Privacy Policy
Last updated: 26 May 2026
1. Who We Are
Chinese Culture Studio (“we”, “us”, “our”) operates the website at chinese-culture-app.onrender.com. We provide algorithmically generated Chinese cultural interpretations — naming, auspicious date selection, and I Ching divination.
For the purposes of the EU General Data Protection Regulation (GDPR), we act as the Data Controller. Our hosting infrastructure is located in the United States (Render, Oregon) with database services (Neon, US-East).
2. Data We Collect
We collect only the minimum data necessary to provide each service:
- Naming: Surname, gender, birth year/month/day/hour, style preference.
- Date Selection: Date range and event type (e.g. wedding, business).
- Divination: Optional question and casting method.
- Palm Reading: Palm photograph, hand side, gender (optional), age range (optional), and an optional question. See Section 3a for detailed handling.
- Visit Analytics: Page path, country (derived from IP, not stored as IP), and referrer. Your IP address is never persisted.
No account registration, email address, phone number, or full name is collected. All input is voluntarily provided by you when submitting a service form.
3a. Palm Image Processing (Biometric Data)
The Palm Reading service requires you to upload a photograph of your palm. Palm images may be considered biometric data under certain privacy laws including GDPR Article 9 and the Illinois Biometric Information Privacy Act (BIPA). We take the following measures:
- Explicit Consent: You must check a consent box before submitting. This constitutes your informed, explicit consent to the processing of your palm image for the sole purpose of generating this reading (GDPR Art. 9(2)(a); BIPA §15(b)).
- No Persistent Storage: Your palm image is held only in server memory (RAM) for a maximum of 5 minutes. It is never written to disk, never stored in a database, and automatically deleted after the reading is generated. If you abandon the checkout process, the image expires automatically within 5 minutes.
- Single Purpose: The image is used exclusively to generate your palm reading result. It is not used for identification, authentication, profiling, or any purpose other than this reading.
- No Training: We do not use your palm image to train machine learning models. Our AI provider's API is accessed via OpenRouter. Neither OpenRouter nor the underlying model provider (Qwen / Alibaba Cloud) train on API-submitted data.
- No Sale or Disclosure: We do not sell, lease, trade, or otherwise disclose your palm image to any third party. It is transmitted only to Anthropic's API for processing, and only over encrypted (TLS) connections.
- No Collection of Minors' Data: We do not knowingly process palm images from individuals under 18 years of age.
You may withdraw consent at any time by not submitting the form. Once a reading is generated, the image has already been deleted — there is nothing retained to revoke consent for.
3. Legal Basis for Processing (GDPR)
- Performance of a Contract (Art. 6(1)(b)): Processing your input data to generate the service result you requested.
- Legitimate Interest (Art. 6(1)(f)): Basic visit analytics (page path, country) to understand service usage and maintain security.
- Consent (Art. 6(1)(a)): Local storage for free-tier tracking. You may decline via the cookie banner without affecting core service functionality.
4. Payment Processing
All payments are processed by PayPal, a PCI-DSS compliant payment processor. We never receive, store, or transmit your credit card or PayPal account details. PayPal provides us only with a transaction ID and payment status to confirm completion. PayPal's privacy policy applies to all payment-related data: paypal.com/privacy.
5. Cookies & Local Storage
- Essential — Free Tier Tracking: One localStorage key (cc-free-tier) stores your remaining free readings count (a number, 0–2). No personal data.
- Essential — Consent Record: One localStorage key (cc-cookie-consent) records your cookie preference (“accepted” or “declined”).
- Session: Next.js sets a minimal server-side session cookie required for the payment redirect flow. This contains no personal data.
We do not use advertising cookies, tracking cookies, third-party analytics (Google Analytics, Facebook Pixel, etc.), fingerprinting, or cross-site trackers of any kind.
6. Data Retention
- Contribution records (input + result): Stored in our database. These records are kept to provide the service and support revenue reporting. They contain only the input you provided and the algorithmically generated result — no personal identifiers.
- Visit analytics: Stored in our database. Country-level data only. No IP addresses are retained.
- Local storage: Managed entirely in your browser. Clearing browser data removes free-tier count and consent preference immediately.
You may request deletion of your data at any time (see Section 7).
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:
- Right of Access (Art. 15): Request confirmation of whether we process your data and a copy of that data.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
- Right to Restriction (Art. 18): Request limitation of processing under certain conditions.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time. Clear your browser's localStorage or use the cookie banner to change your preference.
To exercise any of these rights, contact us at the email below. We will respond within 30 days. You also have the right to lodge a complaint with your local Data Protection Authority (Supervisory Authority).
8. Data Sharing & Third Parties
We do not sell, rent, trade, or share your data with any third parties. The only external services involved are:
- PayPal — Payment processing. Receives only your payment instrument details (not your cultural input data).
- OpenRouter (OpenRouter, Inc.) — AI API gateway routing Palm Reading requests. Receives only your palm image (transmitted over encrypted TLS). Underlying model inference is performed by Qwen (Alibaba Cloud). Neither OpenRouter nor Alibaba Cloud store API-submitted images or use them for model training.
- Render (Render Services, Inc.) — US-based cloud hosting. Our application code and database queries run on Render infrastructure.
- Neon, Inc. — US-based managed PostgreSQL database. All stored data resides in Neon's us-east-1 region.
Both Render and Neon are certified under the EU-US Data Privacy Framework (DPF) or have Standard Contractual Clauses (SCCs) in place for lawful international data transfers.
9. International Data Transfers
Our servers are located in the United States. If you access our service from outside the US (including the EEA), your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place, including reliance on DPF certifications and/or Standard Contractual Clauses, to protect your data in accordance with GDPR requirements.
10. Security
We implement appropriate technical and organizational measures to protect your data: HTTPS/TLS encryption in transit; database encryption at rest; access controls on all infrastructure; and principle of least privilege for database access.
11. Children's Privacy
Our service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates when changes were made. Continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related inquiries, to exercise your data rights, or to report concerns:
Email: privacy@easternwisdom.app
Response time: Within 30 days (as required by GDPR)
Chinese Culture Studio — Data Controller. Hosted on Render (Oregon, US) with Neon PostgreSQL (US-East).