Privacy Policy
Last updated: 3 June 2026
1. Who We Are
Chinese Culture Studio (“we”, “us”, “our”) operates the website at www.culture-of-china.com. We provide algorithmically generated Chinese cultural interpretations — naming, auspicious date selection, and I Ching divination.
For the purposes of the EU General Data Protection Regulation (GDPR), we act as the Data Controller. For users in Japan, this policy complies with the Act on Protection of Personal Information (APPI). For users in the Republic of Korea, this policy complies with the Personal Information Protection Act (PIPA). Our hosting infrastructure is located in the United States (Render, Oregon) with database services (Neon, US-East).
2. Data We Collect
We collect only the minimum data necessary to provide each service:
- Naming: Surname, gender, birth year/month/day/hour, style preference.
- Date Selection: Date range and event type (e.g. wedding, business).
- Divination: Optional question and casting method.
- Palm Reading: Palm photograph, hand side, gender (optional), age range (optional), and an optional question. See Section 3a for detailed handling.
- Visit Analytics: Page path, country (derived from IP, not stored as IP), and referrer. Your IP address is never persisted.
No account registration, email address, phone number, or full name is collected. All input is voluntarily provided by you when submitting a service form.
3a. Palm Image Processing (Biometric Data)
The Palm Reading service requires you to upload a photograph of your palm. Palm images may be considered biometric data under certain privacy laws including GDPR Article 9, Korea's PIPA Article 23 (Sensitive Information), and the Illinois Biometric Information Privacy Act (BIPA). We take the following measures:
- Explicit Consent: You must check a consent box before submitting. This constitutes your informed, explicit consent to the processing of your palm image for the sole purpose of generating this reading (GDPR Art. 9(2)(a); BIPA §15(b)).
- No Persistent Storage: Your palm image is held only in server memory (RAM) for a maximum of 5 minutes. It is never written to disk, never stored in a database, and automatically deleted after the reading is generated. If you abandon the checkout process, the image expires automatically within 5 minutes.
- Single Purpose: The image is used exclusively to generate your palm reading result. It is not used for identification, authentication, profiling, or any purpose other than this reading.
- No Training: We do not use your palm image to train machine learning models. Our AI provider's API is accessed via OpenRouter. Neither OpenRouter nor the underlying model provider (Qwen / Alibaba Cloud) trains on API-submitted data.
- No Sale or Disclosure: We do not sell, lease, trade, or otherwise disclose your palm image to any third party. It is transmitted only to Anthropic's API for processing, and only over encrypted (TLS) connections.
- No Collection of Minors' Data: We do not knowingly process palm images from individuals under 18 years of age.
You may withdraw consent at any time by not submitting the form. Once a reading is generated, the image has already been deleted — there is nothing retained to revoke consent for.
3. Legal Basis for Processing
Depending on your jurisdiction, we rely on the following legal bases:
- Performance of a Contract (GDPR Art. 6(1)(b); APPI Art. 16(1); PIPA Art. 15): Processing your input data to generate the service result you requested.
- Legitimate Interest (GDPR Art. 6(1)(f); APPI Art. 16(3)): Basic visit analytics (page path, country) to understand service usage and maintain security. No IP addresses are retained.
- Legitimate Interest — Abuse Prevention (GDPR Art. 6(1)(f); APPI Art. 16(3); PIPA Art. 15(1)(vi)): Server-side anonymous fingerprint (SHA-256 hash of IP + User-Agent) to enforce free-tier limits and prevent abuse. The hash is irreversible and contains no personal data.
- Explicit Consent (GDPR Art. 9(2)(a); PIPA Art. 23(1)): Palm image processing for the Palm Reading service. You provide this consent via an explicit checkbox before submission. The image is held in memory for a maximum of 5 minutes and never stored.
4. Payment Processing
All payments are processed by Lemon Squeezy, a PCI-DSS compliant payment processor (which supports PayPal, Alipay, WeChat Pay, and major credit cards as checkout options). We never receive, store, or transmit your payment details. Lemon Squeezy provides us only with an order ID and payment status to confirm completion. Lemon Squeezy's privacy policy applies to all payment-related data: lemonsqueezy.com/privacy.
5. Cookies & Local Storage
- Essential — Free Tier Tracking: One localStorage key (cc-free-tier) stores your remaining free readings count for UX display. The authoritative limit is enforced server-side via anonymous fingerprint (SHA-256 hash of IP + User-Agent), with no personal data stored.
- Essential — Consent Record: One localStorage key (cc-cookie-consent) records your cookie preference (“accepted” or “declined”).
- Session: Next.js sets a minimal server-side session cookie required for the payment redirect flow. This contains no personal data.
We do not use advertising cookies, tracking cookies, third-party analytics (Google Analytics, Facebook Pixel, etc.), or cross-site trackers of any kind. The server-side free-tier fingerprint is a one-way hash used solely to enforce usage limits — it cannot be reversed to identify you or shared with third parties.
6. Data Retention
- Contribution records (input + result): Stored in our database. These records are kept to provide the service and support revenue reporting. They contain only the input you provided and the algorithmically generated result — no personal identifiers.
- Visit analytics: Stored in our database. Country-level data only. No IP addresses are retained.
- Free-tier fingerprint: A one-way SHA-256 hash of your IP and User-Agent, stored with your free-trial record to enforce the 1-use limit. The original IP is never stored — only the hash, which is irreversible.
- Local storage: Managed entirely in your browser. Clearing browser data removes the free-tier display count and consent preference immediately (the server-side limit persists to prevent abuse).
You may request deletion of your data at any time (see Section 7).
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:
- Right of Access (Art. 15): Request confirmation of whether we process your data and a copy of that data.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
- Right to Restriction (Art. 18): Request limitation of processing under certain conditions.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time. Clear your browser's localStorage or use the cookie banner to change your preference.
To exercise any of these rights, contact us at the email below. We will respond within 30 days. You also have the right to lodge a complaint with your local Data Protection Authority (Supervisory Authority).
7a. Your Rights (Japan — APPI)
If you are located in Japan, you have the following rights under the Act on Protection of Personal Information (APPI):
- Right to Disclosure (Art. 28): Request disclosure of the personal data we hold about you and the purpose of its use.
- Right to Correction (Art. 29): Request correction, addition, or deletion of personal data that is inaccurate.
- Right to Suspension of Use (Art. 30): Request suspension of use or deletion of personal data that has been handled in violation of APPI or that is no longer necessary.
- Right to Suspension of Transfer (Art. 30(5)): Request suspension of transfer to third parties where such transfer violates APPI.
- Purpose-of-Use Notification (Art. 27): Request notification of the purpose of use of your retained personal data.
To exercise any of these rights, contact us at the email in Section 13. We will respond within 2 weeks as required by APPI. You may also file a complaint with the Personal Information Protection Commission (PPC) of Japan.
7b. Your Rights (Republic of Korea — PIPA)
If you are located in the Republic of Korea, you have the following rights under the Personal Information Protection Act (PIPA):
- Right to Access (Art. 35): Request access to and disclosure of your personal information.
- Right to Rectification (Art. 36): Request correction or deletion of inaccurate personal information.
- Right to Erasure (Art. 37): Request deletion of your personal information where retention is no longer necessary or lawful.
- Right to Suspension (Art. 37): Request suspension of processing of your personal information.
- Right to Data Portability (Art. 35-2): Request transfer of your personal information to you or a designated third party in a structured, machine-readable format.
- Right to Withdraw Consent (Art. 37(2)): Withdraw your consent to processing at any time. Clear your browser's localStorage or contact us.
To exercise any of these rights, contact us at the email in Section 13. We will respond within 10 days as required by PIPA. You may also file a complaint with the Personal Information Protection Commission (PIPC) of Korea or the Korea Internet & Security Agency (KISA).
8. Data Sharing & Third Parties
We do not sell, rent, trade, or share your data with any third parties. The only external services involved are:
- Lemon Squeezy — Payment processing (supports PayPal, Alipay, WeChat Pay, and cards). Receives only your payment instrument details (not your cultural input data).
- OpenRouter (OpenRouter, Inc.) — AI API gateway routing Palm Reading requests. Receives only your palm image (transmitted over encrypted TLS). Underlying model inference is performed by Qwen (Alibaba Cloud). Neither OpenRouter nor Alibaba Cloud stores API-submitted images or uses them for model training.
- Render (Render Services, Inc.) — US-based cloud hosting. Our application code and database queries run on Render infrastructure.
- Neon, Inc. — US-based managed PostgreSQL database. All stored data resides in Neon's us-east-1 region.
Both Render and Neon are certified under the EU-US Data Privacy Framework (DPF) or have Standard Contractual Clauses (SCCs) in place for lawful international data transfers.
9. International Data Transfers
Our servers are located in the United States. If you access our service from outside the US (including the EEA, Japan, or the Republic of Korea), your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place:
- EEA, UK, Switzerland: We rely on DPF certifications and/or Standard Contractual Clauses (SCCs) for lawful data transfers under GDPR.
- Japan: We inform you that your data will be transferred to servers in the United States. The US has been designated by the PPC as a country with a data protection framework meeting APPI standards for cross-border transfers. We implement organizational and technical safeguards to ensure equivalent protection.
- Republic of Korea: By using this service, you consent to the transfer of your personal information to the United States for processing as described in this policy, in accordance with PIPA Art. 28-8. We implement equivalent safeguards to those required under PIPA and ensure the recipient (our US-based infrastructure) meets the data protection standards required by Korean law.
By using our service, you acknowledge and agree to these international transfers. You may withdraw consent at any time by ceasing use of the service and contacting us.
10. Security
We implement appropriate technical and organizational measures to protect your data: HTTPS/TLS encryption in transit; database encryption at rest; access controls on all infrastructure; and principle of least privilege for database access.
11. Children's Privacy
Our service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates when changes were made. Continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related inquiries, to exercise your data rights, or to report concerns:
Email: privacy@easternwisdom.app
Response time: Within 10 days for users in Korea (PIPA), 2 weeks for users in Japan (APPI), 30 days for all other users (GDPR).
Chinese Culture Studio — Data Controller. Hosted on Render (Oregon, US) with Neon PostgreSQL (US-East).