Privacy Policy
Effective Date: April 23, 2026
RhemaOS ("we", "us", "our") operates the RhemaOS platform at rhemaos.app. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data.
What We Collect
When you use RhemaOS, we collect and store the following categories of data:
Account Information
Your email address, display name, and authentication credentials. This data is required to create and maintain your account.
Prayer History
Records of which Scripture chapters and verses you have prayed through, including the prayer adaptation used, timestamps, and completion status. This powers your progress tracking and streak features.
Bible Study Data
Notes and highlights you create while studying Scripture are stored per user. This data is private to your account and is permanently deleted when your account is deleted.
Personal Context
If you provide personal context to customise your prayer experience (via Altar Programs), this data is treated as sensitive. It is:
- Never logged — not written to any server log, analytics pipeline, or monitoring system
- Never shared — not disclosed to third parties, not used for advertising, not included in aggregated analytics
- Never exposed in admin views — platform administrators cannot see your personal context
- Permanently deleted when your account is deleted
Usage Data (Consent-Gated)
If you accept analytics cookies on the banner, we collect anonymised usage metrics (pages visited, features used) via PostHog and Google Analytics 4 to improve the product. No personal context, prayer content, or Bible study notes are included in analytics data. IP addresses are anonymised.
Advertising Attribution (Consent-Gated)
If you accept advertising cookies on the banner, we record that your visit originated from one of our paid ad campaigns (via TikTok Pixel or Google Ads conversion tracking). This is used purely to measure campaign effectiveness — we do not receive profile data, demographics, or interest segments back from these platforms.
How We Use Your Data
Your data is used exclusively to:
- Provide and personalise your prayer and Bible study experience
- Enforce subscription tier limits (daily chapters, AI message caps)
- Process payments via LemonSqueezy (USD) and Flutterwave (NGN)
- Send transactional emails (account verification, password reset, subscription updates)
- Improve the platform based on aggregated, anonymised usage patterns (with your consent)
- Measure the effectiveness of our paid ad campaigns (with your consent)
Data Storage and Security
Your data is stored in Supabase (PostgreSQL) with row-level security (RLS) policies ensuring that each user can only access their own data. All connections are encrypted in transit via TLS. Service role access is restricted to server-side operations only.
Third-Party Processors
We share limited data with the following processors only to the extent necessary to provide the Service. Consent-gated processors are only engaged after you accept the cookie banner.
| Processor | Purpose | Consent Required | Privacy Policy |
|---|---|---|---|
| Supabase | Database and authentication | No (essential) | supabase.com/privacy |
| Vercel | Hosting and edge functions | No (essential) | vercel.com/legal/privacy-policy |
| Anthropic | AI prayer and study generation (Claude) | No (essential to feature) | anthropic.com/privacy |
| OpenAI | Bible audio TTS | No (essential to feature) | openai.com/privacy |
| OpenRouter | AI request routing | No (essential to feature) | openrouter.ai/privacy |
| LemonSqueezy | Payment processing (USD) | No (essential at checkout) | lemonsqueezy.com/privacy |
| Flutterwave | Payment processing (NGN) | No (essential at checkout) | flutterwave.com/us/privacy |
| Sentry | Error monitoring | No (essential) | sentry.io/privacy |
| Brevo | Transactional email delivery | No (essential) | brevo.com/legal/privacypolicy |
| PostHog | Product analytics (anonymised) | Yes | posthog.com/privacy |
| Google Analytics 4 | Aggregated usage analytics | Yes | policies.google.com/privacy |
| TikTok Pixel | Ad conversion measurement | Yes | tiktok.com/legal/page/global/privacy-policy |
| Google Ads | Ad conversion measurement | Yes | policies.google.com/privacy |
GDPR Legal Bases
For users in the European Economic Area (EEA) and United Kingdom (UK), we process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance |
| Delivering prayer features and tracking | Contract performance |
| Payment processing | Contract performance |
| Transactional emails | Contract performance |
| AI prayer personalisation | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Newsletter emails | Consent |
| Product analytics (PostHog, GA4) | Consent |
| Advertising attribution (TikTok, Google Ads) | Consent |
| Legal and tax compliance | Legal obligation |
Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Deleted within 30 days of account deletion request |
| Prayer history | Until account is deleted |
| Bible study notes and highlights | Until account is deleted |
| Personal context (Altar Programs) | Until account is deleted or user removes it |
| Payment records | 7 years (legal and tax obligation) |
| AI session logs | Not retained beyond the session |
| Server and access logs | 30 days |
| Analytics events (consent-gated) | 12 months |
| Advertising attribution signals (consent-gated) | Up to 13 months (TikTok) / 90 days (Google Ads) |
Account Inactivity and Deletion
Free-tier accounts that have been inactive for 90 consecutive days are subject to automatic deletion. Before deletion occurs:
1. A warning email is sent at 60 days of inactivity
2. A second warning is sent at 75 days
3. A third warning is sent at 85 days
4. A final notice is sent at 89 days, giving you 24 hours to log in
Any login during the inactivity period resets the counter. Paid subscribers are never subject to inactivity deletion while their subscription is active.
Your Rights
You have the right to:
- Access — request a copy of all personal data we hold about you
- Correction — request correction of any inaccurate data
- Deletion — request permanent deletion of your account and all associated data
- Portability — request your data in a machine-readable format
- Withdraw Consent — withdraw optional analytics or advertising consent at any time by clearing site data and re-answering the cookie banner, or by emailing us
Contact
For any questions about this policy or your personal data:
- Email: legal@rhemaos.app
- Phone: +234 (0) 816 289 8032