Legal

Privacy Policy

Last updated: April 2026

Who we are and how to reach us

Divinely.me ("Divinely", "we", "us", "our") is a web application providing AI-assisted Christian spiritual guidance. We act as the data controller for all personal data processed through the Divinely service, meaning we determine why and how your data is used.

This Privacy Policy applies to all users of divinely.me and explains, in plain language, what personal data we collect, on what legal basis, how it is used and stored, who it is shared with, and the rights you have under the UK GDPR and EU GDPR.

Contact: privacy@divinely.me — we aim to respond to all privacy enquiries within 5 business days and to any formal rights request within 30 calendar days.

Data we collect and why

We collect only data that is necessary to provide and improve our service. The table below sets out each category of personal data, the purpose for which it is collected, and the legal basis under which it is processed.

Account data

Data collected

Email address; hashed password (if using email sign-in); authentication tokens.

Purpose

To create and authenticate your account and allow you to access the service.

Legal basis

Contract performance (Article 6(1)(b) UK/EU GDPR)

Profile data

Data collected

Optionally: first name, denomination, life stage, faith journey, personal struggles, preferred language, and Bible translation.

Purpose

To personalise AI responses to your faith background and preferences. You provide this voluntarily.

Legal basis

Consent (Article 6(1)(a)) — you may remove it at any time in Settings.

Conversation history

Data collected

Messages you send and AI-generated responses.

Purpose

To provide continuity of conversation and to allow you to review past reflections. Free users' messages are processed but not stored after the session.

Legal basis

Contract performance (Article 6(1)(b))

Prayer journal entries

Data collected

Text you write in the private prayer journal (Max plan only).

Purpose

To store your private journal entries. These are never shared and never sent to AI models unless you explicitly press "Reflect on my prayers".

Legal basis

Contract performance (Article 6(1)(b))

Devotional records

Data collected

Daily devotionals generated for your account.

Purpose

To deliver your daily devotional and avoid regenerating the same content.

Legal basis

Contract performance (Article 6(1)(b))

Usage data

Data collected

Daily message counts, last request timestamp, subscription tier, AI model used per message, bookmark and prayer wall activity.

Purpose

To enforce usage limits, prevent abuse, and provide accurate billing.

Legal basis

Legitimate interests (Article 6(1)(f)) — ensuring fair use and fraud prevention.

Billing data

Data collected

Stripe Customer ID, subscription status, plan tier, and payment timestamps. We never see or store card numbers, CVCs, or bank details.

Purpose

To process your subscription and manage billing.

Legal basis

Contract performance (Article 6(1)(b)); Legal obligation for record-keeping (Article 6(1)(c)).

Analytics data

Data collected

Aggregated, anonymised usage patterns (e.g. most-used features, session counts). No analytics are currently active.

Purpose

To understand how people use Divinely and improve the product.

Legal basis

Consent (Article 6(1)(a)) — only collected when you accept analytics cookies.

Push notification tokens

Data collected

Browser push subscription endpoint (if you enable notifications).

Purpose

To deliver opt-in push notifications.

Legal basis

Consent (Article 6(1)(a)) — you may revoke at any time via browser settings.

How AI processes your data

When you send a message, your text is transmitted to a third-party AI provider to generate a response. Please do not send sensitive personal data — such as government ID numbers, financial account details, or medical records — through the chat.

All AI responses are generated by Google LLC using the Google Gemini model, across all subscription plans (Free, Standard, and Max). Processing is governed by a GDPR-compliant Data Processing Agreement between Divinely and Google.

  • Google does not use your conversation data to train its models under the terms of our agreement.
  • Your messages are processed in accordance with Google's sub-processor commitments and Standard Contractual Clauses for international transfers.
  • Prayer journal entries are never sent to Google or any AI provider unless you explicitly press "Reflect on my prayers".
  • Bookmarks, profile settings, and devotional preferences are not sent to AI providers.

Who we share your data with

We do not sell, rent, or trade your personal data. We share data only with the following service providers who act as our data processors, bound by data processing agreements:

ProviderRoleLocation
Supabase Inc.Database hosting, authentication, and storageEU / USA (SCCs)
Vercel Inc.Application hosting and edge deliveryEU / USA (SCCs)
Google LLCAI response generation (Gemini API)USA (SCCs + DPA)
Stripe Inc.Payment processing and subscription managementUSA (SCCs)
Resend Inc.Transactional email deliveryUSA (SCCs)

We may also disclose data where required by law, court order, or to protect the safety of users or the public. We will notify you of any such disclosure where legally permitted to do so.

International data transfers

Our primary infrastructure is hosted in the EU (Supabase EU region, Vercel EU edge). Where data is processed outside the UK or EEA — including by Google, Stripe, and Resend in the United States — transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with each sub-processor
  • Technical and organisational safeguards (encryption in transit and at rest)

UK users are protected by the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.

Data retention

  • Conversations and messages — retained for the lifetime of your account, or until you delete individual conversations from chat history.
  • Prayer journal entries — retained until you delete them or delete your account.
  • Devotional records — retained for 90 days, then deleted automatically.
  • Usage data — daily query counts are retained for 90 days for fraud prevention, then permanently deleted.
  • Account and profile data — retained until you delete your account. After deletion, all personal data is permanently removed within 30 days, except where a longer retention period is required by law.
  • Billing records — Stripe retains transaction records for 7 years as required by financial regulations. We retain only anonymised billing summaries (amount, date, plan) after account deletion.
  • Analytics data — aggregated only; individual records are not retained beyond 13 months.

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. These include:

  • Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security policies on all database tables, ensuring users can only access their own data
  • Supabase authentication with HttpOnly, Secure session cookies
  • Server-side-only access to all API keys and secrets (none exposed to the browser)
  • Regular review of access controls and third-party processor agreements

No transmission of data over the internet is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee the absolute security of data transmitted to or from our service.

If you discover a security vulnerability, please report it responsibly to privacy@divinely.me. We will acknowledge your report within 2 business days.

Your rights under UK/EU GDPR

You have the following rights in relation to your personal data. To exercise any of them, email privacy@divinely.me. We will respond within 30 calendar days and will not charge a fee for reasonable requests.

  • Right of access (Article 15) — request a copy of all personal data we hold about you. You can also export your conversation history and journal directly from Settings → Export data.
  • Right to erasure (Article 17) — delete your account and all associated data from Settings → Account → Delete account. Data is permanently removed within 30 days.
  • Right to rectification (Article 16) — correct inaccurate personal data by updating your profile in Settings at any time.
  • Right to restriction (Article 18) — request that we restrict processing of your data while a complaint or dispute is being resolved.
  • Right to portability (Article 20) — receive your conversation history and journal entries in a structured, machine-readable format (JSON) via Settings → Export data.
  • Right to object (Article 21) — object to processing based on legitimate interests (e.g. usage analytics). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Article 7(3)) — withdraw consent for optional data processing (profile personalisation, analytics, marketing cookies) at any time in Settings or via the cookie preference centre. Withdrawal does not affect the lawfulness of prior processing.
  • Right not to be subject to automated decisions (Article 22) — Divinely does not make solely automated decisions that produce significant legal or similarly significant effects.

If you are unhappy with how we handle your personal data or a rights request, you have the right to lodge a complaint with your national supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • Ireland: Data Protection Commission (DPC) — dataprotection.ie
  • EU: Your national data protection authority — edpb.europa.eu/about-edpb/about-edpb/members

Children

Divinely is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that a child under 16 has provided us with personal data, we will delete that data promptly. If you believe a child under 16 has created an account, please contact us at privacy@divinely.me.

Cookies

We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time via the consent banner or by contacting us.

Changes to this policy

We may update this Privacy Policy when we change how we process personal data, add new features, or when required by law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all registered users at least 14 days before changes take effect
  • Display a notice within the app for 30 days after the change

For changes that require renewed consent (such as new categories of data processing), we will request your explicit consent before proceeding.

Contact and data controller details

Data controller: Divinely.me

Privacy enquiries: privacy@divinely.me

General support: support@divinely.me

We aim to respond to all privacy enquiries within 5 business days and formal rights requests within 30 calendar days, free of charge.