Privacy

Your photos are analysed, then gone.

This is the full privacy policy. But if you only read one thing: we delete your photos within 60 seconds, we never use them for training, and we never sell your data.

Last updated: April 2026. We will notify you by email before any material changes take effect.

Photo handling

What happens to your photos, step by step.

Not archived. Not anonymised. Not “retained for service improvement.” Deleted.

You take a photo

A photo of your palm, taken on your device. The camera overlay guides framing and lighting.

Uploaded to memory only

Your photos are sent over an encrypted connection and held in server memory (tmpfs). Never written to disk. Never uploaded to a storage bucket.

AI reads your palm

Our AI analyses palm lines, hand shape, and features. It sees your photo, returns structured text, and the image reference is released.

Photo permanently deleted

Your image is purged from memory. No copy exists anywhere. Not on our servers, not in any backup, not in any AI training set. We retain only the derived reading: text descriptions and archetype classification.

Your reading stays, your photo doesn't

You keep your full palm reading for as long as you have an account. The pixels that generated it are gone within a minute of your result loading.

Data retention

What we collect, how long we keep it.

Data	Retention	Purpose
Palm photo	Deleted < 60s after analysis	Palm reading analysis only. Never written to disk.
Photo hashes (SHA-256)	30 days	Duplicate detection, re-run cache key.
Analysis result (JSON)	Until account deletion	Your palm reading report and personalised insights.
Quiz answers	Until account deletion	Hand archetype quiz responses for personalisation.
Email address	Until account deletion + 30 days	Authentication (magic link), transactional emails.
Payment data	Never held by us	Processed exclusively by Stripe.

Palm photo

Retention: Deleted < 60s after analysis

Purpose: Palm reading analysis only. Never written to disk.

Photo hashes (SHA-256)

Retention: 30 days

Purpose: Duplicate detection, re-run cache key.

Analysis result (JSON)

Retention: Until account deletion

Purpose: Your palm reading report and personalised insights.

Quiz answers

Retention: Until account deletion

Purpose: Hand archetype quiz responses for personalisation.

Email address

Retention: Until account deletion + 30 days

Purpose: Authentication (magic link), transactional emails.

Payment data

Retention: Never held by us

Purpose: Processed exclusively by Stripe.

Who we are

mypalms is operated by Clarvia Ltd, registered in England and Wales. ICO registration is in progress and the registration number will be published here once confirmed. For any privacy queries, contact [email protected].

Lawful basis for processing

We process your data under the following bases: (a) contract performance, for delivering the palm reading you purchased; (b) legitimate interest, for fraud prevention and service improvement; (c) consent, for optional marketing communications. You can withdraw consent at any time.

International transfers

Photo analysis is processed via Anthropic's API (US-based). This constitutes a UK-to-US data transfer. We use Anthropic's API under their standard terms of service as a paying customer. The transfer is limited to the 60-second analysis window; no personal data is retained by Anthropic after processing. Anthropic's privacy policy prohibits use of API inputs for model training.

Encryption

Email addresses and other personally identifiable information are encrypted at rest using AES-256 (Fernet). Access and refresh tokens are signed JWTs with session versioning, allowing instant revocation via sign-out-everywhere.

Cookies and analytics

We use Google Analytics 4 with IP anonymisation enabled, and strictly necessary cookies for authentication (session token). No advertising cookies, no third-party trackers, no fingerprinting.

Third-party processors

Anthropic (AI vision): photo analysis only, under their standard API terms. Photo data is not retained by Anthropic after processing.Stripe: payment processing. We never see or store card details.SendGrid: transactional email delivery (magic links, MFA codes, receipts). No marketing.Google Analytics: aggregated usage analytics with IP anonymisation.

Age restriction

mypalms is available to users aged 18 and over. We require age confirmation during onboarding. If we learn that a user is under 18, we will delete their account and all associated data.

Data breach notification

In the event of a personal data breach, we will notify the ICO within 72 hours where required, and affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The “last updated” date at the top of this page always reflects the current version.

Your rights

Your data, your call.

Access

Request a copy of all personal data we hold about you.

Rectification

Correct any inaccurate information in your profile.

Erasure

Delete your account and all associated data. One click in settings, or email [email protected].

Portability

Export your analysis results and profile in a machine-readable format.

Objection

Object to processing based on legitimate interest. We will stop unless we can demonstrate compelling grounds.

All requests are actioned within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk).

Contact [email protected]