Privacy Policy
Last updated: January 2026
1. Who We Are
Bazi Candle (“Bazi Candle,” “we,” or “us”) operates the website bazicandle.com and provides AI-assisted Bazi (Four Pillars of Destiny) readings. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have over it. For purposes of the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and Brazil’s Lei Geral de Proteção de Dados (LGPD), Bazi Candle is the “controller” of the personal information described below.
2. Information We Collect
2.1 Information you provide
- Email address — collected at checkout and used to deliver your report, send order-related notifications, and handle support.
- Birth information — date, clock time (local), and place of birth of the subject of the reading, plus optionally a name and gender label. This information is sensitive to you; we treat it with the protections described below.
- Payment data — card or wallet details are collected directly by our payment processor (Creem). Bazi Candle does not see or store full card numbers, only the transaction identifier, last four digits, and authorization result.
- Support correspondence — messages you send to our support address.
2.2 Information collected automatically
- Device and log data — IP address, user-agent, referrer, and request timestamps.
- Product analytics (PostHog) — pages viewed, features used, performance metrics, session replay for error pages. Only loaded after you grant cookie consent.
- Advertising signals (Meta Pixel, Google Ads tag, Meta Conversions API, Google Ads Enhanced Conversions) — hashed email, hashed IP, click identifiers, event payloads, used to measure and optimize advertising. Only loaded after cookie consent.
3. Why We Use Your Information (Legal Bases)
- Performance of a contract. We use your email, birth data, and payment record to produce and deliver the report you ordered.
- Legitimate interest. We use aggregated analytics and server logs to detect abuse, prevent fraud, secure the service, and improve the product.
- Consent. We use advertising and non-essential analytics cookies only with your explicit consent (EU/EEA/UK) or opt-in where otherwise required.
- Legal obligation. We retain invoicing records for the period required by applicable tax and accounting laws.
4. Sharing and Subprocessors
We share your personal data only with the following categories of service providers, each bound by contractual data-protection obligations:
- Neon (US East region) — managed PostgreSQL hosting for our application database.
- Vercel — application hosting, edge network, blob storage for generated PDFs, Workflow/Inngest orchestration.
- Creem — payment processing.
- Resend — transactional email delivery.
- Vercel AI Gateway (Anthropic, OpenAI models) — generation of narrative report text from your Bazi chart data.
- PostHog — product analytics and session insight.
- Meta Platforms — Pixel and Conversions API for advertising measurement, with data transmitted in hashed form.
- Google — Google Ads tag and Enhanced Conversions API for advertising measurement, with data transmitted in hashed form.
- Cloudflare — Turnstile bot mitigation on our forms.
- Sentry — error and performance monitoring.
We do not sell your personal information. We do not share your personal information with advertising networks for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, unless you have given explicit consent through the cookie banner.
5. International Transfers
Your personal data is processed in the United States. For transfers of data from the European Economic Area, the United Kingdom, and Switzerland to the United States, we rely on the Standard Contractual Clauses adopted by the European Commission and, where applicable, the UK International Data Transfer Addendum, supplemented by technical and organizational measures.
6. Retention
- Reports, orders, and birth profiles are retained indefinitely so that you may re-download your report. You may delete them at any time (see Section 8).
- Payment and invoicing records are retained for seven (7) years to comply with tax and accounting obligations.
- Product analytics events are retained for fourteen (14) months and then automatically aggregated.
- Server and security logs are retained for thirty (30) days, unless required for an ongoing investigation.
7. Security
We apply industry-standard technical and organizational measures including TLS 1.2+ encryption in transit, AES-256 encryption at rest (provided by Neon and Vercel Blob), least-privilege access controls, audit logging, signed download URLs, and bot mitigation. No system is perfect; we cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have rights to: (a) access your personal data; (b) have inaccurate data corrected; (c) request deletion; (d) export a machine-readable copy; (e) object to or restrict processing; (f) withdraw consent at any time (this will not affect prior lawful processing); and (g) lodge a complaint with a supervisory authority.
To exercise any of these rights, email privacy@bazicandle.com or use the self-service deletion flow at /privacy/delete. A confirmation email will be sent to the requesting address; deletion completes twenty-four (24) hours after confirmation to provide a cooling-off window.
California residents have additional rights under the CCPA/CPRA, including the right to know, correct, delete, and limit the use of sensitive personal information. We do not sell personal information and do not engage in cross-context behavioral advertising without consent. We do not discriminate against users who exercise their rights. Authorized agents may submit requests on your behalf with a signed verification.
Brazilian residents have rights under LGPD equivalent to those listed above and may contact our data-protection officer at the email above.
9. Cookies
We use the following cookies and similar technologies:
- Essential — session state, CSRF protection, cookie consent preference. Always on.
- Analytics — PostHog (ph_*). Loaded only after consent.
- Advertising — Meta Pixel (_fbp), Google Ads (_gcl_aw, _gcl_au). Loaded only after consent.
- Bot mitigation — Cloudflare Turnstile tokens, ephemeral per-form-submission.
You can change your choice at any time using the “Privacy” control visible at the bottom of the page, or by clearing your browser storage for bazicandle.com.
10. Children
The service is not directed to children under sixteen (16). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
11. Changes
We will post changes to this policy with an updated “Last updated” date. Material changes will be announced on the homepage at least seven (7) days before taking effect.
12. Contact
For any privacy question you may write to privacy@bazicandle.com. You may also contact the supervisory authority of your country of residence.