Privacy Policy

SermonFlow

Last updated: March 16, 2026

1. Introduction

SermonFlow ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

By using SermonFlow, you consent to the data practices described in this policy.

2. Information We Collect

Account information:

  • Name, email address
  • Password (stored as a bcrypt-12 hash — we never store or see your plain-text password)
  • Denomination, preaching style, language preference, Bible translation preference
  • Region (US or PH, detected automatically from your IP address)

Profile information (optional):

  • Church name, logo, brand colors
  • Pastor background, preaching influences, congregation description
  • Custom theological notes, anti-preferences

Sermon data:

  • Scripture references, topics, notes you enter
  • AI-generated manuscripts and your edits
  • Slide configuration and theme selections
  • Series titles, video cue information

Payment information:

  • Transaction metadata (amount, date, credit balance changes)
  • Stripe customer ID and subscription status
  • We do NOT store credit card numbers — payment processing is handled entirely by Stripe

Technical data:

  • Browser type, IP address
  • Approximate location at signup (country, state/province, city — derived from your IP address by our hosting provider Vercel for regional pricing and fraud prevention; this is not precise GPS location)
  • Session cookies (functional, not tracking)

Uploaded content:

  • Church logos and sermon-related images stored in Supabase Storage

3. How We Use Your Information

We use your information to:

  • Provide the Service: Generate AI sermon manuscripts and slides tailored to your profile
  • Process payments: Handle credit purchases and subscription management via Stripe
  • Manage your account: Authentication, session management, profile storage
  • Send transactional emails: Account verification, password reset, payment receipts

We do NOT:

  • Sell your personal information to third parties
  • Use your data for advertising or marketing profiling
  • Share your sermon content with other users
  • Train AI models on your individual sermons

4. Third-Party Service Providers

We share data with the following service providers, solely for operating the Service:

  • Anthropic (Claude AI) — Sermon manuscript generation. Data shared: scripture, topic, notes, preaching profile (sent as AI prompts). Anthropic processes this data under their API Terms of Service and does not use API inputs to train their models.
  • Supabase — Database hosting and file storage. Data shared: all account and sermon data.
  • Stripe — US payment processing. Data shared: email, payment amounts, subscription data.
  • Vercel — Web hosting. Data shared: IP addresses, request logs.
  • Resend — Transactional email delivery. Data shared: email address, email content.
  • Ybug — Feedback widget. Data shared: user-submitted feedback, browser metadata.

Each provider has their own privacy policy. We encourage you to review them. We do not share data with providers beyond what is necessary for the Service.

5. Cookies

SermonFlow uses a minimal number of cookies:

Functional cookies (required):

  • NextAuth session cookie — maintains your login session. HTTP-only, secure. This is essential for the Service to function.

Third-party cookies:

  • Ybug feedback widget — may set cookies when you use the feedback button. See Ybug's privacy policy for details.

We do NOT use:

  • Advertising or tracking cookies
  • Analytics cookies (no Google Analytics, no Facebook Pixel)
  • Cross-site tracking cookies

Because we only use functional cookies essential for the Service, no cookie consent banner is required under most US privacy frameworks. If you are accessing SermonFlow from the European Economic Area (EEA), the Ybug feedback widget cookie is non-essential; by using the feedback button, you consent to Ybug setting its cookie. You may choose not to use the feedback widget if you do not wish to accept this cookie.

6. Data Retention

  • Sermon data: Retained indefinitely while your account is active. You can export or delete individual sermons at any time.
  • Account data: Retained while your account is active. Permanently deleted when you delete your account.
  • Payment records: Transaction metadata is retained for accounting and tax compliance purposes, even after account deletion, as required by law.
  • Server logs: Automatically rotated and deleted by our hosting provider (Vercel).

7. Your Rights

You have the following rights regarding your data:

  • Access: You can view all your profile data on the Profile page and export all sermons via the export feature.
  • Correction: You can edit your profile and sermon data at any time.
  • Deletion: You can delete your account from the Profile page, which permanently removes all your personal data (see Terms of Service, Account Termination for details on payment record retention).
  • Portability: You can export your sermons as Word documents at any time.

California residents (CCPA): Even though SermonFlow may not meet CCPA revenue thresholds, we extend the following rights to all California users:

  • Right to know what personal information we collect
  • Right to delete your personal information
  • Right to opt out of the "sale" of personal information — we do not sell your data
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at support@sermonflow.site.

8. Children's Privacy

SermonFlow is not intended for users under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a person under 18, we will delete it promptly. If you believe someone under 18 has created an account, please contact us at support@sermonflow.site.

9. International Data Transfers

SermonFlow processes data in the United States, regardless of your location. By using the Service, you consent to the transfer and processing of your data in the United States. Our hosting (Vercel), AI processing (Anthropic), and payment processing (Stripe) are all US-based services.

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords hashed with bcrypt-12
  • All data transmitted over HTTPS/TLS
  • Database encrypted at rest (Supabase managed PostgreSQL)
  • Payment card data never touches our servers (handled by Stripe)
  • HTTP-only session cookies
  • Security headers enforced (HSTS, X-Content-Type-Options, X-Frame-Options)

No system is 100% secure. If we discover a data breach affecting your information, we will notify you promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending an email to your registered address. Your continued use of the Service after changes constitutes acceptance.

12. Contact Us

For privacy-related questions or to exercise your data rights:

  • Email: support@sermonflow.site
  • General support: support@sermonflow.site