1. General Provisions
1.1. This Privacy Policy (hereinafter referred to as the "Policy") is developed in accordance with Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, and defines the procedure for processing personal data and measures to ensure their security taken by the Operator.
1.2. The Operator's primary goal is to ensure the rights and freedoms of individuals while processing their personal data, including the protection of rights to privacy, personal and family secrets.
1.3. The use of the bazi.cards website signifies the user's unconditional consent to this Policy and the terms of processing their personal data. If the user disagrees, they must refrain from using the website.
2. What Data We Collect
2.1. The Operator processes the following categories of personal data:
| Category | Specific Data |
|---|---|
| Identification | Name (or pseudonym), email address, Telegram ID (when logging in via Telegram), Google ID (when logging in via OAuth) |
| Registration | Password hash (PBKDF2 + salt; original password is not stored), date and time of registration |
| Birth Data (for generating the Report) | Date of birth, exact time of birth, place of birth (city, country); optionally — data about family members/partners for whom the user creates additional charts |
| Payment | Transaction ID, amount, currency, status, payment method (without storing bank card data — they are processed solely by the payment service) |
| Technical | IP address, device ID, user-agent, browser type, operating system, country (by IP), geolocation (only with consent) |
| Behavioral | History of requests to the Oracle, usage of features, frequency of visits, saved charts, compatibility results |
| Cookies | Technical, analytical, and session cookies for the operation of the Website and Personal Cabinet |
3. Purposes of Personal Data Processing
3.1. The Operator processes personal data of the subject for the following purposes:
- identification of the user for the purposes of providing Services (Section 3 of the Public Offer);
- generation and provision of analytical Reports based on the user's birth data;
- fulfillment of contractual obligations (conclusion, execution, termination of the contract);
- processing payments and generating cash receipts;
- informing the user about the status of the order, technical notifications;
- ensuring the security of the Website (protection against bots, fraud, DDoS, brute force);
- compliance with the requirements of the legislation of the Russian Federation (tax, financial reporting, responses to requests from government bodies);
- improving the quality of Services, analyzing the statistics of website usage in anonymized form.
4. Legal Grounds for Processing
4.1. The processing of personal data is carried out on the following legal grounds:
- Consent of the subject (clause 1 part 1 article 6 of Law No. 152-FZ) — expressed by marking a checkbox during registration and/or payment;
- Execution of the contract (clause 5 part 1 article 6 of Law No. 152-FZ) — this Public Offer;
- Legitimate interests of the Operator (clause 7 part 1 article 6 of Law No. 152-FZ) — ensuring the security of the Website, combating fraud, maintaining a registry of requests;
- Fulfillment of a legal obligation (clause 2 part 1 article 6 of Law No. 152-FZ) — tax reporting, issuance of cash receipts.
5. Methods and Terms of Processing
5.1. The processing of personal data is carried out both using automation tools and without them, and includes collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), anonymization, blocking, deletion, and destruction.
5.2. Terms of storage of personal data:
- identification and registration data — for the entire duration of the account + 3 years after its deletion (to resolve possible disputes);
- birth data and generated Reports — for the entire duration of the account; after account deletion, Reports are anonymized (disassociated from the user ID);
- payment data and cash receipts — 5 (five) years from the date of the transaction in accordance with the requirements of Russian legislation on accounting;
- technical logs (IP, user-agent, timestamp) — up to 12 (twelve) months for security purposes;
- support requests (letters, complaints) — 3 (three) years from the date of the last request.
5.3. After the expiration of the storage periods, personal data shall be deleted or anonymized.
6. Transfer of Data to Third Parties
6.1. The Operator may transfer personal data to third parties only in the following cases and in the minimum necessary volume:
| Recipient | Purpose of Transfer | Transferred Data |
|---|---|---|
| Payment Services (YuKassa, SBP, acquiring banks) | Processing payments | Name, e-mail, amount, order ID |
| Hosting Provider | Hosting the Website | All data on servers (encrypted during transfer) |
| Analytics Services (Google Analytics, Yandex.Metrica — in anonymized form) | Traffic analysis | Anonymized data on behavior on the Website |
| Mailing and Notification Services | Delivery of receipts, technical notifications | E-mail, name, message text |
| Government Authorities | Compliance with legal requirements | Upon motivated request in accordance with the law |
| AI Infrastructure Providers (for generating Report texts) | Formation of analytical texts | Anonymized chart data (without name, e-mail, IP) |
6.2. The transfer of personal data to countries that do not provide adequate protection is carried out only with the written consent of the subject and/or other grounds provided for by Article 12 of Law No. 152-FZ.
6.3. The Operator does not transfer personal data of subjects to third parties for commercial purposes (advertising databases, spam mailings, etc.).
7. Measures to Protect Personal Data
7.1. The Operator takes the following technical and organizational measures to protect personal data from unauthorized access, alteration, copying, distribution, or destruction:
- encryption of the data transmission channel using the HTTPS protocol (TLS 1.2+);
- storage of passwords as cryptographic hashes (PBKDF2-HMAC-SHA-256, 260,000 iterations, individual salt);
- restricting access to server infrastructure based on the principle of minimal necessary rights;
- protection against automated attacks (mathematical captcha, rate limiting, honeypot traps);
- regular updates of server software;
- separate storage of identification and financial data;
- logging actions with personal data;
- legal regulation of personal data handling (regulatory legal acts, instructions, training).
8. Rights of the Personal Data Subject
8.1. The personal data subject has the right to:
- receive information about the presence of their personal data with the Operator and its processing;
- request clarification, blocking, or destruction of their personal data in cases provided for by Law No. 152-FZ;
- revoke their consent to the processing of personal data at any time;
- request the Operator to cease processing their personal data;
- appeal the actions or inaction of the Operator to Roskomnadzor or in court;
- protect their rights and legitimate interests, including compensation for damages and moral harm.
8.2. To exercise these rights, the subject sends a written request to support@bazi.cards indicating:
- last name, first name, patronymic (if available);
- information confirming the identity of the subject or their representative;
- information confirming the existence of relations with the Operator (e-mail, account ID);
- signature (electronic signature or scan of a handwritten signature).
8.3. The response time of the Operator to the request is no more than 30 days from the date of receipt.
9. Use of Cookies
9.1. The website uses cookies — small text files stored in the user's browser. Cookies are used for:
- Technical purposes — maintaining the user's session in the Personal Cabinet, storing language settings, dark theme, etc.;
- Security — protection against CSRF attacks, detection of suspicious actions;
- Analytics — analyzing user behavior on the Website in anonymized form (Google Analytics, Yandex.Metrica).
9.2. The user can disable cookies at any time in their browser settings. Disabling technical and session cookies may lead to the inability to use the Personal Cabinet.
10. Processing Data of Children
10.1. The website is not intended for use by individuals under the age of 18. The Operator does not knowingly collect data from minors.
10.2. If a legal representative of a minor independently creates a natal chart for their child, the responsibility for the accuracy and legality of providing such data lies with the legal representative.
11. Changes to the Policy
11.1. The Operator has the right to make changes to this Policy by publishing an updated version on the Website. Significant changes affecting the rights of subjects are additionally published in users' Personal Cabinets at least 14 days before they take effect.
11.2. Continued use of the Website after the publication of the updated Policy signifies agreement with its new version.