ζ˜“ I Ching Realm
Privacy Terms Refund Cookies GDPR LGPD CCPA
πŸ‡ͺπŸ‡Ί European Union / EEA

GDPR Compliance

Last updated: July 5, 2026

This page provides detailed information about how I Ching Realm complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") for users in the European Economic Area (EEA). This page supplements our Privacy Policy.

1. Data Controller

I Ching Realm is the data controller for the personal data processed through the Service. This means we determine the purposes and means of processing your personal data.

  • Data Controller: I Ching Realm
  • Contact: privacy@clayis.com
  • Privacy contact: privacy@clayis.com

We have appointed a Data Protection Officer who can be contacted regarding data protection matters. Our DPO operates independently and reports directly to the highest level of management.

2. Categories of Personal Data We Process

Category Examples Source
Oracle Input Data Personal questions submitted for readings Provided by you
Usage Data Pages visited, features used, session duration Collected automatically
Technical Data Browser type, OS, screen resolution, device type Collected automatically
Payment Data Transaction ID, purchase date, amount Payment provider
Cookie Data Consent preferences, session tokens Collected automatically

We do not collect: names, email addresses, phone numbers, physical addresses, government IDs, or precise geolocation data through the Service itself.

3. Lawful Basis for Processing

Under GDPR Article 6, we process your personal data only when we have a lawful basis to do so:

  • Art. 6(1)(b) β€” Contractual Necessity Oracle Reading Delivery Processing your question and hexagram data to deliver the oracle reading you requested. This is necessary for the performance of the contract between us.
  • Art. 6(1)(f) β€” Legitimate Interest Service Improvement & Security We process anonymized usage data to improve the Service, fix bugs, and maintain security. We have conducted a Legitimate Interest Assessment (LIA) and confirmed that your rights and freedoms do not override our interest.
  • Art. 6(1)(a) β€” Consent Analytics & Non-Essential Cookies We do not currently use non-essential analytics or advertising cookies. If introduced, they will remain disabled until valid consent is obtained, and consent may be withdrawn at any time.
  • Art. 6(1)(c) β€” Legal Obligation Regulatory Compliance We may process data as required by law, such as retaining payment records for tax purposes or responding to lawful requests from authorities.

4. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights:

  • Art. 15 β€” Right of Access Access your data You have the right to obtain confirmation that your data is being processed and a copy of that data. We will provide the first copy free of charge.
  • Art. 16 β€” Right to Rectification Correct inaccurate data You have the right to request correction of any inaccurate personal data we hold about you.
  • Art. 17 β€” Right to Erasure ("Right to be Forgotten") Delete your data You have the right to request deletion of your personal data when: the data is no longer necessary; you withdraw consent; you object to processing; or the data was unlawfully processed. We will comply unless retention is required by law.
  • Art. 18 β€” Right to Restriction of Processing Limit how we use your data You may request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interest.
  • Art. 20 β€” Right to Data Portability Receive your data in a portable format You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV), and to transmit that data to another controller.
  • Art. 21 β€” Right to Object Object to processing based on legitimate interest You have the right to object to processing of your data based on legitimate interest or for direct marketing purposes. If you object, we will stop processing unless we have compelling legitimate grounds.
  • Art. 7(3) β€” Right to Withdraw Consent Withdraw your consent at any time If we are processing your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Art. 22 β€” Rights Regarding Automated Decision-Making Not be subject to solely automated decisions You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. Our AI Deep Readings are for entertainment and personal reflection only β€” they do not produce legal or similarly significant effects.

4.1 How to Exercise Your Rights

To exercise any of these rights, please contact us:

  • Email: privacy@clayis.com
  • Privacy contact: privacy@clayis.com

We will respond to your request within one month. If your request is complex or you have made multiple requests, we may extend the response period by up to two additional months, in which case we will inform you of the extension and the reason for the delay.

We may need to verify your identity before processing your request. We will only request information necessary to confirm your identity.

5. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State where you reside, work, or where the alleged infringement took place.

Some EU supervisory authorities include:

  • Ireland: Data Protection Commission β€” dataprotection.ie
  • Germany: Federal Commissioner for Data Protection β€” bfdi.bund.de
  • France: CNIL β€” cnil.fr
  • Netherlands: Autoriteit Persoonsgegevens β€” autoriteitpersoonsgegevens.nl
  • Spain: Agencia EspaΓ±ola de ProtecciΓ³n de Datos β€” aepd.es

You may also contact the lead supervisory authority for our organization if applicable.

6. International Data Transfers

Your personal data may be transferred to countries outside the EEA, specifically:

  • United States: Where our AI API provider and hosting infrastructure are located. Transfers are made under the EU-US Data Privacy Framework where applicable, or under Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • China: Where our AI model provider may process data. We use SCCs and data processing agreements to ensure adequate protection levels.

All transfers are subject to appropriate safeguards as required by GDPR Chapter V (Articles 44–49). We have conducted Transfer Impact Assessments (TIAs) for all non-EEA data transfers.

7. Data Protection Impact Assessment (DPIA)

We have conducted a Data Protection Impact Assessment for the AI Deep Reading feature, as it involves automated processing of personal questions. Key findings:

  • The AI reading is initiated solely by the user's explicit request
  • Readings are for entertainment and personal reflection, not for decisions with legal or significant effects
  • Oracle questions are not stored after the session ends
  • AI providers are contractually prohibited from using your data for model training
  • Users are clearly informed that readings are AI-generated and not professional advice

We do not conduct systematic profiling or automated decision-making that produces legal or similarly significant effects.

8. Data Retention

Data Type Retention Period Reason
Oracle questions Session only (not stored) Not needed after reading delivered
AI reading results Not stored server-side Generated in real-time; user may save locally
Server logs (IP, timestamps) 30 days Security and operational purposes
Cookie consent records 1 year To remember your consent preferences
Payment records 7 years Tax and financial regulatory requirements
Data subject request records 3 years Compliance documentation

9. Sub-Processors

We use the following sub-processors who may process your personal data on our behalf:

Sub-Processor Purpose Location Transfer Mechanism
AI API Provider Generate AI Deep Readings United States / China SCCs / DPF
Cloud Hosting Provider Application hosting & delivery United States DPF / SCCs
Payment Processor Process premium reading payments United States DPF / PCI-DSS
Analytics provider Not currently used N/A N/A

We have executed Data Processing Agreements (DPAs) with all sub-processors in accordance with GDPR Article 28. We will notify you of any changes to sub-processors, and you may object to such changes.

10. Data Breach Notification

In accordance with GDPR Articles 33 and 34:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals.
  • If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
  • Notifications will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

11. Children's Data

Our Service is not directed at children under 16. In accordance with GDPR Article 8, we do not knowingly process personal data of children under 16 without verifiable parental consent. If we discover that we have collected data from a child under 16, we will delete it promptly.

12. Contact

For GDPR-related inquiries or to exercise your data subject rights:

  • General Privacy Inquiries: privacy@clayis.com
  • Privacy contact: privacy@clayis.com
  • Response Time: Within 30 days (may be extended by 60 days for complex requests)

Β© 2026 I Ching Realm. All rights reserved.

Privacy Terms Refund Cookies GDPR LGPD CCPA