GraceNotes Daily

Privacy Policy

Last updated: June 1, 2026

GraceNotes Daily is built around a simple conviction: what you write to God stays between you and God. This Privacy Policy explains in plain terms what personal information we collect, why we collect it, how we protect it, and what rights you have over it. It applies to all users of the GraceNotes Daily web application and any future mobile applications accessible at gracenotesdaily.com.

Please read this policy carefully. By creating an account or using GraceNotes Daily, you acknowledge that you have read and understood it.

1. Who We Are

GraceNotes Daily ("we," "us," or "our") is operated by GraceNotes Daily and accessible at https://www.gracenotesdaily.com. For privacy-related enquiries, you may contact us at privacy@gracenotesdaily.com.

For users in the European Economic Area (EEA) or United Kingdom, GraceNotes Daily acts as the data controller of your personal data as defined under the General Data Protection Regulation (GDPR) and the UK GDPR.

2. What Personal Data We Collect

We collect the following categories of personal data:

  • Account information: Your name, email address, and authentication credentials. If you sign in via Google OAuth, we receive your name, email address, and profile image from Google.
  • Profile and preference data: Your faith phase (exploring, growing, or deepening), preferred daily rhythms (morning, midday, evening, night), current life seasons, tone preferences, Bible translation preference, and time zone. You provide this during onboarding and may update it in Settings.
  • User-generated spiritual content: Heart Notes (daily journal reflections), prayer entries including any you mark as answered, devotional responses, and daily chat messages. This is the most sensitive category of data we hold. It is private by design and is never used for advertising, never sold, and never shared with third parties for their own purposes.
  • Usage and habit data: Daily habit completion records (whether you completed your devotional, daily message, and heart note on a given day), streak counts, and journey archive data. This is used solely to display your progress within the app.
  • Device and technical data: Browser type and version, operating system, IP address, and general geographic location (country/region level only). This data is collected automatically when you access the service and is used for security, fraud prevention, and service improvement.
  • Communications: If you contact us by email or through a contact form, we retain records of that correspondence.

3. How We Collect Your Data

We collect data in three ways: (1) directly from you when you create an account, complete onboarding, or use the app; (2) automatically through your use of the service via cookies, server logs, and similar technologies; and (3) from third-party authentication providers (currently Google) when you choose to sign in using those services.

We use session cookies necessary for authentication and service delivery. We do not use advertising cookies or third-party tracking cookies.

Preference cookie ("gn_has_account"): When you successfully sign in or create an account on a device, we set a small non-essential cookie on that device that simply records "this device has signed in before." It contains no personal information and no identifier. We use it only to decide whether the sign-in page should greet you as a returning user ("Welcome back") or a new visitor ("Begin your journey"). It expires after one year. Clearing it from your browser has no effect on your account or your data — you can sign in exactly the same way. The cookie is set by GraceNotes Daily directly and is not shared with any third party.

4. Legal Basis for Processing (GDPR)

If you are located in the EEA or UK, we rely on the following legal bases under the GDPR:

  • Contract performance: Processing your account information and user-generated content is necessary to provide the service you signed up for.
  • Legitimate interests: We process technical and usage data to maintain security, prevent abuse, and improve the service. Our legitimate interests do not override your fundamental rights.
  • Legal obligation: In limited circumstances, we may process data to comply with applicable law.
  • Consent: Where we rely on consent, such as for optional communications, you may withdraw it at any time without affecting prior processing.

5. How We Use Your Data

We use your personal data only for the purposes for which it was collected:

  • To provide, personalise, and improve the GraceNotes Daily service
  • To generate your daily grace note, devotional, and AI-powered responses, personalised to your profile and spiritual journey
  • To maintain your streak, habit records, and journey archive
  • To authenticate your identity and maintain account security
  • To respond to support enquiries
  • To comply with legal obligations
  • To send you service-related notifications (never marketing without your explicit consent)

We do not use your data to build advertising profiles, sell to data brokers, or train AI models on your personal spiritual content.

6. Artificial Intelligence Processing

GraceNotes Daily uses artificial intelligence to generate personalised spiritual content. Specifically:

  • Claude by Anthropic: Used to generate your daily grace note, devotional reading, and responses to heart notes. Your profile data (faith phase, rhythms, seasons, voice preference) is sent to Anthropic's API to personalise generation. The content of your individual journal entries and prayers is not sent to Anthropic unless you are using the heart note response feature, in which case the text of that specific entry is transmitted solely to generate a response for you.
  • OpenAI GPT: Used to generate conversational replies in the daily chat feature. Your chat messages are transmitted to OpenAI's API for this purpose only.

Both Anthropic and OpenAI are contractually prohibited from using API inputs to train their models unless you separately consent through their own platforms. Your spiritual content is processed for the sole purpose of generating your personalised response and is not retained by these providers beyond the context of each request.

AI-generated content in GraceNotes Daily is for personal spiritual enrichment only. It is not a substitute for pastoral care, professional counselling, or medical advice. We make no representations that AI-generated devotionals or grace notes are doctrinally authoritative.

7. Third-Party Service Providers

We share limited personal data with the following categories of trusted third-party providers, solely to operate the service:

  • Supabase: Our database and authentication infrastructure provider. Your account data, user-generated content, and habit data are stored in Supabase. Supabase is SOC 2 Type II compliant and encrypts data at rest and in transit.
  • Cloudflare: Our hosting and edge delivery provider. Cloudflare processes technical request data (IP addresses, headers) as part of delivering the service and providing security protections.
  • Google (OAuth): If you sign in with Google, Google processes your authentication. We receive only your name, email, and profile image.
  • Anthropic: AI model provider. See Section 6 above.
  • OpenAI: AI model provider. See Section 6 above.
  • Future payment processors: We anticipate introducing premium subscription features and an in-app store in future. If and when payments are enabled, they will be processed by a PCI DSS-compliant payment provider such as Stripe. GraceNotes Daily will not store your full card number or payment credentials. We will update this policy and notify you before any payment processing begins.

We do not sell your data to any third party. We do not share your personal data with advertisers, data brokers, or analytics companies for their own commercial use.

8. International Data Transfers

GraceNotes Daily operates from servers located in the United States. If you are accessing the service from the European Economic Area, United Kingdom, or other jurisdictions with data protection laws, your personal data will be transferred to and processed in the United States.

Where required by applicable law, such transfers are made subject to appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms under UK law. You may request details of the transfer mechanisms in place by contacting us at privacy@gracenotesdaily.com.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service. If you delete your account, your personal data including all journal entries, prayers, and heart notes will be permanently deleted within 30 days of your deletion request, except where retention is required to comply with a legal obligation or to resolve a dispute.

Anonymised, aggregated usage statistics that cannot identify you personally may be retained indefinitely for service improvement purposes.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate data. Most profile data can be updated directly in Settings.
  • Right to erasure ("right to be forgotten"): You may request deletion of your personal data. You can delete your account directly in Settings, which initiates permanent deletion of all your content.
  • Right to data portability: You may request your personal data in a structured, machine-readable format.
  • Right to object: You may object to processing based on legitimate interests.
  • Right to restrict processing: You may request that we limit how we use your data in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority. In the EU, this is your national supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us at privacy@gracenotesdaily.com. We will respond within 30 days.

11. Data Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of data at rest in our database infrastructure
  • Row-level security policies ensuring no user can access another user's data
  • Access controls limiting which personnel can access production systems
  • Authentication through industry-standard OAuth 2.0 protocols

No method of transmission over the internet or electronic storage is 100% secure. While we take robust precautions, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

12. Children's Privacy

GraceNotes Daily is not directed at children under the age of 13 (or 16 in certain EEA jurisdictions). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data without appropriate consent, please contact us at privacy@gracenotesdaily.com and we will delete it promptly.

13. Future Commerce and Payments

GraceNotes Daily may introduce premium subscription tiers, digital goods, and a curated in-app store featuring Christian products and resources in future. Any such features will be clearly labelled, opt-in, and will not be introduced without advance notice to existing users and an update to this Privacy Policy.

If payment processing is introduced, it will be handled by a PCI DSS-compliant third-party provider such as Stripe. GraceNotes Daily will not store full payment card details. Any personal data processed for commerce purposes will be described in an updated version of this policy prior to activation.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and display a notice within the app at least 14 days before the changes take effect. Your continued use of GraceNotes Daily after the effective date of any update constitutes acceptance of the revised policy.

The date at the top of this page always reflects when the policy was last updated.

15. Contact Us

For any questions, requests, or concerns about this Privacy Policy or the handling of your personal data, please contact us:

  • Email: privacy@gracenotesdaily.com
  • Website: https://www.gracenotesdaily.com/contact

We aim to respond to all privacy-related enquiries within 5 business days.