Privacy Policy

Last Updated: February 21, 2026
Effective: February 21, 2026

This Privacy Policy explains how Tailored Devotional ("we", "us", "our") collects, uses, and protects your personal information in compliance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Data Controller

The data controller responsible for your personal data is Rikard Roitto, operating as Tailored Devotional.

Contact: support@tailoreddevotional.com

2. What Data We Collect

Account Information

  • Email address (required for account creation)
  • Display name (optional)
  • Preferred language
  • Country (optional)
  • Timezone (auto-detected, adjustable)

Preferences & Settings

  • Lectionary choice (which biblical reading tradition you follow)
  • Theologian selections (1-3 theological voices)
  • Spiritual interests (optional, user-provided text)
  • Life circumstances (optional, user-provided text)
  • Devotional style preferences (optional, user-provided text)
  • Piety style (contemplative, balanced, active)
  • Devotional length preference (short, medium, long)
  • Audio preferences (voice, provider, speed)

Usage Data

  • Generated devotionals (stored for your access)
  • Login timestamps
  • Last active date

Consent Records (GDPR Compliance)

  • Terms acceptance timestamp
  • Privacy policy acceptance timestamp
  • Age verification (confirmation you are 16+)

Special Categories of Personal Data (GDPR Article 9)

We may process special categories of data that require explicit consent:

  • Religious beliefs (implied by lectionary and theologian choices)
  • Health information (if you mention illness in "life circumstances")

Why this consent is necessary: The core function of the Service is to generate personalized Christian devotional content, which inherently involves processing data related to religious beliefs. The Service cannot fulfill its purpose without this processing. You may withdraw this consent at any time by deleting your account.

Important: We recommend you keep this information general rather than specific. For example, "chronic illness" rather than "I have diabetes" or "stage 3 cancer."

3. How We Use Your Data

Legal Basis for Processing

Purpose | Legal Basis
Account management | Contract performance
Generate personalized devotionals | Contract performance + Consent
Send email notifications | Consent (opt-in)
Service improvements | Legitimate interest
Process special category data (religious beliefs, health information) | Explicit consent (GDPR Art. 9(2)(a)), collected separately during account setup

Specific Uses

  • AI Content Generation: Your preferences, interests, and theologian selections are sent to Google Gemini and OpenAI APIs to generate personalized devotionals
  • Audio Generation: Devotional text is sent to OpenAI or ElevenLabs to create audio versions
  • Email Notifications: If enabled, we email you when your daily devotional is ready
  • Service Improvement: Anonymized usage patterns help us improve the Service

4. Data Sharing & Third-Party Processors

We share your data with these third-party processors to provide the Service. We have Data Processing Agreements (DPAs) in place with each processor, incorporating Standard Contractual Clauses where required by GDPR Article 28.

Provider | Purpose | Data Shared | Location
Supabase | Database & hosting | All account & preference data | EU (AWS Frankfurt)
Google Gemini | AI content generation | Preferences, interests, theologian selections, lectionary readings | USA
OpenAI | AI generation, embeddings, TTS | Same as Gemini + devotional text for audio | USA
ElevenLabs | Text-to-speech | Devotional text only | USA
Render | Web hosting | Application traffic | USA/EU
Resend | Email notifications | User email, notification content | USA

International Data Transfers

Some processors (Google, OpenAI, ElevenLabs, Render, Resend) are located in the USA. Data transfers are protected by:

  • EU-US Data Privacy Framework (DPF): Google and OpenAI are certified under the DPF, providing an adequacy basis for data transfers to these processors
  • Standard Contractual Clauses (SCCs): For processors not covered by the DPF, we rely on SCCs as approved by the European Commission (June 2021)

5. Data Retention

  • Active accounts: Data is retained for the duration of your account. Accounts inactive for more than 24 months may be flagged for deletion with 30 days' prior notice.
  • Generated devotionals: Stored for 12 months, after which they are automatically deleted to minimize data retention.
  • Deleted accounts: All personal data is deleted within 30 days of account deletion.
  • Anonymized analytics: May be retained indefinitely (cannot be linked back to you).
  • Legal obligations: Some data may be retained longer if required by law (e.g., tax records, fraud prevention).

6. Your Rights (GDPR)

You have the following rights regarding your personal data:

Right to Access

You can export all your data at any time via Settings → Export Data. You will receive a JSON file with all your information.

Right to Rectification

You can update your profile, preferences, and settings at any time via the Settings page.

Right to Erasure ("Right to be Forgotten")

You can delete your account at any time via Settings → Delete Account. This cannot be undone and will:

  • Permanently delete all your personal data
  • Remove all generated devotionals
  • Cancel any active subscriptions

Right to Data Portability

The export function provides your data in a machine-readable JSON format that can be transferred to another service.

Right to Object

You can object to processing based on legitimate interests by contacting us.

Right to Withdraw Consent

You can withdraw consent at any time by:

  • Disabling email notifications (Settings)
  • Deleting optional preference fields
  • Deleting your account entirely

Right to Lodge a Complaint

If you believe we have violated your privacy rights, you can file a complaint with your local data protection authority:

7. Data Security

We implement security measures including:

  • Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
  • Access controls: Row-level security (RLS) in database
  • Authentication: Secure login via Supabase Auth
  • Monitoring: Logging and alerting for suspicious activity

8. Cookies & Tracking

We use minimal, strictly necessary cookies:

  • Authentication cookies: Required for login sessions (cannot be disabled)
  • Language preference cookie (preferred_locale): Stores your selected UI language. This is a strictly necessary functional cookie under the ePrivacy Directive and does not require a cookie consent banner.
  • No advertising, analytics, or tracking cookies

9. Children's Privacy

The Service is not intended for children under 16 years old. We do not knowingly collect data from users under 16.

If you are under 16, do not use this Service. If we discover we have collected data from a user under 16, we will delete it promptly.

10. Privacy by Design

We recommend you follow these privacy best practices when using the Service:

✅ Good Privacy Practices

  • Use general terms: "grief" not "my daughter Emma's death"
  • Avoid identifying details: "chronic illness" not "stage 3 cancer"
  • No names or places: "career transition" not "I left Google"
  • Keep it broad: "new parent" not "my 6-month-old son Noah"

11. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via:

  • Email notification to registered users
  • In-app notification on next login
  • Updated "Last Updated" date at the top of this page

12. Contact Us

For privacy-related questions or to exercise your rights:

Email: support@tailoreddevotional.com
Subject line: "Privacy Request" or "GDPR Request"

We will respond within 30 days as required by GDPR.


By using Tailored Devotional, you acknowledge that you have read and understood this Privacy Policy.