Revision dated May 27, 2026.
This Privacy Policy explains what personal data we collect on the website astroway.info and related services, on what legal basis we process it, with whom we share it, how long we store it, and what rights you have. The document complies with the Law of Ukraine No. 2297-VI “On Personal Data Protection” and Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR). It should be read together with the Cookie Policy and the Public Offer Agreement.
1. Who we are
The data controller for personal data processed on this Site is individual entrepreneur Burhan Lilia Oleksiivna, operating under the trademark “Astro Way.”
- RNOKPP: 3181911021
- Address: Ukraine, 49014, Dnipro, vul. Nezalezhnosti, 27, apt. 50
- Email (contact for data protection issues): info@astroway.info
- Website: https://astroway.info
Requests sent to this email are processed within 30 days — pursuant to Article 12(3) GDPR and Article 8 of the Law of Ukraine “On Personal Data Protection.”
2. What data we process
2.1. Account and order data
- first and last name;
- email address;
- password in hashed form (we do not store passwords in plain text);
- contact phone number (if provided);
- shipping address (for physical goods, e.g., Birth Book Hardcover);
- order history, invoices, and payment documents.
2.2. Data for astrological calculations
To provide astrological, numerological, and tarot services, we process: date, exact time, and place of birth. Optional data includes gender, another person’s data for synastry, questions to the astrologer, and preferences regarding the consultation format.
2.3. Payment data
Payment information (card number, CVV, expiry) is processed directly by payment services (Monobank Acquiring, LiqPay) and is never stored on Astro Way servers. We only receive the transaction status, masked card number (first 6 and last 4 digits), and recipient details — only to the extent necessary for accounting and refunds.
2.4. Technical data from visits
- IP address (pseudonymized for GA4 analytics);
- browser User-Agent, device type, OS, language settings;
- HTTP referrer (source website);
- pages viewed, session duration, actions on the site;
- cookies and similar technologies — see the Cookie Policy for details.
2.5. Content you post
If you leave reviews, comments, or questions for the astrologer, we store the text, publication date, your name/nickname, IP address, and User-Agent (to detect spam). If you upload files (photos, audio), we recommend removing EXIF metadata, as it may contain GPS coordinates.
2.6. API client data
If you purchased the AstroWay API plan, we additionally process: hashed API key, API call logs (timestamp, endpoint, status, response data volume), and usage statistics to monitor rate limits. Request parameters (including birth dates passed to the API) are processed transiently and stored only to the extent necessary for service operation and security auditing.
3. Legal bases and purposes of processing
| Data category | Processing purpose | Legal basis (GDPR) |
|---|---|---|
| Account, contact details | Registration, authentication, service provision, correspondence | Performance of contract, Art. 6(1)(b) |
| Orders, payment history | Contract fulfillment, invoicing, refunds | Performance of contract, Art. 6(1)(b); legal obligation (accounting), Art. 6(1)(c) |
| Birth data | Astrological calculations, generation of personalized content | Explicit consent, Art. 9(2)(a) — special categories |
| Email for newsletters | Marketing emails, promotions, news (only after subscription) | Consent, Art. 6(1)(a) — can be withdrawn at any time |
| Technical data, IP, cookies | Security, analytics, optimization | Legitimate interest, Art. 6(1)(f); for analytics — consent via cookie banner, Art. 6(1)(a) |
| API call logs | Security audit, rate limit control, overage billing | Performance of contract, Art. 6(1)(b); legitimate interest, Art. 6(1)(f) |
| User-generated content (reviews) | Publication on the Site, anti-spam | Consent via publication, Art. 6(1)(a) |
4. Special categories of data — birth data and astrological findings
When you request a natal chart, consultation, Birth Book, or use astrological calculators, we process your date, exact time, and place of birth. Astrological analysis based on this data may produce findings about your worldview or religious beliefs. Pursuant to Article 9 GDPR and Article 7 of the Law of Ukraine No. 2297-VI, such findings may qualify as special categories of personal data.
Legal basis: your explicit consent — Article 9(2)(a) GDPR. By placing an order or using the calculator, you grant explicit consent for the processing of birth data for astrological calculations and any subsequent findings derived therefrom.
You may withdraw this consent at any time by emailing info@astroway.info. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, but after withdrawal we will delete your birth data from active storage systems (subject to accounting retention periods that prevent immediate deletion of related orders).
5. With whom we share data — subprocessors
To provide services, we transfer limited amounts of personal data to the following subprocessors:
| Subprocessor | Purpose | Location | Guarantees |
|---|---|---|---|
| Cloudflare Inc. | CDN, DDoS protection, WAF | USA / global network | Standard Contractual Clauses (SCC) Module 3 + Cloudflare DPA |
| Hetzner Online GmbH | Compute, storage, server hosting | Germany (EU) | GDPR-compliant; DPA signed |
| Monobank (JSC “UNIVERSAL BANK”) | Card payment acceptance | Ukraine | Law of Ukraine “On Protection of Personal Data”; PCI DSS |
| LiqPay (PrivatBank) | Card payment acceptance (backup) | Ukraine | Law of Ukraine “On Protection of Personal Data”; PCI DSS |
| Anthropic PBC | AI text generation (Claude) | USA | SCC Module 3; Anthropic DPA; processing without use for model training |
| OpenAI L.L.C. | AI text generation (backup channel) | USA | SCC Module 3; OpenAI API DPA; opt-out from training |
| Groq Inc. | Accelerated AI compute | USA | SCC Module 3 |
| Google LLC | Google Analytics 4, Tag Manager, Search Console, Sign-in with Google | USA | SCC Module 3; gating via Consent Mode v2 — loaded only after consent |
| Ahrefs Pte. Ltd. | Alternative traffic analytics | Singapore | SCC Module 3 |
| Automattic Inc. | Akismet anti-spam service (for comments) | USA | SCC Module 3; Akismet Privacy Policy |
| Lulu Press Inc. | Print-on-demand for printed books (if ordered) | USA | SCC Module 3 |
In addition to the listed subprocessors, we do not transfer personal data to third parties except as required by law (requests from law enforcement or judicial authorities) or with your separate consent.
6. International data transfer
Transfer of personal data to the USA and other countries outside the EU/EEA is carried out on the basis of EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with additional safeguards in accordance with Schrems II requirements (encryption during transfer and storage, pseudonymization, minimal necessary data volume). Copies of the relevant DPA and SCC are available upon request — email info@astroway.info.
7. Storage periods
| Category | Period | Basis |
|---|---|---|
| Account | While the account is active + 24 months after the last activity | Contract performance; legitimate interest (anti-fraud) |
| Orders, invoices, accounting documents | 3 (three) years after order closure | Tax Code of Ukraine, Art. 44; accounting requirements |
| Birth data for a one-time service | Until the service is completed + 6 months (in case of a repeat request) | Contract performance; explicit consent |
| Birth data in the Personal Cabinet (stored by you) | Until you delete them | User consent |
| Comments and reviews | Indefinitely or until a deletion request | Public publication; consent |
| Email for marketing | Until consent is withdrawn (unsubscribe link in every email) | Consent |
| API call logs | 90 days detailed + 24 months aggregated metrics | Security audit; legitimate interest |
| Nginx logs, error logs | 30 days | Website security; legitimate interest |
| Cookies | See Cookie Policy — from session to 2 years | Consent / legitimate interest |
After the specified periods expire, personal data is deleted or anonymized (replacing identifiers with hashed values that do not allow identification of the person).
8. Your rights
In accordance with GDPR and the Law of Ukraine “On Protection of Personal Data,” you have the following rights:
- Right of access (Art. 15 GDPR) — request a copy of all your personal data we process.
- Right to rectification (Art. 16 GDPR) — require correction of inaccurate or outdated data.
- Right to erasure / “right to be forgotten” (Art. 17 GDPR) — request deletion of data, subject to legal storage periods.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
- Right to object to processing (Art. 21 GDPR) — including direct marketing.
- Right not to be subject to automated individual decision-making (Art. 22 GDPR) — see Section 11.
- Right to withdraw consent at any time when processing is based on consent.
- Right to lodge a complaint with a supervisory authority — see Section 13.
To exercise any of these rights, send a request to info@astroway.info. We will respond within 30 days. In complex cases, this period may be extended by another 60 days — we will notify you of this in advance.
9. Cookies and similar technologies
The website uses cookies — a detailed list, purposes, periods, and management are described in a separate Cookie Policy. Analytical and marketing cookies are loaded only after your explicit consent via the cookie banner. You can change your settings at any time by clicking “Cookie settings” in the website footer.
10. Data security
- All connections to the website are protected by HTTPS protocol (TLS 1.3) with a certificate issued by a trusted authority.
- Passwords are stored as bcrypt hashes — the original password is never accessible to website administrators.
- Access to servers is restricted: SSH only via keys (not passwords), firewall (fail2ban), Cloudflare WAF, Wordfence.
- Database and file backups are performed daily and stored in encrypted form.
- Access to personal data among employees is restricted based on the principle of minimal necessary rights.
- In case of a data breach that poses a risk to the rights and freedoms of data subjects, we will notify the supervisory authority within 72 hours and affected users without undue delay (Arts. 33–34 GDPR).
11. Automated decision-making and AI generation
Part of our services (natal chart, Birth Book, AI interpretations, horoscopes) uses automated processing and AI models (including Claude from Anthropic and GPT from OpenAI as a backup) to generate textual content based on your birth data. According to Art. 22 GDPR, you have the right to:
- request human intervention in decisions based solely on automated processing;
- express your point of view;
- challenge the decision.
In practice, automated decisions in our services have no legal consequences and do not significantly affect your rights (astrological content is for informational and entertainment purposes — see Public Offer Agreement, para. 2.5). If you still want to receive a “human” version of a particular interpretation, email info@astroway.info — within available resources, we will provide a manual version.
AI providers (Anthropic, OpenAI, Groq) process data in a mode without using it for model training (opt-out from training). Your birth data is transmitted to AI providers in prompt format, processed transitively, and not stored by the provider longer than necessary to generate a response.
12. Geographical restrictions
Astro Way is not available for residents of countries under international sanctions (Russian Federation, Republic of Belarus, Iran, DPRK, Syria, Cuba), for temporarily occupied territories of Ukraine, and for individuals included in UN/EU/US/UK sanctions lists. For details, see the Terms of Use, section 14.
13. How to file a complaint
- For residents of Ukraine: The Ukrainian Parliament Commissioner for Human Rights — ombudsman.gov.ua.
- For EU/EEA residents: the data protection authority of your country of habitual residence, place of work, or place of alleged infringement — full list at edpb.europa.eu/about-edpb/members.
- For residents of the United Kingdom: Information Commissioner’s Office — ico.org.uk.
Before contacting a supervisory authority, we ask you to first contact us — in many cases, issues can be resolved quickly and without formal procedures.
14. Changes to the Privacy Policy
We may periodically update this Policy. The current version is always published on this page with the revision date indicated. We notify you of material changes (including new subprocessors, new processing purposes) by email at least 14 days before they take effect.
15. Contact for data protection matters
All requests, complaints, consent withdrawals, GDPR rights exercise — at the email address info@astroway.info. Data controller: Lilia Burhan, FOP, Ukraine, 49014, Dnipro, vul. Nezalezhnosti, 27, kv. 50.
