Lantern

Legal

Privacy Policy

Last updated: 10 March 2026

Ancient Source (“we”, “us”, “our”) operates Lantern at ancientsource.app. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it.

We are committed to your privacy. We do not sell your data. We do not run advertising. Lantern is funded solely by subscriptions.

1. Who controls your data

Data controller: Ancient Source
Contact: privacy@ancientsource.app

For UK/EU users, Ancient Source acts as data controller under the UK GDPR and EU GDPR respectively. For California residents, Ancient Source is a “business” under the CCPA.

2. Data we collect

Account data

  • Email address (when you sign in with email or OAuth)
  • Name and profile picture (from Google or Apple OAuth, if provided)
  • Subscription tier and billing status (via Stripe)
  • Age verification confirmation (COPPA compliance)
  • Email marketing consent preference

Usage data

  • Daily message count (for the free tier limit)
  • Mood and intention selections from the onboarding flow
  • Conversation messages (your questions and Lantern’s responses)
  • Wisdom Journal entries you choose to save

Technical data

  • Session tokens (stored in cookies — strictly necessary)
  • Pseudonymised IP address hash (for consent audit records only)
  • Browser/device type (in consent records)

Special category data (GDPR Article 9)

Your conversations may reveal religious or philosophical beliefs, which are a special category under GDPR. We process this data solely to provide the service you have requested (Article 9(2)(a) explicit consent). It is never shared, sold, or used for profiling.

3. Lawful basis for processing (GDPR)

Contract performance (Article 6(1)(b)) — providing the Lantern service, managing your account, processing subscription payments.

Explicit consent (Article 6(1)(a) + 9(2)(a)) — processing spiritual/religious content in conversations; sending marketing emails.

Legal obligation (Article 6(1)(c)) — retaining transaction records for tax and fraud prevention purposes.

Legitimate interests (Article 6(1)(f)) — security, fraud prevention, service improvement based on aggregated (non-personal) analytics.

4. Cookies

We use only strictly necessary cookies. These are required for you to stay signed in and for the service to function. They cannot be disabled without breaking the service.

CookiePurposeExpiry
sb-*Supabase session token (authentication)Session / 1 week

We do not use analytics, advertising, or third-party tracking cookies.

5. Third-party processors

We share the minimum necessary data with the following processors, each bound by a Data Processing Agreement (DPA):

SupabaseDatabase, authentication, storageEU (AWS eu-west-1)Policy ↗
StripeSubscription billing and payment processingUSA (EU SCCs)Policy ↗
OpenRouter / AI providerProcessing conversation messages to generate responsesUSA (EU SCCs)Policy ↗

For transfers to the USA, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission.

6. Data retention

Anonymous user (no account)30 days of inactivity, then auto-deleted
Free accountAccount active + 90 days after deletion request
Paid accountSubscription period + 90 days after cancellation
Billing / transaction records7 years (legal obligation)
Consent records3 years from date of consent

7. Your rights

UK/EU GDPR rights

  • Access — request a copy of your personal data
  • Erasure — request deletion of your account and data
  • Portability — download your data in machine-readable format
  • Rectification — correct inaccurate data
  • Restriction — ask us to pause processing
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, without affecting prior lawful processing

Exercise these rights via the Data & Privacy Rights page or by emailing privacy@ancientsource.app. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local EU supervisory authority.

California (CCPA) rights

  • Know — what personal information we collect and how we use it
  • Delete — request deletion of your personal information
  • Opt-out of salewe do not sell your personal information
  • Non-discrimination — we will not discriminate against you for exercising your rights

We do not sell personal information to third parties. We do not share personal information for cross-context behavioural advertising.

8. Email marketing (CASL — Canada)

We only send marketing emails (such as the Weekly Wisdom Digest) to users who have explicitly opted in. You may unsubscribe at any time via the unsubscribe link in any email, or via your account settings. We comply with Canada’s Anti-Spam Legislation (CASL).

9. Children’s privacy (COPPA)

Lantern is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are under 13, you may not use Lantern. If you believe we have inadvertently collected data from a child under 13, please contact us immediately at privacy@ancientsource.app and we will delete it promptly.

10. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest, row-level security in our database, and strict access controls. No system is perfectly secure; in the event of a breach we will notify affected users and relevant supervisory authorities as required by law.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email (if you have an account) and by a notice on this page. The “last updated” date at the top always reflects the current version.

Questions? Email privacy@ancientsource.app · Terms of Service · Data & Privacy Rights