Privacy Policy

Effective Date: 2026-04-16

Version 2026-04-16

This Privacy Policy explains how Paul Robson trading as OpenScripture (ABN 50194020106) (“we,” “us,” “our”) collects, uses, and protects your personal information when you use the OpenScripture application and website (“Service”).

We are committed to protecting your privacy and handling your data in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Information We Collect

1.1 Information You Provide

  • Account information: When you create an account, we collect your email address and display name. If you sign in with Google, we receive your name, email address, and profile picture from Google.
  • User content: Notes, highlights, custom translation text, word locks, and reading preferences you create within the Service.
  • Payment information: If you subscribe to the premium tier, payment is processed by our payment provider (Stripe). We do not store your credit card number or bank details. We receive confirmation of your subscription status, billing period, and transaction amounts.
  • Communications: If you contact us via email, we collect your email address and the content of your message.
  • Waitlist: If you join our waitlist via the marketing website, we collect your email address.

1.2 Information Collected Automatically

  • Usage data: Pages visited, features used, reading patterns (e.g., which books/chapters are read, which translations are compared), session duration, and interaction events. This data is collected in aggregate and is not linked to identified individuals unless you are signed in.
  • Device information: Browser type, operating system, screen resolution, and device type (mobile/desktop).
  • Log data: IP address, access times, and referring URLs. IP addresses are not stored long-term and are used only for security and abuse prevention.

1.3 Cookies and Local Storage

We use:

  • Essential cookies: For authentication session management (Supabase Auth cookies). These are necessary for the Service to function and cannot be disabled.
  • Local storage: To persist your reading preferences, settings, highlights, notes, and other user content on your device. This data stays on your device and is not transmitted to us unless you have an account and use the sync feature.
  • Analytics cookies: [If/when implemented] To understand how the Service is used in aggregate. These can be disabled.

We do not use advertising cookies or tracking pixels. We do not sell or share your data with advertisers.

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Sync your preferences, notes, and highlights across devices (if you have an account)
  • Process premium subscription payments
  • Respond to your questions and support requests
  • Send you important Service updates (e.g., changes to Terms of Service, security alerts)
  • Analyse usage patterns in aggregate to improve the Service
  • Prevent abuse, fraud, and security threats

We do not use your information to:

  • Train AI or machine learning models
  • Sell to or share with third parties for marketing purposes
  • Send unsolicited marketing emails (unless you have opted in to our newsletter/waitlist)
  • Build advertising profiles

3. How We Share Your Information

We share your information only in the following circumstances:

  • Service providers: We use third-party services to operate the Service, including Supabase (database hosting and authentication), Vercel (website and app hosting), and Stripe (payment processing). These providers access your data only to perform services on our behalf and are bound by their own privacy policies and data protection obligations.
  • Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Business transfers: If OpenScripture is acquired or merged with another entity, your information may be transferred as part of that transaction. We will notify you of any such change.

We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes.

4. Data Storage and Security

Your data is stored on servers operated by Supabase (hosted on AWS infrastructure). Data may be stored in regions outside Australia, including the United States. By using the Service, you consent to this transfer.

We implement reasonable security measures to protect your information, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure authentication via Supabase Auth (magic links and OAuth)
  • Input validation and XSS sanitisation
  • Security headers (CSP, HSTS, X-Frame-Options)
  • Row-level security on database tables

No method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly if we become aware of a data breach affecting your personal information.

5. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information that we hold
  • Correct inaccurate or incomplete personal information
  • Request deletion of your personal information (subject to any legal obligations we have to retain it)
  • Withdraw consent for optional data processing (e.g., analytics)
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your information

To exercise any of these rights, contact us at openscriptureapp@gmail.com. We will respond within 30 days.

For users in the European Economic Area (EEA) or United Kingdom

If you are located in the EEA or UK, you may also have rights under the General Data Protection Regulation (GDPR), including the right to data portability and the right to restrict processing. Our legal basis for processing your data is: consent (for optional features like analytics), contractual necessity (for providing the Service), and legitimate interests (for security and service improvement).

6. Data Retention

  • Account data: Retained for as long as your account is active, plus 90 days after deletion to allow recovery.
  • User content (notes, highlights, preferences): Retained for as long as your account is active. Deleted within 90 days of account deletion.
  • Usage analytics: Retained in aggregate (non-identifiable) form indefinitely. Individual session data is retained for no more than 12 months.
  • Payment records: Retained for 7 years as required by Australian tax law.
  • Waitlist emails: Retained until you unsubscribe or the waitlist is closed.
  • Support correspondence: Retained for 2 years after resolution.

7. Children’s Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us and we will delete it promptly.

Users between 13 and 18 may use the Service with parental or guardian consent, as described in our Terms of Service.

8. Third-Party Links

The Service may contain links to third-party websites (e.g., Bible publisher websites, commentary sources). We are not responsible for the privacy practices of these third-party sites. We encourage you to review their privacy policies.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the “Last Updated” date. For material changes, we will also notify registered users by email.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

OpenScripture
Email: openscriptureapp@gmail.com
Website: openscripture.io

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:

OAIC
Website: www.oaic.gov.au
Phone: 1300 363 992