1. Who we are
Confessionals is a private, AI-assisted companion for examination of conscience, prayer, and spiritual reflection across the Catholic, Orthodox, and Protestant traditions. This policy applies to Confessionals ("we," "us," "our"), a product of Lemillion LLC, a Virginia limited liability company (SCC ID 12016863) with its principal office at 4446 Elan Pl, Annandale, VA 22003-5735. This policy is governed by the laws of the Commonwealth of Virginia, United States.
Contact for any privacy question or request: privacy@confessionals.app.
This policy explains what we collect, what we do not collect, who we share data with, and what rights you have over your data. We have written it in plain language because privacy in this app is a feature, not a footnote.
2. The most important thing on this page
Your confession content never reaches our servers.
When you have a confession session in the app, the text of that session is sent directly to our AI provider (Anthropic) through a stateless request relay we operate. We do not log, copy, store, or analyze that text on our infrastructure. Once the AI's reply comes back to your device, the entire session lives only on your device, encrypted with your device's hardware-backed secure store (AES-256). When you delete a session, it is gone.
This applies equally to:
- Confession messages you type or speak
- The AI's responses to those messages
- Examination-of-conscience answers
- Generated penance / spiritual guidance text
The rest of this policy explains the data we do handle — the data needed to make the app run.
3. Information we collect
We collect the minimum necessary to run accounts, billing, and basic product analytics. We have grouped it by type below.
3.1 Account information
If you create an account: your email address and a salted hashed password. (Hashing is handled by our authentication provider Supabase; we never see your raw password.)
If you use Guest mode: an anonymous user identifier is created on your behalf. No email or password is collected. You can later convert your guest account into a registered account, which preserves your usage history and subscription state but begins associating your email.
3.2 Profile preferences
- Your selected tradition (Catholic, Orthodox, Protestant) and, if Protestant, your denomination
- Whether you have completed onboarding
- Your reminder-notification preferences (on/off, time of day)
3.3 Subscription and billing data
If you subscribe to a paid plan, our subscription provider (RevenueCat) syncs the following to our database:
- Subscription plan (
monthly/yearly), status, current period dates - Which app store the subscription was purchased through (Apple App Store or Google Play)
Apple or Google handle the actual payment. We never see your credit card number. Apple/Google share with us only the subscription identifier and status — not your name, address, or payment details.
3.4 Anonymous usage metadata
To enforce free-tier limits (3 sessions per month) and show you streaks/history, we record:
- Timestamp of each confession session you start (no content)
- Date and aggregate count of sessions per month
- Anonymous device identifier for syncing prayer titles across devices (not your real device ID — an opaque value we generate)
This metadata is associated with your user account but does not include the substance of any session.
3.5 Beta feedback (during the beta program only)
If you submit feedback through the in-app feedback button:
- The feedback text you write
- Category, severity, and reproduction steps you provide
- Your email (if you are registered)
- Diagnostic context auto-attached: app version, build number, platform, OS version, device model, locale, current screen, your tradition/denomination/plan
This data is used to triage and fix issues. It is retained while the issue is open and for a reasonable period after resolution; we will delete or anonymize it when no longer needed.
3.6 Information we do not collect
We want to be explicit about what we do not collect or store:
- Confession session content (see Section 2)
- Prayer body text — only titles and types are synced; the prayer body lives on your device
- Location — the app does not request or use your physical location. (If we add a Church Finder feature in the future using Google Places, you will see a separate location-permission prompt and this policy will be updated.)
- Contacts, photos, microphone, or camera
- Advertising identifiers — we do not run ads and do not pass any data to ad networks
- Third-party analytics or crash reporting — at the time of writing, we do not use Sentry, Mixpanel, Firebase Analytics, or similar. If we add error reporting later, this policy will be updated and disclose what is captured
4. How we use information
We use the information described above only to:
- Authenticate you and keep your account secure
- Personalize the app to your tradition and preferences
- Process and manage your subscription
- Enforce the free-tier session limit fairly
- Send notifications you have explicitly enabled (e.g., daily reminders)
- Triage bug reports during the beta
- Communicate with you about service changes or important account matters
We do not use your data to train AI models, build advertising profiles, or sell to third parties. We do not perform automated decision-making with legal effects.
5. AI processing — the Anthropic relay
When you have a confession session, the messages you send and the conversation history within that session are transmitted from your device, through a stateless function we operate on Supabase Edge Functions, to Anthropic, PBC (the maker of the Claude AI model).
What happens on our relay: the request is forwarded; the response is streamed back to you; nothing is logged or stored on our side.
What happens at Anthropic: per the Anthropic API Terms, prompts and completions may be retained by Anthropic for up to 30 days for trust and safety review (e.g., to detect abuse) before being deleted. Anthropic does not use API inputs or outputs to train its models. We are not on a Zero Data Retention agreement with Anthropic at this time.
If you do not want any session text to be processed by a third-party AI provider, do not use the AI features of the app.
6. Crisis content handling
The app contains a crisis-detection layer. If your messages indicate risk of self-harm or harm to others, the AI will pause the spiritual companion mode and surface crisis resources (e.g., 988 in the United States, Samaritans in the UK). This detection happens at the relay before reaching the AI; we do not store the message that triggered it. We do not contact emergency services on your behalf, and we do not notify any third party. The crisis response is informational only.
If you are in crisis, please contact a real human professional or hotline. The app is not a substitute for emergency care.
7. Sub-processors
We rely on the following service providers to operate the app. Each handles only the data described.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Anthropic, PBC | AI processing for confession sessions | Session messages (transient, max 30-day retention by Anthropic) | United States |
| Supabase, Inc. | Authentication, database, edge functions | Account info, profile, subscription state, anonymous usage metadata, beta feedback | us-east-1 (United States) |
| RevenueCat, Inc. | Subscription state synchronization | Subscription plan, status, period | United States |
| Apple Inc. | App Store distribution and payment processing (iOS) | Payment, device, App Store account info — handled per Apple's privacy policy | United States and global |
| Google LLC | Google Play distribution and payment processing (Android) | Payment, device, Google account info — handled per Google's privacy policy | United States and global |
| Resend, Inc. | Pre-launch email list (collected only via the website signup form) and transactional email delivery | Email address; no confession content | United States |
We do not use any third-party advertising networks, analytics SDKs, or session-replay tools.
8. Data retention
| Data | Retention |
|---|---|
| Account record | While your account is active. Deleted on request. |
| Profile preferences | Same as account |
| Subscription record | While subscription is active, and for a reasonable period after for tax/accounting (typically up to 7 years per applicable law) |
| Anonymous usage metadata | Retained for the lifetime of the account; aggregated into monthly counts |
| Beta feedback | Retained while the issue is open and a reasonable period after; anonymized or deleted thereafter |
| Confession session content | Not retained server-side at all. Retained on your device until you delete it. |
| AI provider relay (Anthropic) | Up to 30 days at Anthropic per their API terms; not retained by us |
You can delete your account and all server-side data at any time (see Section 10).
9. Sharing and disclosure
We do not sell or rent your information to anyone. We share data only:
- With the sub-processors listed in Section 7, for the purposes described
- When required by law (e.g., a valid subpoena, court order, or other legal process). If we ever receive such a request that touches on user data, we will challenge overbroad requests and notify the affected user where legally permitted
- In connection with a corporate transaction (merger, acquisition) — the acquirer would be bound by this policy or one materially equivalent
We will never share or disclose the substance of any confession session because we do not have it.
10. Your rights and choices
Regardless of where you live, you have the following rights with respect to data we hold about you:
- Access — request a copy of the data we have associated with your account
- Correction — fix anything that is wrong
- Deletion — close your account and have your server-side data deleted
- Portability — receive your data in a machine-readable format
- Objection / restriction — ask us to stop processing for specified purposes
- Withdraw consent — for anything we process based on consent, withdraw it at any time
To exercise any of these, email privacy@confessionals.app from the address associated with your account. We will respond within 30 days.
To delete your account from inside the app: Settings → Account → Delete Account. This removes your record from our database and cancels future subscription billing on the next cycle (or per the relevant store's refund policy for the current period).
If you are in California (CCPA/CPRA), the EU/EEA or UK (GDPR), or another jurisdiction with similar laws, the rights above already cover you. We do not "sell" or "share" personal information as those terms are defined under California law. We are the data controller for purposes of GDPR.
11. International data transfers
We are based in the United States and our primary infrastructure is in the United States (Supabase us-east-1). If you use the app from outside the United States, your data is transferred to and processed in the United States.
For users in the EU/EEA, UK, or Switzerland: we rely on the Standard Contractual Clauses approved by the European Commission as the legal basis for these transfers, and our sub-processors have committed to equivalent safeguards.
12. Children's privacy
The app is rated 12+ and is not directed to children under 13 (or under 16 in some EU member states). We do not knowingly collect data from anyone in those age groups. If you are a parent or guardian and believe a child has created an account, contact privacy@confessionals.app and we will delete it.
We do not enable Apple's "Made for Kids" designation or its corresponding Google Play equivalent. Subscriptions can only be purchased by an Apple ID or Google account holder, which (per Apple/Google) requires the holder to be of age in their jurisdiction.
13. Security
We protect your data with:
- HTTPS / TLS 1.2+ for all network traffic
- AES-256 encryption at rest for confession content stored on your device (via Apple Keychain on iOS and Android Keystore on Android, both hardware-backed where the device supports it)
- Row-level security on all server-side data, so users can only access their own records
- Hashed passwords managed by our authentication provider; we never see the cleartext
- Biometric lock option (Face ID / Touch ID / Android equivalent) for the on-device confession history
No system is perfectly secure. If we discover a breach affecting your data, we will notify you as required by law.
14. AI disclaimer
The AI companion in this app is not a priest, pastor, counselor, or therapist. It does not administer any sacrament. In Catholic teaching, sacramental confession requires a validly ordained priest; this app cannot fulfill that requirement. The AI provides reflective companionship and scriptural perspective, not absolution, mental-health treatment, or medical advice. If you are in spiritual or psychological distress, please reach out to a qualified human.
15. Changes to this policy
We may update this policy as the product evolves. When we make material changes, we will:
- Post the updated policy at
confessionals.app/privacywith a new "Last updated" date - Notify registered users by email or in-app notice
- Where required by law, ask for your consent before applying material changes to processing of existing data
16. Contact
- Privacy and data requests: privacy@confessionals.app
- General support: support@confessionals.app
For users in the EU/EEA, you have the right to lodge a complaint with your local supervisory authority.
This policy is provided in good faith and represents our actual practices as of the effective date. If anything in the app appears to contradict this policy, please contact us immediately so we can investigate and correct.