Privacy Policy

Privacy Policy

Last updated: March 24, 2025

This Privacy Policy (the "Policy") describes what personal data Agata Magic (the "Service", "we", "us") collects and processes, how it is used, to whom it may be disclosed, and what your rights are.

The Policy applies to all components of the Service:

• website online-predictions.com
• Telegram bot @AgataG1_bot
• Google Chrome extension Agata Horoscope
• partner widget (white-label) embeddable on third-party sites

By using any of the listed components you confirm that you have read this Policy and agree to its terms.

1. Data Controller

The data controller is Agata Magic.
📧 support@online-predictions.com

2. What Data We Collect and Why

2.1 Registration & Authentication

• Telegram User ID, account name, first and last name — obtained from Telegram when you log in via the bot or Telegram Login widget. Used for identification and personalisation.
• One-time login code — sent to Telegram, stored as a bcrypt hash, deleted immediately after use or expiry.
• JWT authorisation tokens — stored in HttpOnly cookies (agata_access_token, agata_refresh_token) in your browser. Not readable by page scripts. Access token is valid for 1 hour; refresh token for 30 days.
• IP address — logged on login attempts to prevent brute-force attacks (rate limiting: max 3 requests/min, 10/hour).

2.2 User Profile

• Name, date of birth, gender — entered voluntarily, used for astrological calculations and horoscope personalisation.
• City and time zone — entered voluntarily, used to refine astrological data.
• Email address — entered voluntarily, used for VIP activation notices, referral payment notifications and promotional mailings (with your consent).
• Preferences — zodiac sign, horoscope detail level, language — stored for personalisation.

2.3 Readings & History

• Your query text — the question you ask when requesting a reading or personal spread.
• Reading result — the AI-generated answer, saved to your history for later review.
• Feedback — accuracy rating ("fulfilled / partial / not fulfilled") and comment — stored to improve model quality.
• Palm photo (palmistry) — uploaded voluntarily, passed to the OpenAI API for analysis (see Section 5) and not stored on our servers after the response is received.

2.4 Orders & Payments

• Order history — item, amount, currency, status, date — stored for accounting and support.
• Delivery address — physical goods only, passed to the delivery service.
• PayPal — on payment you are redirected to PayPal. We pass PayPal: name, order amount and internal ID. Card details are not stored on our servers. PayPal webhooks are verified by RSA-2048 cryptographic signature.
• PayPal VIP subscriptions — subscription identifier and status are stored by us for access control. Payment card details are not available to us.
• Referral payouts — when requesting a payout you provide your PayPal email. It is passed to the PayPal Payouts API and stored in our database for payout history.

2.5 Push Notifications

• Web push (site) — when you consent, the browser generates subscription keys (endpoint, p256dh, auth). These are stored on our server and used solely to send you notifications, encrypted per the Web Push Protocol.
• Chrome extension notifications — requested explicitly during onboarding. Settings are stored locally in chrome.storage.local and can be revoked at any time via extension settings.

2.6 Chrome Extension (Agata Horoscope)

• Name, date of birth, zodiac sign — entered on first launch, stored locally in chrome.storage.local on your device.
• Anonymous global identifier (global_user_id) — generated automatically, contains no personal data. Used to link horoscopes and feedback across sessions.
• Anonymous events — popup opens, horoscope views, button clicks, forecast ratings — sent to our server to improve the service. Contain no personal information.
• Event queue — if offline, events are temporarily stored in chrome.storage.local and sent when connectivity is restored.

The extension has no access to browsing history, page content, passwords, clipboard or other sites' data. Requested permissions: storage, notifications, alarms, activeTab.

2.7 Cross-Platform Profile

To provide a unified experience across the site, bot and extension we maintain a combined profile (global_user_id) linking your identifiers across Service components. Linking occurs only at your initiative (e.g. following a link from the extension into Telegram).

2.8 Behavioural Analytics

• Visit streak — consecutive days with activity — stored for gamification and notifications.
• Number of horoscopes viewed — tracked by platform and date.
• IP address when posting a review — logged to prevent fraud (max one review per IP per day).

2.9 Partner API & Widget

Partners embedding the horoscope widget use an API key. We log the number of requests per key (without linking to end users). The widget does not transmit visitors' data to us.

3. Third-Party Sub-processors

We use the following providers to operate the Service:

Provider	Purpose	Data Shared	Policy
Telegram	Authentication, bot notifications	User ID, notifications	telegram.org/privacy
PayPal	Payments, subscriptions, payouts	Name, amount, email (payouts)	paypal.com/privacy
OpenAI	Palm photo analysis (palmistry)	Photo in base64, query text	openai.com/privacy
DeepSeek	Horoscope generation	Zodiac sign, gender, date (no name)	deepseek.com/privacy
Yandex.Metrika	Website analytics	Anonymous visit data	yandex.ru/legal/confidential
Sentry	Error monitoring	Technical error data (no PII)	sentry.io/privacy
WeatherAPI	Moon phase for horoscopes	City name only (public request)	weatherapi.com/privacy

We do not sell your data to third parties for commercial purposes. Data is shared only to the extent necessary for the listed services to function.

4. Cookies & localStorage

• agata_access_token — HttpOnly, Secure, SameSite=Lax. JWT access token, valid 1 hour.
• agata_refresh_token — HttpOnly, Secure, SameSite=Lax. JWT session refresh token, valid 30 days. Immediately invalidated on logout.
• agata_cart (localStorage) — shopping cart contents, stored in your browser only.
• Yandex.Metrika — sets its own analytics cookies (_ym_uid, _ym_d, etc.). You can disable them via browser settings or the "Yandex.Metrika. Opt out" extension.

The Chrome extension does not use cookies. All extension data is stored only in chrome.storage.local.

5. Special Case: Palm Photos

When using the palmistry feature you voluntarily upload a photo of your palm. Important facts:

• The photo is sent directly to the OpenAI API (GPT-4o Vision) for analysis.
• The photo is not stored on our servers — we process it in RAM and discard it after receiving the API response.
• OpenAI processes the image in accordance with its Privacy Policy and API Usage Policy.
• We recommend not uploading photos that could identify you personally.

6. Data Storage & Security

• Data is stored on servers protected by HTTPS/TLS (encryption in transit).
• Passwords and secret keys are stored exclusively as bcrypt hashes.
• JWT tokens are stored in HttpOnly cookies inaccessible to page JavaScript.
• Database access is restricted to a limited number of individuals bound by confidentiality agreements.
• Error monitoring (Sentry) is configured with PII transmission disabled (send_default_pii=False).
• PayPal webhooks are verified by cryptographic signature, preventing payment event forgery.

7. Retention Periods

• Profile and reading history — retained while you have an account, or until a deletion request is received.
• Order and payment history — retained for a minimum of 5 years in accordance with accounting requirements.
• One-time login codes — deleted immediately after use or on expiry.
• Expired JWT tokens — invalid token records are automatically deleted on server start.
• Analytics events — retained for no more than 12 months from creation.
• Chrome extension data — stored locally on your device until removed via the "Reset data" button in the extension popup or by uninstalling the extension.

8. Your Rights

Under GDPR and applicable data-protection legislation you have the right to:

• Access — obtain a copy of all your data (available in your profile → "Export data").
• Rectification — update inaccurate data in your profile.
• Erasure — request deletion of your account and all associated data. Data is deleted within 30 days (except financial records we are legally required to retain).
• Restriction of processing — temporarily restrict the processing of your data.
• Portability — receive your data in a machine-readable format (JSON).
• Objection — object to processing your data for marketing purposes.
• Withdrawal of consent — unsubscribe from notifications at any time via extension settings, browser notification settings or a command in the Telegram bot.

To exercise your rights contact us at: support@online-predictions.com. Response time: up to 30 days.

Self-service: Chrome extension data can be deleted via the "Reset data" button in the extension popup.

9. Children

The Service is intended for persons aged 18 and over. We do not knowingly collect data from minors. If you learn that a child has registered without parental consent, please contact us and we will promptly delete their data.

10. Cross-Border Data Transfers

The Service uses providers whose servers may be located outside your country of residence (including the US and EU). Transfers to these jurisdictions are made using Standard Contractual Clauses (SCCs) or other mechanisms ensuring an adequate level of protection under GDPR.

11. Changes to This Policy

We may update this Policy. The date of the current version is always shown at the top of the page. For material changes we will notify you via the site or Telegram bot at least 7 days before they take effect. Continued use of the Service constitutes acceptance of the new version.

12. Contact

For all questions about personal data processing:
📧 support@online-predictions.com
💬 @AgataG1_bot on Telegram