Privacy Policy

This Privacy Policy describes how Asha Hug ("we", "us") collects, uses, and protects your personal data when you use our Service. We are committed to transparency and to compliance with the Russian Federal Law on Personal Data (152-ФЗ) and the EU General Data Protection Regulation (GDPR) where applicable.

1. Data Controller

Data controller: Asha Hug service. Contact: privacy@aifriend.ticketsmarkets.ru

2. Data We Collect

We collect the following categories of personal data: (a) Account data: email, name (optional), password hash; (b) Conversation data: messages you send and receive, character choices, timestamps; (c) Usage data: IP address, browser type, device info, pages visited, session duration; (d) Payment data: handled by YooKassa — we never store full card numbers; (e) Cookies: session tokens, preferences (see Section 7).

3. Purposes of Processing

We process your data to: (a) provide and improve the Service; (b) maintain conversation memory across sessions (long-term personalization); (c) detect and respond to crisis situations; (d) process payments and prevent fraud; (e) communicate with you about your account; (f) comply with legal obligations.

4. Legal Basis (GDPR)

For EU users, our legal bases are: (a) Contract — providing the Service you signed up for; (b) Consent — for non-essential cookies and marketing; (c) Legitimate interest — for security, fraud prevention, and Service improvement; (d) Legal obligation — when required by law.

5. Data Storage and Security

Your data is stored on servers located in the Russian Federation with industry-standard security measures: encrypted in transit (TLS 1.3), encrypted at rest, access controls, and regular backups. Passwords are hashed with bcrypt. We retain your data for as long as your account is active, plus 90 days after deletion (for recovery), unless longer retention is required by law.

6. Your Rights (GDPR Art. 15–22)

You have the right to: (a) Access your data (request a copy); (b) Rectify inaccurate data; (c) Erase your data ("right to be forgotten"); (d) Restrict processing; (e) Data portability (machine-readable export); (f) Object to processing; (g) Withdraw consent at any time. To exercise these rights, go to Settings → Delete Account, or contact privacy@aifriend.ticketsmarkets.ru. We respond within 30 days.

7. Cookies and Local Storage

We use the following storage technologies: (a) Essential: sessionStorage for access token (security), cookies for refresh token (HttpOnly, cannot be read by JavaScript); (b) Functional: localStorage for theme and language preferences; (c) Analytics: only if you give consent (off by default). You can manage cookie preferences at any time via the cookie banner.

8. Third-Party Services

We use the following processors: (a) MiniMax (LLM API, China) for generating AI responses — data is sent as conversation text only, no personal identifiers; (b) YooKassa (RU) for payment processing; (c) Sentry (US) for error monitoring, with PII stripped; (d) Langfuse (self-hosted) for LLM call logging. All processors are bound by data processing agreements.

9. International Data Transfers

Some of our processors (MiniMax, Sentry) are located outside the Russian Federation. We rely on Standard Contractual Clauses (GDPR Art. 46) and equivalent safeguards under 152-ФЗ for such transfers.

10. Children's Privacy

The Service is not directed at children under 18. We do not knowingly collect data from children. If you believe a child has provided data, contact privacy@aifriend.ticketsmarkets.ru and we will delete it.

11. Changes to This Policy

We may update this Policy. Material changes will be announced by email or in-app notification at least 14 days before they take effect.

12. Contact

Privacy questions or requests: privacy@aifriend.ticketsmarkets.ru. EU representative: privacy@ashahug.com