Privacy Policy
Version 3.1 · Effective: 5 May 2026
1. Who we are
Data controller: Bashar Waleed, operating as Aum Mystic LLC, a limited liability company registered in the State of Wyoming, United States.
Email: hello@thelineagecode.com
Website: thelineagecode.com
As a business that accepts customers in the European Union and European Economic Area, we operate in full compliance with the General Data Protection Regulation (GDPR).
For all data protection matters — access requests, deletion requests, complaints — contact us directly at hello@thelineagecode.com. If you are not satisfied with our response, you have the right to contact your national supervisory authority (see §10).
2. What data we collect
We collect only what we need to deliver the service.
2a. Intake data — what you provide
When you complete the intake form, we collect:
- Your name, email address, phone/WhatsApp number, and country of residence
- Your date of birth, time of birth, and place of birth — used solely to calculate your birth chart. These three fields are deleted from our systems within minutes of the chart being generated. The chart output (which contains no date or time values) is what flows into the rest of the report.
- Your answers to all intake questions, which will include information about:
  - Your emotional and mental state, life history, and current circumstances
  - Your family relationships — parents, siblings, significant others, children
  - Difficult or traumatic experiences in your past or present
  - Your sexuality, and any spiritual, religious, or cultural beliefs
  - Other people in your life, as you describe your relationship with them
This intake data falls under special category data (GDPR Article 9) — the most protected data category under EU law. We process it only with your explicit prior consent.
2b. Purchase data
When you purchase, Stripe processes your payment and we receive from Stripe: your name, email address, the product purchased, the amount paid, currency, and a Stripe payment reference. We do not receive or store your payment card details at any point.
2c. Consent records
When you tick the pre-purchase consent box, we log: the date, time, your IP country, your browser language, the URL you were on, and a version identifier of the Terms and disclaimer text shown to you at that moment. This record is retained as legally required evidence of informed consent.
2d. Technical and communications data
If you contact us by email, we retain that correspondence. When you use our website, we use Plausible Analytics — a privacy-first analytics tool that uses no cookies and collects no personal data. Only aggregate traffic data (page visits, country, referrer) is collected. No individual-level tracking occurs on our site.
3. Legal basis for processing
We rely on the following legal bases under GDPR Articles 6 and 9:
| Processing activity | Legal basis |
|---|---|
| Processing intake responses, including all special category data | Art. 9(2)(a) + Art. 6(1)(a) — your explicit consent, given by ticking the consent_explicit checkbox on Page 1 of the intake form. This consent must be given before any sensitive answers are entered. |
| Calculating your birth chart from date, time, and place of birth | Art. 9(2)(a) + Art. 6(1)(a) — same explicit consent. These three fields are deleted minutes after use. |
| Generating and delivering your Map PDF | Art. 6(1)(b) — contract performance. Once you have purchased and consented, generating and sending your Map is what you paid for. |
| Sending reminder emails to complete an unfinished intake | Art. 6(1)(b) — contract performance. You paid for a Map; reminders to complete the intake are part of fulfilling that contract. |
| Resending your PDF if the original email was not received | Art. 6(1)(b) — contract performance. |
| Retaining your invoice record | Art. 6(1)(c) — legal obligation. Invoice records must be retained for 10 years under applicable accounting law. |
| Retaining consent log records | Art. 6(1)(f) — legitimate interest. We have a legitimate interest in being able to demonstrate, if needed, that pre-contract information was provided to you at the time of purchase. |
| Sending the newsletter and field notes from Bashar | Art. 6(1)(a) — consent, given via the optional consent_newsletter checkbox at the end of the intake form. Defaulted OFF. You can withdraw at any time. |
| Retaining anonymised data for engine improvement | Art. 6(1)(a) — consent, given via the optional consent_training checkbox at the end of the intake form. Defaulted OFF. You can withdraw at any time. |
| Customer support (email and phone) | Art. 6(1)(b) — contract performance. |
4. Special category data
Your intake includes information about your mental and emotional state, family relationships, sexuality, spiritual or religious beliefs, and difficult life experiences. Under GDPR Article 9, this is "special category" data — the most legally protected data we hold.
We process it only on the basis of your explicit, specific consent (Art. 9(2)(a)), which you give by ticking the required consent_explicit checkbox on Page 1 of the intake form. This checkbox must be ticked before you can enter any sensitive answers. It is not bundled with any other consent.
You can withdraw this consent at any time by emailing hello@thelineagecode.com. Withdrawal will not affect the lawfulness of processing that already took place before you withdrew. If you withdraw before your Map is generated, we will stop all processing and issue a full refund.
5. Information about other people
When you complete the intake, you may describe family members, caregivers, or other individuals — their history, their behaviour toward you, and how your relationship with them shaped you.
We use this information only to understand the relational patterns in your own history. We do not collect, store, or profile those individuals independently. Any reference to a named or described person in your Map reflects your subjective account of how that relationship shaped you — it is not a clinical assessment of any other person.
We do not share information about third parties mentioned in your intake with anyone else. That information is deleted along with your intake data at the end of the retention period.
6. How long we keep your data
| Data | Retention period | What happens at the end |
|---|---|---|
| Date of birth, time of birth, place of birth | Minutes after birth chart calculation | Permanently deleted from all systems |
| Intake responses (all special category data) | 30 days from the date of intake submission | Permanently deleted. If you gave consent_training, anonymised first — then the original is deleted. |
| Your Map (PDF file) | 30 days from delivery date | Permanently deleted from our servers. Save your own copy. |
| Intermediate processing files (session data created during report generation) | Up to 30 days | Deleted automatically |
| Your name, email address, phone number | Retained while you are an active customer | Deleted on receipt of a full erasure request, or on your own request |
| Invoice records | 10 years | Required by accounting law — cannot be deleted, but can be anonymised on request where permitted |
| Consent log records | Retained indefinitely | Required as legal evidence — cannot be deleted, but your name/email can be scrubbed on a full erasure request |
| Audit and event logs | Retained indefinitely | PII fields scrubbed to [ERASED] on full erasure request; rows kept for compliance integrity |
| Anonymised research corpus | Retained indefinitely | Once fully anonymised (all identifiers removed), this data is outside GDPR scope under Recital 26 |
Abandoned intakes — if you start the intake form but do not submit, any partial responses are deleted after 30 days of inactivity.
7. Who we share your data with
We share your data with as few parties as possible. The sub-processors we use are:
| Category | Purpose | Location | Notes |
|---|---|---|---|
| Hosting infrastructure | Stores all application data, database, and API | EU | ISO 27001 certified · DPA in place under Art. 28 GDPR |
| Payment processing | Processes your payment; receives name, email, purchase amount | Ireland, EU | Stripe Payments Europe Ltd · DPA in place under Art. 28 GDPR |
| Transactional email | Delivers intake link, Map PDF, and support replies; receives name, email, message content | International | DPA in place under Art. 28 GDPR · Standard Contractual Clauses for transfers outside the EU |
| AI processing | Generates the content of your Map from your intake responses | USA (EU→US transfer) | 30-day API data retention (provider standard terms) · training on customer data disabled · SOC 2 Type 2 + ISO 27001 certified · transfer under Standard Contractual Clauses in provider's commercial terms |
| Birth chart calculation | Computes your birth chart from date, time, and place of birth | International | DPA in place · Standard Contractual Clauses · birth data deleted from our systems within minutes |
All outputs are subject to human oversight by Bashar Waleed prior to or alongside delivery, to ensure quality and prevent purely automated decision-making.
A full, specific list of our active sub-processors (including our enterprise AI providers) is available to customers upon request — email hello@thelineagecode.com.
We do not sell your data. We do not share your data with advertisers. We do not use your data for behavioural profiling or for any automated decision-making that produces legal or similarly significant effects without a human in the loop.
8. International data transfers
Our primary infrastructure is hosted in the European Union. Some of our sub-processors operate outside the EU. For all such transfers we rely on:
- Standard Contractual Clauses (SCCs) — the EU-approved legal mechanism for international transfers, ensuring your data receives equivalent protection outside the EU
- Provider retention limits — the AI processing provider retains API inputs and outputs for up to 30 days under their standard commercial terms; training on customer data is disabled
- Minutes-only retention upstream — birth chart inputs (date, time, place of birth) are sent to the chart calculation API only for processing and removed from our systems within minutes
9. Your rights under GDPR
If you are in the EU or EEA, you have the following rights. These rights apply from the moment you purchase.
| Right | What it means in practice |
|---|---|
| Right of access (Art. 15) | You can ask us for a copy of all personal data we hold about you. We will provide it within 30 days, in a readable format. |
| Right to rectification (Art. 16) | You can ask us to correct inaccurate data. |
| Right to erasure (Art. 17) | You can ask us to delete your personal data. We offer two levels: full erasure (everything except legally required records) and intake-only erasure (deletes the report and intake, retains your email/name for the newsletter if you opted in). We will complete erasure within 30 days. |
| Right to restriction (Art. 18) | You can ask us to pause processing while a dispute is resolved. |
| Right to portability (Art. 20) | You can ask for your intake data in a machine-readable format (JSON). |
| Right to object (Art. 21) | You can object at any time to processing based on legitimate interests (Art. 6(1)(f)). |
| Right to withdraw consent (Art. 7(3)) | You can withdraw any consent — including your consent to intake processing — at any time by emailing us. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Right not to be subject to automated decisions (Art. 22) | All outputs are subject to human oversight by Bashar Waleed prior to or alongside delivery. No purely automated decision is ever made that produces significant effects for you. |
Complaint to a supervisory authority: If you believe we have violated your rights, you have the right to lodge a complaint with your national data protection authority. You do not have to contact us first, though we would appreciate the opportunity to address your concern directly.
10. How to exercise your rights
Email hello@thelineagecode.com with the subject line: "Data request — [your name]". Please use the email address you provided at purchase so we can verify your identity quickly.
We will acknowledge your request within 72 hours and respond in full within 30 days. For complex requests, we may extend by a further 60 days — we will notify you if this applies.
There is no charge for exercising your rights.
Supervisory authority contacts:
- Ireland: Data Protection Commission — dataprotection.ie
- Germany: Your Landesbeauftragte für Datenschutz (state-level authority)
- Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- UK: Information Commissioner's Office — ico.org.uk
- All EU/EEA authorities: edpb.europa.eu/about-edpb/board/members_en
11. Age threshold
The Lineage Code is not available to anyone under 21 years of age. The depth of the material and the nature of consent required for systemic lineage work are the reason for this minimum, which is set above the legal age of contractual majority in most jurisdictions. We do not knowingly collect personal data from anyone under 21. If you believe we have received data relating to a person under 21, contact us immediately at hello@thelineagecode.com and we will delete it.
12. How we protect your data
We take the security of your data seriously. The measures we have in place include:
- All data in transit is encrypted via TLS (HTTPS everywhere)
- Personally identifiable data — including all intake responses, names, and email addresses — is encrypted at rest at the database level using AES-256 encryption (Fernet) before being written to disk
- All outputs are subject to human oversight by Bashar Waleed prior to or alongside delivery
- Servers housed in an access-controlled, EU-located data centre
- Production system access is restricted to named individuals via SSH key authentication only — no password login
- Access to the admin dashboard is password-protected and access-logged
In the event of a data breach: if we become aware of a breach that is likely to affect your rights or freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay.
13. Analytics
We use Plausible Analytics on our website. Plausible is a privacy-first analytics service that uses no cookies, collects no personal data, and requires no consent banner. We collect only aggregate, anonymised traffic data (pages visited, approximate country, referrer source). No individual user is tracked.
14. Changes to this policy
When we update this policy, we change the version number and effective date at the top of the page.
For material changes — changes that affect how we process your special category data, what data we collect, who we share it with, or your rights — we will email you before the change takes effect and, where GDPR requires it, ask for fresh consent before the new processing begins.
For minor changes — corrections, clarifications that do not change the substance of what we do — we will update the document without direct notification.
15. Contact
Data controller: Bashar Waleed / Aum Mystic LLC
Email: hello@thelineagecode.com
Website: thelineagecode.com
For data protection matters: use the subject line "Data request" or "GDPR" so your message reaches us promptly.
Looking for the version you agreed to? Email hello@thelineagecode.com with your purchase date — we'll send you the exact archived text.