Pharos AI

Privacy Policy

Konstantin Sadykov · February 24, 2026

Last updated: May 2026

This Privacy Policy ("Policy") explains how Konstantin Sadykov, a self-employed individual in Almaty, Republic of Kazakhstan ("Operator", "We", "Us"), collects, uses, stores, and protects your personal data when you use the Pharos AI App available at pharos.guru. The Policy complies with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" No. 94-V (as amended), the Digital Code of RK, the Law on Artificial Intelligence No. 230-VIII, and — for EU users — Regulation (EU) 2016/679 (GDPR) and Regulation (EU) 2024/1689 (EU AI Act).

By continuing to use the App, you consent to data processing. This Policy supplements Telegram's Privacy Policy (https://telegram.org/privacy/eu).

1. Data Collected

1.1. Automatically from Telegram: Telegram ID, first name, last name, username, language.

1.2. Provided by User: Date/time of birth, gender, birth/current cities, marital status.

1.3. Chats & History: User and AI messages, agent role, date, session ID.

1.4. Transactions: Amount, date, type, Telegram payment ID or Paddle transaction ID.

1.5. Local (device localStorage): Guest ID, profile cache, last Tarot spread, language, usage counter.

1.6. We do not collect: phone number, contacts, real-time geolocation, photos, biometrics, bank card details (card payments processed by Paddle; Telegram Stars payments processed by Telegram).

2. Purposes of Processing

2.1. Personalisation of services (calculations, consultations).

2.2. Storing chat history for continuation.

2.3. Managing Stars balance and transactions.

2.4. App improvement (anonymized usage analysis).

2.5. Compliance with legal obligations (audit, reporting).

Processing is based on consent (Art. 8 Law on PD RK; Art. 6(1)(a) GDPR), contract performance, and legitimate interests (security, improvement). For special categories (e.g., date of birth), explicit consent is obtained. Consent is valid for 5 years or until withdrawal.

3. Data Sharing with Third Parties

3.1. DeepSeek AI (China): Query text, context, date of birth, name for response generation. Minimized transfer; standard contractual clauses (SCCs) used for GDPR compliance. Note: China is not deemed adequate under GDPR.

3.2. Supabase (US/EU): Database storage (profiles, chats, transactions). Row Level Security (RLS) + SCCs.

3.3. Vercel (US): Hosting, request logs, IP addresses. SCCs applied.

3.4. Telegram (UAE): Authentication, payments, notifications. Subject to their policy.

3.5. Paddle (UK): Card payment processing. Acts as Merchant of Record. Subject to Paddle's privacy policy (paddle.com/legal/privacy).

3.6. Data is shared only when necessary and under data protection agreements. For EU users: transfers outside the EEA are covered by SCCs or other safeguards. We do not sell data. In case of a breach, notification is made within 72 hours (GDPR) or 3 days (RK law).

4. Storage and Security

4.1. Server data stored on Supabase (EU/US regions) for up to 5 years or until deletion request — then anonymized or deleted.

4.2. Measures: HTTPS, Telegram InitData authentication, RLS, encryption in transit and at rest. Risk assessment conducted (low risk; no mandatory DPIA under GDPR Art. 35). Automatic AI quality audit per Law on AI of RK.

4.3. Local data: controlled by User on device.

5. User Rights

5.1. Access, rectification, erasure, withdrawal of consent, restriction of processing (Arts. 19–22 Law on PD RK).

5.2. For EU users (GDPR): data portability (Art. 20), objection (Art. 21), complaint to DPA (Art. 77). No automated decisions with legal effects (Art. 22).

5.3. Requests: via bot or email. Processed within 15 days (RK) or 1 month (GDPR, extendable to 3).

5.4. Erasure: chats, profile, and account upon request. Withdrawal does not affect prior processing.

6. Automated Processing

6.1. AI generates responses without human review. Automatic quality audit in place. Users informed of AI interaction (EU AI Act Art. 50; Law on AI of RK Art. 13).

6.2. No automated decisions producing legal or similarly significant effects.

7. Changes to the Policy

We will notify via App or bot at least 30 days in advance. Continued use constitutes acceptance.

8. Contact

Email: agasheknet@gmail.com

Telegram: @agasheknet

Operator: Konstantin Sadykov, Almaty, Republic of Kazakhstan

Governing law: Republic of Kazakhstan, supplemented by GDPR / EU AI Act for EU users.

EU complaints: to your national DPA (e.g., BfDI in Germany).

© 2026 Pharos AI