
When you order a grave service online and the work happens 10,000 km away in Uzbekistan, your data has to cross borders. This article explains what we collect, how we protect it, and what you can do about your data.
What we collect. Mandatory: your name, contact (email and at least one of phone/Telegram/WhatsApp), address. About the deceased: name, dates of birth and death, cemetery and plot if known, religion (helps tailor service). About payment: card last 4 digits, country, currency. Optional: photos of the deceased (used for memorial design), family-tree data (used for genealogical search).
What we don't collect. Full card numbers (handled by payment provider, not by us). Passport scans beyond KYC verification (deleted after verification). Family tree branches not related to the deceased.
How long we keep data. Active service period plus 5 years (Uzbek civil law requirement for service contracts). For European clients, we keep data for the minimum period required for tax/legal compliance, after which you can request deletion under GDPR Art. 17.
Where data is stored. Primary database on AWS Frankfurt (EU). Backups encrypted in AWS Ireland. Photos in object storage with access keys rotated quarterly. Logs anonymized after 90 days.
GDPR rights (European clients). Access (Art. 15) — view all your data on request. Rectification (Art. 16) — correct mistakes. Erasure (Art. 17) — delete after legal retention. Portability (Art. 20) — export in JSON. You can also lodge a complaint with your country's data protection authority.
Non-European clients. We apply equivalent practices. California residents can request similar rights under CCPA. New York Bukharian community questions go to our designated privacy officer at privacy@grave.uz.
Security. SOC 2 Type II compliance (2024 audit). All data encrypted in transit (TLS 1.3) and at rest (AES-256). Staff access is on a need-to-know basis with two-factor authentication. Annual penetration test by an external firm.
Frequently asked questions
Yes. Under GDPR Art. 20, request via privacy@grave.uz; we deliver JSON within 30 days, no fee for first request per year.