Privacy Policy for BlessSoul

Effective Date: January 1, 2025 | Last Updated: November 1, 2025

Introduction

BlessSoul ("we," "our," or "us") is developed and operated by Praveena H D, a sole proprietor and individual developer based in Shivamogga, Karnataka, India. We are committed to protecting your privacy and ensuring the security of your personal information within the constraints of a one-person operation. This Privacy Policy explains how we collect, use, store, protect, and share your data when you use the BlessSoul mobile application (the "App").

By using BlessSoul, you agree to the collection and use of information in accordance with this Privacy Policy.

Your use of BlessSoul is also governed by our Terms of Service. This Privacy Policy should be read in conjunction with our Terms of Service. Please review both documents before using the app.

Solo Developer Context

CRITICAL DISCLOSURE: BlessSoul is operated by one individual developer with limited resources. This affects our privacy practices:

We take your privacy seriously and comply with all applicable privacy laws, though response times may be at the maximum allowed by law due to the one-person operation.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:
- Email address (required for account creation and authentication)
- Password (hashed using bcrypt and securely stored - we never store passwords in plain text)
- Display name (optional)
- Date of birth (optional, for personalization and age verification)
- Profile picture (optional, stored in Supabase Storage)

User-Generated Content:
- Goals and milestones: Title, description, category, progress, target dates, completion status
- Schedule and time blocks: Time, title, category, duration, notes
- Reminders: Title, due date, priority, recurrence, linked goals
- Diary entries: Text content, mood, photos, tags (encrypted with AES-256-GCM encryption)
- Manifestation practices: Intentions, methods, affirmations, progress, divine signs
- Gratitude entries: Daily gratitude lists and reflections
- Personal notes and reflections: Associated with goals, manifestations, or entries
- Favorites and preferences: Liked quotes, theme settings, notification preferences

Subscription Information:
- Subscription plan (monthly, quarterly, yearly)
- Subscription status (trial, active, expired, cancelled)
- Subscription start and end dates
- Anonymous RevenueCat customer ID (UUID, not personally identifiable)
- Note: Payment information is processed and stored securely by Apple's App Store - we do NOT receive or store your payment card details, billing address, or financial information

1.2 Automatically Collected Information

Usage Analytics (Firebase Analytics - Production Only):
- App launch and session duration
- Feature usage patterns (which screens viewed, features used)
- Button clicks and interactions
- Authentication events (sign up, login, logout)
- Goal creation, diary entry creation, quote views (counts only, not content)
- Settings changes (theme preference, etc.)
- CloudKit sync success/failure events
- App version and update adoption
- Language preference
- General geographic location (country/region level only, derived from App Store, NOT precise GPS location)

Technical Information:
- Device model (e.g., iPhone 14 Pro)
- Device unique identifier (anonymous, for analytics)
- iOS version (e.g., iOS 17.0)
- App version (e.g., 1.0.0)
- Network connectivity status (Wi-Fi, cellular, offline)
- App crashes, errors, and performance data (Firebase Crashlytics - production builds only)
- Stack traces for debugging (containing no personal information)

1.3 Information We Do NOT Collect

We value your privacy and do NOT collect the following:

2. How We Use Your Information

We use your information for the following purposes:

2.1 Core App Functionality

2.2 Service Improvement

2.3 Communication

Email Frequency: We send transactional emails only (no marketing). You will receive:
- Welcome email upon signup
- Trial ending reminder (day 6 of trial)
- Subscription expiration notices (if applicable)
- Grace period reminders (if subscription expires)
- Password reset emails (when requested)
- Support responses (when you contact us)

2.4 Legal and Security

2.5 Analytics and Research (Anonymous)

Important: Analytics data is anonymized and cannot be linked back to you personally.

3. Legal Basis for Processing (GDPR)

3.1 Why We Are Allowed to Process Your Data

Under the General Data Protection Regulation (GDPR), we must have a legal basis to process your personal data. We rely on the following legal grounds under GDPR Article 6(1):

1. Contract Performance (Article 6(1)(b)):

We process your data to fulfill our contract with you (Terms of Service) and provide the Service you subscribed to:
- Account creation and authentication
- Subscription management and billing
- Service delivery (goals, diary, schedules, manifestations, reminders)
- Data synchronization across your devices
- Customer support and issue resolution
- Email communications about your account

2. Consent (Article 6(1)(a)):

We process certain data only with your explicit consent, which you can withdraw at any time:
- Firebase Analytics (Settings → Privacy → Analytics)
- Optional Google Sign-In authentication
- Optional iCloud sync (iOS Settings → iCloud)
- Push notifications (iOS Settings → Notifications)
- Optional profile picture upload

3. Legitimate Interests (Article 6(1)(f)):

We process certain data based on our legitimate interests, which are balanced against your rights:
- Fraud prevention and security: Detecting suspicious account activity, preventing abuse
- Service improvement: Anonymous analytics to improve features and fix bugs
- Crash reporting: Firebase Crashlytics to identify and fix app crashes
- Business operations: Understanding usage patterns, retention analysis
- Legal compliance: Maintaining records required by law

Your Right to Object: You have the right to object to processing based on legitimate interests. Contact support@blesssoul.com with subject "GDPR - Object to Processing" to exercise this right.

4. Legal Obligation (Article 6(1)(c)):

We process certain data to comply with legal obligations:
- Subscription records for tax compliance (India tax law: 7 years retention)
- Response to court orders, subpoenas, or government requests
- Compliance with data protection laws (breach notifications, etc.)

3.2 Withdrawal of Consent

For processing based on your consent, you can withdraw consent at any time:

To Withdraw Consent:
- Analytics: Settings → Privacy → Analytics (toggle off)
- Google Sign-In: Switch to email/password authentication in Settings
- iCloud Sync: iOS Settings → Apple ID → iCloud → BlessSoul (toggle off)
- Notifications: iOS Settings → Notifications → BlessSoul (disable)
- Profile Picture: Settings → Profile → Remove Profile Picture

Important: Withdrawal of consent does not affect the lawfulness of processing before withdrawal. Withdrawing consent for essential features (account management, sync) may make the Service unusable.

4. How We Store Your Information

4.1 Data Storage Locations

Supabase (Primary Cloud Database):
- What's stored:
- Account information (email, name, profile picture, preferences)
- Goals, milestones, and progress data
- Schedules and time blocks
- Reminders and tasks
- Manifestation practices, affirmations, and gratitude entries
- Quote interactions (favorites, views)
- Subscription tracking (status, plan, dates)
- Location: United States (Google Cloud Platform infrastructure)
- Security: Row-level security, PostgreSQL database, HTTPS/TLS encryption
- Privacy Policy: https://supabase.com/privacy

Apple iCloud (CloudKit) - Optional:
- What's stored:
- Synced copy of your goals, schedules, reminders, manifestations
- Enables automatic backup and sync across your Apple devices (iPhone, iPad, Mac)
- Control: You control whether iCloud sync is enabled (Settings → Apple ID → iCloud)
- Location: Apple data centers (varies by your country)
- Security: Encrypted in transit and at rest by Apple
- Privacy Policy: https://www.apple.com/legal/privacy/

Local Device Storage (CoreData):
- What's stored:
- Encrypted diary entries (AES-256-GCM encryption)
- Cached data for offline access
- User preferences and settings
- Session tokens
- Draft content
- Location: Your device only
- Security: iOS app sandbox, encrypted storage

iOS Keychain (Secure Enclave):
- What's stored:
- Encryption keys for diary entries
- Stored with kSecAttrAccessibleWhenUnlockedThisDeviceOnly (highest security)
- Location: Device-only, never synced
- Security: Hardware-backed encryption, protected by device passcode/biometrics

4.2 Data Security Measures

We implement industry-standard and best-practice security measures within the constraints of a solo developer operation:

Encryption in Transit:
- All data transmitted between your device and our servers uses HTTPS/TLS 1.3 encryption
- Certificate pinning prevents man-in-the-middle attacks
- Secure WebSocket connections for real-time sync

Encryption at Rest:
- Diary entries: AES-256-GCM encryption (military-grade)
- Passwords: bcrypt hashing with salt (never stored in plain text)
- Database: Encrypted at rest by Supabase/Google Cloud

Access Controls:
- Row-level security: Users can only access their own data in Supabase
- API authentication: All requests require valid authentication tokens
- Rate limiting: Prevents brute force attacks
- Session management: Automatic logout after inactivity

Biometric Protection (Optional):
- Diary access can be protected with Face ID/Touch ID
- Biometric data is processed locally by iOS and never sent to us or stored
- Requires device passcode as backup

Security Audits:
- Regular security reviews and updates (within solo developer capacity)
- Monitoring for suspicious activity
- Prompt patching of vulnerabilities
- Third-party security assessments of critical services (Supabase, Firebase, etc.)

Solo Developer Access:
- Developer has minimal access to production data
- No routine access to user content
- Database queries require authentication and are logged
- Developer cannot view encrypted diary entries (keys are device-only)

LIMITATION: As a solo developer, we cannot provide enterprise-level security infrastructure, dedicated security team, or 24/7 monitoring. We implement best practices within our resource constraints.

5. Third-Party Services

BlessSoul uses the following third-party services to provide functionality. Each service may collect and process data as described:

5.1 Supabase (Backend Infrastructure)

5.2 Firebase (Google LLC)

5.3 Google Sign-In (Optional Authentication)

5.4 RevenueCat (Subscription Management)

5.5 Apple iCloud (CloudKit) - Optional

5.6 Resend (Email Delivery)

5.7 Apple App Store (Payment Processing)

5.8 Claude AI by Anthropic (AI Content Generation)

NEW - CRITICAL DISCLOSURE:

Important Notes:
- We do NOT share your data with advertising networks, data brokers, or marketing companies
- We do NOT sell, rent, or trade your personal information
- Third-party services are carefully vetted for security and privacy compliance (within solo developer capacity)
- You can review each service's privacy policy via the links above

5. Data Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for any purpose. Your data is not a commodity.

5.2 When We May Share Information

We only share your information in the following limited circumstances:

With Your Explicit Consent:
- When you explicitly choose to share content (e.g., exporting data, saving quote images to your device)
- When you grant permission for specific data sharing

Service Providers (Section 4):
- With the third-party services listed in Section 4, solely to provide app functionality
- Under data processing agreements (where available)
- Service providers may not use data for their own purposes (per their policies)

Legal Requirements:
- If required by law, regulation, court order, or government request
- To comply with legal processes (subpoenas, warrants)
- To protect our rights, safety, property, or that of our users
- To investigate, prevent, or take action regarding fraud, abuse, or Terms violations
- To prevent imminent harm to any person
- We will notify you of legal requests unless prohibited by law

Business Transfers:
- In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your data may be transferred to the successor entity
- You will be notified via email and in-app notice (when possible)
- The successor must honor this Privacy Policy or obtain your consent for changes
- You will have the option to delete your account before the transfer (when possible)

Aggregated Anonymous Data:
- We may share aggregated, anonymized, non-personally identifiable statistics
- Examples: "80% of users create goals in their first week"
- This data cannot be traced back to you

5.3 No Sharing for Marketing

We do NOT share your information with:
- Advertising networks or ad exchanges
- Marketing agencies or email list brokers
- Data aggregators or data brokers
- Social media platforms (unless you explicitly share)
- Other apps or services for cross-promotion

6. Your Privacy Rights

6.1 Access and Control

You have the following rights regarding your data:

Access Your Data:
- View all your data within the app: Settings → Data Management
- See what information we have about you

Export Your Data:
- Download a complete copy of your data in JSON format: Settings → Data Management → Export Data
- Includes: goals, diary entries, manifestations, schedules, reminders, gratitude entries, profile info
- Data portability: Use your data with other services

Delete Your Data:
- Permanently delete your account and all associated data: Settings → Data Management → Delete Account
- Immediate and irreversible deletion from all systems
- Cannot be recovered after deletion
- See Section 7.2 for full deletion details

Correct Your Data:
- Update profile information anytime: Profile → Edit
- Edit goals, diary entries, schedules, etc. within their respective screens

Opt-Out of Analytics:
- Disable Firebase Analytics: Settings → Privacy → Analytics (toggle off)
- Note: This does not affect core functionality

Manage Notifications:
- Control notification types: Settings → Notifications
- Disable all notifications in iOS Settings → BlessSoul → Notifications

Control iCloud Sync:
- Enable/disable iCloud sync: iOS Settings → Apple ID → iCloud → BlessSoul

6.2 GDPR Rights (European Economic Area Users)

SOLO DEVELOPER NOTICE: As a one-person operation, privacy rights requests are handled by the sole developer. Response times may be at the maximum timeframes permitted by GDPR (30 days, extendable to 60 days for complex requests with notification).

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Right to Access:
- Request a copy of all personal data we hold about you
- Receive information about how we process your data

Right to Rectification:
- Correct inaccurate or incomplete personal data

Right to Erasure ("Right to be Forgotten"):
- Request deletion of your personal data
- We will delete data unless we have a legal obligation to retain it

Right to Restriction of Processing:
- Request that we limit how we use your data in certain circumstances

Right to Data Portability:
- Receive your data in a structured, commonly used, machine-readable format (JSON)
- Transmit your data to another service provider

Right to Object:
- Object to processing of your data for certain purposes (e.g., analytics)
- We will stop processing unless we have compelling legitimate grounds

Right to Withdraw Consent:
- Withdraw consent for data processing at any time
- Does not affect the lawfulness of processing before withdrawal

Right to Lodge a Complaint:
- File a complaint with your local data protection authority if you believe we've violated GDPR
- EU: https://edpb.europa.eu/about-edpb/board/members_en

How to Exercise GDPR Rights:
- Email: support@blesssoul.com with subject line "GDPR Request"
- Include: Your registered email, specific request, and verification information
- Response time: Within 30 days as required by GDPR Article 12(3)
- Extension: May be extended to 60 days for complex requests; we will inform you of any extension within the first 30 days and explain the reasons for the delay
- Solo Developer Note: As a one-person operation, complex requests may require the full 60-day extension period

6.3 CCPA Rights (California Residents)

SOLO DEVELOPER NOTICE: As a one-person operation, privacy rights requests are handled by the sole developer. Response times may be at the maximum timeframes permitted by CCPA (45 days, extendable to 90 days for complex requests with notification).

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

Right to Know:
- What personal information we collect
- Categories of sources from which we collect information
- Business or commercial purpose for collecting information
- Categories of third parties with whom we share information

Right to Delete:
- Request deletion of your personal information
- Exceptions: We may retain data if required by law or necessary for legal compliance

Right to Opt-Out of Sale:
- We do NOT sell personal information (nothing to opt out of)

Right to Non-Discrimination:
- We will not discriminate against you for exercising your CCPA rights
- Same service, quality, and pricing regardless of rights exercise

How to Exercise CCPA Rights:
- Email: support@blesssoul.com with subject line "CCPA Request" or "California Privacy Request"
- Include: Your registered email, specific request, and verification information
- Verification required: We may ask for additional information to verify your identity
- Response time: Within 45 days as required by CCPA
- Extension: May be extended to 90 days for complex requests; we will inform you of any extension within the first 45 days and explain the reasons for the delay
- Solo Developer Note: As a one-person operation, complex requests may require the full 90-day extension period

Authorized Agent:
- You may designate an authorized agent to make requests on your behalf
- We require written proof of authorization

6.4 Other Regional Rights

Brazilian Users (LGPD):
- Similar rights to GDPR users
- Contact: support@blesssoul.com with subject "LGPD Request"
- Response within 30-60 days (solo developer constraints)

Canadian Users (PIPEDA):
- Right to access and correct personal information
- Contact: support@blesssoul.com
- Response within 30 days

Indian Users (Personal Data Protection Bill - when enacted):
- We will comply with Indian data protection laws when enacted
- Contact: support@blesssoul.com with privacy requests
- As an Indian developer, we are committed to complying with Indian data protection regulations

All Users:
- Regardless of location, we honor data privacy requests within the timeframes required by applicable law
- Contact support@blesssoul.com with any privacy concerns
- Solo Developer Note: As a one-person operation, we may require the full time permitted by law to process complex requests

7. Data Retention and Deletion

7.1 Active Accounts

We retain your data as long as your account is active and you maintain a subscription or are within the grace period.

Data Lifecycle:
- During trial (7 days): Full data retention
- Active subscription: Full data retention and sync
- Grace period (30 days post-expiration): Read-only data retention
- Day 30 post-expiration: Automatic deletion (see Section 7.3)

7.2 Manual Account Deletion (User-Initiated)

When you manually delete your account (Settings → Data Management → Delete Account):

Immediate Deletion (Within seconds):
- Your profile is removed from Supabase database
- All user-generated content deleted:
- Goals, milestones, progress data
- Diary entries (encrypted)
- Manifestations, affirmations, gratitude entries
- Schedule blocks and time blocks
- Reminders and tasks
- Profile picture from storage
- Quote favorites and interactions
- Subscription tracking records
- Your authentication session is terminated
- CloudKit data is marked for deletion
- Local device storage is cleared:
- CoreData database erased
- Cached files removed
- Encryption keys deleted from Keychain

Within 24-48 Hours:
- CloudKit data fully removed from iCloud
- iCloud backups no longer contain your data

Within 30 Days:
- Backups containing your data are purged
- Any residual logs are anonymized

Permanent and Irreversible:
- Once deletion is initiated, it cannot be undone
- Data cannot be recovered by you or by us
- Your email address is released and can be used for a new account

What May Be Retained (Legal Requirements):
- Minimal information for legal compliance (e.g., fraud prevention, tax records): anonymized user ID, subscription dates (no personal content)
- Anonymous analytics data (cannot be linked back to you)
- Deletion logs (for audit purposes)
- Retention period: As required by Indian law (typically 5-7 years for financial records)

Confirmation:
- You'll receive a confirmation email that account deletion is complete
- Email sent to your registered email address (last communication)

7.3 Automatic Account Deletion (Subscription Lapse)

If your subscription expires and is not renewed:

Timeline:

Days 0-29 (Grace Period):
- Your account remains active but in read-only mode
- All data is retained and accessible
- You can view but not edit content
- Email reminders sent

Day 30 (Account Deletion):
- Account is automatically and permanently deleted
- Same deletion process as manual deletion (Section 7.2)
- Final "Account Deleted" email sent before deletion
- Data cannot be recovered

Resubscribe to Prevent Deletion:
- Resubscribing at any time before day 30 immediately restores full access
- All your data is preserved
- No data loss

7.4 Subscription Cancellation (Different from Account Deletion)

Important: Cancelling your subscription is NOT the same as deleting your account.

When you cancel your subscription through Apple:
- Access continues until the end of your current billing period
- After the billing period ends, your account enters the grace period (Days 0-29)
- Your data is NOT immediately deleted
- You have 30 days total to resubscribe before automatic deletion

To avoid automatic deletion:
- Resubscribe before day 30, OR
- Manually export your data (Settings → Data Management → Export Data)

7.5 Data Retention for Deleted Accounts

Personal Data: Permanently deleted (see Section 7.2)

Anonymous Analytics: May be retained indefinitely (cannot be linked to you)

Legal Records: Minimal data retained as required by Indian law (anonymized where possible):
- Subscription billing history (for tax compliance): 7 years
- Fraud prevention records: 5 years
- Legal hold requests: Duration of legal matter

Backups: Purged within 30 days of account deletion

8. Children's Privacy

8.1 Age Requirement

BlessSoul is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age.

8.2 COPPA Compliance

In compliance with the Children's Online Privacy Protection Act (COPPA):
- We do not knowingly collect, use, or disclose personal information from children under 13
- We do not market to children under 13
- We do not display advertising to any users (including those 13+)

8.3 Parental Notice

If you believe we have inadvertently collected information from a child under 13:
- Contact us immediately: support@blesssoul.com with subject line "Child Privacy Concern"
- Provide: The child's name, email (if known), and your relationship to the child
- We will promptly:
- Investigate the matter
- Delete the child's account and all associated data
- Implement additional safeguards to prevent future occurrences
- Respond to you within 48-72 hours (solo developer response time)

8.4 Age Verification

8.5 Parental Rights

Parents/guardians of users aged 13-17 may:
- Request access to their child's account information
- Request deletion of their child's account
- Contact: support@blesssoul.com with proof of guardianship
- Response within 5-10 business days (solo developer constraints)

9. Diary Content Analysis (Local NLP Processing)

9.1 Soul Spark Quote Personalization

IMPORTANT DISCLOSURE: BlessSoul uses LOCAL natural language processing (NLP) to analyze keywords in your diary entries for quote personalization in the "Soul Spark" feature.

What We Analyze:
- Keywords and mood-related words in your diary text (e.g., "stressed," "happy," "anxious," "work," "love," "family")
- Emotional context to suggest relevant inspirational quotes
- Analysis happens ON YOUR DEVICE ONLY - your diary content is NEVER sent to servers
- No human ever reads your diary - processing is automated and local

Example:
- You write in your diary: "Feeling anxious about work presentations"
- Local NLP detects keywords: "anxious," "work"
- App suggests quotes about: Calm, Confidence, Professional Success
- Your diary text is NOT transmitted anywhere

9.2 Privacy Protection

How This Protects Your Privacy:
- ✓ All NLP processing is LOCAL (happens on your iPhone/iPad only)
- ✓ Diary content NEVER leaves your device
- ✓ No data sent to our servers, Claude AI, or any third party
- ✓ Keywords are NOT stored - analysis is performed in real-time when you view Soul Spark
- ✓ You can disable by simply not using Soul Spark feature
- ✓ Encrypted diary entries remain encrypted (AES-256-GCM) - NLP only processes unencrypted entries

NLP Technology Used:
- Basic keyword matching using iOS natural language framework
- NOT cloud-based AI - no GPT, Claude, or other cloud services involved
- No machine learning - simple pattern matching only
- No data collection - analysis results are not logged or stored

You Control This:
- Don't use Soul Spark if you prefer no diary analysis
- Lock diary entries to exclude them from NLP (locked entries are encrypted and skipped)
- Delete diary entries anytime to remove them from analysis

10. AI-Generated Content and Privacy Implications

20.1 Claude AI Integration

IMPORTANT DISCLOSURE: BlessSoul uses Claude AI (developed by Anthropic, Inc.) to generate daily quotes and inspirational content.

Privacy Implications:

What is NOT Shared with Anthropic/Claude AI:
- ✗ Your personal information (name, email)
- ✗ Your user-generated content (goals, diary entries, schedules)
- ✗ Your subscription information
- ✗ Your device information
- ✗ Any personally identifiable information

What IS Shared with Anthropic/Claude AI:
- ✓ Generic prompts only (e.g., "Generate an inspirational quote about perseverance")
- ✓ No user-specific or personalized data
- ✓ API requests may be logged by Anthropic for abuse prevention (per their privacy policy)

Data Processing:
- Requests to Claude AI API are made from our backend server
- Requests do not include user identifiers
- Responses (quotes) are stored in our database for reuse (reduces API costs and improves performance)
- Stored quotes are not linked to individual users

Anthropic's Privacy Policy:
- Subject to Anthropic's privacy policy: https://www.anthropic.com/privacy
- Anthropic may log API requests for security and abuse prevention
- Anthropic does not receive your personal data through our integration

16.2 Quote Storage and Sharing

When you save or share a quote:
- Quote is saved to your local device (your control)
- If you share to social media, subject to that platform's privacy policy
- We do not track quote sharing (no analytics on external shares)

Privacy Best Practice:
- Do not include personal information when sharing quotes
- Be aware that shared content may be public (depending on platform)

16.3 AI Content Disclaimers

Privacy-Related Disclaimers:
- AI-generated quotes are not personalized to you (privacy-protective)
- We do not send your personal data to AI providers
- Quotes are generic and generated in batches (not linked to individual users)
- Your use of quotes does not reveal personal information about you

See Terms of Service Section 14 for full AI content disclaimers regarding copyright and accuracy.

19. Mental Health Crisis Resources

19.1 NOT A MENTAL HEALTH SERVICE

CRITICAL REMINDER: BlessSoul's mood tracking and diary features are for personal reflection ONLY, not mental health treatment.

If experiencing mental health crisis, severe depression, anxiety, or suicidal thoughts:

GLOBAL CRISIS RESOURCES:

INDIA:
- Emergency Services: 112 (Police/Medical/Fire)
- Mental Health Directory: https://www.nimhans.ac.in/
- Global Helpline Directory: https://findahelpline.com

UNITED STATES:
- 988 Suicide & Crisis Lifeline: Call or text 988
- Crisis Text Line: Text HOME to 741741

UNITED KINGDOM:
- Samaritans: 116 123 (free 24/7)
- Emergency Services: 999 or 112

GLOBAL:
- Find Local Helplines: https://findahelpline.com
- International Crisis Resources: https://www.iasp.info/resources/Crisis_Centres/

IMPORTANT: Close the app and get professional help immediately if in crisis. This app cannot replace professional mental health care.

20. International Data Transfers

20.1 Global Availability

BlessSoul is available globally (excluding certain regions in the initial release). Your data may be transferred to, stored in, and processed in countries outside your country of residence, including the United States, where our servers and third-party service providers are located.

Developer Location: The developer is based in Shivamogga, Karnataka, India, but backend infrastructure is located in the United States.

16.2 Data Transfer Mechanisms

We ensure appropriate safeguards are in place to protect your data during international transfers (within solo developer resource constraints):

For EEA/UK/Swiss Users:
- Data transfers to the United States are conducted under:
- Standard Contractual Clauses (SCCs) (where available from service providers)
- Adequacy decisions where applicable
- Additional safeguards: Encryption, access controls, data minimization
- Solo Developer Limitation: We rely on third-party service providers' compliance mechanisms (Supabase, Firebase, etc.) as we lack resources for independent legal frameworks

For All Users:
- Data protection standards equivalent to this Privacy Policy
- Contractual obligations with service providers (where available)
- Regular review of service provider practices (within solo developer capacity)

16.3 Data Storage Locations

14.4 Your Consent

By using BlessSoul, you consent to:
- Transfer of your information to the United States and other countries
- Processing of your data in countries that may have different data protection laws than your country of residence (including India)
- Application of this Privacy Policy and Indian law (see Terms of Service Section 14)

If you do not agree, please do not use BlessSoul.

12.5 Indian Users

For users in India:
- Developer is based in India (Shivamogga, Karnataka)
- Data is transferred to US for backend processing (Supabase, Firebase)
- We comply with applicable Indian data protection laws
- When India's Personal Data Protection Bill becomes law, we will update our practices accordingly

19. Cookies and Tracking Technologies

19.1 No Cookies for Advertising

BlessSoul does NOT use cookies or similar tracking technologies for advertising, marketing, or behavioral targeting purposes.

19.2 Local Storage (Not Cookies)

We use minimal local storage on your iOS device for essential functionality:

Session Management:
- Authentication tokens (to keep you logged in)
- Session expiration management
- Stored securely in iOS Keychain

Caching:
- Offline access to your data
- Faster loading times
- Reduced network usage

Preferences:
- Theme settings (light/dark mode)
- Notification preferences
- Language settings
- Feature onboarding states (which tutorials you've seen)

Analytics (Firebase):
- Anonymous device identifiers for analytics
- Can be disabled in Settings → Privacy → Analytics

13.3 Third-Party Tracking

13.4 Your Control

You can clear local data by:
- Signing out of the app
- Deleting and reinstalling the app
- Deleting your account entirely

20. Security Incident Response

20.1 Our Commitment

We take security incidents seriously and have procedures in place to respond promptly (within solo developer constraints).

16.2 In the Event of a Data Breach

Our Response:
- Immediate investigation and containment (as soon as developer is aware)
- Assessment of affected data and users
- Notification to affected users within 72 hours as required by GDPR Article 33-34
- Notification to relevant authorities (as required by law)
- Remediation and prevention measures

What You'll Receive:
- Email notification describing the incident
- Information about what data was affected
- Steps we're taking to address the breach
- Recommended actions you should take
- Contact information for questions

Solo Developer Limitation:
- Response may be delayed if breach occurs during off-hours, weekends, or developer illness
- We will respond as quickly as possible given one-person operation
- We aim to meet the 72-hour notification requirement; in case of developer illness or emergency, notification may be delayed but will occur as soon as reasonably practicable

16.3 Your Role

If you suspect unauthorized access to your account:
- Change your password immediately
- Enable additional security (if available)
- Contact us: support@blesssoul.com with subject "Security Concern"
- Review recent activity in your account

14.4 Security Best Practices

19. Changes to This Privacy Policy

19.1 Updates and Revisions

We may update this Privacy Policy from time to time to reflect:
- Changes in our data practices
- New features or services
- Feedback from users
- Changes in applicable laws (GDPR, CCPA, Indian data protection laws, etc.)
- Security improvements
- Changes to third-party services

19.2 Notification of Changes

We will notify you of material changes by:
- Updating the "Last Updated" date at the top of this policy
- Displaying a prominent notice in the app upon your next login
- Sending an email to your registered email address
- Requiring acceptance of updated policy before continuing to use the app (for material changes)

Notification Timeline:
- Minor changes (clarifications, formatting): Notice at time of change
- Material changes (new data collection, new third-party services): 30 days' advance notice (when reasonably possible)

13.3 Your Acceptance

13.4 Version History

We maintain a history of Privacy Policy changes:
- Request previous versions by emailing support@blesssoul.com
- Significant changes will be summarized in the app

20. Contact Us

20.1 Privacy Questions and Requests

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: support@blesssoul.com

Subject Lines for Specific Requests:
- General questions: "Privacy Question"
- GDPR requests: "GDPR Request"
- CCPA requests: "CCPA Request"
- Data deletion: "Delete My Data"
- Data export: "Export My Data"
- Security concerns: "Security Concern"
- Child privacy: "Child Privacy Concern"

Developer: Praveena H D
Location: Shivamogga, Karnataka, India
Support Hours: Monday - Friday, 9 AM - 5 PM India Standard Time (IST)
Response Time: We aim to respond within 2-5 business days for general inquiries

For GDPR/CCPA requests:
- GDPR: 30 days (extendable to 60 days for complex requests)
- CCPA: 45 days (extendable to 90 days for complex requests)
- Complex requests may require the full extension period due to solo developer constraints

16.2 Information to Include in Requests

To process your request efficiently, please include:
- Your registered email address
- Specific nature of your request
- Any relevant details or documentation
- For data access/deletion: Verification information (we may ask for additional verification)

16.3 Data Protection Officer (DPO)

Solo Developer Note: As a one-person operation, we do not have a dedicated Data Protection Officer. All privacy inquiries are handled by the developer directly.

19. Dispute Resolution

19.1 Informal Resolution

If you have a complaint about our privacy practices:

Step 1: Contact us first at support@blesssoul.com
- We will make good-faith efforts to resolve your concern
- Most issues can be resolved quickly through communication
- Timeframe: We'll respond within 2-5 business days and work toward resolution within 30 days

19.2 Regulatory Authorities

If your concern is not resolved to your satisfaction, you may file a complaint with your local data protection authority:

European Economic Area (EEA):
- Contact your national Data Protection Authority
- Directory: https://edpb.europa.eu/about-edpb/board/members_en

California Residents:
- California Attorney General
- Website: https://oag.ca.gov/contact
- Phone: (916) 210-6276

Indian Residents:
- Once India's data protection authority is established, contact information will be provided
- Currently: Ministry of Electronics and Information Technology (MeitY)

Other Regions:
- Contact your local consumer protection or data privacy authority

19.3 Arbitration

Privacy disputes may be subject to the arbitration and dispute resolution provisions in our Terms of Service (Section 14), including:
- Exclusive jurisdiction in Shivamogga, Karnataka, India
- Mandatory mediation before litigation
- Fee shifting (loser pays winner's legal costs)

20. Your Consent and Acknowledgment

20.1 By Using BlessSoul, You Consent To:

16.2 If You Do Not Agree

If you do not agree to this Privacy Policy:
- Do not create an account or use BlessSoul
- If you have an existing account, delete it via Settings → Data Management → Delete Account
- Contact us with questions before using the Service

19. Additional Information

19.1 Do Not Track (DNT)

19.2 Biometric Data Clarification

19.3 Data Minimization

We practice data minimization (within resource constraints):
- We collect only data necessary to provide the Service
- We do not collect data "just in case" we might need it later
- Optional fields (date of birth, profile picture) are truly optional

19.4 Privacy by Design

Privacy is built into BlessSoul from the ground up:
- End-to-end encryption for diary entries
- Anonymous analytics (cannot be linked to you personally)
- Local-first data storage with optional cloud sync
- No advertising or tracking
- User control over data (export, delete)

19.5 Solo Developer Transparency

We believe in transparency about our limitations:
- This is a one-person operation with limited resources
- We cannot provide enterprise-level privacy infrastructure
- We comply with applicable privacy regulations within the requirements of the law
- We prioritize user privacy within our capabilities
- We appreciate your understanding and patience

20. Quick Reference Guide

Key Privacy Facts At a Glance:

Data Collection:
- Account info, user-generated content, usage analytics
- NO precise location, contacts, photos (except profile), or biometric data

Data Storage:
- Supabase (US), iCloud (optional), local device
- Encryption: AES-256-GCM for diary entries, HTTPS for all connections

Third-Party Services:
- 8 total: Supabase, Firebase, Google Sign-In, RevenueCat, iCloud, Resend, App Store, Claude AI
- NO advertising networks or data brokers

Your Rights:
- Access, export, delete, correct, opt-out
- GDPR compliant (EEA users)
- CCPA compliant (California users)

Data Selling:
- NEVER - we don't sell your data

Advertising:
- NONE - no ads, no ad trackers

Age Requirement:
- 13+ years

Data Deletion:
- Immediate and permanent
- Backups purged within 30 days

Auto-Deletion:
- Day 30 after subscription expires

AI Content:
- Quotes generated by Claude AI
- Your personal data NOT shared with AI provider

Solo Developer:
- One-person operation
- General inquiries: 2-5 business days
- GDPR: 30 days (extendable to 60)
- CCPA: 45 days (extendable to 90)

Contact:
- support@blesssoul.com
- Shivamogga, Karnataka, India

This Privacy Policy is effective as of January 1, 2025.
Last Updated: November 1, 2025

© 2025 Praveena H D. All rights reserved.

END OF PRIVACY POLICY