Privacy Policy

Last updated: May 16, 2026

Data controller: Markiva Solutions LLP, operator of Rhemabase.

1. Plain-English Summary

Rhemabase is a faith platform where you read the Bible, journal, and connect with other believers. Here's what you should know up front:

  • We do not sell your data to anyone.
  • We do not run advertising trackers.
  • Direct messages and group chats are private to the participants, but they are not end-to-end encrypted — our administrators can read them when responding to abuse reports or court orders.
  • Anything you post publicly (community posts, testimonies, prayer requests not marked anonymous) is visible to other signed-in users.
  • You can export or delete your data at any time. Account deletion is permanent.

2. Information We Collect

Account information

Email address, display name, optional bio, and (if you sign in with Google) your name, profile picture, and the OAuth identifier that Google sends us. Your password is never stored in plaintext — Supabase handles hashing.

User-generated content

Anything you write inside the platform: journal entries, notes, highlights, bookmarks, reading plan progress, community posts, prayer requests, testimonies, mentorship messages, accountability check-ins, group messages, direct messages, group/church descriptions, and content reports.

Relationship data

Circle connections, group memberships, mentorship matches, accountability partnerships, church memberships, and the timestamps on each.

Usage data

Pages visited, Bible chapters read, features used, timestamps, and approximate location derived from IP for fraud prevention and rate-limiting. We use Vercel Analytics and Vercel Speed Insights for aggregate (non-identifying) performance data.

Payment information

When you subscribe, payment details (card number, UPI ID, etc.) are collected by Cashfree Payments, our payment processor. We never see or store full card numbers. We only receive a Cashfree customer/order/token identifier, the amount, and the status of the payment.

Diagnostic data

When something breaks, we log the error message, stack trace, page URL, and your user ID so admins can fix it. These appear in our internal “errors” queue and are kept for 90 days.

3. Communication Features — Who Sees What

Different surfaces have different visibility. We've made this explicit so you can make informed choices.

Direct messages (DMs)

Private to the two participants. Stored in our database under row-level security. Not end-to-end encrypted — this means our administrators using the service role key can technically read them. We only do so when responding to abuse reports, legal requests, or to debug serious bugs. You can edit or delete your own messages at any time.

Group chats and mentorship chats

Visible to every member of the group or mentorship match (and our administrators). Same encryption status as DMs.

Community posts, testimonies, prayer requests

Visible to every signed-in user on Rhemabase. Prayer requests marked “Anonymous” hide your display name from other users but are still associated with your account internally for moderation. Posts you delete are removed from the public feed immediately.

Profile fields

Your display name, bio, founding-member badge (if applicable), and approximate join date are visible to other signed-in users who interact with you (e.g. via Circle search, group rosters, post author labels). Your email address is never shown to other users.

Private content

Journal entries, notes, bookmarks, reading-plan progress, and accountability check-in details are visible only to you (and administrators when handling support requests).

4. Moderation and Automated Filtering

We run an automated profanity filter on every user-text input (display names, posts, prayers, testimonies, group/mentorship/DM messages, group names). Content the filter flags is rejected client-side and never reaches our database.

Any user can report any post or message. Reports contain the reporter's user ID, the reason, optional details, and the content being reported. Reports are reviewed by administrators who can read the surrounding context (including the parent message thread). Reports are retained for 12 months.

5. How We Use Your Information

  • To provide, maintain, and improve the platform
  • To personalize the dashboard, reading plan suggestions, and translation defaults
  • To process subscriptions and payments via Cashfree
  • To send transactional emails (sign-in confirmations, payment receipts, account changes)
  • To respond to support requests
  • To detect and prevent abuse, spam, and harassment
  • To enforce our Terms of Service and respond to legal requests
  • To compile non-identifying usage statistics for product decisions

We do not use your data for advertising, sell it to data brokers, or train third-party AI models on it.

6. Subprocessors

We use the following service providers to operate the platform. Each has its own privacy policy that governs its handling of your data.

  • Supabase — database, authentication, file storage, and real-time messaging infrastructure. Data residency: see Supabase project region.
  • Vercel — web application hosting, edge compute, analytics, and speed insights.
  • Google — OAuth sign-in (only if you choose “Continue with Google”).
  • Cashfree Payments — subscription billing, card / UPI / netbanking processing, recurring charges, and refunds.
  • hCaptcha — bot detection on the signup form. Collects browser fingerprint signals (used only for the human check, never for ads).
  • Resend — transactional email delivery (sign-in confirmations, receipts, password resets).
  • bolls.life and bible-api.com — Bible text content. We send only the verse reference you request (e.g. “John 3:16”), no personal information.
  • Frankfurter API — daily USD/INR exchange rate for displayed pricing. We send no personal information.

7. Data Storage and Security

Your data is stored in Supabase's managed PostgreSQL with row-level security policies that prevent users from reading each other's private data at the database layer. All traffic is encrypted in transit (HTTPS / TLS). Data at rest is encrypted by Supabase using AES-256.

Administrative access using the Supabase service role is restricted to Markiva Solutions LLP staff and logged. We follow industry-standard practices, but no system on the public internet is 100% secure. We will notify affected users promptly in the event of a confirmed data breach.

8. Cookies and Tracking

We use cookies and similar storage only for essential platform functions: authentication, session management, your language / translation preference, and the founding-member celebration modal. We do not use advertising cookies, third-party cross-site trackers, or fingerprinting. We do not run Facebook Pixel, Google Analytics, or any equivalent.

9. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data (most fields are self-editable in /profile)
  • Delete your account and associated data
  • Export your data in a portable format
  • Opt out of non-essential email communications
  • Withdraw consent for data processing (note: this may require account deletion since most processing is necessary to provide the service)

To exercise any of these rights, email support@rhemabase.com from the address associated with your account. We respond within 30 days.

10. Account Deletion

You can delete your account from /profile under “Delete Account”. When you do:

  • Your auth record, profile, notes, bookmarks, journal entries, reading-plan progress, group memberships, Circle connections, direct messages, and subscriptions are deleted from our database.
  • We retain a minimal record of the deletion (user id, email, deletion timestamp, optional reason) for fraud prevention and accounting compliance.
  • Messages you sent that other people received: the content is deleted from our database, but other participants' copies (in transit, in cached views) may persist briefly until the recipient's next page load.
  • Cashfree retains payment records as required by Indian tax and AML law (typically 7–10 years) regardless of your account status with us.
  • If you lead a small group or church with other members, account deletion is blocked until you transfer leadership or delete those entities. This prevents accidentally wiping out a community by deleting your own account.

11. Children's Privacy

The platform is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@rhemabase.com and we will delete it.

The Kids & Family features (Bible Stories, Memory Verses, Family Devotionals) are designed to be used by parents and guardians together with their children, under a parent or guardian's own account. They are not a separate child-account product.

12. International Data Transfers

Our subprocessors operate in multiple jurisdictions including the United States, India, and the European Union. By using Rhemabase you consent to the transfer of your data to these jurisdictions for the purpose of providing the service. Where required by law (e.g. EU GDPR), our subprocessors operate under standard contractual clauses.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. We will notify users of material changes via the platform or email at least 14 days before they take effect. Your continued use of the platform after that period constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions, data subject requests, or to report a privacy concern, contact us at support@rhemabase.com.

Data controller: Markiva Solutions LLP. All correspondence regarding personal data may also be addressed to the legal entity at the same email.