Privacy Policy

Last updated: April 27, 2026

1. Information We Collect

When you sign in with Google, we receive:

• Profile information: Name, email address, and profile photo
• Google ID: A unique identifier for your Google account

When you use the Service, we also collect:

• User content: Sermon notes, transcripts, study-question answers, devotional progress, Scripture Bites, and other text you create
• Usage data: Pages visited, features used, and interaction patterns (via Google Analytics 4)
• Audio data: If you use live transcription, audio is streamed in real time to Deepgram for transcription. We do not store the raw audio on our servers.
• Payment information: Processed and stored by Stripe. We do not store credit card numbers.
• Push notification tokens: If you enable notifications, we store your browser's push subscription endpoint and keys so we can send you daily devotional reminders.
• App activity: Streak history, login timestamps, and engagement metrics so the streak and reminder features work.

2. How We Use Your Information

• To provide and improve the Service
• To authenticate your identity and maintain your session
• To process subscription payments via Stripe
• To generate AI-powered features (Deep Dive, devotionals, Scripture Bites, live transcription)
• To send timed daily devotional reminders if you opt in to push notifications
• To analyze usage patterns and improve the user experience

3. Third-Party Services and Data Sharing

To power the Service, the following third parties may process your data on our behalf:

• Google (OAuth): Verifies your identity at sign-in. We request only your email and profile name.
• Google (Gemini API): Processes your sermon text to generate Deep Dive analysis, devotional content, and Scripture Bites.
• Google Analytics 4: Aggregated and pseudonymized usage analytics. GA4 may set first-party cookies and collect a client identifier. EU/UK visitors who decline analytics consent are excluded.
• Stripe: Processes subscription payments and stores billing information. Triggers webhook events for subscription state changes.
• Deepgram: Processes live audio for real-time transcription. Audio is streamed via secure WebSocket and is not retained by Deepgram or by us beyond the live session.
• Railway: Hosts the application servers and database (US-region infrastructure).
• Resend: Sends transactional and devotional email when configured.
• Web push providers: Browser-vendor push services (Mozilla autopush, Google FCM, Apple APNs) deliver notifications.

Each service handles your data according to its own privacy policy. We send only the minimum data required for the feature to work and we do not sell, rent, or otherwise commercialize your personal information.

4. Analytics and Cookies

We use Google Analytics 4 (GA4) to understand how the Service is used. GA4 collects pseudonymized usage data including pages visited, session duration, and device type. We also set a first-party session cookie required for sign-in. EU/UK visitors are presented with a consent banner before any analytics cookies are set; you can decline at any time.

5. Data Storage, Security, and Retention

• Your data is stored in an encrypted SQLite database on Railway's US-region infrastructure (encryption at rest provided by the volume layer; encryption in transit via HTTPS/TLS 1.2+).
• Sessions are secured with HTTP-only, Secure, SameSite cookies.
• Retention: Account and content data are retained for as long as your account is active. When you delete your account, all data is permanently removed within 30 days. Backup snapshots are purged within 90 days.
• Live audio is not retained — only the transcribed text becomes part of your saved sermon note.
• We do not sell, rent, or share your personal information with third parties for marketing.

6. International Data Transfers

The Service is hosted in the United States. If you access it from outside the US, your data is transferred to and processed in the US. By using the Service you consent to this transfer. Where required, our third-party processors rely on Standard Contractual Clauses or equivalent transfer mechanisms.

7. Your Rights

You have the right to:

• Access your data through the app at any time
• Delete your account and all associated data immediately and self-serve from Preferences or the public Delete Account page
• Export your notes as JSON from the Preferences page
• Withdraw consent for analytics at any time via the cookie banner or by clearing site data in your browser
• Lodge a complaint with your local supervisory authority (EU/UK GDPR users)

EU/UK/California residents have additional rights under GDPR and CCPA — including the right to object, restrict processing, and request data portability. Contact us at the address below to exercise these rights.

8. Children's Privacy

The Service is not directed at children under 13 and is intended for users 13 years of age or older. We do not knowingly collect information from children under 13. If you believe a child has provided us personal information, please contact us and we will delete the data.

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify users of significant changes through the app or email and update the "Last updated" date above.

10. Contact

Questions about your privacy, or want to exercise any of your rights? Email us at support@votional.com.