Privacy Policy

Privacy Policy

Effective date: May 28, 2026

Introduction

Brews and Bloom is a small, person-run tarot reading room and shop founded by Dylan W. LaRue. This policy explains what personal information we collect when you visit the site, book a reading, place an order, or use one of the free tools, and how we look after that information once it's in our hands.

We try to collect as little as possible, keep it only as long as we need it, and treat it the way we'd want our own data treated. If anything here is unclear, or you want a copy of what we hold about you, write to us at dylan@brews-and-bloom.com and we'll respond as quickly as we can.

By using the site you agree to the practices described below.

What we collect

The information we hold depends on what you do on the site.

When you place an order or book a reading: your name, email address, billing address (when needed), shipping address (for physical items), the items or services purchased, and a record of the transaction. Payment card numbers and bank details go directly to Stripe and are never seen or stored by us.

When you request an instant reading or dream interpretation: your email address (so we can send the link), the question or dream text you submitted, and the reading or interpretation we generated for you. These are stored under a private share-token URL — a long random string only you (or anyone you forward the link to) can use to open the page.

When you book a live reading with Dylan: your name, email address, the date and time of the session, any notes or context you chose to share when booking, and a Google Calendar event with a Google Meet link tied to that session.

When you subscribe to the newsletter: your email address (and your name if you give it), the date you signed up, and your consent status. Newsletter subscriptions are mirrored to a private Google Sheet so we can keep a backup outside the database.

When you create an account (when accounts launch): your email address, a hashed password, and an order and booking history tied to that account.

When you use the free tools (card library, spreads, runes, I Ching, birth chart, Mystic Cards constellation generator): generally nothing identifying. Anonymous draws are not tied to an account. For Mystic Cards and live weather we may ask your browser for an approximate latitude and longitude — this is sent on request, used to pick the constellation overhead and the current weather, and not retained on our server.

Automatic information: standard server logs (IP address, user agent, page requested, response time, error traces) that web servers keep for security and debugging. We keep these short and rotate them.

We do not collect special-category data (health, religion, biometric, political) on purpose. The nature of tarot means people sometimes share emotional or spiritual context in the questions they submit. We treat that text the same way we treat any other personal information — privately, and for the purpose you sent it for.

How we use it

We use what we collect to do the things you asked us to do:

• Send you the reading, interpretation, calendar invite, order confirmation, or shipping notice you signed up for.
• Run the booking calendar and avoid double-booking.
• Fulfill orders, including handing your shipping address to the carrier.
• Send the newsletter you subscribed to, and let you unsubscribe at any time.
• Answer your emails when you write to support.
• Keep the site working — logs help us find bugs, defend against abuse, and meet our tax and accounting obligations.

We do not use your information to train machine-learning or automated models. We do not sell, rent, or trade personal information to anyone. If we ever change that, we will tell you in advance and ask first.

Third-party services

Brews and Bloom is small, but a handful of trusted services do the heavy lifting. Each one only sees the information it needs.

Stripe processes every payment on the site, including card payments and Google Pay. When you check out, your payment details go straight to Stripe under their security and privacy practices. We receive a transaction record and the basic billing details Stripe shares back, never the card number. Stripe's privacy policy applies to the payment portion of your interaction.

Google Workspace powers three things behind the scenes:

• Google Calendar — when you book a live or group reading, an event is created on Dylan's calendar and a Google Meet link is generated.
• Google Sheets — newsletter signups are mirrored to a private spreadsheet as a backup.
• Gmail API — transactional emails (order receipts, booking confirmations, reading links, shipping updates) are sent through Gmail using an OAuth refresh token Dylan authorized.

The Calendar and Sheets connections use a Google service account — a non-human identity scoped only to the specific calendar and spreadsheet it needs. The Gmail connection sends only the transactional messages the site is built to send.

Text-generation service. Instant readings and dream interpretations are generated using an automated text-generation service provided by Google (Vertex AI). Your question or dream text is sent to Google's API to generate the response. We do not store your text with the provider beyond the duration of that single API call, and the provider's terms restrict it from training on API traffic without consent. Provider details:

• Google Cloud: cloud.google.com/terms

Open-Meteo is the weather API behind the live weather widget. When the widget asks for the current weather at your approximate location, your latitude and longitude are sent to Open-Meteo to look up the forecast. Open-Meteo does not require an account and does not link the request to your identity.

Plausible Analytics (if enabled) is a privacy-first analytics tool that does not use cookies, does not fingerprint visitors, and does not collect personal data. It records page views and aggregate traffic only.

Google AdSense displays the ads on this site. Google and its advertising partners may use cookies or similar identifiers to show ads based on your prior visits to this site and other sites on the web. Google uses the DoubleClick cookie to serve those ads. You can opt out of personalized advertising by visiting Google's Ads Settings or, for non-Google vendors, the aboutads.info opt-out tool. For visitors in the European Economic Area, the United Kingdom, Switzerland, and California, we use Google's Funding Choices consent management platform to ask for permission before serving personalized ads — declining there causes Google to serve only non-personalized ads, and we honor that signal via Google's Consent Mode v2. You can re-open Funding Choices at any time using the privacy icon Google places in the bottom-right corner of pages where ads appear. Google's advertising privacy practices are described at https://policies.google.com/technologies/ads.

We will keep this list up to date as the site grows. If we ever add a service that handles personal data in a meaningful new way, this section will be updated and the effective date at the top will move.

Cookies and similar technologies

We use a small number of first-party cookies — cookies set by brews-and-bloom.com itself, not by an outside ad network — plus the third-party cookies Google AdSense relies on to serve ads (see the AdSense entry above for opt-out details).

• Cart cookie: keeps the items in your cart while you browse, until you check out or clear them.
• Consent cookie: remembers your choices from the cookie banner so we don't ask again every visit.
• Admin session cookie: only set if you're signed in to the admin panel (Dylan).
• Location preference cookie: remembers whether you let the Mystic Cards tool use your approximate location.

We do not use third-party advertising cookies. We do not embed trackers from social networks, ad exchanges, or data brokers. The cookie banner lets you accept or decline non-essential cookies; essential cookies (cart, consent, admin) are required for the site to function.

Data retention

We keep personal information only as long as we need it for the purpose we collected it for.

• Orders and bookings are kept for the lifetime of the account, and afterward for as long as tax and accounting rules require (typically seven years in the US).
• Instant readings and dream interpretations are kept under their private share-token URL for as long as the account or order exists, and you may request earlier deletion at any time.
• Newsletter subscriptions are kept until you unsubscribe.
• Server logs are typically rotated within 30 days.
• Location data for Mystic Cards and weather is used in the moment and not stored on the server.

When you ask us to delete data, we delete the records we control and ask the third-party services (Stripe, Google) to do the same, within the limits of their own retention rules — Stripe, for instance, is required to retain payment records for a period set by financial regulators.

Your rights

Wherever you live, you can ask us to:

• Access the personal information we hold about you.
• Correct anything that's wrong.
• Delete your data (subject to the retention rules above).
• Export a copy in a portable format.
• Withdraw consent for the newsletter or location features at any time.
• Object to a particular use of your data.

If you live in California, the EU, the UK, or another jurisdiction with specific privacy rights (CCPA, GDPR, UK GDPR), those rights also apply, and we will honor them on the same timelines those laws require.

The simplest way to exercise any of these rights is to email dylan@brews-and-bloom.com with a short note about what you want. We will confirm your request and, where we need to verify your identity, do so in the lightest way that makes sense — usually by replying from the email address tied to the account.

International users

The site is hosted in the United States, and any personal data you send us will be processed there. If you visit from outside the US, you understand that your information will be transferred to and stored in the US, where data protection laws may differ from your home country. We apply the same care to the data of international visitors as we do to US visitors.

We do not currently market the site to residents of the EU or UK, but if you choose to use it from those regions we honor GDPR / UK GDPR rights and respond to requests on the timelines those laws set.

Children

The site is intended for adults. Paid services — live and group readings, shop purchases, gift cards — are available only to people 18 years of age or older. Free tools and instant readings may be used by anyone old enough to navigate the web safely; we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has submitted personal information to us, write to us and we will delete it.

Changes to this policy

We will update this policy when the site changes meaningfully — a new third-party service, a new kind of data collected, a new way data is shared. When we do, the Effective date at the top of the page will change. For significant updates we'll also email people on the newsletter or post a notice on the site so the change isn't quiet.

Contact us

For anything related to privacy — questions, requests, complaints, corrections — write to:

dylan@brews-and-bloom.com

Brews and Bloom is operated by Dylan W. LaRue in the United States. We try to reply to privacy requests within seven days, and always within thirty.

---

This document is a sensible starter draft prepared as a best-effort by the Brews and Bloom team. It is not legal advice and has not been reviewed by an attorney. Before scaling operations, taking high-value bookings, or expanding internationally, Brews and Bloom should have these policies reviewed by qualified legal counsel.