Saintcard ("we," "us") respects your intentions and treats them as the private, religious expressions that they are. This policy explains what we collect, why, where it goes, and how to remove it.
WHAT WE COLLECT
Prayer intentions you type into the box. These contain religious beliefs about you or others, which under EU law (GDPR Article 9) and under California privacy law are "sensitive" data. We collect them because the app cannot generate a prayer without them.
Device-level metadata stored in cookies: a random device id (so we can show you your history without an account), daily prayer counts, free-Flux usage counts, language preference, attribution parameters from any URL that brought you in (utm_source, utm_campaign, ref), and a session token for the admin panel that you will never see.
Server-side, for every request we record: the page path, the page you came from (HTTP referrer header), your browser's user-agent string, and the country code derived from your IP by our hosting provider (Vercel). We do NOT store your raw IP address.
WHAT WE DO NOT COLLECT
We do not require an account. We do not ask for your name, address, date of birth, gender, or phone number. We do not run third-party ad trackers or social pixels. We do not sell or rent any data.
WHO RECEIVES YOUR DATA
OpenRouter (openrouter.ai) processes the intention text to generate your prayer and a matching saint. Their privacy policy applies to that processing.
Supabase (supabase.com) hosts our PostgreSQL database. Prayer intentions, generated prayers, and analytics events are stored there. Supabase encrypts data at rest.
Vercel (vercel.com) hosts the app and routes the requests. Their edge servers see your IP momentarily before discarding it.
Stripe (stripe.com) processes donations if you choose to make one. Stripe receives whatever you type into their checkout form: payment details, email, billing address. We see only the amount, currency, and a redacted email.
We do not share data with anyone else.
HOW LONG WE KEEP IT
Prayer intentions and generated prayers are stored indefinitely so you can revisit them via the link we gave you. If you ask us to delete them, we will (see below).
Analytics events older than 365 days are eligible for deletion on request; we may keep them longer for aggregate dashboards but without the device id linkage.
Cookies expire as follows: device id - 5 years. Daily counter - 1 day. Free-Flux counter - 1 year. Attribution cookie - 90 days. Admin session token - 24 hours.
YOUR RIGHTS
You can ask us to delete any data tied to your device. Email fizzyparanoia@gmail.com with the device id (it is in a cookie named pray_device_id in your browser's DevTools) and we will remove the associated rows within 30 days.
You can disable cookies in your browser; the app will still work but daily limits and history will reset on each visit.
If you are in the EU, UK, or California, you also have the right to data portability, to object to processing, and to lodge a complaint with your data protection authority.
AI-GENERATED CONTENT
Every prayer and saint match is generated by an AI model in response to your intention. The output is not vetted by a priest, theologian, or any other human authority. It is a starting point for personal reflection, not a substitute for the sacraments, spiritual direction, or pastoral guidance.
CHANGES
We will update this page when our practices change and bump the "last updated" date at the top. Material changes will be announced on the home page for 30 days.
CONTACT
Questions, requests, or concerns: fizzyparanoia@gmail.com.