Privacy Policy
Last updated: [INSERT DATE]
Effective date: [INSERT DATE]
Family Faith Studio is a tool that helps Christian parents talk about faith with their kids. Because we work with families and kid information, we take privacy seriously and try to explain things in plain language. This policy explains what data we collect, how we use it, who we share it with, and what choices you have.
If something here isn’t clear, please email us at [PRIVACY EMAIL] — we’ll get back to you.
1. Who We Are
Family Faith Studio is operated by [BUSINESS LEGAL NAME] (“we,” “us,” or “our”), based at [BUSINESS ADDRESS]. We are the data controller for the personal information described in this policy.
For privacy questions or requests, contact us at [PRIVACY EMAIL].
2. A Note About Kids
The Service is designed for parents and guardians to use with their children — but children do not have accounts of their own. Here’s how that works:
- Only adults (18+) can create accounts. Parents and guardians create family accounts.
- Children don’t log in. There is no direct login for kids. When you (the parent) use the Service, you may share content with your child by reading it to them or showing them your screen.
- Parents enter information about their children. Things like first name or nickname, birth month/year, faith stage, and interests — entered by you, not by your child.
- Wonder Mode (a kid-facing feature, available in our Family Plan) is supervised. When you enter Wonder Mode, you hand your device to your child to browse age-appropriate content. We don’t collect new personal information from your child during these sessions — we only log which questions they tap (to share back with you), not who is tapping.
We do not knowingly collect personal information directly from children under 13 without verifiable parental consent (the legal standard set by the Children’s Online Privacy Protection Act, or COPPA). The data we have about children is provided by their parent or guardian for the purpose of personalizing the family’s experience.
If you believe we have collected personal information from a child outside this arrangement, please contact us immediately at [PRIVACY EMAIL] and we will delete it.
3. Information We Collect
3.1 Information you provide directly
Account information (about parents):
- Name (display name you choose)
- Email address
- Password (stored as a secure hash, never in plain text)
- Time zone
- Optional: profile photo
Family information:
- Family name
- Default Bible translation preference
- Theological tradition preference
- Optional: family motto or verse, family photo
Kid profile information (entered by you about your children):
- Display name (first name or nickname)
- Birth month and year (used to determine age tier)
- Optional: faith stage (Curious / Believing / Questioning)
- Optional: interests (used to personalize AI content)
- Optional: photo
Content you create or generate:
- Questions you ask through Ask Me Anything
- Bible passages you submit for translation
- Devotion themes and topics you request
- Journal entries you write
- Prayers, notes, and milestones you log
- Photos you upload
- Memory verses you track
Payment information:
- We do not store credit card numbers. Payment data is handled directly by Stripe, our payment processor. We store only what Stripe sends us — your subscription status, billing email, and transaction history references.
3.2 Information collected automatically
Usage data:
- Pages and features you use
- Time and date of activity
- Approximate location (derived from IP address — city/region level only)
- Device type and browser
- IP address (stored briefly for security purposes)
Technical data:
- Log files (for debugging and security)
- Error reports
- Session information
We do not use third-party advertising trackers, cross-site behavioral profiling, or social media pixels.
3.3 Information from third parties
If you sign up using Google sign-in, we receive your email address and name from Google. We don’t access your Google contacts, calendar, or other data.
4. How We Use Your Information
We use the data we collect to:
4.1 Provide and operate the Service
- Create and maintain your account
- Generate AI responses to your questions
- Save journal entries and AI generations to your family’s journal
- Process subscription payments
- Send transactional emails (welcome, receipts, account notifications)
- Enforce free tier usage limits
4.2 Personalize your experience
- Calibrate AI-generated content to your kids’ ages and interests
- Show age-appropriate content in the Hard Questions Library
- Default to your family’s preferred Bible translation
- Tailor devotions to the kids participating
4.3 Communicate with you
- Send weekly journal digests (if enabled)
- Send onboarding tips
- Send product updates and new feature announcements (you can opt out)
- Respond to your support requests
4.4 Improve the Service
- Analyze how features are used (in aggregated, de-identified form)
- Diagnose and fix errors
- Identify common questions to expand the Hard Questions Library
- Improve AI prompts and guardrails
4.5 Keep the Service safe
- Detect and prevent fraud, abuse, or violations of our Terms
- Investigate security incidents
- Enforce our Terms of Service
4.6 Comply with legal obligations
- Respond to lawful requests from authorities
- Maintain records for tax and accounting purposes
5. How We Use AI
The Service uses AI (specifically, Anthropic’s Claude API) to generate responses to your questions and to create devotions and passage retellings.
When you submit a question or request, here’s what happens:
- We send your input to Anthropic’s Claude API, along with context about which kid the request is for (age tier, interests) so the response is appropriately calibrated.
- Anthropic processes the request and returns a response.
- We save the response in your family’s journal.
- Anthropic’s data handling policies apply to that processing — see anthropic.com for details.
What we do NOT do with your AI interactions:
- We do not use your specific family content (your questions, your kids’ names, your journal entries) to train or fine-tune AI models.
- We do not share your AI interactions with anyone other than Anthropic for the purpose of generating the response.
- We do not sell or rent your AI interaction data.
What we may do with aggregated, de-identified data:
- We may analyze aggregated patterns across all families (e.g., “the most common Ask Me Anything topics this month”) to improve the Service.
- These aggregations never identify individual families, parents, or kids.
6. Who We Share Your Information With
We share your information only as described below. We do not sell your personal information to anyone, ever.
6.1 Service providers (subprocessors)
We use trusted third-party providers to operate the Service. Each one is contractually bound to handle data securely and only as we instruct.
| Provider | Purpose | What they receive |
|---|---|---|
| Anthropic | AI generation (Claude API) | Your questions, kid age/interests, brief family context |
| Stripe | Payment processing | Name, email, billing info, transaction details |
| Lovable Cloud | Hosting and database infrastructure | All account and content data (stored encrypted) |
| Email delivery provider (via Lovable Cloud) | Sending transactional emails | Email address, name, email content |
If we add or change subprocessors, we’ll update this list and, for material changes, notify account holders by email.
6.2 With other parents on your family account
If you invite a co-parent to your family account, they will have access to family-level data: kid profiles, journal entries, AI generations, and devotions. They will not see your personal account settings (email, password, individual preferences) unless they’re displayed by your choice.
6.3 For legal reasons
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with a law, subpoena, court order, or other legal process
- Protect the rights, property, or safety of our users, ourselves, or others
- Investigate fraud, security issues, or violations of our Terms
We will notify you of legal requests for your data unless legally prohibited from doing so.
6.4 In the event of a business transfer
If we are acquired, merged, or sell some or all of our assets, your data may be transferred as part of that transaction. We will notify you (and give you a chance to delete your data first) before any transfer.
6.5 With your consent
We may share information in other ways if you ask us to or give us your permission.
7. How Long We Keep Your Information
7.1 While your account is active
We keep your data as long as your account is open, so you can continue to use the Service and access your family’s journal.
7.2 After account deletion
When you delete your account:
- Your data is marked deleted immediately and becomes inaccessible to you.
- We retain it for a 30-day grace period during which the primary parent can contact support to restore the account.
- After 30 days, your data is permanently deleted from our active systems.
- Backup systems may retain copies for up to 90 days, after which backups are overwritten.
7.3 Limited retention exceptions
We may retain certain limited information after account deletion to:
- Comply with tax, accounting, and other legal obligations (typically 7 years for financial records)
- Prevent fraud or abuse (e.g., banning a violating account from re-creating)
- Resolve disputes and enforce agreements
These exceptions are limited to the minimum necessary data.
7.4 Activity and error logs
We retain technical logs (error logs, security logs, audit logs) for up to 12 months for operational and security purposes.
8. How We Protect Your Information
We take security seriously. Our safeguards include:
- Encryption in transit: All data sent between you and the Service is encrypted using HTTPS/TLS.
- Encryption at rest: Data stored in our database is encrypted.
- Access controls: Only authorized personnel can access systems containing your data, and access is logged.
- Row-level security: Our database enforces strict row-level security, so no family can access another family’s data.
- Secure payment handling: Payment data is handled by Stripe, a PCI-DSS Level 1 certified provider. We never see or store full payment card details.
- Password hashing: Passwords are stored as one-way hashes; we cannot see your password.
- Audit logging: Administrative access to account data is logged and reviewable.
No system is 100% secure. If we discover a security breach affecting your information, we will notify you and applicable authorities as required by law.
9. Your Rights and Choices
9.1 Access and download
You can view and download your family’s data anytime through the Data section of your account settings. Exports are provided as JSON files.
9.2 Correction
You can edit your account info, family info, kid profiles, and journal entries anytime through account settings.
9.3 Deletion
You can:
- Delete individual journal entries
- Remove kid profiles (with options for what happens to their entries)
- Remove a co-parent from your family
- Delete your entire family account
9.4 Email preferences
You can opt out of non-essential emails (product updates, weekly digests, tips) anytime through settings. We will still send essential transactional emails about your account and subscription.
9.5 Marketing communications
We don’t engage in marketing communications to people outside our active customer base. We don’t share your email with third-party marketers.
9.6 Cookies and tracking
We use only essential cookies needed to operate the Service (session cookies, authentication). We do not use advertising cookies, social media pixels, or cross-site tracking.
9.7 State-specific privacy rights
California residents (CCPA/CPRA): You have additional rights under California law, including the right to:
- Know what personal information we collect, use, disclose, and sell (we don’t sell)
- Request deletion of your personal information
- Opt out of the sale or sharing of personal information (we don’t sell or share for cross-context behavioral advertising)
- Correct inaccurate personal information
- Limit the use of sensitive personal information
- Non-discrimination for exercising these rights
To exercise California rights, email [PRIVACY EMAIL] from the email associated with your account.
Virginia, Colorado, Connecticut, Utah, and other state residents: You may have similar rights under your state’s privacy law. Email [PRIVACY EMAIL] to request access, correction, or deletion of your data.
9.8 European Economic Area / United Kingdom residents (GDPR/UK GDPR)
If you are in the EEA or UK, you have rights including access, rectification, erasure, restriction of processing, data portability, and objection to processing. Our legal basis for processing is typically your consent (when you create an account and agree to our terms) and the necessity of providing the Service you’ve contracted for.
To exercise GDPR rights, email [PRIVACY EMAIL]. You also have the right to lodge a complaint with your local data protection authority.
10. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. By using the Service, you consent to this transfer.
For users in the EEA/UK, we rely on appropriate safeguards (such as Standard Contractual Clauses) where applicable for international data transfers.
11. Children’s Privacy (COPPA)
As described in Section 2, the Service is designed for adult account holders to use with their children. We do not knowingly collect personal information directly from children under 13 without verifiable parental consent.
When a parent enters information about their child (such as first name and age tier) in our Service, that information is provided by the parent — not collected from the child directly — and is used solely to personalize the family’s experience under the parent’s account.
Parents have full control over their children’s information in the Service:
- Add, edit, or delete kid profiles anytime
- Decide what content to share with their child
- Enable or disable Wonder Mode (the supervised kid-facing browsing experience)
- Export or delete all data associated with their family at any time
If you believe a child has provided personal information to us without parental consent, contact us at [PRIVACY EMAIL] and we will investigate and delete the information as appropriate.
12. Do Not Track
Some browsers send a “Do Not Track” signal. There is no consistent industry standard for how to respond to these signals, so we do not currently respond to them. However, we do not engage in cross-site tracking or behavioral advertising regardless of DNT signals.
13. Third-Party Links
The Service may occasionally link to external websites (for example, a Bible publisher’s website). This Privacy Policy does not apply to those sites. We encourage you to read the privacy policies of any third-party sites you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top
- Notify account holders by email at least 14 days before changes take effect
- Post the updated policy on our website
Continued use of the Service after changes take effect means you accept the updated policy.
15. Contact Us
For privacy questions, requests, or concerns, please contact:
Email: [PRIVACY EMAIL]
Mail: [BUSINESS LEGAL NAME], Attn: Privacy, [BUSINESS ADDRESS]
We aim to respond to all privacy requests within 30 days, often much sooner.
A Note from Sara
Optional section — feel free to keep, edit, or remove
I built Family Faith Studio as a mom trying to figure out how to answer my own kid’s questions about God. I think a lot about what data we collect and why, because this is my family’s data too. We don’t sell data, we don’t run ads, and we don’t use AI to surveil what you’re talking about with your kids. If something here doesn’t make sense or doesn’t feel right, please email me — I read everything that comes in.
— Sara