Privacy Policy for BlessSoul

Effective Date: January 1, 2025 | Last Updated: December 27, 2025

Introduction

BlessSoul ("we," "our," or "us") is developed and operated by Praveena H D, a sole proprietor and individual developer based in Shivamogga, Karnataka, India. We are committed to protecting your privacy and ensuring the security of your personal information within the constraints of a one-person operation. This Privacy Policy explains how we collect, use, store, protect, and share your data when you use the BlessSoul mobile application (the "App").

By using BlessSoul, you agree to the collection and use of information in accordance with this Privacy Policy.

Your use of BlessSoul is also governed by our Terms of Service. This Privacy Policy should be read in conjunction with our Terms of Service. Please review both documents before using the app.

Solo Developer Context

CRITICAL DISCLOSURE: BlessSoul is operated by one individual developer with limited resources. This affects our privacy practices:

We take your privacy seriously and comply with all applicable privacy laws, though response times may be at the maximum allowed by law due to the one-person operation.


1. Information We Collect

1.1 Information You Provide Directly

Account Information:
- Email address (required for account creation and authentication)
- Password (hashed using bcrypt and securely stored - we never store passwords in plain text)
- Display name (optional)
- Date of birth (optional, for personalization and age verification)
- Profile picture (optional, stored locally on your device only - NOT synced to cloud)

User-Generated Content:
- Goals and milestones: Title, description, category, progress, target dates, completion status
- Schedule and time blocks: Time, title, category, duration, notes
- Reminders: Title, due date, priority, recurrence, linked goals
- Manifestation practices: Intentions, methods, affirmations, progress tracking
- Divine signs: Type (repeating numbers, nature, dreams, songs, synchronicity, feathers/coins, other), description, date observed
- Soul Portal preferences: Notification settings for cosmic events (stored locally only)
- Personal notes and reflections: Associated with goals, manifestations, or entries
- Favorites and preferences: Liked quotes, theme settings, notification preferences

Onboarding Data (Collected During Setup):
- Phase 1 (Required): Acquisition source, age range, gender, primary motivation, primary goal, manifestation belief, focus life area
- Phase 2 (Optional): Relationship status, religious preference, zodiac sign, consistency struggles, improvement areas, current mood, avoidance areas
- Phase 3 - Soul Spark (Optional): Quote style preference, quote interaction preference, mental health practices, followed topics (3-8 selected from 12 main categories)
- Purpose: Personalizing your experience, filtering content (religious/zodiac quotes), and improving recommendations

Subscription Information:
- Subscription plan (monthly, quarterly, yearly)
- Subscription status (active, expired, cancelled)
- Subscription start and end dates
- Anonymous RevenueCat customer ID (UUID, not personally identifiable)
- Note: Payment information is processed and stored securely by Apple's App Store - we do NOT receive or store your payment card details, billing address, or financial information

1.2 Automatically Collected Information

Usage Analytics (Firebase Analytics - Production Only):
- App launch and session duration
- Feature usage patterns (which screens viewed, features used)
- Button clicks and interactions
- Authentication events (sign up, login, logout)
- Goal creation, quote views (counts only, not content)
- Settings changes (theme preference, etc.)
- Data sync success/failure events
- App version and update adoption
- Language preference
- General geographic location (country/region level only, derived from App Store, NOT precise GPS location)

Technical Information:
- Device model (e.g., iPhone 14 Pro)
- Device unique identifier (anonymous, for analytics)
- iOS version (e.g., iOS 17.0)
- App version (e.g., 1.0.0)
- Network connectivity status (Wi-Fi, cellular, offline)
- App crashes, errors, and performance data (Firebase Crashlytics - production builds only)
- Stack traces for debugging (containing no personal information)

1.3 Information We Do NOT Collect

We value your privacy and do NOT collect the following:


2. How We Use Your Information

We use your information for the following purposes:

2.1 Core App Functionality

2.2 Service Improvement

2.3 Communication

Email Frequency: We send transactional emails only (no marketing). You will receive:
- Welcome email upon first subscription purchase
- Welcome back email if you resubscribe after cancellation
- Subscription expired email (Day 0 after expiration) - personalized based on your engagement level
- Final warning email (Day 23) - 7 days before automatic account deletion
- Account deleted confirmation (Day 30) - after automatic deletion
- Password reset emails (when requested)
- Support responses (when you contact us)

2.4 Legal and Security

2.5 Analytics and Research (Anonymous)

Important: Analytics data is anonymized and cannot be linked back to you personally.


3. Legal Basis for Processing (GDPR)

3.1 Why We Are Allowed to Process Your Data

Under the General Data Protection Regulation (GDPR), we must have a legal basis to process your personal data. We rely on the following legal grounds under GDPR Article 6(1):

1. Contract Performance (Article 6(1)(b)):

We process your data to fulfill our contract with you (Terms of Service) and provide the Service you subscribed to:
- Account creation and authentication
- Subscription management and billing
- Service delivery (goals, schedules, manifestations, reminders)
- Data synchronization across your devices
- Customer support and issue resolution
- Email communications about your account

2. Consent (Article 6(1)(a)):

We process certain data only with your explicit consent, which you can withdraw at any time:
- Firebase Analytics (Settings → Data & Privacy → Usage Analytics)
- Optional Google Sign-In authentication
- Push notifications (iOS Settings → Notifications)
- Optional profile picture upload

3. Legitimate Interests (Article 6(1)(f)):

We process certain data based on our legitimate interests, which are balanced against your rights:
- Fraud prevention and security: Detecting suspicious account activity, preventing abuse
- Service improvement: Anonymous analytics to improve features and fix bugs
- Crash reporting: Firebase Crashlytics to identify and fix app crashes
- Business operations: Understanding usage patterns, retention analysis
- Legal compliance: Maintaining records required by law

Your Right to Object: You have the right to object to processing based on legitimate interests. Contact support@blesssoul.com with subject "GDPR - Object to Processing" to exercise this right.

4. Legal Obligation (Article 6(1)(c)):

We process certain data to comply with legal obligations:
- Subscription records for tax compliance (India tax law: 7 years retention)
- Response to court orders, subpoenas, or government requests
- Compliance with data protection laws (breach notifications, etc.)

3.2 Withdrawal of Consent

For processing based on your consent, you can withdraw consent at any time:

To Withdraw Consent:
- Analytics: Settings → Data & Privacy → Usage Analytics (toggle off)
- Google Sign-In: Switch to email/password authentication in Settings
- Notifications: iOS Settings → Notifications → BlessSoul (disable)
- Profile Picture: Settings → Profile → Remove Profile Picture

Important: Withdrawal of consent does not affect the lawfulness of processing before withdrawal. Withdrawing consent for essential features (account management, sync) may make the Service unusable.


4. How We Store Your Information

4.1 Data Storage Locations

Supabase (Primary Cloud Database):
- What's stored:
  - Account information (email, name, profile picture, preferences)
  - Goals, milestones, and progress data
  - Schedules and time blocks
  - Reminders and tasks
  - Manifestation practices, affirmations, and gratitude entries
  - Quote interactions (favorites, views)
  - Subscription tracking (status, plan, dates)
- Location: United States (Google Cloud Platform infrastructure)
- Security: Row-level security, PostgreSQL database, HTTPS/TLS encryption
- Privacy Policy: https://supabase.com/privacy

Local Device Storage (CoreData):
- What's stored:
  - Cached data for offline access
  - User preferences and settings
  - Session tokens
  - Draft content
- Location: Your device only
- Security: iOS app sandbox, encrypted storage

iOS Keychain (Secure Enclave):
- What's stored:
  - Encryption keys for secure data
  - Stored with kSecAttrAccessibleWhenUnlockedThisDeviceOnly (highest security)
- Location: Device-only, never synced
- Security: Hardware-backed encryption, protected by device passcode/biometrics

4.2 Data Security Measures

We implement industry-standard and best-practice security measures within the constraints of a solo developer operation:

Encryption in Transit:
- All data transmitted between your device and our servers uses HTTPS/TLS 1.3 encryption
- Certificate pinning prevents man-in-the-middle attacks
- Secure WebSocket connections for real-time sync

Encryption at Rest:
- Passwords: bcrypt hashing with salt (never stored in plain text)
- Database: Encrypted at rest by Supabase/Google Cloud

Access Controls:
- Row-level security: Users can only access their own data in Supabase
- API authentication: All requests require valid authentication tokens
- Rate limiting: Prevents brute force attacks
- Session management: Automatic logout after inactivity

Biometric Protection (Optional):
- Biometric data is processed locally by iOS and never sent to us or stored
- Requires device passcode as backup

Security Audits:
- Regular security reviews and updates (within solo developer capacity)
- Monitoring for suspicious activity
- Prompt patching of vulnerabilities
- Third-party security assessments of critical services (Supabase, Firebase, etc.)

Solo Developer Access:
- Developer has minimal access to production data
- No routine access to user content
- Database queries require authentication and are logged
- Developer cannot view your private data

LIMITATION: As a solo developer, we cannot provide enterprise-level security infrastructure, dedicated security team, or 24/7 monitoring. We implement best practices within our resource constraints.


5. Third-Party Services

BlessSoul uses the following third-party services to provide functionality. Each service may collect and process data as described:

5.1 Supabase (Backend Infrastructure)

5.2 Firebase (Google LLC)

5.3 Google Sign-In (Optional Authentication)

5.4 RevenueCat (Subscription Management)

5.5 Resend (Email Delivery)

5.6 Apple App Store (Payment Processing)

5.7 OpenAI (AI Content Generation)

CRITICAL DISCLOSURE:

5.8 Soul Spark Quotes (AI-Generated Content)

IMPORTANT DISCLOSURE: The inspirational quotes displayed in the Soul Spark feature were originally generated using artificial intelligence.

See Terms of Service for full AI content disclaimers regarding copyright and accuracy.

5.9 Soul Portal (Cosmic Event Calendar)

5.10 Live Activities and Widgets

LOCK SCREEN VISIBILITY DISCLOSURE:

5.11 Divine Signs Feature

Important Notes:
- We do NOT share your data with advertising networks, data brokers, or marketing companies
- We do NOT sell, rent, or trade your personal information
- Third-party services are carefully vetted for security and privacy compliance (within solo developer capacity)
- You can review each service's privacy policy via the links above


6. Data Sharing and Disclosure

6.1 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for any purpose. Your data is not a commodity.

6.2 When We May Share Information

We only share your information in the following limited circumstances:

With Your Explicit Consent:
- When you explicitly choose to share content (e.g., exporting data, saving quote images to your device)
- When you grant permission for specific data sharing

Service Providers (Section 4):
- With the third-party services listed in Section 4, solely to provide app functionality
- Under data processing agreements (where available)
- Service providers may not use data for their own purposes (per their policies)

Legal Requirements:
- If required by law, regulation, court order, or government request
- To comply with legal processes (subpoenas, warrants)
- To protect our rights, safety, property, or that of our users
- To investigate, prevent, or take action regarding fraud, abuse, or Terms violations
- To prevent imminent harm to any person
- We will notify you of legal requests unless prohibited by law

Business Transfers:
- In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your data may be transferred to the successor entity
- You will be notified via email and in-app notice (when possible)
- The successor must honor this Privacy Policy or obtain your consent for changes
- You will have the option to delete your account before the transfer (when possible)

Aggregated Anonymous Data:
- We may share aggregated, anonymized, non-personally identifiable statistics
- Examples: "80% of users create goals in their first week"
- This data cannot be traced back to you

6.3 No Sharing for Marketing

We do NOT share your information with:
- Advertising networks or ad exchanges
- Marketing agencies or email list brokers
- Data aggregators or data brokers
- Social media platforms (unless you explicitly share)
- Other apps or services for cross-promotion


6. Your Privacy Rights

6.1 Access and Control

You have the following rights regarding your data:

Access Your Data:
- View all your data within the app: Settings → Data Management
- See what information we have about you

Export Your Data:
- Download a complete copy of your data in JSON format: Settings → Data Management → Export Data
- Includes: goals, manifestations, schedules, reminders, gratitude entries, profile info
- Data portability: Use your data with other services

Delete Your Data:
- Permanently delete your account and all associated data: Settings → Data Management → Delete Account
- Immediate and irreversible deletion from all systems
- Cannot be recovered after deletion
- See Section 7.2 for full deletion details

Correct Your Data:
- Update profile information anytime: Profile → Edit
- Edit goals, schedules, etc. within their respective screens

Opt-Out of Analytics:
- Disable Firebase Analytics: Settings → Data & Privacy → Usage Analytics (toggle off)
- Note: This does not affect core functionality

Manage Notifications:
- Control notification types: Settings → Notifications
- Disable all notifications in iOS Settings → BlessSoul → Notifications

6.2 GDPR Rights (European Economic Area Users)

SOLO DEVELOPER NOTICE: As a one-person operation, privacy rights requests are handled by the sole developer. Response times may be at the maximum timeframes permitted by GDPR (30 days, extendable to 60 days for complex requests with notification).

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Right to Access:
- Request a copy of all personal data we hold about you
- Receive information about how we process your data

Right to Rectification:
- Correct inaccurate or incomplete personal data

Right to Erasure ("Right to be Forgotten"):
- Request deletion of your personal data
- We will delete data unless we have a legal obligation to retain it

Right to Restriction of Processing:
- Request that we limit how we use your data in certain circumstances

Right to Data Portability:
- Receive your data in a structured, commonly used, machine-readable format (JSON)
- Transmit your data to another service provider

Right to Object:
- Object to processing of your data for certain purposes (e.g., analytics)
- We will stop processing unless we have compelling legitimate grounds

Right to Withdraw Consent:
- Withdraw consent for data processing at any time
- Does not affect the lawfulness of processing before withdrawal

Right to Lodge a Complaint:
- File a complaint with your local data protection authority if you believe we've violated GDPR
- EU: https://edpb.europa.eu/about-edpb/board/members_en

How to Exercise GDPR Rights:
- Email: support@blesssoul.com with subject line "GDPR Request"
- Include: Your registered email, specific request, and verification information
- Response time: Within 30 days as required by GDPR Article 12(3)
- Extension: May be extended to 60 days for complex requests; we will inform you of any extension within the first 30 days and explain the reasons for the delay
- Solo Developer Note: As a one-person operation, complex requests may require the full 60-day extension period

6.3 CCPA Rights (California Residents)

SOLO DEVELOPER NOTICE: As a one-person operation, privacy rights requests are handled by the sole developer. Response times may be at the maximum timeframes permitted by CCPA (45 days, extendable to 90 days for complex requests with notification).

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

Right to Know:
- What personal information we collect
- Categories of sources from which we collect information
- Business or commercial purpose for collecting information
- Categories of third parties with whom we share information

Right to Delete:
- Request deletion of your personal information
- Exceptions: We may retain data if required by law or necessary for legal compliance

Right to Opt-Out of Sale:
- We do NOT sell personal information (nothing to opt out of)

Right to Non-Discrimination:
- We will not discriminate against you for exercising your CCPA rights
- Same service, quality, and pricing regardless of rights exercise

How to Exercise CCPA Rights:
- Email: support@blesssoul.com with subject line "CCPA Request" or "California Privacy Request"
- Include: Your registered email, specific request, and verification information
- Verification required: We may ask for additional information to verify your identity
- Response time: Within 45 days as required by CCPA
- Extension: May be extended to 90 days for complex requests; we will inform you of any extension within the first 45 days and explain the reasons for the delay
- Solo Developer Note: As a one-person operation, complex requests may require the full 90-day extension period

Authorized Agent:
- You may designate an authorized agent to make requests on your behalf
- We require written proof of authorization

6.4 Other Regional Rights

Brazilian Users (LGPD):
- Similar rights to GDPR users
- Contact: support@blesssoul.com with subject "LGPD Request"
- Response within 30-60 days (solo developer constraints)

Canadian Users (PIPEDA):
- Right to access and correct personal information
- Contact: support@blesssoul.com
- Response within 30 days

Indian Users (Personal Data Protection Bill - when enacted):
- We will comply with Indian data protection laws when enacted
- Contact: support@blesssoul.com with privacy requests
- As an Indian developer, we are committed to complying with Indian data protection regulations

All Users:
- Regardless of location, we honor data privacy requests within the timeframes required by applicable law
- Contact support@blesssoul.com with any privacy concerns
- Solo Developer Note: As a one-person operation, we may require the full time permitted by law to process complex requests


7. Data Retention and Deletion

7.1 Active Accounts

We retain your data as long as your account is active and you maintain a subscription or are within the grace period.

Data Lifecycle:
- Active subscription: Full data retention and sync
- Grace period (30 days post-expiration): Read-only data retention
- Day 30 post-expiration: Automatic deletion (see Section 7.3)

7.2 Manual Account Deletion (User-Initiated)

When you manually delete your account (Settings → Data Management → Delete Account):

Immediate Deletion (Within seconds):
- Your profile is removed from Supabase database
- All user-generated content deleted:
  - Goals, milestones, progress data
  - Manifestations, affirmations, gratitude entries
  - Schedule blocks and time blocks
  - Reminders and tasks
  - Profile picture from storage
  - Quote favorites and interactions
  - Subscription tracking records
- Your authentication session is terminated
- Local device storage is cleared:
  - CoreData database erased
  - Cached files removed
  - Encryption keys deleted from Keychain

Within 24-48 Hours:
- Cloud backups no longer contain your data

Within 30 Days:
- Backups containing your data are purged
- Any residual logs are anonymized

Permanent and Irreversible:
- Once deletion is initiated, it cannot be undone
- Data cannot be recovered by you or by us
- Your email address is released and can be used for a new account

What May Be Retained (Legal Requirements):
- Minimal information for legal compliance (e.g., fraud prevention, tax records): anonymized user ID, subscription dates (no personal content)
- Anonymous analytics data (cannot be linked back to you)
- Deletion logs (for audit purposes)
- Retention period: As required by Indian law (typically 5-7 years for financial records)

Confirmation:
- You'll receive a confirmation email that account deletion is complete
- Email sent to your registered email address (last communication)

7.3 Automatic Account Deletion (Subscription Lapse)

If your subscription expires and is not renewed:

Timeline:

Days 0-29 (Grace Period):
- Your account remains active but in read-only mode
- All data is retained and accessible
- You can view but not edit content
- Email reminders sent

Day 30 (Account Deletion):
- Account is automatically and permanently deleted
- Same deletion process as manual deletion (Section 7.2)
- Final "Account Deleted" email sent before deletion
- Data cannot be recovered

Resubscribe to Prevent Deletion:
- Resubscribing at any time before day 30 immediately restores full access
- All your data is preserved
- No data loss

7.4 Subscription Cancellation (Different from Account Deletion)

Important: Cancelling your subscription is NOT the same as deleting your account.

When you cancel your subscription through Apple:
- Access continues until the end of your current billing period
- After the billing period ends, your account enters the grace period (Days 0-29)
- Your data is NOT immediately deleted
- You have 30 days total to resubscribe before automatic deletion

To avoid automatic deletion:
- Resubscribe before day 30, OR
- Manually export your data (Settings → Data Management → Export Data)

7.5 Data Retention for Deleted Accounts

Personal Data: Permanently deleted (see Section 7.2)

Anonymous Analytics: May be retained indefinitely (cannot be linked to you)

Legal Records: Minimal data retained as required by Indian law (anonymized where possible):
- Subscription billing history (for tax compliance): 7 years
- Fraud prevention records: 5 years
- Legal hold requests: Duration of legal matter

Backups: Purged within 30 days of account deletion


8. Children's Privacy

8.1 Age Requirement

BlessSoul is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age.

8.2 COPPA Compliance

In compliance with the Children's Online Privacy Protection Act (COPPA):
- We do not knowingly collect, use, or disclose personal information from children under 13
- We do not market to children under 13
- We do not display advertising to any users (including those 13+)

8.3 Parental Notice

If you believe we have inadvertently collected information from a child under 13:
- Contact us immediately: support@blesssoul.com with subject line "Child Privacy Concern"
- Provide: The child's name, email (if known), and your relationship to the child
- We will promptly:
  - Investigate the matter
  - Delete the child's account and all associated data
  - Implement additional safeguards to prevent future occurrences
  - Respond to you within 48-72 hours (solo developer response time)

8.4 Age Verification

8.5 Parental Rights

Parents/guardians of users aged 13-17 may:
- Request access to their child's account information
- Request deletion of their child's account
- Contact: support@blesssoul.com with proof of guardianship
- Response within 5-10 business days (solo developer constraints)


9. AI-Generated Content and Privacy Implications

9.1 OpenAI Integration (Manifestation Features Only)

IMPORTANT DISCLOSURE: BlessSoul uses OpenAI's GPT models to provide AI-powered features exclusively for the Soul Manifest (manifestation) feature. OpenAI is NOT used for Soul Spark quotes.

Privacy Implications:

What is NOT Shared with OpenAI:
- ✗ Your personal information (name, email)
- ✗ Your user ID or account identifiers
- ✗ Your subscription information
- ✗ Your device information
- ✗ Your schedules, reminders, or other app data
- ✗ Any personally identifiable information

What IS Shared with OpenAI:
- ✓ Manifestation intention text you enter (e.g., "I want to achieve financial freedom")
- ✓ Selected categories (career, health, relationships, etc.)
- ✓ Goal titles when requesting AI suggestions
- ✓ Manifestation method selections
- ✓ These are sent as anonymous API requests without user identifiers

Data Processing:
- Requests to OpenAI API are made directly from your device
- Requests do not include user identifiers or personal information
- OpenAI does not use API data to train models (per their API data usage policy)
- OpenAI retains API data for up to 30 days for abuse monitoring
- AI responses are displayed directly and not stored on our servers

OpenAI's Privacy Policy:
- Subject to OpenAI's privacy policy: https://openai.com/privacy
- OpenAI's API data usage policy: https://openai.com/policies/api-data-usage-policies
- OpenAI does not receive your personal data through our integration

9.2 Soul Spark Quotes (Pre-Generated AI Content)

Important Distinction: Soul Spark quotes were generated using AI technology BEFORE being added to our database. They are NOT generated in real-time.

Quote Privacy:
- No real-time AI calls: Quotes are served from our Supabase database, not OpenAI
- No personal data sent: Your information is never sent to AI when viewing quotes
- Pre-curated content: All 11,000+ quotes were generated, reviewed, and stored in our database
- Quote filtering: Religious and zodiac preferences filter which quotes you see (preferences stay in our system)

When you save or share a quote:
- Quote is saved to your local device (your control)
- If you share to social media, subject to that platform's privacy policy
- We track quote interactions (views, likes, shares, skips) for recommendation improvement

9.3 AI Content Disclaimers

Privacy-Related Disclaimers:
- Soul Spark quotes are pre-generated and served from our database (no real-time AI)
- Manifestation affirmations are generated in real-time via OpenAI (intention text shared)
- Quotes are filtered based on your preferences but not personalized to your specific life details
- Your use of quotes does not reveal personal information about you to third parties

See Terms of Service for full AI content disclaimers regarding copyright and accuracy.


10. Mental Health Crisis Resources

10.1 NOT A MENTAL HEALTH SERVICE

CRITICAL REMINDER: BlessSoul's features are for personal reflection and goal tracking ONLY, not mental health treatment.

If you are experiencing a mental health crisis, severe depression, anxiety, or suicidal thoughts:

GLOBAL CRISIS RESOURCES:

INDIA:
- Emergency Services: 112 (Police/Medical/Fire)
- Mental Health Directory: https://www.nimhans.ac.in/
- Global Helpline Directory: https://findahelpline.com

UNITED STATES:
- 988 Suicide & Crisis Lifeline: Call or text 988
- Crisis Text Line: Text HOME to 741741

UNITED KINGDOM:
- Samaritans: 116 123 (free 24/7)
- Emergency Services: 999 or 112

GLOBAL:
- Find Local Helplines: https://findahelpline.com
- International Crisis Resources: https://www.iasp.info/resources/Crisis_Centres/

IMPORTANT: Close the app and get professional help immediately if in crisis. This app cannot replace professional mental health care.


11. International Data Transfers

11.1 Global Availability

BlessSoul is available globally (excluding certain regions in the initial release). Your data may be transferred to, stored in, and processed in countries outside your country of residence, including the United States, where our servers and third-party service providers are located.

Developer Location: The developer is based in Shivamogga, Karnataka, India, but backend infrastructure is located in the United States.

11.2 Data Transfer Mechanisms

We ensure appropriate safeguards are in place to protect your data during international transfers (within solo developer resource constraints):

For EEA/UK/Swiss Users:
- Data transfers to the United States are conducted under:
  - Standard Contractual Clauses (SCCs) (where available from service providers)
  - Adequacy decisions where applicable
- Additional safeguards: Encryption, access controls, data minimization
- Solo Developer Limitation: We rely on third-party service providers' compliance mechanisms (Supabase, Firebase, etc.) as we lack resources for independent legal frameworks

For All Users:
- Data protection standards equivalent to this Privacy Policy
- Contractual obligations with service providers (where available)
- Regular review of service provider practices (within solo developer capacity)

11.3 Data Storage Locations

11.4 Your Consent

By using BlessSoul, you consent to:
- Transfer of your information to the United States and other countries
- Processing of your data in countries that may have different data protection laws than your country of residence (including India)
- Application of this Privacy Policy and Indian law (see Terms of Service Section 14)

If you do not agree, please do not use BlessSoul.

11.5 Indian Users

For users in India:
- Developer is based in India (Shivamogga, Karnataka)
- Data is transferred to the US for backend processing (Supabase, Firebase)
- We comply with applicable Indian data protection laws
- When India's Personal Data Protection Bill becomes law, we will update our practices accordingly


12. Cookies and Tracking Technologies

12.1 No Cookies for Advertising

BlessSoul does NOT use cookies or similar tracking technologies for advertising, marketing, or behavioral targeting purposes.

12.2 Local Storage (Not Cookies)

We use minimal local storage on your iOS device for essential functionality:

Session Management:
- Authentication tokens (to keep you logged in)
- Session expiration management
- Stored securely in iOS Keychain

Caching:
- Offline access to your data
- Faster loading times
- Reduced network usage

Preferences:
- Theme settings (light/dark mode)
- Notification preferences
- Language settings
- Feature onboarding states (which tutorials you've seen)

Analytics (Firebase):
- Anonymous device identifiers for analytics
- Can be disabled in Settings → Data & Privacy → Usage Analytics

12.3 Third-Party Tracking

12.4 Your Control

You can clear local data by:
- Signing out of the app
- Deleting and reinstalling the app
- Deleting your account entirely


13. Security Incident Response

13.1 Our Commitment

We take security incidents seriously and have procedures in place to respond promptly (within solo developer constraints).

13.2 In the Event of a Data Breach

Our Response:
- Immediate investigation and containment (as soon as the developer is aware)
- Assessment of affected data and users
- Notification to affected users within 72 hours as required by GDPR Articles 33-34
- Notification to relevant authorities (as required by law)
- Remediation and prevention measures

What You'll Receive:
- Email notification describing the incident
- Information about what data was affected
- Steps we're taking to address the breach
- Recommended actions you should take
- Contact information for questions

Solo Developer Limitation:
- Response may be delayed if a breach occurs during off-hours, weekends, or developer illness
- We will respond as quickly as possible given the one-person operation
- We aim to meet the 72-hour notification requirement; in case of developer illness or emergency, notification may be delayed but will occur as soon as reasonably practicable

13.3 Your Role

If you suspect unauthorized access to your account:
- Change your password immediately
- Enable additional security (if available)
- Contact us: support@blesssoul.com with subject "Security Concern"
- Review recent activity in your account

13.4 Security Best Practices


14. Changes to This Privacy Policy

14.1 Updates and Revisions

We may update this Privacy Policy from time to time to reflect:
- Changes in our data practices
- New features or services
- Feedback from users
- Changes in applicable laws (GDPR, CCPA, Indian data protection laws, etc.)
- Security improvements
- Changes to third-party services

14.2 Notification of Changes

We will notify you of material changes by:
- Updating the "Last Updated" date at the top of this policy
- Displaying a prominent notice in the app upon your next login
- Sending an email to your registered email address
- Requiring acceptance of the updated policy before continuing to use the app (for material changes)

Notification Timeline:
- Minor changes (clarifications, formatting): Notice at time of change
- Material changes (new data collection, new third-party services): 30 days' advance notice (when reasonably possible)

14.3 Your Acceptance

14.4 Version History

We maintain a history of Privacy Policy changes:
- Request previous versions by emailing support@blesssoul.com
- Significant changes will be summarized in the app


15. Contact Us

15.1 Privacy Questions and Requests

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: support@blesssoul.com

Subject Lines for Specific Requests:
- General questions: "Privacy Question"
- GDPR requests: "GDPR Request"
- CCPA requests: "CCPA Request"
- Data deletion: "Delete My Data"
- Data export: "Export My Data"
- Security concerns: "Security Concern"
- Child privacy: "Child Privacy Concern"

Developer: Praveena H D
Location: Shivamogga, Karnataka, India
Support Hours: Monday - Friday, 9 AM - 5 PM India Standard Time (IST)
Response Time: We aim to respond within 2-5 business days for general inquiries

For GDPR/CCPA requests:
- GDPR: 30 days (extendable to 60 days for complex requests)
- CCPA: 45 days (extendable to 90 days for complex requests)
- Complex requests may require the full extension period due to solo developer constraints

15.2 Information to Include in Requests

To process your request efficiently, please include:
- Your registered email address
- Specific nature of your request
- Any relevant details or documentation
- For data access/deletion: Verification information (we may ask for additional verification)

15.3 Data Protection Officer (DPO)

Solo Developer Note: As a one-person operation, we do not have a dedicated Data Protection Officer. All privacy inquiries are handled by the developer directly.


16. Dispute Resolution

16.1 Informal Resolution

If you have a complaint about our privacy practices:

Step 1: Contact us first at support@blesssoul.com
- We will make good-faith efforts to resolve your concern
- Most issues can be resolved quickly through communication
- Timeframe: We'll respond within 2-5 business days and work toward resolution within 30 days

16.2 Regulatory Authorities

If your concern is not resolved to your satisfaction, you may file a complaint with your local data protection authority:

European Economic Area (EEA):
- Contact your national Data Protection Authority
- Directory: https://edpb.europa.eu/about-edpb/board/members_en

California Residents:
- California Attorney General
- Website: https://oag.ca.gov/contact
- Phone: (916) 210-6276

Indian Residents:
- Once India's data protection authority is established, contact information will be provided
- Currently: Ministry of Electronics and Information Technology (MeitY)

Other Regions:
- Contact your local consumer protection or data privacy authority

16.3 Arbitration

Privacy disputes may be subject to the arbitration and dispute resolution provisions in our Terms of Service (Section 14), including:
- Exclusive jurisdiction in Shivamogga, Karnataka, India
- Mandatory mediation before litigation
- Fee shifting (loser pays winner's legal costs)


17. Your Consent and Acknowledgment

17.1 By Using BlessSoul, You Consent To:

17.2 If You Do Not Agree

If you do not agree to this Privacy Policy:
- Do not create an account or use BlessSoul
- If you have an existing account, delete it via Settings → Data Management → Delete Account
- Contact us with questions before using the Service


18. Additional Information

18.1 Do Not Track (DNT)

18.2 Biometric Data Clarification

18.3 Data Minimization

We practice data minimization (within resource constraints):
- We collect only data necessary to provide the Service
- We do not collect data "just in case" we might need it later
- Optional fields (date of birth, profile picture) are truly optional

18.4 Privacy by Design

Privacy is built into BlessSoul from the ground up:
- Secure data storage
- Anonymous analytics (cannot be linked to you personally)
- Local-first data storage with optional cloud sync
- No advertising or tracking
- User control over data (export, delete)

18.5 Solo Developer Transparency

We believe in transparency about our limitations:
- This is a one-person operation with limited resources
- We cannot provide enterprise-level privacy infrastructure
- We comply with applicable privacy regulations within the requirements of the law
- We prioritize user privacy within our capabilities
- We appreciate your understanding and patience


19. Quick Reference Guide

Key Privacy Facts At a Glance:

Data Collection:
- Account info, user-generated content, usage analytics
- NO precise location, contacts, photos (except profile), or biometric data

Data Storage:
- Supabase (US), local device
- Encryption: HTTPS for all connections, secure local storage

Third-Party Services:
- 7 total: Supabase, Firebase, Google Sign-In, RevenueCat, Resend, App Store, OpenAI (manifestations only)
- NO advertising networks or data brokers

Your Rights:
- Access, export, delete, correct, opt-out
- GDPR compliant (EEA users)
- CCPA compliant (California users)

Data Selling:
- NEVER - we don't sell your data

Advertising:
- NONE - no ads, no ad trackers

Age Requirement:
- 13+ years

Data Deletion:
- Immediate and permanent
- Backups purged within 30 days

Auto-Deletion:
- Day 30 after subscription expires

AI Content:
- Manifestation AI: OpenAI GPT-4o-mini (intention text shared for affirmations/suggestions)
- Soul Spark quotes: Pre-generated by AI, served from database (NO real-time AI, NO data sent)
- NO personal identifiers sent to OpenAI

Solo Developer:
- One-person operation
- General inquiries: 2-5 business days
- GDPR: 30 days (extendable to 60)
- CCPA: 45 days (extendable to 90)

Contact:
- support@blesssoul.com
- Shivamogga, Karnataka, India


This Privacy Policy is effective as of January 1, 2025.
Last Updated: December 27, 2025

© 2025 Praveena H D. All rights reserved.


END OF PRIVACY POLICY