This Privacy Policy explains how Mavk Analytics LTD ("we", "us", "our", "Duetto") collects, uses, shares, and protects personal data when you use the Duetto service via Telegram (the "Service"). It applies to users worldwide, with specific provisions for residents of the United Kingdom, the European Economic Area, and California.
1. Who we are
Duetto is operated by Mavk Analytics LTD, a private limited company registered in England and Wales.
- Company number: 17024096
- Registered office: 20 Wenlock Road, London N1 7GU, England
- Privacy contact: privacy@theduetto.com
- General contact: support@theduetto.com
For the purposes of the UK GDPR and the EU GDPR, Mavk Analytics LTD is the data controller of your personal data.
2. Data we collect
We collect the following categories of personal data:
a) Telegram account data (received automatically when you open the Mini App):
- Telegram numerical user ID (
tg_id) - Username (if set on your Telegram account)
- First name and last name (as shown on your Telegram account)
- Profile photo URL
- Telegram language code (used to set your initial Duetto locale)
b) Birth data (provided by you during onboarding):
- Your name (free-text, you choose)
- Date of birth
- Time of birth (optional)
- Place of birth (city label and geographic coordinates resolved from your selection)
- Time zone of birth (derived from coordinates)
c) Partner birth data (provided by you for synastry readings):
- Same fields as above, for any partner you create
d) Reading content (generated by us):
- Astrological calculations performed by our deterministic engine
- Narrative text generated by an AI language model based on your data
- Reading metadata (type, timestamp, locale)
e) Payment data (when you make a purchase):
- For Telegram Stars: Telegram-issued charge ID, amount in Stars, product code, timestamp. We do not receive your payment instrument.
f) Usage data:
- Anonymous analytics events (e.g. "reading_started", "paywall_viewed") with timestamps
- IP address (collected at session start for rate limiting; stored for up to 30 days)
- User agent string (browser/device information from your Telegram client)
- JWT session identifiers (stored in our database to allow session revocation)
g) Referral data:
- Your unique referral code (assigned automatically)
- The referral code, if any, you used to sign up
- Aggregate counts of users you have referred
3. Why we collect this data and our legal basis
| Purpose | Categories | Legal basis (UK/EU GDPR) |
|---|---|---|
| Authenticate you and deliver the Service | a, f | Contract (Art. 6(1)(b)) |
| Compute your astrological chart and generate readings | b, c, d | Contract (Art. 6(1)(b)) |
| Process payments | e | Contract (Art. 6(1)(b)) |
| Detect and prevent abuse (including free-tier rotation after account deletion) | a, f, plus deletion tombstones (see § 7) | Legitimate interest (Art. 6(1)(f)) |
| Improve the Service, debug errors, and understand aggregate usage | f | Legitimate interest (Art. 6(1)(f)) |
| Send daily transit notifications (if you enable them) | a, b | Consent (Art. 6(1)(a)) |
| Operate the referral program | g | Contract (Art. 6(1)(b)) |
| Comply with legal obligations (e.g. tax records) | e | Legal obligation (Art. 6(1)(c)) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of earlier processing.
Where we rely on legitimate interest, we have balanced our interest in operating and securing the Service against your rights and freedoms. You may object to such processing — see § 9.
4. Special categories of data
Birth data (date, time, place) is not, by itself, a "special category" of personal data under the UK/EU GDPR. We do not knowingly collect health data, racial or ethnic origin, religious beliefs, political opinions, sexual orientation, or biometric data. You should not enter such information into free-text fields. If you do, you acknowledge that you have voluntarily provided it and consent to its processing as part of your reading.
5. AI and automated processing
We use a third-party AI language model provider to generate the narrative portion of your readings. The astrological calculations themselves are deterministic and performed by our own engine.
Your birth data is included in prompts sent to the AI provider. We use the AI provider's API with data-processing terms that prohibit them from training their models on your data. We do not make decisions about you that produce legal or similarly significant effects through automated means.
If you object to AI processing of your data, you should not use the Service, as it is integral to delivering readings.
6. Who we share data with
We share your data with the following categories of recipients ("subprocessors"):
| Recipient | Purpose | Country |
|---|---|---|
| Telegram FZ-LLC | Authentication, message delivery, Telegram Stars payments | United Arab Emirates |
| Third-party AI / LLM provider | AI-generated reading narratives | United States |
| Railway Corp. (data hosted in Amsterdam) | Application hosting and database | Netherlands (EEA) |
| Functional Software, Inc. (d/b/a Sentry) | Error monitoring | United States |
| Cloudflare, Inc. | DNS, edge network, email routing | United States |
We do not sell your personal data. We do not share it with advertisers. We may disclose data to law enforcement or regulators if we are legally compelled (e.g. a UK production order) or to protect the rights, property, or safety of users or third parties.
7. International data transfers
Your core account and birth data are stored in our primary database, which is hosted within the EEA (Amsterdam, Netherlands). Some of our subprocessors are nonetheless located outside the UK and the EEA, primarily in the United States — for example, the third-party AI provider that generates reading narratives and our error-monitoring provider. Where we transfer your personal data outside the UK/EEA, we rely on one of the following safeguards:
- UK International Data Transfer Agreement / EU Standard Contractual Clauses signed with the recipient
- UK Extension to the EU-US Data Privacy Framework where applicable (e.g. recipients certified under the DPF)
- Adequacy decisions of the UK Government or European Commission for certain countries
You may request a copy of the transfer safeguards we use by contacting privacy@theduetto.com.
8. How long we keep your data
| Data | Retention period |
|---|---|
| Active account data (categories a, b, c, d) | While your account is active |
| Account deletion tombstone (Telegram user ID + deletion timestamp, no other PII) | Indefinitely, for abuse prevention (see below) |
| Payment records | Seven (7) years after the transaction, to comply with UK tax and accounting law |
| Server logs (IP, user agent) | Up to 30 days |
| Analytics events | Up to 24 months in aggregated form |
| JWT session records | Until expiry (1 hour) and then up to 7 days for revocation evidence |
Anti-abuse tombstone. When you delete your account, we permanently remove your name, username, profile photo, birth data, partner data, reading content, and other identifying information. However, we retain a non-identifying record indicating that an account previously existed for your Telegram user ID. We use this solely to prevent a single Telegram user from repeatedly creating, deleting, and recreating accounts to obtain multiple free readings. The tombstone does not contain your name, username, photo, birth data, partner data, or any reading content. Legal basis: legitimate interest (Art. 6(1)(f) UK/EU GDPR). If you object to this processing on grounds relating to your particular situation, contact privacy@theduetto.com.
9. Your rights
If you are in the UK or the EEA, you have the right to:
- Access the personal data we hold about you and receive a copy
- Rectify inaccurate or incomplete data (also available in-app via the profile editor)
- Erase your data ("right to be forgotten") — also available in-app via "Delete account"
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent for any processing based on consent (e.g. daily transit notifications)
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority
If you are a California resident, you have rights under the CCPA/CPRA including the right to know, delete, correct, and limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights. We do not sell or "share" (as defined under the CPRA) your personal information.
To exercise any right, email privacy@theduetto.com from the email address you can verify, or use in-app self-service where available. We will respond within 30 days (or 45 days for complex requests, with notice). There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.
10. Children
The Service is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you become aware that a person under 18 has provided us with personal data, contact privacy@theduetto.com and we will delete it.
11. Security
We use industry-standard technical and organisational measures to protect your data, including TLS encryption in transit; field-level (application-layer) encryption of sensitive personal data — your name and all birth data (date, time and place of birth, coordinates, and the computed natal chart) — using authenticated encryption with key rotation; encryption at rest at the storage layer; access controls; and audit logging. No method of transmission or storage is 100% secure; we cannot guarantee absolute security. If we become aware of a personal data breach affecting your rights, we will notify the UK ICO within 72 hours and notify you without undue delay if required by law.
12. Cookies
The Telegram Mini App does not use cookies. Our landing website at theduetto.com uses cookies and similar technologies — see our Cookie Policy for details and how to control them.
13. Changes to this Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top. For material changes, we will notify you in-app or by message before the change takes effect, and where required by law we will obtain fresh consent.
14. Contact us
For any privacy question, request, or complaint:
- Email: privacy@theduetto.com
- Postal: Mavk Analytics LTD, 20 Wenlock Road, London N1 7GU, England
If you are not satisfied with our response, you have the right to complain to:
- UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
- EU: Your local Data Protection Authority — see edpb.europa.eu
- California: California Privacy Protection Agency — cppa.ca.gov
This is the master English version. Translations are provided for convenience; in case of conflict, the English version prevails.