Privacy Policy

This Privacy Policy describes how High Tribunal of the Coming Ruin ("the Tribunal," "we," "us," or "our") collects, uses, discloses, and safeguards information when you visit hightribunal.org, request entry to the waiting chamber, correspond with us, or otherwise interact with our services (collectively, the "Services").

We operate from Banning, California, United States. For any privacy inquiry, contact us at legal@hightribunal.org.

By using the Services, you acknowledge you have read this Policy. If you do not agree, do not use the Services.

We collect only what is necessary to operate the Tribunal, evaluate applications, communicate with members and applicants, and protect the integrity of our community.

2.1 Information You Provide Directly

• ◇Application data: name (or chosen name), email address, and any free-form responses you submit to the waiting-chamber form.
• ◇Account data: if you are admitted, credentials, profile fields, optional astrological/birth data you choose to share, and preferences.
• ◇Correspondence: the contents of emails or messages you send to us, including replies to our admit/decline notices.

2.2 Information Collected Automatically

• ◇Device & log data: IP address, user-agent, referrer, timestamps, pages visited, and similar diagnostic information.
• ◇Cookies & local storage: session cookies for authentication, preference storage, and security tokens (e.g., bot-mitigation challenges such as Cloudflare Turnstile).
• ◇Security signals: rate-limit data, failed login attempts, and anti-abuse fingerprints.

2.3 Information From Third Parties

• ◇Authentication providers (e.g., Google) supply your verified email and basic profile when you sign in via them.
• ◇Email delivery providers (e.g., Resend) report delivery, bounce, and complaint events for messages we send.
• ◇Infrastructure providers process technical metadata as part of hosting the Services.

We do not knowingly collect Social Security numbers, government IDs, payment-card numbers, or precise geolocation. If a feature requires sensitive data in the future, we will update this Policy and seek your consent where required by law.

We use the information we collect for the following purposes:

• ◇To operate the Services — process applications, issue admit or decline notices, send magic-link sign-in emails, and maintain accounts.
• ◇To communicate — respond to inquiries, deliver Tribunal notices, and send transactional messages relating to your application or membership.
• ◇To enforce the 90-day reapplication rule — if your application is declined, we record the decision and the date you may reapply.
• ◇To secure the Services — detect and prevent fraud, abuse, scraping, brute-force attempts, and other malicious activity.
• ◇To comply with law — respond to lawful requests, enforce our Terms of Service, and protect our rights, property, and members.
• ◇To improve the Services — diagnose errors, analyze aggregated usage patterns, and refine the experience.

We do not sell or rent your personal information. We do not engage in cross-context behavioral advertising.

Where the GDPR or UK GDPR applies, we rely on the following legal bases: (a) performance of a contract when you apply or hold an account; (b) legitimate interests in operating, securing, and improving the Services; (c) consent for optional cookies or optional disclosures; and (d) legal obligation where applicable.

We share information only as described below:

• ◇Service providers (processors) who host, secure, and operate the Services on our behalf, including hosting, database & authentication, edge & bot mitigation, and transactional email. Each is bound by contractual confidentiality and data-processing terms.
• ◇Authentication providers you choose to use (e.g., Google) for the limited purpose of verifying your identity.
• ◇Legal & safety disclosures when required by subpoena, court order, or applicable law, or when we believe in good faith that disclosure is necessary to protect rights, property, or safety.
• ◇Business transfers in connection with a merger, acquisition, dissolution, or sale of assets — in which case the recipient must honor commitments materially equivalent to this Policy.

We retain personal information only for as long as necessary to fulfill the purposes described above:

• ◇Active accounts: for the life of the account plus a reasonable period thereafter.
• ◇Declined applications: minimum 90 days to enforce the reapplication cooldown; longer where required for legal, security, or audit purposes.
• ◇Server logs and security events: typically 30–180 days.
• ◇Email delivery records: as long as the provider retains them under their standard policies.

Upon expiry, data is deleted, anonymized, or retained only in backups subject to standard rotation.

Depending on your jurisdiction, you may have the right to:

• ◇Access the personal information we hold about you.
• ◇Request correction of inaccurate information.
• ◇Request deletion of your information (subject to legal exceptions).
• ◇Object to or restrict certain processing.
• ◇Request portability of information you provided.
• ◇Withdraw consent where processing is based on consent.
• ◇Lodge a complaint with your local data protection authority.

7.1 California Residents (CCPA / CPRA)

California residents may request to know, delete, or correct personal information, and may opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We will not discriminate against you for exercising your rights.

To exercise any right, email legal@hightribunal.org from the address associated with your application or account. We will verify your request and respond within the time required by law (generally 45 days under the CCPA, with one 45-day extension where reasonably necessary).

We use a minimal set of cookies and similar technologies for authentication, security, and core functionality. We do not use third-party advertising cookies or cross-site tracking. You may block cookies in your browser, but parts of the Services may not function without them.

We honor Global Privacy Control (GPC) signals to the extent applicable.

We implement administrative, technical, and physical safeguards designed to protect personal information, including TLS encryption in transit, encryption at rest by our infrastructure providers, role-based access control, row-level security policies on our database, HMAC-signed admin access tokens, and bot-mitigation on public endpoints.

No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and any required regulator without undue delay, consistent with applicable law.

Our infrastructure providers may process information in the United States and other countries. Where required, transfers are protected by appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

The Services are intended for adults aged 18 and older. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe a minor has provided us information, contact us and we will delete it promptly.

The Services may link to third-party websites we do not operate. This Policy does not apply to those sites, and we are not responsible for their practices. Review their policies before providing information.

We may update this Policy from time to time. The "Effective" date at the top reflects the latest version. Material changes will be announced via the Services or by email to active members.

For privacy questions, requests, or complaints, write to:

High Tribunal of the Coming Ruin
Attn: Privacy
Banning, California, United States
Email: legal@hightribunal.org