Privacy Policy

Last updated:


1. Introduction

Theo ("we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App"). Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the App.

We reserve the right to make changes to this Privacy Policy at any time and for any reason. We will alert you about any changes by updating the "Last updated" date of this Privacy Policy. You are encouraged to periodically review this Privacy Policy to stay informed of updates.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide to us when you register on the App, express an interest in obtaining information about us or our products and services, or otherwise contact us. The personal information we collect may include:

  • Account Information: Email address, name (if provided via social login), profile information
  • Authentication Data: OAuth tokens from Apple Sign-In or Google Sign-In
  • Usage Data: Questions you ask, conversations you create, theologian selections you make, responses you receive
  • Subscription Information: Payment processing handled by Apple; we receive confirmation of active subscription status only

2.2 Device Information

We automatically collect certain information when you use the App:

  • Device type and model
  • Operating system version
  • App version
  • Unique device identifiers
  • Crash reports and performance data

2.3 Third-Party Data Sharing

We share data with the following third-party service providers to operate the App:

  • Supabase (Database Hosting): Stores user account data, conversations, messages, and preferences. Data location: United States. Privacy policy: https://supabase.com/privacy
  • Google Gemini (AI Processing): Processes your questions to generate theologian-attributed responses. We share only your question text, not personally identifiable information. Privacy policy: https://policies.google.com/privacy
  • Apple Sign-In (Authentication): Provides authentication services. We receive email address and name (optional). Privacy policy: https://www.apple.com/legal/privacy/
  • Google Sign-In (Authentication): Provides authentication services. We receive email address, name, and profile photo. Privacy policy: https://policies.google.com/privacy

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To create and manage your account
  • To authenticate your identity
  • To provide theologian-attributed responses to your questions
  • To maintain conversation history across your devices
  • To process and manage subscription payments
  • To send you important service updates and notifications (not marketing)
  • To improve app performance and user experience
  • To detect and prevent technical issues and security threats
  • To comply with legal obligations

We do not sell your personal information to third parties.

4. Your Rights (GDPR/CCPA)

4.1 GDPR Rights (European Union Users)

If you are a resident of the European Union, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to Access: You have the right to request copies of your personal data
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete data
  • Right to Erasure: You have the right to request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data
  • Right to Data Portability: You have the right to request transfer of your data to another organization or directly to you
  • Right to Object: You have the right to object to our processing of your personal data
  • Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing

4.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 1, 2026:

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell
  • Right to Delete: You have the right to request deletion of your personal information
  • Right to Correct: You have the right to request correction of inaccurate personal information
  • Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information (we do not sell or share your data)
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights

Opt-Out Confirmation (CCPA 2026 Requirement): If you submit an opt-out request for data sharing, we will display "Opt-Out Honored" status in your account settings within 15 business days of processing your request. You can verify your opt-out status at any time by logging into the App and navigating to Settings > Privacy.

4.3 Exercising Your Rights

To exercise any of these rights, please contact us at:

We will respond to your request within 30 days for GDPR requests and 45 days for CCPA requests. We may require verification of your identity before processing your request.

5. Data Retention and Deletion

We retain your personal data for as long as your account is active or as needed to provide you services. You may request deletion of your account and associated data at any time.

5.1 Account Deletion Process

To delete your account, open the Theo app and navigate to Settings > Account > Delete Account. Upon account deletion:

  • Your account information is immediately deactivated and inaccessible
  • All conversations and messages are permanently deleted from our production database within 30 days
  • Personal information is removed from our active systems
  • Backup copies are purged within 90 days
  • Some information may be retained as required by law or for legitimate business purposes (e.g., fraud prevention, financial records)

5.2 Inactive Account Policy

If your account remains inactive (no login) for 3 years, we may delete your account and associated data after providing 30 days' notice to your registered email address.

6. Children's Privacy

Theo is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verification of parental consent, we will delete that information as quickly as possible.

If you believe we have collected information from a child under 13, please contact us immediately at privacy@wesleydickens.com.

7. Security of Your Information

We use administrative, technical, and physical security measures to protect your personal information. These measures include:

  • HTTPS encryption for all data in transit
  • Encrypted database storage for data at rest
  • OAuth 2.0 authentication protocols
  • Secure database access controls and authentication
  • Regular security audits and updates

Despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against interception or misuse. We cannot guarantee the absolute security of your information.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

If you are located in the European Economic Area (EEA), we transfer your personal data to the United States where our service providers operate. We ensure appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission.

9. AI-Generated Content

Theo uses artificial intelligence (Google Gemini) to generate responses to your questions. These responses are:

  • Generated based on trained models and historical theological texts
  • Attributed to theologians but are AI interpretations, not direct human responses
  • Subject to potential errors or inaccuracies inherent in AI systems
  • Not a substitute for professional theological, spiritual, or religious counsel

Your questions are processed by Google Gemini's API. We do not share personally identifiable information with the AI service beyond the question text you submit.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Post the revised policy at this URL
  • Notify you via in-app notification if changes are material

Your continued use of the App after any changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

For GDPR-related inquiries, you may also contact your local data protection authority.