152-FZ · GDPR Art. 13/14Effective 1 June 2025

Privacy Policy

This Privacy Policy describes how CuatroTaro / CuatroRunes ("Service", "We") collects, uses, and protects personal data under Russian Federal Law No. 152-FZ and EU Regulation 2016/679 (GDPR).

1. Data Controller

The data controller is CuatroTaro / CuatroRunes. For data protection inquiries: privacy@cuatrotaro.com.

Under GDPR, we are the data controller for users from the EEA. A DPO is not required: processing does not fall within mandatory categories under Art. 37 GDPR.

2. Data We Collect

Category	Data	Source
Identifier	Telegram ID (numeric)	Automatic on bot start
Name	first_name from Telegram profile	Automatic
Language	language_code (ru / en)	Automatic; changeable via /language
Reading history	Cards, positions, interpretation text	On user request
Natal data	Date, time, place of birth	Only with explicit input (Premium)
Payment data	Email, transaction ID	On subscription purchase
Technical logs	IP address, User-Agent	Security and anti-fraud

We do not collect payment card numbers, passport data, real-time geolocation, or biometrics.

3. Legal Bases (GDPR Art. 6)

Purpose	Legal Basis
Subscription, personalisation, history	Art. 6(1)(b) — performance of contract
Natal data	Art. 6(1)(a) — explicit consent at time of input
Payments, tax obligations	Art. 6(1)(c) — legal obligation
Security, anti-fraud	Art. 6(1)(f) — legitimate interest
Anonymous analytics	Art. 6(1)(f) — legitimate interest (no re-identification)

4. Purposes of Processing

·Providing personalised readings within the subscribed tier.
·Astrological calculations (Swiss Ephemeris) when natal data is present.
·Subscription management: limits, payment history, refunds.
·Security: spam protection, rate limiting.
·Service improvement based on aggregate anonymous metrics.

We do not use data for advertising targeting and do not sell it to third parties.

5. Retention

Data	Period	Basis
Profile, reading history	Until deletion via /forget_me	Contract
Natal data	Until deletion; stored encrypted	Consent (revocable via /forget_me)
Payment records	5 years from transaction date	Tax obligations
Technical logs	90 days, then auto-deleted	Security

6. Security

·AES-256 encryption of natal data at rest.
·TLS 1.3 for all connections.
·Database access via VPN only, authorised services only.
·Payment data processed by providers on PCI DSS infrastructure — does not touch our servers.

7. Your Rights

·Access (Art. 15): Request your data — response within 30 days.
·Rectification (Art. 16): Name/language via Telegram; natal data by request.
·Erasure (Art. 17): /forget_me in the bot — full deletion within 24 hours.
·Portability (Art. 20): JSON export on request within 30 days.
·Objection (Art. 21): Right to object to processing based on legitimate interest.

8. Cookies

Only technically necessary cookies: session (HttpOnly, Secure, SameSite=Strict), locale (365 days), csrf_token (session). No advertising or analytics cookies. Analytics via Plausible Analytics (cookieless, GDPR-native).

9. Contact & Complaints

Email: privacy@cuatrotaro.com — response within 30 days.

Supervisory authorities:

·Russia — Roskomnadzor: rkn.gov.ru
·EU — EDPB members: edpb.europa.eu