152-FZ · GDPR Art. 13/14Effective 12 June 2026

Privacy Policy

This Privacy Policy describes how CuatroTaro / CuatroRunes ("Service", "We") collects, uses, and protects personal data under Russian Federal Law No. 152-FZ and EU Regulation 2016/679 (GDPR).

1. Data Controller

The data controller is CuatroTaro / CuatroRunes. For data protection inquiries: privacy@cuatrotarot.org.

Under GDPR, we are the data controller for users from the EEA. A DPO is not required: processing does not fall within mandatory categories under Art. 37 GDPR.

2. Data We Collect

Category	Data	Source
Identifier	Telegram ID (numeric)	Automatic on bot start
Name	first_name from Telegram profile	Automatic
Language	language_code (ru / en)	Automatic; changeable via /language
Reading history	Cards, positions, interpretation text	On user request
Natal data	Date, time, place of birth	Only with explicit input (Premium)
Payment data	Email, transaction ID	On subscription purchase
TikTok account	open_id, union_id, display name, avatar URL	Via TikTok OAuth — when user voluntarily connects a TikTok account
TikTok tokens	Access token, refresh token	Via TikTok OAuth — to execute publishing actions you request
Technical logs	IP address, User-Agent	Security and anti-fraud

We do not collect payment card numbers, passport data, real-time geolocation, or biometrics.

3. Legal Bases (GDPR Art. 6)

Purpose	Legal Basis
Subscription, personalisation, history	Art. 6(1)(b) — performance of contract
Natal data	Art. 6(1)(a) — explicit consent at time of input
TikTok authentication and content publishing on request	Art. 6(1)(b) — performance of contract; Art. 6(1)(a) — consent given via TikTok OAuth screen
Payments, tax obligations	Art. 6(1)(c) — legal obligation
Security, anti-fraud	Art. 6(1)(f) — legitimate interest
Anonymous analytics	Art. 6(1)(f) — legitimate interest (no re-identification)

4. Purposes of Processing

·Providing personalised readings within the subscribed tier.
·Astrological calculations (Swiss Ephemeris) when natal data is present.
·Subscription management: limits, payment history, refunds.
·TikTok authentication and executing video publish / draft upload actions at the user's explicit request.
·Security: spam protection, rate limiting.
·Service improvement based on aggregate anonymous metrics.

We do not use data for advertising targeting and do not sell it to third parties.

5. Third-Party Platform Data (TikTok)

The Service offers an optional TikTok integration. Connecting a TikTok account is only possible via the official TikTok OAuth screen and requires an explicit action by the user.

Data received

When a TikTok account is connected, we receive the following data via the TikTok API within the granted scopes:

·Identifiers: open_id and union_id — unique identifiers for your TikTok account within our application.
·Public profile: display name and avatar URL — via the user.info.basic scope.
·Tokens: access token and refresh token — to perform publish and draft upload actions you request, within the video.publish and video.upload scopes.

Legal bases

·GDPR Art. 6(1)(b) — performance of contract: authentication and executing the publishing actions you request.
·GDPR Art. 6(1)(a) — consent: given when you connect your account via the TikTok OAuth screen.

Purposes and restrictions

·TikTok data is used solely for authentication and for publishing or uploading content at the user's explicit request.
·Content is posted or uploaded as a draft ONLY upon the user's explicit action — never automatically.
·TikTok data is never sold, never shared with third parties, and never used for advertising or profiling.

Retention

TikTok profile data and tokens are stored only while the integration is connected. After disconnection or upon request, data is deleted within 30 days.

Revoking access

You can disconnect the integration at any time in two ways:

·In TikTok: Profile → Settings → Security → Apps & permissions → remove CuatroTaro.
·By email: privacy@cuatrotarot.org — we will delete your data within 30 days.

Use of TikTok features is also subject to TikTok's Privacy Policy.

6. Retention

Data	Period	Basis
Profile, reading history	Until deletion via /forget_me	Contract
Natal data	Until deletion; stored encrypted	Consent (revocable via /forget_me)
TikTok profile data & tokens	While integration is connected; deleted within 30 days of disconnection or on request	Contract / Consent
Payment records	5 years from transaction date	Tax obligations
Technical logs	90 days, then auto-deleted	Security

7. Security

·AES-256 encryption of natal data at rest.
·TLS 1.3 for all connections.
·Database access via VPN only, authorised services only.
·Payment data processed by providers on PCI DSS infrastructure — does not touch our servers.

8. Your Rights

·Access (Art. 15): Request your data — response within 30 days.
·Rectification (Art. 16): Name/language via Telegram; natal data by request.
·Erasure (Art. 17): /forget_me in the bot — full deletion within 24 hours.
·Portability (Art. 20): JSON export on request within 30 days.
·Objection (Art. 21): Right to object to processing based on legitimate interest.

9. Cookies

Only technically necessary cookies: session (HttpOnly, Secure, SameSite=Strict), locale (365 days), csrf_token (session). No advertising or analytics cookies. Analytics via Plausible Analytics (cookieless, GDPR-native).

10. Contact & Complaints

Email: privacy@cuatrotarot.org — response within 30 days.

Supervisory authorities:

·Russia — Roskomnadzor: rkn.gov.ru
·EU — EDPB members: edpb.europa.eu