ReflectSign in

Trust Covenant

Privacy as ministry — what we promise about what you share.

People share intimate things in Reflect — prayers, journal entries, the things they're carrying that they won't tell anyone else. Treating that data with anything less than complete care is a values failure, not just a compliance one. What follows is what we promise. Plain language, not legalese. The legal version lives at /privacy.

Why we wrote this down

Most apps treat user data as an asset to monetize. Reflect can't — not because of regulation, but because the practice it serves is incompatible with that. If Reflect mined prayer text for marketing, the practice itself becomes hollow. This covenant exists to close that door publicly, before it could ever be opened.

1. Never sell data.

Ever. Not aggregated. Not anonymized. Not “for partners.” Not for any reason. If Reflect ever changes hands, this covenant transfers with it; if it can't, you get exported and the data is destroyed.

2. Never mine prayer or journal content for marketing or product analytics.

Your words are between you and God. The server reads them only to generate your next reflection. We don't run engagement analyses on what you wrote. We don't surface “popular topics” extracted from your prayer text. We don't hunt for trends across users that we'd then market.

3. Encryption at rest.

Everything you write — prayers, journal entries, reflection responses, season descriptions, family details — is additionally encrypted with AES-256-GCM before it ever lands in our database. The encryption key is held server-side only, in production environment variables. It is not in the database. The database can be dumped without exposing what you wrote.

4. One-tap data export.

Your data is yours. You can download a complete archive of your reflections, prayers, journal entries, and account details anytime — one tap from your profile. No friction, no support ticket required.

5. One-tap account deletion.

One tap from your profile permanently deletes your data after a 30-day grace window (so an accidental tap is recoverable). No retention dialogues. No “are you sure?” guilt prompts. No upsells before the cancel button.

6. No third-party trackers.

No Firebase Analytics. No Facebook SDK. No advertising IDs collected. No analytics that need your content as input. For crash reports we use Apple MetricKit (iOS) and the equivalent privacy-friendly tooling on Android — both surface aggregate crash data without sending what you wrote to any third party.

7. No ads, ever.

The $6.99/month subscription funds the product. This covenant is sustainable only because the unit economics work without ad revenue. We will never insert ads, sponsored content, or affiliate links into the practice.

8. Transparency about AI.

We tell every user that AI generates the text of their daily reflection — Anthropic's Claude API, under commercial terms that prohibit using your content for model training. The AI doesn't remember you between sessions; each reflection is generated fresh from the context you've already shared with us. This transparency is part of the trust, not separate from it.

If we're ever uncertain

If a feature would require breaking one of these promises to “work,” that's the strongest possible signal that the feature is wrong, not the promise. We won't ship it.

For the legal version of how we handle data — including subprocessors, retention windows, and your rights under applicable law — see /privacy.