Privacy Policy

This is a translation of the German Privacy Policy (Datenschutzerklärung). In case of any discrepancy, the German version shall be the legally binding document.

Last updated: March 18, 2026

1. Data Controller

Theosis OÜ
Harju maakond, Tallinn, Kesklinna linnaosa
Registry code: 270425
Email: support@theosis-app.com

Competent data protection supervisory authority: Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia.

2. Overview of Processing

THEOSIS is an Orthodox spiritual companion app. We process personal data exclusively within the scope of the purposes and legal bases described below.

3. Data Collected and Purposes

3.1 Registration and Authentication

Upon registration, we collect:

• Email address (required)
• Name (optional; obtained from the provider in case of social login)
• Provider ID (Google or Apple ID in case of social login)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Social login data is processed only on the basis of your active decision.

Provider: Authentication is handled via Supabase Auth (GoTrue), hosted in the EU (AWS Frankfurt). In case of social login, data is transmitted from Google LLC or Apple Inc. (see Section 8).

3.2 App Usage Data

During use of the App, we store the following in your user account:

• Reading progress, bookmarks, notes, highlights
• Prayer history and settings
• Onboarding preferences (chosen path, interests)
• Gamification data (experience points, badges, streaks)
• Settings (language, calendar type, font size, theme)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.3 Community Features

When you use community features, the following data is processed:

• Community posts, questions, and answers (publicly visible to other users)
• Friend requests and connections
• Username and profile picture (publicly visible)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Note on AI moderation: Community posts are automatically reviewed by an AI system (Google Gemini via OpenRouter) for violations of the community guidelines. No automated decision with legal effect is made; flagged content is reviewed manually. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the safety of the community).

3.4 Payment Data

When subscribing (EUR 55/year), payment data is processed exclusively by Stripe, Inc. We only store the subscription status and Stripe Customer ID, but no payment method details.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.5 Transactional Emails

We send you the following emails:

• Confirmation email upon registration
• Password reset
• Welcome email after onboarding

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.6 Marketing Emails (Drip Campaign)

After registration, you may opt in to our welcome email series (day 1, 3, and 7 after registration). These emails contain tips on using the App and invitation codes.

Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time -- in the settings under "Email notifications" or via the unsubscribe link in each email.

3.7 Error Reports and Performance

For error detection, we use Sentry. Technical data such as stack traces, browser information, and (anonymized) IP addresses are transmitted. A sampling rate of 10% applies.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the stability of the App).

3.8 Rate Limiting

To protect against abuse, we use Upstash Redis for rate limiting. IP addresses and request counters are stored for a short period.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).

4. Cookies and Tracking

4.1 Strictly Necessary Cookies

• Supabase Auth Cookies: Session management (strictly necessary)
• tw_ok: Whitelist cache cookie (5 min, httpOnly) -- access control
• NEXT_LOCALE: Language selection

Legal basis: Art. 6(1)(f) GDPR (legitimate interest); strictly necessary under applicable ePrivacy legislation.

4.2 Analytics and Marketing Cookies

We only deploy analytics and marketing cookies when you actively consent via our consent banner (Usercentrics):

• Google Analytics 4 (via Google Tag Manager) -- usage analysis
• Meta Pixel -- conversion tracking
• TikTok Pixel -- conversion tracking
• Klaviyo -- email marketing analytics

Legal basis: Art. 6(1)(a) GDPR (consent via Usercentrics). The default consent setting is "declined" (Consent Mode v2) -- without your active consent, no tracking cookies are set.

You may withdraw your consent at any time via the cookie banner (fingerprint icon at the bottom left or in the settings).

5. Recipients and Data Processors

We share your data with the following categories of recipients:

5.1 Hosting and Infrastructure

• Supabase, Inc. -- Database, authentication, storage (AWS Frankfurt, EU)
• Vercel, Inc. -- Hosting, CDN, Edge Functions (Frankfurt region)
• Upstash, Inc. -- Redis rate limiting (EU)

5.2 Authentication

• Google LLC -- Google OAuth (social login): email, name, profile picture URL, Google ID
• Apple Inc. -- Apple OAuth (social login): email (possibly relay address), name, Apple ID

5.3 Communication

• Resend, Inc. -- Email delivery (transactional and marketing emails)

5.4 Payment Processing

• Stripe, Inc. -- Subscription management, payment processing (PCI-DSS certified)

5.5 Analytics and Marketing (with consent only)

• Google LLC -- Google Analytics 4, Google Tag Manager
• Meta Platforms, Inc. -- Meta Pixel
• ByteDance Ltd. -- TikTok Pixel
• Klaviyo, Inc. -- Email marketing tracking
• Usercentrics GmbH -- Consent management

5.6 Error Tracking

• Sentry (Functional Software, Inc.) -- Error/performance tracking

5.7 AI Services

We use AI models for various functions. Processing is carried out through the following providers:

• OpenRouter, Inc. -- AI aggregator/router (forwards requests to the respective model providers)
• Google LLC (Gemini) -- Community moderation, content translations (via OpenRouter)
• OpenAI, Inc. (GPT) -- Text processing and generation (via OpenRouter)
• Anthropic, PBC (Claude) -- Text processing, translations, support assistance (via OpenRouter or directly)
• Groq, Inc. -- Speech-to-text processing (Voice API)
• ElevenLabs, Inc. -- Text-to-speech for liturgical texts

Note: For community moderation, user-generated content is transmitted to the respective AI provider. The providers process this data exclusively for the purpose of fulfilling the request and do not use it for training their own models (API usage). For all other AI functions (translations, TTS), no personal data is transmitted.

6. Transfers to Third Countries

Some of our data processors are based in the United States. Data transfers are carried out on the basis of the EU-US Data Privacy Framework (DPF) pursuant to Art. 45(3) GDPR and/or on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Specifically:

• Google, Apple, Vercel, Supabase, Stripe, Sentry, Resend, Klaviyo, Meta: EU-US DPF + SCCs
• OpenAI, Anthropic: EU-US DPF + SCCs
• ByteDance (TikTok): SCCs -- only with your explicit consent via the consent banner
• OpenRouter, ElevenLabs, Groq: SCCs

7. Data Retention

• Account data: Until deletion of your account
• Usage data (progress, notes, etc.): Until deletion of your account
• Payment data (at Stripe): In accordance with statutory retention periods (6-10 years)
• Error reports (Sentry): 90 days
• Rate limit data: A few minutes (automatic deletion)
• Password reset tokens: 1 hour (automatic deletion)
• Server logs (Vercel): 30 days
• Consent records: 3 years (in accordance with documentation obligations)

8. Your Rights

Under the GDPR, you have the following rights:

• Access (Art. 15) -- You may request information about the data we process about you.
• Rectification (Art. 16) -- You may request the correction of inaccurate data.
• Erasure (Art. 17) -- You may request the deletion of your data. Upon account deletion, all your data is immediately and permanently deleted from 18 database tables.
• Restriction (Art. 18) -- You may request the restriction of processing.
• Data portability (Art. 20) -- You may receive your data in a machine-readable format.
• Objection (Art. 21) -- You may object to processing based on legitimate interests.
• Withdrawal of consent (Art. 7(3)) -- You may withdraw consent at any time (e.g., cookies via the banner, marketing emails in the settings).

To exercise your rights, please write to: support@theosis-app.com

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:

Andmekaitse Inspektsioon (AKI)
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Web: https://www.aki.ee

You may also contact the supervisory authority of the member state in which you reside or are located.

10. Account Deletion

You may delete your account at any time in the App settings, or contact support@theosis-app.com. Upon deletion, all personal data is immediately and permanently removed from 18 database tables (cascade deletion). Recovery is not possible.

11. Changes

We reserve the right to amend this Privacy Policy as needed, for example in the event of changes to our services or the legal situation. The current version is always available at this URL.