Privacy Policy
This policy explains how Chiromantija.com collects, uses, stores, and protects your personal data under GDPR and applicable Lithuanian laws.
1. Data controller and contact details
Chiromantija.com is operated by ETK IT Studio, MB (data controller).
- Legal name: ETK IT Studio, MB
- Company code: 307200519
- Address: Trinapolio g. 3-36, LT-08337 Vilnius, Lithuania
- Phone: +370 63420465
- Email: [email protected]
- Privacy contact: [email protected] (if a Data Protection Officer is appointed, their contact details will be published on this page).
2. Personal data we collect
- Order data: email address, selected reading type, language, order metadata.
- Uploaded files: palm photos used to deliver the service.
- Payment data: processed by payment providers (we do not store card details).
- Technical data: IP address, device/browser data, logs, and cookie identifiers.
- Communications: messages you send to support.
3. Purposes and legal bases (GDPR Article 6)
- Contract performance (Article 6(1)(b)): to process orders, deliver reports, and provide support.
- Legal obligation (Article 6(1)(c)): to keep accounting and transaction records.
- Legitimate interests (Article 6(1)(f)): to secure services, prevent fraud, and improve product quality.
- Consent (Article 6(1)(a)): to use optional analytics/marketing cookies and similar tracking tools, where required.
4. Data source and requirement to provide data
Most personal data is provided directly by you. Some technical data is collected automatically. If mandatory order data is not provided, we may be unable to deliver the service.
5. Data recipients and processors
We share data only when necessary with trusted service providers, including hosting/infrastructure providers, payment processors (Paysera, PayPal), email delivery providers, analytics tools (such as Google Analytics), advertising platforms (such as Meta, where consent is given), and anti-spam/security providers. Processors are contractually required to protect personal data. We do not sell your personal data.
6. International data transfers
Data is primarily processed in the European Union. If data is transferred outside the EEA, we apply safeguards required by GDPR (such as adequacy decisions or standard contractual clauses).
7. Data retention periods
- Order and service data: up to 90 days after delivery unless a longer period is required for dispute handling.
- Uploaded photos and analysis materials: up to 90 days after service delivery, then deleted earlier on request where legally possible.
- Financial/accounting records: 10 years, as required by Lithuanian law.
- Cookie preferences and technical logs: for periods defined by technical necessity and cookie settings.
8. Data security
We use organizational and technical measures, including access control, secure hosting environments, encrypted transmission where applicable, and restricted access to personal data based on need-to-know principles.
9. Automated decision-making
We do not use fully automated decision-making that produces legal or similarly significant effects under GDPR Article 22.
10. Your rights under GDPR
- Right of access to your personal data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten"), where applicable.
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing based on legitimate interests.
- Right to withdraw consent at any time, where processing is based on consent.
11. Consent withdrawal and marketing choices
Where processing is based on your consent, you can withdraw that consent at any time using Privacy Choices or by contacting us. Consent withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can also opt out of direct marketing at any time.
12. How to exercise your rights
Send your request to [email protected]. We may ask for identity verification before processing requests. We respond within one month, unless GDPR allows an extension.
13. Right to complain
You can file a complaint with the State Data Protection Inspectorate of Lithuania (Valstybine duomenu apsaugos inspekcija, VDAI): vdai.lrv.lt, or with the supervisory authority in your EEA country of habitual residence.
14. Cookies and privacy controls
We use essential cookies and optional analytics/marketing cookies. You can manage your choices through Privacy Choices. More details are available in our Cookie Policy.
Meta Pixel and Consent Mode v2
Our website uses the Meta Pixel (Facebook Pixel) to measure conversions and analyze advertising performance. The Pixel is loaded on page load and fires a single PageView event in "granted" state so basic visit attribution works for paid-advertising traffic. The PageView event transmits the IP address, user-agent, and the _fbp cookie identifier to Meta. The legal basis for this minimal transmission is our legitimate interest in measuring advertising effectiveness (GDPR Art. 6(1)(f)).
All higher-value events — Lead, AddPaymentInfo, InitiateCheckout, Purchase, CompleteRegistration — are fired only after you grant consent via the cookie banner. If you reject or ignore the banner, these events are blocked both in the browser pixel and in the server-side Conversions API.
- Before your consent: Meta receives only the PageView event with the data listed above; no conversion-quality user identifiers (email, internal ID) are transmitted.
- After your consent: full Pixel and Conversions API functionality is activated for conversion tracking.
- Upon withdrawal of consent: the Pixel switches to "revoked" state — no further events are sent — and server-side Conversions API stops transmitting data.
You can change your consent at any time via Privacy Choices.
TikTok Pixel and Events API
We use the TikTok Pixel and the TikTok Events API to measure conversions and analyze advertising performance on TikTok Ads. The browser pixel is gated by the same consent banner as the Meta Pixel; server-side events sent through the TikTok Events API are dispatched only after you have granted consent through the cookie banner. Data transmitted: hashed email address (SHA-256), IP address, user-agent, hashed internal user identifier (SHA-256). Recipients: TikTok Pte. Ltd. (Singapore) and TikTok Technology Ltd. (Ireland). Standard Contractual Clauses apply for transfers outside the EEA.
Conversions API (server-to-server)
Alongside browser pixels, we use server-to-server transmission directly from our servers to Meta and TikTok ("Meta Conversions API", "TikTok Events API"). This helps measure conversions when browser cookies are blocked by ad-blockers or privacy tools. Data transmitted: hashed email addresses, IP addresses, user agents, hashed internal user identifiers, and city/country derived from IP geolocation. Server-to-server transmission is gated by your consent — if you do not grant consent through the cookie banner, no data is transmitted to Meta or TikTok via server-side channels.
15. Children
Our services are intended for adults (18+). We do not knowingly collect personal data from children.
16. Policy updates
We may update this policy from time to time. The latest version is always published on this page.
Last updated: 2026-05-05