Privacy Policy

This Privacy Policy explains how Orvani handles your personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), and is provided to you under Articles 13 and 14 GDPR.

1. Controller

The controller of your personal data under Article 4(7) GDPR is BK13, d.o.o., Arclinska cesta 12A, 3212 Vojnik. Registration number: 9636153000. VAT / tax number: SI74617249.

For any privacy question or to exercise your rights, contact us at info@askorvani.com.

We are not required to appoint a Data Protection Officer under Article 37 GDPR (we do not carry out large-scale regular and systematic monitoring, nor large-scale processing of special categories of data). Please send all privacy questions to the address above; we respond within the time stated in section 6.

2. What data we process

• Name — provided by you in the quiz; used to personalise your reading. Legal basis: contract (Art. 6(1)(b) GDPR).
• Date of birth — provided by you in the quiz; used to calculate your astrological sign and life number. Legal basis: contract (Art. 6(1)(b) GDPR).
• Quiz answers — provided by you in the quiz; used to personalise your reading. Legal basis: contract (Art. 6(1)(b) GDPR).
• Chosen cards / coins / stones — selected by you in the ritual; used to personalise your reading. Legal basis: contract (Art. 6(1)(b) GDPR).
• Email address — provided by you at the first step of the quiz, and confirmed at checkout (where it is also processed via Stripe); used to (a) deliver your reading and the contract confirmation (legal basis: contract, Art. 6(1)(b) GDPR), and (b) send you a single reminder if you start but do not complete your reading (legal basis: legitimate interest, Art. 6(1)(f) GDPR; you can object or unsubscribe at any time via the link in every email).
• IP address and infrastructure logs — collected automatically on visit; used for security, abuse prevention and basic hosting statistics. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

If you voluntarily type special-category data (for example about health, sexual life, religious or political beliefs) into a free-text field, you do so on the basis of your explicit consent (Art. 9(2)(a) GDPR) given by submitting that text. We recommend you do not enter such data — a symbolic answer can be prepared without it.

3. Legal bases

We rely on the following legal bases under the GDPR:

• Performance of a contract (Art. 6(1)(b)) — to prepare and deliver the reading you requested.
• Consent (Art. 6(1)(a)) — for non-essential cookies and similar technologies (see the Cookie Policy) and for any special-category data you choose to enter (Art. 9(2)(a)); you may withdraw consent at any time.
• Legitimate interest (Art. 6(1)(f)) — for website security, abuse prevention and basic server logs, and for sending a one-off reminder about an unfinished reading (you can object at any time).
• Legal obligation (Art. 6(1)(c)) — to keep accounting and tax records for paid services for as long as the law requires.

4. Who we share data with (processors)

We share data only with the processors we need to operate the service. Each is bound by confidentiality and by appropriate technical and organisational safeguards under a data-processing agreement (Art. 28 GDPR).

• Anthropic, PBC (USA) — generates the text of the introductory and paid readings (large language model).
• Vercel, Inc. (USA / EU region) — website hosting and infrastructure logs.
• Resend, Inc. (USA) — sends our emails (reading deliveries, confirmations, reminders). Resend receives your email address, name and the content of the delivered reading, and acts only as a processor for delivery.
• Stripe Payments Europe, Ltd. (Ireland, EU) — processes payments for the paid packages.
• Google Ireland Limited (Ireland, EU) — provides Google Analytics 4 for aggregate audience and traffic measurement. Loaded only after you accept analytics cookies in our cookie notice; before consent it is not active. Google Analytics processes your IP address (and the analytics cookies described in the Cookie Policy) only after consent. Data may be transferred to Google LLC (USA); the transfer is covered by the European Commission's Standard Contractual Clauses (Art. 46 GDPR) together with Google's Data Processing Terms (Art. 28 GDPR). Legal basis: your consent (Art. 6(1)(a) GDPR).

5. International transfers

Some of the processors above are located in the United States. Where we transfer your personal data to a third country, we do so under appropriate safeguards within the meaning of Article 46 GDPR — principally the European Commission's Standard Contractual Clauses — or, where the recipient is certified, on the basis of the EU–US Data Privacy Framework adequacy decision (Article 45 GDPR). You may request a copy of the relevant safeguards by writing to us at info@askorvani.com.

6. Retention

• Introductory (free) reading and quiz session data: up to 30 days on the server, then released.
• Paid reading content: up to 30 days in our database so you can return via the email link; deleted after 30 days.
• Accounting records (Stripe receipts, tax records): as required by applicable tax law (typically up to 10 years).
• Emails (confirmations, summaries, reminders): held by Resend per their policy (up to 30 days in delivery logs); we do not retain sent messages ourselves.
• Your reading list in your browser: until you delete it (on the My readings page or in your browser settings).
• Hosting infrastructure logs (Vercel): up to 90 days, with no access to message content.

7. Your rights

Under the GDPR (Articles 15–22) you have the right to:

• access your data (Art. 15),
• rectify inaccurate data (Art. 16),
• erasure ("right to be forgotten") (Art. 17),
• restrict processing (Art. 18),
• data portability in a machine-readable format (Art. 20),
• object to processing carried out on the basis of legitimate interest (Art. 21),
• withdraw consent at any time where consent is the legal basis, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).

Send your request to info@askorvani.com. Under Article 12(3) GDPR we respond without undue delay and at the latest within one month of receiving the request; for particularly complex or numerous requests we may extend this by up to two further months, and will tell you, with reasons, within the initial one-month window.

If you believe we are breaching data-protection law, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). As we are established in Slovenia, our lead supervisory authority under the GDPR one-stop-shop (Art. 56) is:

Informacijski pooblaščenec (Information Commissioner of the Republic of Slovenia), Dunajska cesta 22, SI-1000 Ljubljana, Slovenia — tel. +386 1 230 97 30 · gp.ip@ip-rs.si · www.ip-rs.si. You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of the alleged infringement (Art. 77 GDPR).

8. AI-generated content disclosure

In accordance with Article 50(1) of the EU AI Act (Regulation (EU) 2024/1689): the text of the introductory and paid readings is generated by a large language model (provided by Anthropic), and you are interacting with output from an AI system rather than a human reader. The personas are not real people. The content is for entertainment only and does not replace medical, legal or financial advice.

This is automated processing, but it is not solely-automated individual decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR — a reading triggers no decision about you (such as insurance, credit or employment). You can read, reflect on, or discard the interpretation; it has no binding effect.

9. Changes to this policy

We may update this policy. We will publish material changes on this page and, for significant changes, ask you to confirm the cookie notice again.