VerseRootsBack to app

Privacy Policy

Your study is yours.

We keep what we need to make VerseRoots work, and nothing more. This page explains what we collect, where it lives, who we share it with, and how to take it with you or ask us to delete it.

What we collect

When you use VerseRoots, we collect:

  • Account basics — your email address and first name, so we can sign you in and greet you.
  • Time zone — captured from your browser at signup (editable in Settings). We use it to set your daily reminder and the 3 AM local rollover for streaks and Grace Days.
  • Birth year — asked once at signup. We use it only to confirm you are 13 or older (see Children below). If you are under 13, we do not create an account and we discard the birth year right away.
  • Your study activity — which devotionals you have completed, flashcard reviews, quiz scores, streak count, XP, level, and Grace Day balance.
  • Your journal entries and reflections — the notes you write inside the devotional. These are yours. See How we handle your journal below.
  • Subscription state — plan (monthly or yearly), trial end date, next charge date, and cancellation status. This comes back to us from Shopify; we never see your card details.
  • Basic diagnostics — anonymized page views, feature usage, and crash reports, so we can fix what is slow or not working right (see Analytics and error reporting).

How we handle your journal

Your journal entries get special treatment. They are written on your device, stored on our database (Supabase managed Postgres) with AES-256 encryption at rest, and sent over TLS in transit.

Session replay and analytics tools never capture the contents of your journal, the scripture passage you are reading, or any other text you type. Every journal field and scripture block in the app is tagged so our analytics provider masks it at the source.

We do not sell, trade, or share the text of your journal with anyone. No human on our team reads your entries as part of normal operations. If you export your data or delete your account, your journal follows the rules you pick.

Who we share data with

To run VerseRoots we rely on a small set of vetted service providers. Each one only sees the slice of data it needs to do its job.

  • Supabase — hosts our database and authentication. Your account, study activity, and journal entries live here, encrypted at rest.
  • Resend — sends transactional email (welcome, trial reminders, cancellation confirmations, password resets). They see your email address and the message we send to you.
  • PostHog — product analytics. Configured with input masking on so journal text, scripture text, and identifying fields are never captured in session replay.
  • Sentry — error monitoring. We scrub personally identifying fields from error payloads before they reach Sentry.
  • Shopify and Recharge — process your purchase and recurring subscription. They handle card details and billing; we only receive subscription state (plan, trial end, next charge, cancellation).

We do not sell your personal information. We do not share it with advertisers. If a legal process ever requires us to disclose data, we push back where we can and tell you where the law allows.

Analytics and error reporting

We use PostHog to understand which features help people stay in their study rhythm, and Sentry to catch bugs before they bother more than a handful of people. Both are configured with privacy in mind:

  • Session replay runs with input masking on. Your typed text is never recorded.
  • Journal fields and scripture containers are tagged so they are masked at the DOM level.
  • Sentry error reports scrub email, journal text, and scripture content before transmission.
  • We do not use Google Analytics, advertising pixels, or cross-site tracking of any kind.

Cookies

VerseRoots uses only the cookies required to keep you signed in. These are httpOnly session cookies set by our authentication system. We do not use tracking cookies, advertising cookies, or third-party cookies for analytics.

Your rights

You control your data. From Settings inside the app you can:

  • Export your data. We email you a JSON bundle with your journal entries, stats, and progress.
  • Delete your account. We soft-delete your account and queue a full erase after a 30-day restore window, in case you change your mind. After 30 days, your journal and study activity are removed from our active systems. Backups roll off on their own schedule (typically within 90 days).
  • Opt out of notifications. Turn off email reminders, push notifications, or both.
  • Opt out of the leaderboard. Your study activity stays private and your display name does not appear on any ranking.

If you live somewhere with extra privacy rights (California, the EU, the UK, Virginia, Colorado, and others), you have the right to request a copy of your data, correct it, or ask us to delete it. Email privacy@verseroots.com and we will respond within 30 days.

Children (COPPA)

VerseRoots is for people 13 and older. At signup we ask for your birth year. If the math says you are under 13, we block the account from being created and we discard the birth year right away. We do not knowingly collect personal information from anyone under 13.

If you are a parent or guardian and you believe a child under 13 has created an account or had data collected about them, email privacy@verseroots.com. We will delete the account and any data within 30 days and confirm the erase in writing.

Data retention

We keep your data as long as your account is active. When you delete your account, we start a 30-day restore window, then erase your journal and study activity from our active systems. Anonymized analytics events with no link back to you may be retained longer for product research. Billing records we are required to keep for tax and accounting purposes are retained per applicable law (typically seven years).

Security

We use TLS for data in transit and AES-256 encryption at rest for our database. We keep access to production data limited to the smallest set of team members who need it, and we log that access. No system is perfectly secure, but we take reasonable steps to protect what you share with us.

Changes to this policy

If we make a material change, we will email the address on your account at least 30 days before the change takes effect and post a notice in the app. The date at the bottom of this page always reflects the most recent revision.

Contact

Questions, requests, or concerns? Email privacy@verseroots.com. A real person will read it and respond.