Privacy Policy

Who we are

SoulVriti is operated by SetKernel Digital Inc., the data controller under GDPR Article 4(7) and the Data Fiduciary under India's Digital Personal Data Protection Act 2023. You can reach us about anything in this policy at hello@soulvriti.com.

How SoulVriti handles your data

SoulVriti is local-first. You do not need an account to use it: if you stay signed out, your bookmarks, journal entries, mood logs, reading history, goals, streaks, and preferences live only in the app's storage on your device, and we cannot see them.

Signing in is optional. Its one purpose is cross-device sync: when you sign in, the practice data listed below is synced to your account on our servers so your other devices can see it. Signing in does not enable advertising, profiling, or any other secondary use.

What we collect, and when

Account data (only if you sign in): your email address (when you use an email sign-in link) or the identity your provider shares with us (Sign in with Apple or Google — typically a stable identifier, and your name and email if you choose to share them), plus session records. Sessions expire after 30 days; email sign-in links expire after 15 minutes and work once.

Push notification data (only if you turn on reminders): to deliver reminders to a device we store a per-device push subscription — the device's push address or token, the encryption keys used for web push, and its language and timezone. We use it only to send the reminders you schedule, and it is deleted with your account.

Invitation data (only if you invite someone): when you create an invite we store the invitations you make and whether each one was accepted. An invite is just a shareable link with a random code — we never collect your friend's email or any other detail about them. When someone signs up through your link, we record an internal link between your two accounts so your invite shows as accepted; that link is deleted with either account.

AI conversation data (only if you sign in and use the AI feature): your AI conversations — the messages you send and the AI's replies — are saved to your account, along with a short set of "AI memory" notes the AI distils about your stated practices, concerns, preferences, context, and beliefs. See "Ask SoulVriti AI" below for the detail. Signed-out AI chats are never stored on our servers.

Synced practice data (only while you are signed in):

• Bookmarks — the verses you save
• Journal entries — your reflections, including optional title and mood before/after
• Mood logs — the mood you pick, an optional note, and the verse it relates to
• Reading history — which verses you read, when, and for how long
• Share events — which verses you shared, and when
• Goals — reading goals you set and when you achieve them
• Challenge progress — which challenge days you complete
• Achievements earned and rewards earned
• Notification records — reminders the service created for you (streak, digest) and whether you've read them
• Preferences — language, appearance, reminder and accessibility settings — and your verse-of-the-day assignments

Content delivery, server logs, analytics and cookies

Verse content (scriptures, translations, commentary) is delivered from our servers, so the app does make network requests. These are ordinary web requests: our infrastructure sees your IP address and standard request metadata, which we use only to deliver content, prevent abuse (rate limiting), and keep the service secure. We do not use it to build profiles.

Anonymous requests to the AI feature include a random device identifier used only for abuse-prevention rate limits. Apart from the consent-based website analytics described in this section, we do not use advertising or tracking SDKs anywhere in the product.

Website analytics. On our website (soulvriti.com) and web app we use two third-party measurement tools to understand, in aggregate, how the site is used and where it can be improved: Google Analytics 4 (provided by Google LLC, United States) for aggregate behavioural web analytics, and Microsoft Clarity (provided by Microsoft, United States) for session replay and heatmaps. These are the only analytics tools we use. We do not use a tag manager, product-analytics platforms (such as PostHog), error-tracking SDKs (such as Sentry), or any advertising pixels.

Consent first — nothing before you choose. These tools are off by default. Our legal basis is your consent (GDPR Art 6(1)(a) and the ePrivacy/PECR cookie rules). We use Google Consent Mode v2 with every consent signal set to denied by default, so no analytics script loads and no cookie is set until you opt in through our cookie banner. If you do nothing, or decline, nothing is loaded.

Cookies set only after you opt in: Google Analytics sets _ga and _ga_<id>; Microsoft Clarity sets _clck, _clsk, and CLID. No analytics cookies are set before consent.

What we never measure. To protect your religious and inner-life data, analytics events never include any scripture text, any journal, reflection, mood, or AI message text, or your search queries. Microsoft Clarity session replay runs with strict input masking, and it is switched off entirely on the journal, reflection, mood, AI, customization, and privacy screens, so nothing you type or read on those screens is ever recorded.

These tools are not used for advertising, profiling, or selling data. Google and Microsoft are based in the United States, so where this involves an international transfer of data it is covered by Standard Contractual Clauses and the providers' standard transfer safeguards.

You stay in control. You can decline analytics from the start, and you can change your mind at any time using the cookie banner or the "Manage analytics & cookies" control on our site — turning analytics off withdraws your consent going forward.

Ask SoulVriti AI

When you use the AI feature, your message and its context (e.g. which verse or tradition you're asking about, your language) are sent to our server to generate the reply.

If you are signed in, your AI conversations are saved to your account on our servers so you can return to them across your devices: we store the messages you send and the AI's replies (your conversation history). The AI may also distil and keep a short set of remembered notes about your stated practices, concerns, preferences, context, and beliefs ("AI memory") so its replies stay relevant over time. You can view and delete individual conversations, and your conversation history and AI memory are included in your data export and are permanently erased when you delete your account. If you are signed out, your AI messages and the replies are never stored on our servers — they exist only on your device.

Whether you are signed in or out, our server logs record only the request shape (scope, language, whether a safety check matched), never your message text in those logs.

Every message is checked against a built-in crisis-safety word list. If it matches, the service shows support resources instead of an AI reply, and that message is not saved to your account; we log only that the check matched and its category — never your words.

Why we process this data

To provide the service you ask for: delivering verse content, keeping your signed-in devices in sync, generating AI replies, saving your AI conversation history and AI memory so the feature works across your devices and stays relevant, sending the sign-in emails you request, and producing your data export when you ask for it.

To keep the service secure and working: rate limiting, abuse prevention, and operational logs.

Nothing else. We do not advertise, we do not sell or share personal data, and we do not use your content — including your AI conversations and AI memory — to train AI models. Your AI memory is used only to personalise your own replies, never to profile you for any other purpose.

Legal bases (GDPR) and DPDP

Performance of a contract (GDPR Art 6(1)(b)) — operating your account, syncing your data, answering your AI prompts, and fulfilling export/deletion requests.

Legitimate interests (GDPR Art 6(1)(f)) — security, rate limiting, and operational logging, in ways that do not override your rights.

Consent (GDPR Art 6(1)(a); DPDP §6) — sync itself is consent-based: it happens only because you chose to sign in, and you can withdraw at any time by deleting your account. Website analytics (Google Analytics 4 and Microsoft Clarity) also run only on your consent, under GDPR Art 6(1)(a) and the ePrivacy/PECR cookie rules; nothing loads or sets a cookie until you opt in, and you can withdraw at any time — see "Content delivery, server logs, analytics and cookies".

Religious and inner-life data

Your choice of traditions, your journal entries, your mood logs, and — if you sign in and use the AI feature — your AI conversations and AI memory can reveal religious beliefs and emotional state — special-category data under GDPR Article 9. We process them only because you chose to write, sync, or send them (your explicit action), only to provide the service, and never for advertising, profiling, ranking of traditions, or any secondary purpose. If you stay signed out, this data — including your AI chats — never reaches our servers for storage at all.

How long we keep data

Synced data, and your AI conversation history and AI memory, are kept while your account exists. Sessions expire after 30 days; email sign-in tokens after 15 minutes.

When you delete an AI conversation, it is permanently erased from our servers straight away — there is no tombstone and it is not retained for sync.

When you delete a synced item on one device, our server keeps a soft-deleted copy of the record (a "tombstone") so the deletion can propagate to your other devices. Tombstones are invisible to the app and excluded from your data export, and an automated daily job permanently erases each one 90 days after you deleted the item — or immediately, together with everything else, if you delete your account.

Deleting your account removes your account row and every piece of your data — synced items and their tombstones, plus your AI conversations, AI messages, and AI memory — immediately, in one cascading database operation.

Your rights, and exactly where to exercise them

Access & portability (GDPR Art 20) — Privacy & data → "Export my data" in the web app downloads a complete JSON file of your account data: your profile, bookmarks, journal entries, reading history, notifications, daily-verse assignments, goals, mood logs, achievements, rewards, challenge progress, share events, preferences, and your AI conversations (messages and replies) and AI memory. The only exclusions are per-device push-delivery infrastructure (push tokens and their encryption keys) and sign-in security credentials (session records and OAuth tokens), withheld for security and erased with your account.

Erasure (GDPR Art 17; DPDP §12) — Privacy & data → "Delete all my data" erases your account and all server-side data — including your AI conversations and AI memory — immediately. You can also delete individual AI conversations from the AI history at any time. Signed-out data can be removed by resetting the app or uninstalling it.

Rectification — edit your content and preferences directly in the app at any time.

Withdraw analytics consent — on our website and web app, use the cookie banner or the "Manage analytics & cookies" control to turn analytics off at any time; this withdraws your consent to Google Analytics and Microsoft Clarity going forward. See "Content delivery, server logs, analytics and cookies" above.

Complaint — you may lodge a complaint with your local data-protection authority (EU residents: via edpb.europa.eu; Indian residents: the Data Protection Board of India).

Who processes data for us

We share personal data only with the infrastructure providers needed to run the service, and with no one else:

• Cloudflare, Inc. — hosts the API (Workers), stores synced data (D1 database, KV), and delivers verse content (R2).
• Resend, Inc. — sends the email sign-in links you request (sees your email address for that purpose only).
• Expo (650 Industries, Inc.) — delivers push notifications to the mobile app when you turn on reminders (receives your device's push token and the notification content).
• Apple Inc. — when you choose Sign in with Apple.
• Google LLC — when you choose Sign in with Google.

No ads, no sale of data

SoulVriti is free and carries no advertising. The only analytics we use are the consent-based website measurement tools described under "Content delivery, server logs, analytics and cookies" above; the app itself contains no advertising or in-app analytics SDKs. We do not sell or share personal data for advertising or any other consideration, and we never have.

Children

SoulVriti is not directed at children under 13, and we do not knowingly collect personal data from them. Used signed-out, the app stores nothing about you on our servers beyond the transient infrastructure logs described above.

Changes to this policy

If this policy changes, we will update this page and its effective date. For material changes we will give notice in the app before they take effect, and you can always export your data and delete your account first.

Contact

Questions about this policy or your data: hello@soulvriti.com.