Privacy Policy
Last updated: January 17, 2026
1. Who We Are
Prayer Warrior ("we", "us", "our") provides a mobile-first app that helps users generate and manage Scripture‑guided prayers. We act as the data controller for personal data processed through the app.
Contact: support@prayerwarrior.app
2. What We Process
Account & Authentication
- Email address and optional display name.
- Session data via cookies (Better Auth) with up to a 1‑year session duration.
- Verification and password reset tokens (short‑lived).
Prayer & Activity
- Prayer requests you create, generated prayers, and selected Scripture references.
- Prayer history, answered prayer records, and circle participation.
Subscription
- Subscription status, tier, and renewal dates (managed via Polar).
- We do not collect or store payment card details.
Usage, Security & Communications
- Server logs, rate‑limiting data, and IP address for security/abuse prevention.
- Real‑time and push events via Pulse (e.g., updates for shared content).
- Transactional emails (verification and password reset) via Resend.
- Theme preference and onboarding state stored locally on your device.
3. Purposes & Legal Bases (GDPR Art. 6)
- Provide the service (account, sessions, prayer features) — Contract performance (Art. 6(1)(b)).
- Subscription management (checkout, renewals) — Contract performance (Art. 6(1)(b)).
- Security & abuse prevention (rate‑limiting, logs, CSRF) — Legitimate interests (Art. 6(1)(f)).
- Transactional emails (verification, resets) — Legitimate interests/Contract (Art. 6(1)(f)/(b)).
- Product improvement (aggregated metrics) — Legitimate interests (Art. 6(1)(f)).
- Consent‑based communications (if any marketing) — Consent (Art. 6(1)(a)).
4. AI Prayer Generation
When you generate a prayer, we send only what’s necessary (topic, notes, and parameters) to our AI provider (OpenAI) to create Scripture‑guided text. We do not send payment data or unrelated profile data.
- Your prompts are processed to return text only; we fetch verse text from Bible APIs separately.
- OpenAI’s API policy does not use API data for training by default.
5. Cookies & Local Storage
- Session cookies (Better Auth) to keep you signed in (up to 1 year).
- CSRF cookie to protect state‑changing requests.
- Local storage for theme (e.g., prayer-warrior-theme) and onboarding state.
6. How We Share Data
We do not sell your data. We share limited data with processors to operate the service:
- OpenAI (AI text generation).
- Polar (subscriptions, customer portal, webhooks).
- Resend (transactional email delivery).
- Cloud & database providers for hosting, storage, and Redis‑backed rate limiting.
We also operate internal systems (e.g., real‑time delivery via Pulse) that are not third‑party processors.
We enter into data processing agreements (DPAs) with external processors where required by GDPR and apply appropriate transfer safeguards (e.g., SCCs) when data is processed outside the EU/EEA.
7. International Transfers
Some processors are located outside the EU/EEA (e.g., United States). Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms offered by those providers.
8. Security
- HTTPS/TLS in transit; database and secrets protected in our infrastructure.
- CSRF protection, rate limiting, and authentication best practices.
- Access limited to authorized personnel on a need‑to‑know basis.
9. Retention
We keep personal data only as long as necessary to provide the service and meet legal obligations. Session cookies may last up to one year. You may delete your account to remove prayer content and profile data, subject to legal retention requirements.
10. Your GDPR Rights
Subject to conditions and exemptions, you have the right to:
- Access, rectify, or erase your personal data.
- Restrict or object to processing (including legitimate‑interest processing).
- Data portability.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
Contact us at support@prayerwarrior.app to exercise these rights.
11. Children’s Privacy
The service is not directed to children under 13, and we do not knowingly collect their personal data. If you believe a child has provided personal data, please contact us to delete it.
12. Updates to This Policy
We may update this policy to reflect changes in law or our service. We will notify you of material changes. Continued use of the service after an update indicates acceptance.
13. Contact
For privacy questions or GDPR requests, email support@prayerwarrior.app.