe-generated metadata (charge ID, last 4, brand, status, amount, currency)
  • Payout method metadata: bank account last-4 (Stripe), crypto wallet addresses you choose to register (we validate format but do not custody funds)
  • Cauldron Token (CAUL) ledger entries

Content you create

  • Posts, clips, comments, direct messages, livestream recordings (if you record), reviews, oracle readings, community posts

Device, mobile & usage data

  • IP address, user agent, app version, OS version, device model, language, timezone
  • Push notification tokens (APNs / FCM) — only collected if you grant the permission
  • Camera, microphone, photo library — accessed only during the flow you initiate (video call, profile photo upload, livestream, KYC selfie). We do not access them in the background
  • Approximate location — inferred from IP for fraud-prevention and to localize practitioner discovery. We do not request precise GPS location
  • Analytics events (page views, clicks) via Google Analytics 4 with IP-anonymization enabled

Communications

  • Transactional email metadata (Resend): send-time, open/click events for password resets, booking confirmations, payout notifications
  • Video call session metadata (Twilio): start/end time, participants, duration — not the call content itself unless you explicitly record

2. App Store / Play Store Privacy Disclosures

In line with Apple's App Privacy nutrition labels and Google Play's Data Safety form, here is exactly what mobile data is collected and how it is used:

Data TypePurposeLinked to You?Used for Tracking?
Contact info (email, name, phone)Account, supportYesNo
Payment infoTransactions (via Stripe)YesNo
User content (posts, photos, messages)App functionalityYesNo
Identifiers (user ID, push token)Auth, notificationsYesNo
Usage data (page views, clicks)Analytics, product improvementNo (aggregated)No
Diagnostics (crash logs)App stabilityNoNo

We do not use third-party advertising SDKs, fingerprinting, or cross-app tracking. If you opt out of Apple's App Tracking Transparency prompt, your Cauldron experience is identical.

3. Mobile Permissions We Request

  • Notifications — to deliver booking reminders, message alerts, livestream go-live pings, and payout notifications. You can revoke at any time in OS settings.
  • Camera — for video calls, livestreams, KYC selfie, and profile photo capture. Used only during the initiated flow.
  • Microphone — for voice/video calls and livestreams.
  • Photo library — to upload profile, banner, post, and clip media.
  • Face ID / Touch ID / Biometrics (optional, when enabled) — for fast re-authentication. Biometric data never leaves your device.

We do not request: contacts, calendars, reminders, health data, motion data, Bluetooth, NFC, or precise location.

4. How We Use Information

  • Operate, maintain, and improve the Service
  • Authenticate accounts and verify identity (KYC)
  • Process payments, payouts, and refunds
  • Send transactional and onboarding emails & push notifications
  • Match seekers with relevant practitioners
  • Detect, prevent, and respond to fraud, abuse, and policy violations
  • Comply with legal, tax, and regulatory obligations
  • Aggregate usage statistics to improve the product (never tied to your identity)

5. How We Share Information

We share data only with:

  • Other users — your public profile (name, avatar, businessName, posts, reviews, public clips) is visible to everyone. Direct messages and private bookings are visible only to the parties involved.
  • Service providers (sub-processors) — Stripe, Inc. (payments), Twilio, Inc. (video/messaging), Resend (email), MongoDB Atlas (database hosting), Cloudflare R2 / equivalent (object storage for media), Persona (KYC), Apple Push Notification Service / Firebase Cloud Messaging (push), Google Analytics 4 (anonymized analytics). Each acts under contractual privacy obligations equivalent to or stricter than this Policy.
  • Legal requirements — we may disclose information in response to lawful court orders, subpoenas, or government requests, or where we believe disclosure is necessary to prevent imminent harm.
  • Business transfers — in connection with a merger, acquisition, or asset sale (you'll be notified by email).

We do not sell your personal information for money or other valuable consideration.

6. Cookies, Tracking & Local Storage

On the web we use a single first-party authentication token stored in localStorage, plus a session-scoped UTM tracking cookie for ambassador attribution. No third-party advertising cookies, no cross-site fingerprinting, no behavioral retargeting. On mobile we use a Capacitor Preferences store for the same auth token. Google Analytics 4 is configured with IP-anonymization on; you can opt out via the GA opt-out browser add-on.

7. Email & Push Preferences

You may unsubscribe from onboarding and marketing emails via the link in every email footer or in your profile settings. Transactional emails (password resets, booking confirmations, payout notifications, security alerts) are required to operate the Service and cannot be disabled. Push notifications can be turned off in OS settings or per-category in the app's Notifications page.

8. Data Retention

We retain account data for as long as your account is active. After you delete your account, we erase profile, content, messages, and KYC documents within 30 days. Certain records (payment transactions, tax forms, audit logs, fraud signals) are retained for up to 7 years to comply with tax, AML, and regulatory obligations — these are kept in encrypted, access-restricted archives.

9. Your Rights (GDPR, UK GDPR, CCPA/CPRA, and similar)

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten") — see /account-deletion
  • Export your data in a portable format (JSON)
  • Restrict or object to certain processing
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority (EU/UK)
  • Opt out of "sale" or "sharing" of personal information (California) — we already do not sell, but you can confirm this preference in settings

Email privacy@thecauldron.app to exercise any of these rights. We respond within 30 days. We will not discriminate against you for exercising your rights.

10. Security

We use industry-standard protections: TLS 1.2+ in transit, bcrypt for password hashing, encrypted-at-rest object storage, least-privilege IAM, audit logging on admin actions, and regular dependency scanning. We perform security reviews on every major release. No system is perfectly secure; we cannot guarantee absolute security. If we learn of a breach affecting your data, we will notify you and the relevant authorities as required by law.

11. Children

The Service is not directed to children under 18 (or 16 in jurisdictions where lower) and is rated 17+ on the App Store. We do not knowingly collect personal information from children. If you believe a child has provided us data, email privacy@thecauldron.app and we will delete it promptly.

12. International Users & Data Transfers

The Service is operated from the United States. If you access from the EEA, UK, Switzerland, or other jurisdictions, your data will be transferred to and processed in the U.S. and other countries where our sub-processors operate. We rely on Standard Contractual Clauses and equivalent transfer mechanisms for cross-border transfers. By using the Service from outside the U.S., you consent to such transfers.

13. California Residents (CCPA / CPRA)

In the prior 12 months we have collected the categories of personal information described in Section 1. We disclose information only to the service providers listed in Section 5 for business purposes. We have not sold or shared personal information for cross-context behavioral advertising in the prior 12 months and have no plans to do so.

To exercise CCPA rights (know, delete, correct, opt-out, limit use of sensitive PI, non-discrimination), email privacy@thecauldron.app with subject line "California Privacy Request" or use our data deletion page.

14. EU / UK Residents (GDPR)

Our legal bases for processing: (a) Contract — to provide the Service you signed up for; (b) Legitimate interests — fraud prevention, product analytics; (c) Legal obligation — tax, AML, court orders; (d) Consent — marketing emails, optional push notifications.

Data Controller: Cauldron Technologies, Inc., contactable at dpo@thecauldron.app. EU/UK residents may lodge complaints with their local Data Protection Authority.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced by email and in-app notice at least 7 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

16. Contact