Privacy Policy

This is a translation of the German Privacy Policy (Datenschutzerklärung). In case of any discrepancy, the German version shall be the legally binding document.

Last updated: April 9, 2026

1. Data Controller

Theosis OÜ
Tornimae 5, Tallinn 10145, Estonia
Registry code: 17060489
Email: support@theosis-app.com

Competent data protection supervisory authority: Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia.

2. Overview of Processing

THEOSIS is an Orthodox spiritual companion app. We process personal data exclusively within the scope of the purposes and legal bases described below.

3. Data Collected and Purposes

3.1 Registration and Authentication

Upon registration, we collect:

  • Email address (required)
  • Name (optional; obtained from the provider in case of social login)
  • Provider ID (Google or Apple ID in case of social login)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Social login data is processed only on the basis of your active decision.

Provider: Authentication is handled via Supabase Auth (GoTrue), hosted in the EU (AWS Frankfurt). In case of social login, data is transmitted from Google LLC or Apple Inc. (see Section 8).

3.2 App Usage Data

During use of the App, we store the following in your user account:

  • Reading progress, bookmarks, notes, highlights
  • Prayer history and settings
  • Onboarding preferences (chosen path, interests)
  • Gamification data (experience points, badges, streaks)
  • Settings (language, calendar type, font size, theme)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.3 Community Features

When you use community features, the following data is processed:

  • Community posts, questions, and answers (publicly visible to other users)
  • Friend requests and connections
  • Username and profile picture (publicly visible)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Note on AI moderation: Community posts are automatically reviewed by an AI system (Google Gemini via OpenRouter) for violations of the community guidelines. No automated decision with legal effect is made; flagged content is reviewed manually. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the safety of the community).

3.4 Payment Data

When subscribing (EUR 55/year), payment data is processed exclusively by Stripe, Inc. We only store the subscription status and Stripe Customer ID, but no payment method details.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.5 Transactional Emails

We send you the following emails:

  • Confirmation email upon registration
  • Password reset
  • Welcome email after onboarding

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.6 Marketing Emails (Drip Campaign)

After registration, you may opt in to our welcome email series (day 1, 3, and 7 after registration). These emails contain tips on using the App and invitation codes.

Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time -- in the settings under "Email notifications" or via the unsubscribe link in each email.

3.7 Error Reports and Performance

For error detection, we use Sentry (in the app at app.theosis-app.com) and PostHog Error Tracking (on the landing page theosis-app.com). Technical data such as stack traces, browser information, and (anonymized) IP addresses are transmitted. Sentry applies a 10% sampling rate; PostHog captures all uncaught errors.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the stability of the App).

3.8 Rate Limiting

To protect against abuse, we use Upstash Redis for rate limiting. IP addresses and request counters are stored for a short period.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).

3.9 Product Analytics, Heatmaps, and Session Replay

To improve the user experience, debug issues, and optimise our website, we use product analytics and session replay tools. They only load after you actively consent via our cookie banner (Usercentrics).

  • PostHog Cloud (EU) — captures pageviews, clicks, conversion funnels, device information (anonymised IP, browser, OS), and session replays (see below). Processing takes place exclusively in the EU cloud region (Frankfurt, Germany).
  • Microsoft Clarity — produces heatmaps (aggregated click, scroll, and movement maps) and session replays for UX analysis.

What is a session replay? A session replay is a reconstructed sequence of your interactions with the site (mouse movements, clicks, scrolls, page changes). It is not an actual video recording but a DOM-based playback. Sensitive input fields (passwords, payment details, email addresses in forms) and elements marked as confidential are masked by default and never recorded.

Legal basis: Art. 6(1)(a) GDPR (consent via the Usercentrics consent banner). Without your active consent, neither PostHog nor Clarity is loaded. You may withdraw your consent at any time via the cookie banner (fingerprint icon at the bottom left) — collection stops immediately.

Retention: PostHog events up to 12 months, PostHog session replays 30 days. Microsoft Clarity recordings 30 days; labelled/favourited sessions and aggregated heatmaps 13 months.

4. Cookies and Tracking

4.1 Strictly Necessary Cookies

  • Supabase Auth Cookies: Session management (strictly necessary)
  • tw_ok: Whitelist cache cookie (5 min, httpOnly) -- access control
  • NEXT_LOCALE: Language selection

Legal basis: Art. 6(1)(f) GDPR (legitimate interest); strictly necessary under applicable ePrivacy legislation.

4.2 Analytics and Marketing Cookies

We only deploy analytics and marketing cookies when you actively consent via our consent banner (Usercentrics):

  • PostHog Cloud (EU) -- product analytics, funnels, session replay, error tracking (see section 3.9)
  • Microsoft Clarity -- heatmaps, session replay, UX analysis (see section 3.9)
  • Google Analytics 4 (via Google Tag Manager) -- usage analysis
  • Meta Pixel -- conversion tracking
  • TikTok Pixel -- conversion tracking
  • Klaviyo -- email marketing analytics

Legal basis: Art. 6(1)(a) GDPR (consent via Usercentrics). The default consent setting is "declined" (Consent Mode v2) -- without your active consent, no tracking cookies are set.

You may withdraw your consent at any time via the cookie banner (fingerprint icon at the bottom left or in the settings).

5. Recipients and Data Processors

We share your data with the following categories of recipients:

5.1 Hosting and Infrastructure

  • Supabase, Inc. -- Database, authentication, storage (AWS Frankfurt, EU)
  • Vercel, Inc. -- Hosting, CDN, Edge Functions (Frankfurt region)
  • Upstash, Inc. -- Redis rate limiting (EU)

5.2 Authentication

  • Google LLC -- Google OAuth (social login): email, name, profile picture URL, Google ID
  • Apple Inc. -- Apple OAuth (social login): email (possibly relay address), name, Apple ID

5.3 Communication

  • Resend, Inc. -- Email delivery (transactional and marketing emails)

5.4 Payment Processing

  • Stripe, Inc. -- Subscription management, payment processing (PCI-DSS certified)

5.5 Analytics and Marketing (with consent only)

  • PostHog, Inc. -- product analytics, session replay, error tracking. Data processing takes place exclusively in the EU cloud region (Frankfurt, Germany).
  • Microsoft Corporation -- Microsoft Clarity (heatmaps, session replay)
  • Google LLC -- Google Analytics 4, Google Tag Manager
  • Meta Platforms, Inc. -- Meta Pixel
  • ByteDance Ltd. -- TikTok Pixel
  • Klaviyo, Inc. -- Email marketing tracking
  • Usercentrics GmbH -- Consent management

5.6 Error Tracking

  • Sentry (Functional Software, Inc.) -- Error/performance tracking

5.7 AI Services

We use AI models for various functions. Processing is carried out through the following providers:

  • OpenRouter, Inc. -- AI aggregator/router (forwards requests to the respective model providers)
  • Google LLC (Gemini) -- Community moderation, content translations (via OpenRouter)
  • OpenAI, Inc. (GPT) -- Text processing and generation (via OpenRouter)
  • Anthropic, PBC (Claude) -- Text processing, translations, support assistance (via OpenRouter or directly)
  • Groq, Inc. -- Speech-to-text processing (Voice API)
  • ElevenLabs, Inc. -- Text-to-speech for liturgical texts

Note: For community moderation, user-generated content is transmitted to the respective AI provider. The providers process this data exclusively for the purpose of fulfilling the request and do not use it for training their own models (API usage). For all other AI functions (translations, TTS), no personal data is transmitted.

6. Transfers to Third Countries

Some of our data processors are based in the United States. Data transfers are carried out on the basis of the EU-US Data Privacy Framework (DPF) pursuant to Art. 45(3) GDPR and/or on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Specifically:

  • Google, Apple, Vercel, Supabase, Stripe, Sentry, Resend, Klaviyo, Meta, Microsoft: EU-US DPF + SCCs
  • PostHog, Inc.: Although the company is based in the US, all data processing for our instance takes place exclusively in the EU cloud region (Frankfurt) -- no personal data is transferred to third countries. DPA in place under Art. 28 GDPR.
  • OpenAI, Anthropic: EU-US DPF + SCCs
  • ByteDance (TikTok): SCCs -- only with your explicit consent via the consent banner
  • OpenRouter, ElevenLabs, Groq: SCCs

7. Data Retention

  • Account data: Until deletion of your account
  • Usage data (progress, notes, etc.): Until deletion of your account
  • Payment data (at Stripe): In accordance with statutory retention periods (6-10 years)
  • Product analytics events (PostHog): 12 months
  • Session replays (PostHog): 30 days
  • Heatmaps + session replays (Microsoft Clarity): 30 days; labelled/favourited sessions and aggregated heatmaps 13 months
  • Error reports (Sentry): 90 days
  • Error reports (PostHog Error Tracking): 12 months
  • Rate limit data: A few minutes (automatic deletion)
  • Password reset tokens: 1 hour (automatic deletion)
  • Server logs (Vercel): 30 days
  • Consent records: 3 years (in accordance with documentation obligations)

8. Your Rights

Under the GDPR, you have the following rights:

  • Access (Art. 15) -- You may request information about the data we process about you.
  • Rectification (Art. 16) -- You may request the correction of inaccurate data.
  • Erasure (Art. 17) -- You may request the deletion of your data. Upon account deletion, all your data is immediately and permanently deleted from 18 database tables.
  • Restriction (Art. 18) -- You may request the restriction of processing.
  • Data portability (Art. 20) -- You may receive your data in a machine-readable format.
  • Objection (Art. 21) -- You may object to processing based on legitimate interests.
  • Withdrawal of consent (Art. 7(3)) -- You may withdraw consent at any time (e.g., cookies via the banner, marketing emails in the settings).

To exercise your rights, please write to: support@theosis-app.com

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:

Andmekaitse Inspektsioon (AKI)
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Web: https://www.aki.ee

You may also contact the supervisory authority of the member state in which you reside or are located.

10. Account Deletion

You may delete your account at any time in the App settings, or contact support@theosis-app.com. Upon deletion, all personal data is immediately and permanently removed from 18 database tables (cascade deletion). Recovery is not possible.

11. Changes

We reserve the right to amend this Privacy Policy as needed, for example in the event of changes to our services or the legal situation. The current version is always available at this URL.