Privacy Policy

1. Introduction

OnePulse ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our mobile application (available on iOS and Android) and related services (collectively, the "Service").

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service.

For details about website cookies and similar technologies, see our Cookie Policy at cookie-policy.html.

2. Information We Collect

2.1 Information You Provide Directly

2.1.1 Account Registration

When you create an OnePulse account, we collect:

• Email address (required)
• Password (securely hashed and managed by our authentication provider, Supabase)
• First name and last name
• Username (unique identifier)
• Display name
• Phone number (optional)

2.1.2 Profile Information

To help you connect with the Christian community, we collect:

• Bio/about section
• Spiritual testimony
• Favorite Bible verse
• Religious denomination
• Spiritual gifts
• Baptism date
• Salvation date
• Date of birth
• Gender identity
• Avatar image (profile picture)
• Cover image

2.1.3 Location Information

• Country, state/province, and city (user-provided)
• Precise GPS coordinates (latitude/longitude) - optional, used to connect you with nearby churches and community groups
• Timezone

2.1.4 User-Generated Content

We collect and store:

• Posts and comments you publish
• Reactions (likes, prayers, etc.) to other users' content
• Prayer requests and their specified privacy levels
• Prayer journal entries
• Bible notes and highlights
• Bookmarks of favorite content
• Direct messages between users
• Circle and hub participation and activity
• Media attachments (images, videos)

2.1.5 Communication Data

We retain records of:

• Messages you send via our in-app messaging service
• Support inquiries and correspondence
• Feedback, suggestions, or complaints you submit

2.2 Information Collected Automatically

2.2.1 Device Information

Through our error monitoring service (Sentry), we automatically collect:

• Device model and manufacturer
• Operating system version
• App version
• Device identifiers (for crash tracking purposes only)
• Crash reports and stack traces

2.2.2 Usage Analytics

Through Mixpanel (opt-in), we may collect:

• Features used and frequency
• Time spent in the app
• Session duration
• User interactions with interface elements
• App performance metrics

2.2.3 Push Notification Data

Through OneSignal, we collect and store:

• Device token (for delivering push notifications)
• Notification preferences and opt-out settings
• Notification engagement data (opened, dismissed)

2.2.4 Server Log Data

Our servers automatically log:

• IP address
• Request type and timestamp
• Pages or features accessed
• Error messages
• Approximate location (derived from IP)

2.3 Information from Third Parties

We may receive information about you from:

• Apple App Store or Google Play Store when you download our app (basic app analytics)
• Third-party sign-in providers if you use alternative authentication methods
• Other users who may upload contact lists or mention you in content
• Service providers and business partners with your consent

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Core Service Delivery

• Creating and maintaining your account
• Processing your registration and authentication
• Storing and displaying your profile information
• Delivering our messaging, prayer request, journal, and community features
• Connecting you with other users and communities
• Processing transactions and providing customer support

3.2 Location-Based Services

• Showing nearby churches, prayer groups, and community events in your area
• Connecting you with users in your geographic region (if you opt in)
• Improving local community recommendations

3.3 Communication

• Sending service-related announcements and updates
• Responding to your inquiries and support requests
• Sending push notifications about prayer requests, messages, and community activity (respecting your notification preferences)
• Sending email confirmations and account security notifications

3.4 Safety and Security

• Detecting, preventing, and addressing fraud, abuse, and security incidents
• Protecting against malicious, deceptive, or illegal activity
• Enforcing our Terms of Service and other legal agreements
• Complying with legal obligations and law enforcement requests

3.5 Analytics and Improvement

• Analyzing how users interact with our Service
• Identifying and fixing technical issues and bugs
• Understanding usage patterns to improve features and user experience
• Conducting research on community engagement and spiritual growth features
• Optimizing app performance and loading times

3.6 Personalization

• Customizing content recommendations based on your interests
• Tailoring notifications to your preferences
• Remembering your preferences and settings

3.7 Legal and Compliance

• Complying with applicable laws, regulations, and legal processes
• Establishing, exercising, or defending legal claims
• Protecting the rights, property, and safety of OnePulse, our users, and the public

4. Data Sharing and Disclosure

4.1 Information We Do NOT Share

• We do NOT sell your personal data to advertisers, marketing companies, or other third parties
• We do NOT share prayer requests, journal entries, or direct messages with third parties (except as required by law or with your explicit consent)
• We do NOT share passwords or authentication credentials with anyone

4.2 Information We Share

4.2.1 With Other Users

Depending on your privacy settings:

• Your public profile information (username, avatar, bio, denomination)
• Your public posts and comments
• Prayer requests you mark as "public"
• Your participation in public circles and hubs
• Your reactions to others' content

Private Content: Your prayer journal entries, private prayer requests, and direct messages are shared ONLY with intended recipients or remain completely private.

4.2.2 Service Providers

We share necessary information with third-party service providers to operate our Service:

Supabase (supabase.com)

• Email address, hashed password, profile data, user-generated content
• Purpose: User authentication, database hosting, and data storage
• Data location: EU/US (varies by Supabase data center)
• GDPR Data Processing Agreement: Yes

Cloudinary (cloudinary.com)

• Profile images, avatars, cover images, user-uploaded media
• Purpose: Image hosting, optimization, and CDN delivery
• Data location: AWS data centers (varies)
• Privacy Policy: https://cloudinary.com/privacy

Sentry (sentry.io)

• Device information, crash reports, stack traces
• Email (only if you provide feedback about a crash)
• Purpose: Error monitoring, crash reporting, performance tracking
• Data location: EU/US (varies by Sentry configuration)
• Privacy Policy: https://sentry.io/privacy/
• Note: Personal information in crash reports is automatically scrubbed

Mixpanel (mixpanel.com) (Analytics - Opt-in)

• Usage patterns, feature interactions, session data
• No personally identifiable information by default
• Purpose: Usage analytics and app improvement
• Data location: US
• Privacy Policy: https://mixpanel.com/legal/privacy-policy/
• Note: You can opt out of analytics collection

OneSignal (onesignal.com)

• Device tokens, notification preferences
• Purpose: Delivering push notifications
• Data location: US/EU (configurable)
• Privacy Policy: https://onesignal.com/privacy_policy

AWS (aws.amazon.com)

• Backend application data and server logs
• Purpose: Computing infrastructure and application hosting
• Data location: US/other regions (depends on configuration)
• Privacy Policy: https://aws.amazon.com/privacy/

4.2.3 Legal Requirements

We may disclose your information when required by law or if we believe in good faith that disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service and other agreements
• Protect the safety, rights, and property of OnePulse, our users, or the public
• Detect, prevent, or address fraud or security issues

4.2.4 Business Transfers

If OnePulse is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

4.2.5 With Your Consent

We may share your information for purposes other than those listed above, with your explicit consent.

5. Data Security

5.1 Security Measures

We implement comprehensive security measures to protect your information:

• Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption (HTTPS)
• Authentication Security: Passwords are hashed using industry-standard algorithms by Supabase Auth; we never store plaintext passwords
• Access Controls: Employee access to personal data is restricted to those with a business need and is logged
• Firewalls and Intrusion Detection: AWS infrastructure includes firewalls and DDoS protection
• Regular Security Audits: We conduct periodic security assessments and penetration testing
• Incident Response Plan: We have procedures in place to respond to data breaches

5.2 Limitations

While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security of your information. Any transmission of data is at your own risk. You are responsible for maintaining the confidentiality of your password.

5.3 Data Retention

• Active Account Data: We retain your account information as long as your account is active
• Account Deletion: Upon deletion, we remove your authentication records, profile data, and user-generated content (see Section 8 for details)
• Server Logs: Server logs are retained for up to 30 days for security and troubleshooting purposes
• Backup Data: Deleted data may persist in backups for up to 90 days before being permanently deleted
• Analytics Data: Aggregated analytics data may be retained indefinitely (cannot identify individuals)

6. Children's Privacy (COPPA Compliance)

6.1 Age Restriction

OnePulse is designed for users 13 years of age and older. We comply with the Children's Online Privacy Protection Act (COPPA) in the United States and similar children's privacy laws worldwide.

6.2 Children Under 13

• We do not knowingly collect personal information from children under 13 without parental consent
• If we learn that we have collected information from a child under 13, we will promptly delete such information and notify the parent or guardian
• Parents who believe their child has provided information to OnePulse can contact us at support@onepulse.community

6.3 Children 13-18

• Users aged 13-18 have additional privacy protections
• Their data is treated with extra care
• Parents may request access to, or deletion of, a minor's account
• We do not sell personal information of minors
• We limit ad targeting and behavioral tracking for minors

7. Your Privacy Rights

7.1 GDPR Rights (EU Users)

If you are located in the European Union, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access: You have the right to request a copy of your personal data that we hold, in a structured, commonly used, machine-readable format.

Right to Rectification: You have the right to correct inaccurate personal data.

Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data, subject to certain exceptions.

Right to Data Portability: You have the right to receive your personal data in a portable format and to transmit it to another controller.

Right to Restrict Processing: You have the right to request that we limit processing of your personal data.

Right to Object: You have the right to object to processing of your personal data for direct marketing, profiling, or other purposes.

Rights Related to Automated Decision Making: You have rights related to automated decision-making and profiling.

To exercise these rights, contact us at support@onepulse.community with "GDPR Request" in the subject line.

7.2 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

Right to Know: You have the right to request what personal information we collect, use, share, and sell.

Right to Delete: You have the right to request deletion of personal information we have collected from you.

Right to Opt-Out of Sale: You have the right to opt out of the sale or sharing of your personal information (Note: OnePulse does not sell personal information).

Right to Correct: You have the right to request correction of inaccurate personal information.

Right to Limit Use and Disclosure: You have the right to limit our use and disclosure of sensitive personal information.

Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.

To submit a CCPA request, email support@onepulse.community with "CCPA Request" in the subject line, or use our Data Access Form (if provided through the app).

7.3 LGPD Rights (Brazil)

If you are located in Brazil, the General Data Protection Law (LGPD) grants you the following rights:

• Right of access to your personal data
• Right to correction of inaccurate data
• Right to deletion of data
• Right to data portability
• Right to object to processing
• Right to obtain information about the purpose and use of your data

To exercise these rights, contact support@onepulse.community with "LGPD Request" in the subject line.

7.4 PIPEDA Rights (Canada)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides you:

• Right of access to your personal information
• Right to request correction of inaccurate information
• Right to request deletion of your information
• Right to understand how your information is being used
• Right to withdraw consent for processing

Contact us at support@onepulse.community to exercise these rights.

7.5 Other Jurisdictions

In other jurisdictions, similar privacy rights may apply under local data protection laws. We respect your privacy rights regardless of your location.

8. Account Deletion and Data Removal

8.1 How to Delete Your Account

You can delete your OnePulse account through the app settings:

1. Open OnePulse
2. Go to Settings → Account & Privacy → Delete Account
3. Follow the confirmation prompts
4. Enter your password to confirm the deletion request

Alternatively, email support@onepulse.community with "Account Deletion Request" in the subject line.

8.2 What Happens When You Delete Your Account

When you request account deletion:

Immediately Removed:

• Your authentication credentials and login access
• Your personal profile information (name, email, phone, date of birth, etc.)
• Your profile avatar and cover image
• Your bio, testimony, spiritual information
• Your private settings and preferences

Removed Within 24 Hours:

• Your user-generated content (posts, comments, journal entries)
• Your direct messages (from your account; recipients may retain copies)
• Your prayer requests and journal entries
• Your bookmarks and saved items
• Your circle and hub memberships and activity

Handled Separately:

• Public Content Attribution: Reactions and likes you made to other users' content remain visible but show as "Deleted User"
• Chat History: If another user has copy of your direct messages in their chat history, they may retain those copies
• Media in Backups: Your media may persist in encrypted backups for up to 90 days

8.3 Third-Party Data Removal

We will request that our service providers delete your data:

• Supabase: Database records deleted within 24 hours
• Cloudinary: Media files deleted within 24 hours
• OneSignal: Device tokens and notification records deleted within 24 hours
• Sentry: PII removed from error reports; logs deleted within 30 days
• Mixpanel: Data dissociated and anonymized

8.4 Data Retention After Deletion

Some data may be retained for limited periods:

• Server backups: up to 90 days
• Legal holds: indefinitely (if required by law)
• Aggregated/anonymized data: retained indefinitely (cannot identify you)
• Law enforcement requests: until fulfilled

9. Your Privacy Choices

9.1 Location Services

• You can disable precise location access through your device settings
• The app will continue to work without precise location, but location-based features (nearby churches, community discovery) will be limited

9.2 Push Notifications

• You can customize notification preferences within the app (Settings → Notifications)
• You can disable all notifications through your device settings
• Disabling notifications will not affect your ability to use OnePulse

9.3 Analytics and Crash Reporting

• Sentry (Crash Reporting): Enabled by default to help us identify and fix bugs. Crash reports are automatically scrubbed of personal information.
• Mixpanel (Usage Analytics): Opt-in only. You can enable or disable usage analytics in the app settings.
• Note: Disabling these services may limit our ability to identify and fix technical issues

9.4 Email Communications

• You can manage email preferences in Settings → Email Preferences
• You can unsubscribe from non-essential emails using the unsubscribe link in each email
• Service-related emails (password resets, security alerts) cannot be disabled

9.5 Prayer Request Privacy Levels

You can control who sees your prayer requests by selecting:

• Public: Visible to all OnePulse users
• Friends Only: Visible to your confirmed friends only
• Private: Visible only to you
• Anonymous: Public visibility but not linked to your profile

10. Contact Us for Privacy Inquiries

If you have questions about this Privacy Policy or our privacy practices:

Email:
support@onepulse.community

Mailing Address:
Available for verified legal, regulatory, and privacy requests. Email support@onepulse.community with subject "Mailing Address Request".

Response Timeline:

• We will respond to your privacy inquiry within 15 business days
• For GDPR/CCPA requests, we aim to respond within 30-45 days as required by law

11. Data Protection Officer (DPO)

For users in the EU and other jurisdictions requiring a Data Protection Officer:

DPO Contact:
dpo@onepulse.community

12. Changes to This Privacy Policy

12.1 Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.

12.2 Notification

• Material Changes: We will notify you of material changes via email or through the app
• Non-Material Changes: Minor clarifications or updates may be made without specific notification
• Your Continued Use: Your continued use of OnePulse after changes constitutes acceptance of the updated policy

12.3 Version Control

• Effective Date: This policy is effective as of February 7, 2026
• Last Updated: February 7, 2026

13. International Data Transfers

13.1 Cross-Border Transfers

OnePulse operates globally. Your information may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have data protection laws that differ from your home country.

13.2 Adequacy and Safeguards

For transfers from the EU to the US and other non-adequate jurisdictions, we rely on:

• Standard Contractual Clauses (SCC)
• Binding Corporate Rules (where applicable)
• Your explicit consent
• Necessary exceptions for contract performance or legal obligations

13.3 Your Consent

By using OnePulse, you consent to the transfer of your information to countries outside your country of residence as described in this policy.

14. Dispute Resolution

14.1 Informal Resolution

Please contact us first at support@onepulse.community to resolve any privacy concerns.

14.2 GDPR Complaints

EU users may lodge a complaint with their local data protection authority:

• Italy: https://www.garanteprivacy.it/
• Spain: https://www.aepd.es/
• Germany: https://www.bfdi.bund.de/
• Full EU authority list: https://edpb.europa.eu/about-edpb/about-edpb/members_en

14.3 CCPA Complaints

California residents may file a complaint with the California Attorney General:

• Website: https://oag.ca.gov/privacy
• Phone: 1-800-952-5225

15. Additional Information for Specific Jurisdictions

15.1 EU (GDPR)

• Lawful Basis: We process your data based on: (a) contract performance, (b) your consent, (c) our legitimate interests, or (d) legal compliance
• Data Processing Agreement: Available upon request for business customers
• Accountability: We maintain records of processing activities and conduct Data Protection Impact Assessments for high-risk processing

15.2 California (CCPA/CPRA)

• Categories of Personal Information: See Section 2 of this policy
• Sale or Sharing: OnePulse does not sell or share personal information
• Sensitive Personal Information: We limit collection and use of sensitive information (SSN, financial data, biometric data, etc.)
• Automated Decision-Making: We do not use automated decision-making for significant effects without human review

15.3 Brazil (LGPD)

• Data Controller: OnePulse
• Legal Basis for Processing: Performance of contract, fulfillment of legal obligations, protection of rights, or legitimate interests
• Data Protection Officer: To be designated if required
• Transfer Restrictions: International transfers may be restricted; we seek legal authorization before transfer

16. Prayer Request and Sensitive Data Handling

16.1 Special Handling of Prayer Requests

Prayer requests may contain sensitive health, personal, or family information. We implement additional safeguards:

• User Control: You set the privacy level for each prayer request
• Encryption: Prayer requests are encrypted during transit and at rest
• Limited Employee Access: Only support staff with legitimate need can view content
• No Monetization: Prayer request data is never used for marketing or sold
• Respectful Handling: All staff are trained on respectful handling of spiritual content

16.2 Direct Messages

• Direct messages are private communications between participants
• Messages are encrypted during transit
• We do not scan message content for ads or analytics
• Deleting your account removes message access from your account; message recipients may retain copies in their own chat history

16.3 Journal Entries

• Prayer journal entries are accessible only by you
• Not shared with other users
• Protected with the same encryption as other personal data
• Not used for targeting or profiling

17. Third-Party Links and Services

Our app may contain links to third-party websites and services (churches, Christian resources, etc.). This Privacy Policy does not apply to those third-party services. We are not responsible for their privacy practices. Please review their privacy policies before providing any information.

18. Accessibility

This Privacy Policy is available in English. If you need this policy in an alternative format (large print, audio, etc.), please contact support@onepulse.community.