Privacy Policy.

🛡️Overview

Gospify is designed with a privacy-first approach on every platform:

• The app is offline-first. You can use almost everything — lessons, quests, journal, memory verses, the offline Lumen study tools — without signing in and without sending anything off your device.
• We do not sell your data, show ads, use tracking SDKs, or share information with advertisers or data brokers.
• There are no analytics trackers (no Firebase Analytics, Mixpanel, Amplitude, etc.) beyond standard crash and performance telemetry that Apple and Google Play collect automatically.
• We collect only what's strictly needed to (a) sync your progress across devices if you choose to sign in, and (b) power the "Ask Lumen" AI chat if you choose to use it.

📱Data stored on your device

Whether you sign in or not, the following lives locally and is only accessible to the Gospify app:

• Lesson progress and completion status
• Manna (XP), Embers (streak), and achievement history
• Quest progress and reward claims
• Lumen study data — explored topics, saved verses, notes, flashcard scores
• Reading-plan progress
• Personal reflections and journal entries
• App preferences and settings

On iOS / macOS this is stored in UserDefaults. On Android it's stored in a local Room database in app-private storage. Only the Gospify app can read it.

☁️Cross-device sync

Sync is optional. If you want your progress to follow you across devices — or survive a reinstall — here's how it works on each platform:

🍎 iOS & macOS · Apple iCloud (CloudKit)

On Apple devices, sync uses your personal iCloud account through Apple's CloudKit. Your data is encrypted by Apple and stored under your Apple ID. Gospify cannot see or access your iCloud data — only your own authenticated devices can read it. No third party receives your data. You can disable iCloud sync any time in Settings.

🤖 Android · Supabase

Android doesn't have CloudKit, so the Android app uses Supabase as its sync backend. If you sign in (email + password, Google, or Apple), the following syncs to our Supabase Postgres database:

• Your email address and user ID
• Display name, avatar letter, and optional bio
• All progress data listed above — lessons, XP, streak, Mites, quests, achievements, cosmetics, reading plans, memory verses, journal reflections, settings
• Your Lumen AI chat history and daily credit ledger (next section)

Data is transmitted over TLS (HTTPS / WSS) and stored encrypted at rest in EU Central (Frankfurt). Row-level security ensures only you can read or modify your own rows — not other users, not staff, not anyone with only an anonymous API key.

If you never sign in on Android, nothing is sent to Supabase — the app works fully offline.

💬Lumen AI chat

"Ask Lumen" is the optional AI chat feature powered by Claude, made by Anthropic, Inc. The data flow differs by platform:

🍎 iOS / macOS

The iOS / macOS apps call Anthropic's API directly from your device. Your message and recent conversation history go to Anthropic's servers to generate a reply. Per Anthropic's published policies, API traffic is not used to train their models. We do not store your Lumen chat history on any server we control — it lives only on your device.

Alongside your message, Lumen's system prompt — the stable instructions that shape Lumen's behavior — includes two non-identifying preferences if you've set them: your tradition (Catholic, Protestant, or Both) and your grammatical-gender preference for "How We Address You" (feminine, masculine, or unset). These are broad categories, not identifiers; they let Lumen respond in the right tradition and with correct grammatical agreement in gendered languages like Spanish or French.

🤖 Android

The Android app can't safely ship an Anthropic API key in the binary, so Lumen chat routes through a Supabase Edge Function we operate:

1. Your message goes to our Edge Function over TLS.
2. The function verifies you're signed in, checks your daily free-tier credit, and forwards the message plus recent context to Anthropic using our server-side API key.
3. Anthropic generates a reply and returns it.
4. The function stores your message + Anthropic's reply (so you can review past conversations and we can enforce the per-day limit), then returns the reply to the app.

You can delete individual conversations at any time from within the app, or request full account deletion — we purge within 7 days.

Anthropic's privacy policy applies to their servers: anthropic.com/legal/privacy. Per their policy, API inputs and outputs are not used to train their models.

You can use Gospify without the AI chat — every other Lumen tool (topics, cross-references, word studies, flashcards, quizzes, timeline, maps, Bible navigator) works fully offline.

🔑Authentication methods

If you choose to sync on Android, you can sign in with:

• Email and password — your email is stored by Supabase; your password is stored only as a salted hash. We never see your plaintext password.
• Sign in with Google — we receive an opaque auth token tied to your Google account. We don't receive your Google password.
• Sign in with Apple — Apple's privacy-preserving authentication. You can hide your real email; Apple relays via a private alias. No password is stored.

On iOS / macOS, Sign in with Apple is used where identity is needed. No Gospify-held password exists on Apple platforms.

📲Device permissions

The app uses only the permissions listed below, each for its stated purpose:

• Notifications — optional; for daily study reminders and streak warnings. Never used for marketing.
• Biometric (Face ID / fingerprint) — optional; used on-device to unlock your private journal. Biometric data never leaves your device and is never visible to the app — the OS returns a yes/no.
• Vibration — for haptic feedback.
• Internet — required only for sync and Lumen AI chat. The rest works offline.

We do not request or access: your location, contacts, photos, camera, microphone, device advertising ID, health data, or financial data.

👨‍👩‍👧Children's privacy

Gospify is rated for ages 13 and up. We don't knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, email us and we'll delete it promptly. Parents and guardians are encouraged to review these terms and supervise their children's app usage.

🤝Third parties we use

The only third parties who receive any of your data are listed below, each strictly to provide the infrastructure the app runs on:

• Apple (CloudKit, Sign in with Apple) — iOS / macOS sync and authentication. apple.com/legal/privacy
• Supabase, Inc. — Android sync backend (auth + Postgres + Edge Functions). supabase.com/privacy
• Anthropic, Inc. — processes Lumen chat messages. anthropic.com/legal/privacy
• Google (Play Store, Sign in with Google) — app distribution and optional OAuth sign-in on Android. policies.google.com/privacy

No ad networks. No analytics SDKs. No marketing attribution. No data brokers.

🗄️Data retention

• Account and sync data — retained while your account is active. Deleted on request within 7 days, or automatically 2 years after your last sign-in, whichever comes first.
• Lumen chat history (Android) — retained for the lifetime of your account. Delete individual conversations in-app any time.
• Daily AI credit ledger — per-day counter tied to your user ID; contains no message content.
• Database backups — encrypted backups retained 7 days. After 7 days even backups are purged.

⚖️Your rights

You may at any time:

• Access your data — most is visible in the app; email us for a JSON export of everything we hold.
• Correct your data — edit your profile in Settings → Edit Profile.
• Delete your account and all data — follow the Delete Account steps. We delete within 7 days.
• Withdraw consent — uninstall the app. If you were signed in, also email us to request deletion so nothing lingers.

If you're in the European Economic Area, United Kingdom, Switzerland, or California, you additionally have the rights granted by GDPR, UK GDPR, and CCPA respectively. Email us to exercise any of them.

🔍Security by design

• Encryption in transit — TLS 1.2+ on every request. Nothing in plaintext.
• Encryption at rest — Supabase Postgres encrypts data at rest on AWS. Apple CloudKit encrypts under your Apple ID.
• Row-level security — database policies guarantee you can only read and write your own data.
• Server-side AI key — the Anthropic key for Android Lumen lives only on our Edge Function. Never in the app binary.
• Biometric journal lock — on-device; the OS tells the app yes/no. The biometric never leaves your device.
• Minimal request payloads — Lumen chat requests include only your message, recent conversation history, and the system prompt. No device ID, no ad ID, no third-party identifiers.
• No tracking — zero analytics SDKs, ad networks, or telemetry.

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you by email within 72 hours as required by law.

🔄Changes to this policy

We may update this policy as the app evolves. The "Last updated" date at the top reflects the most recent change. Material changes — anything that expands what we collect or who we share it with — will be announced in-app or by email.

✉️Contact

Privacy questions, data-export, or data-deletion requests — a real human reads every message and responds within 48 hours.