Skip to main content

Written in plain English

Privacy Policy.

Your spiritual journey is between you and God — not you and advertisers.

Last updated · June 6, 2026

Overview

Gospify is designed with a privacy-first approach on every platform:

  • The app is offline-first. You can use almost everything — lessons, quests, journal, memory verses, the offline Lumen study tools — without signing in and without sending anything off your device.
  • We do not sell your data, show ads, use tracking SDKs, or share information with advertisers or data brokers.
  • We use Firebase Crashlytics, Firebase Analytics, and Firebase Performance Monitoring (iOS only for Performance) to collect anonymous crash reports, usage events, and performance metrics. No personally identifiable information is attached to these events. We do not use Mixpanel, Amplitude, or any third-party marketing or advertising SDK.
  • We collect only what's strictly needed to (a) sync your progress across devices if you choose to sign in, and (b) power the "Ask Lumen" AI chat if you choose to use it.

Data stored on your device

Whether you sign in or not, the following lives locally and is only accessible to the Gospify app:

  • Lesson progress and completion status
  • Manna (XP), Embers (streak), and achievement history
  • Quest progress and reward claims
  • Lumen study data — explored topics, saved verses, notes, flashcard scores
  • Reading-plan progress
  • Personal reflections and journal entries
  • App preferences and settings

On iOS / macOS this is stored in UserDefaults. On Android it's stored in a local Room database in app-private storage. Only the Gospify app can read it.

Crash reporting, analytics & performance

To improve app stability and understand how features are used, Gospify uses the following Firebase services:

Firebase Crashlytics

Crashlytics automatically detects and reports crashes and non-fatal errors. When a crash occurs, the following anonymous data is collected:

  • Device model, OS version, and app version
  • Anonymous stack traces showing where the crash occurred
  • Breadcrumb events (e.g. which screen was active) to help reproduce the issue

Crashlytics does not collect your name, email, journal entries, study notes, lesson content, or any personal data. If you are signed in with Apple, your anonymous Apple user ID is associated with crash reports to help debug user-specific issues. You can clear this association by signing out.

Firebase Analytics

We log a small set of anonymous usage events to understand which features matter most:

  • lesson_completed — a lesson was finished
  • level_up — the user reached a new level
  • streak_extended — a streak milestone was reached
  • quest_claimed — a quest reward was claimed
  • lumen_query — an AI question was asked
  • verse_reviewed — a memory verse was reviewed

These events contain no personally identifiable information — no name, no email, no device ID, no content of your questions or reflections. They tell us things like "120 lessons were completed today across all users," not who completed them.

Firebase Performance Monitoring (iOS only)

Performance Monitoring collects anonymous app performance data — startup time, screen rendering speed, and network latency — to help identify and fix slowdowns. No personal data is included.

MetricKit (Apple)

On iOS, Apple's built-in MetricKit diagnostic system provides additional crash and performance data collected by the operating system itself. This data is forwarded to the developer through Apple's standard diagnostic pipeline. It includes crash logs, hang reports, and performance metrics. MetricKit data is governed by Apple's privacy policy.

Bug reporting (Shake-to-Report)

Gospify includes a "Shake to Report a Bug" feature. On iPhone, shake your device; on Mac, press ⌘⇧B; or go to Settings → Report a Bug.

When you trigger a bug report, the app composes an email in your default mail client pre-filled with device diagnostics (device model, OS version, app version, available storage, and current locale). Gospify does not store or transmit the report itself — your email app handles the entire send. You can review, edit, or discard the email before sending. The report is delivered to the developer's email inbox just like any other email.

Cross-device sync

Sync is optional. If you want your progress to follow you across devices — or survive a reinstall — here's how it works on each platform:

🍎 iOS & macOS · Apple iCloud (CloudKit)

On Apple devices, sync uses your personal iCloud account through Apple's CloudKit. Your data is encrypted by Apple and stored under your Apple ID. Gospify cannot see or access your iCloud data — only your own authenticated devices can read it. No third party receives your data. You can disable iCloud sync any time in Settings.

🤖 Android · Supabase

Android doesn't have CloudKit, so the Android app uses Supabase as its sync backend. If you sign in (email + password, Google, or Apple), the following syncs to our Supabase Postgres database:

  • Your email address and user ID
  • Display name, avatar letter, and optional bio
  • All progress data listed above — lessons, XP, streak, Mites, quests, achievements, cosmetics, reading plans, memory verses, journal reflections, settings
  • Your Lumen AI chat history and daily credit ledger (next section)

Data is transmitted over TLS (HTTPS / WSS) and stored encrypted at rest in EU Central (Frankfurt). Row-level security ensures only you can read or modify your own rows — not other users, not staff, not anyone with only an anonymous API key.

If you never sign in on Android, nothing is sent to Supabase — the app works fully offline.

Lumen AI chat

"Ask Lumen" is the optional AI chat feature powered by Claude, made by Anthropic, Inc. The data flow differs by platform:

🍎 iOS / macOS

On Apple platforms, Lumen AI chat routes through the Gospify API proxy — a Cloudflare Worker that the developer operates. Your message and recent conversation history travel over TLS to this proxy, which forwards them to Anthropic's Claude API using a server-side key. The proxy enforces daily credit limits and handles routing, but does not store your messages beyond the immediate request. Chat history lives only on your device.

Alongside your message, Lumen's system prompt — the stable instructions that shape Lumen's behavior — includes two non-identifying preferences if you've set them: your tradition (Catholic, Protestant, or Both) and your grammatical-gender preference for "How We Address You" (feminine, masculine, or unset). These are broad categories, not identifiers; they let Lumen respond in the right tradition and with correct grammatical agreement in gendered languages like Spanish or French.

🤖 Android

On Android, Lumen chat routes through a Supabase Edge Function we operate:

  1. Your message goes to our Edge Function over TLS.
  2. The function verifies you're signed in, checks your daily free-tier credit, and forwards the message plus recent context to Anthropic using our server-side API key.
  3. Anthropic generates a reply and returns it.
  4. The function stores your message + Anthropic's reply (so you can review past conversations and we can enforce the per-day limit), then returns the reply to the app.

You can delete individual conversations at any time from within the app, or request full account deletion — we purge within 7 days.

Anthropic's privacy policy applies to their servers: anthropic.com/legal/privacy. Per their policy, API inputs and outputs are not used to train their models.

You can use Gospify without the AI chat — every other Lumen tool (topics, cross-references, word studies, flashcards, quizzes, timeline, maps, Bible navigator) works fully offline.

Authentication methods

If you choose to sync on Android, you can sign in with:

  • Email and password — your email is stored by Supabase; your password is stored only as a salted hash. We never see your plaintext password.
  • Sign in with Google — we receive an opaque auth token tied to your Google account. We don't receive your Google password.
  • Sign in with Apple — Apple's privacy-preserving authentication. You can hide your real email; Apple relays via a private alias. No password is stored.

On iOS / macOS, Sign in with Apple is used where identity is needed. No Gospify-held password exists on Apple platforms.

Device permissions

The app uses only the permissions listed below, each for its stated purpose:

  • Notifications — optional; for daily study reminders and streak warnings. Never used for marketing.
  • Biometric (Face ID / fingerprint) — optional; used on-device to unlock your private journal. Biometric data never leaves your device and is never visible to the app — the OS returns a yes/no.
  • Vibration — for haptic feedback.
  • Microphone & speech recognition — optional; used only when you tap the mic icon during a memory verse recall exercise to recite the verse out loud. Audio is processed by Apple's on-device speech framework and discarded immediately after transcription. We never record, upload, or store audio. The microphone indicator turns off the moment you tap "stop" or finish the verse.
  • Calendar (optional) — only if you choose to add a study session or reading plan to your calendar; we write events to your default calendar and never read existing events.
  • Internet — required only for sync and Lumen AI chat. The rest works offline.

We do not request or access: your location, contacts, photos, camera, advertising ID, health data, or financial data. The microphone (above) is opt-in, scoped to one feature, and never records audio.

Children's privacy

Gospify is rated for ages 13 and up. We don't knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, email us and we'll delete it promptly. Parents and guardians are encouraged to review these terms and supervise their children's app usage.

Third parties we use

The only third parties who receive any of your data are listed below, each strictly to provide the infrastructure the app runs on:

  • Apple (CloudKit, Sign in with Apple, MetricKit) — iOS / macOS sync, authentication, and OS-level diagnostics. apple.com/legal/privacy
  • Google / Firebase (Crashlytics, Analytics, Performance Monitoring) — anonymous crash reporting, usage analytics, and performance telemetry. Also: Play Store distribution and optional OAuth sign-in on Android. policies.google.com/privacy
  • Cloudflare, Inc. — hosts the Gospify API proxy (Cloudflare Worker) that routes Lumen AI requests on iOS / macOS. cloudflare.com/privacypolicy
  • Supabase, Inc. — Android sync backend (auth + Postgres + Edge Functions). supabase.com/privacy
  • Anthropic, Inc. — processes Lumen chat messages (via our proxy — your messages are not sent directly to Anthropic from the app). anthropic.com/legal/privacy

No ad networks. No marketing attribution. No data brokers. Analytics events are anonymous and used solely for product improvement.

Data retention

  • Account and sync data — retained while your account is active. Deleted on request within 7 days, or automatically 2 years after your last sign-in, whichever comes first.
  • Lumen chat history (Android) — retained for the lifetime of your account. Delete individual conversations in-app any time.
  • Daily AI credit ledger — per-day counter tied to your user ID; contains no message content.
  • Database backups — encrypted backups retained 7 days. After 7 days even backups are purged.

Your rights

You may at any time:

  • Access your data — most is visible in the app; email us for a JSON export of everything we hold.
  • Correct your data — edit your profile in Settings → Edit Profile.
  • Delete your account and all data — open the app, go to Settings → Account → Delete Account. Your local data is wiped immediately, iCloud-synced data within 7 days. To request server-side deletion of anything we may still hold, contact us.
  • Withdraw consent — uninstall the app. If you were signed in, also email us to request deletion so nothing lingers.

If you're in the European Economic Area, United Kingdom, Switzerland, or California, you additionally have the rights granted by GDPR, UK GDPR, and CCPA respectively. Email us to exercise any of them.

Security by design

  • Encryption in transit — TLS 1.2+ on every request. Nothing in plaintext.
  • Encryption at rest — Supabase Postgres encrypts data at rest on AWS. Apple CloudKit encrypts under your Apple ID.
  • Row-level security — database policies guarantee you can only read and write your own data.
  • Server-side AI key — the Anthropic API key lives only on our server-side proxy (Cloudflare Worker on iOS/macOS, Supabase Edge Function on Android). Never in the app binary.
  • Biometric journal lock — on-device; the OS tells the app yes/no. The biometric never leaves your device.
  • Minimal request payloads — Lumen chat requests include only your message, recent conversation history, and the system prompt. No device ID, no ad ID, no third-party identifiers.
  • No advertising or marketing tracking — zero ad networks, attribution SDKs, or data brokers. Firebase Analytics collects only anonymous product-improvement events; no personal data is attached.

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you by email within 72 hours as required by law.

Changes to this policy

We may update this policy as the app evolves. The "Last updated" date at the top reflects the most recent change. Material changes — anything that expands what we collect or who we share it with — will be announced in-app or by email.

Contact

Privacy questions, data-export, or data-deletion requests — a real human reads every message and responds within 48 hours.

honorius@neogy.dev