Aretha · Legal
Privacy Policy
Last updated May 2026 · Version 1.0
Aretha is built on a simple principle: your privacy comes first. We collect only what is strictly necessary, we do not sell your data, we do not show advertising, and you can delete your account at any time.
This policy explains what personal data Aretha collects, why we collect it, how it is stored and protected, and what rights you have over it. It applies to all users of Aretha at aretha.online and via the Aretha mobile application.
Data Controller
Aretha is the data controller for personal data processed through this service. For any privacy-related enquiries contact privacy@aretha.online. We will respond within 30 days.
Who can use Aretha
Aretha is intended for users aged 16 and older. By registering you confirm you meet this requirement. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, contact privacy@aretha.online and we will delete their account promptly.
What data we collect
We collect only what is necessary to provide the service:
- Account information — a username (which does not need to be your real name), your email address, and a hashed password. Your email is never displayed publicly.
- Location (region level only) — the country and state or region you select when setting up your profile. We do not collect GPS coordinates or precise location.
- Prayer requests — the category and subcategory you select. Aretha deliberately does not allow free-text content — we do not collect what you are praying about in detail.
- App preferences — your chosen language and colour theme.
- Activity data — timestamps of prayers said, sessions joined or created, and your last active time, used only to power the feed and statistics.
- Saved requests and sessions — records of requests and sessions you have bookmarked.
- Optional feedback — if you submit feedback through the app, we store the content and type of that feedback.
We do not collect your real name, phone number, date of birth, payment details, photos, or any free-text content beyond optional feedback.
Why we collect it · Legal basis
- Contract performance (Art. 6(1)(b)) — account details, location, prayer requests, and activity data are necessary to provide the core service.
- Legitimate interests (Art. 6(1)(f)) — last-seen timestamps and activity logs help maintain platform integrity. Anonymised prayer counts are retained after account deletion to preserve the accuracy of historical records.
- Consent (Art. 6(1)(a)) — optional features such as weekly digest emails and prayer reminders, which you can enable or disable at any time in Settings.
How long we keep your data
- Active account data is retained for as long as your account is open.
- Anonymised prayer records are retained indefinitely after account deletion to maintain accurate community statistics — they cannot be linked back to you once deleted.
- Password reset tokens expire after 1 hour and are stored only as a one-way SHA-256 hash.
- Notification preferences and optional data are deleted immediately when you close your account.
Third parties and data transfers
- Amazon Web Services (AWS) — the application and database are hosted on AWS EC2 in the EU (Ireland, eu-west-1). Transactional emails are sent via AWS Simple Email Service. AWS operates under GDPR-compliant data processing agreements.
- Google Fonts — font files are loaded from Google Fonts CDN via a standard HTTP request. No personal data beyond a request IP address is transmitted.
We do not sell, rent, or share your personal data with any other third party. We do not use advertising networks or tracking pixels of any kind.
Cookies and local storage
Aretha does not use tracking cookies. We use your browser's localStorage to store your session token, language preference, and colour theme. This data stays on your device and is not transmitted to any third party. It is cleared when you log out.
Account deletion
You can delete your account at any time from Settings → Account → Delete Account. Deletion pseudonymises your account: your username, email, and password are permanently replaced with non-identifiable values. All other personal data is permanently deleted immediately. Anonymised prayer activity logs are retained solely to preserve the accuracy of community statistics.
Your rights
- Right of access (Art. 15) — request a copy of your data via Settings → Account → Request a copy of my data. We will email it to your registered address immediately.
- Right to rectification (Art. 16) — update your username, email, and location at any time from your profile settings.
- Right to erasure (Art. 17) — delete your account at any time as described above.
- Right to data portability (Art. 20) — the data export tool in Settings provides your data in a structured, readable format.
- Right to restriction (Art. 18) — contact privacy@aretha.online to request restriction of processing.
- Right to object (Art. 21) — opt out of optional processing (weekly digest, prayer reminders) at any time in Settings → Notifications.
To exercise any right not covered by an in-app tool, contact privacy@aretha.online. We will respond within 30 days.
Right to complain
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a supervisory authority. As Aretha is hosted in Ireland, the relevant authority is the Data Protection Commission at dataprotection.ie. You may also contact the authority in your country of residence.
Changes to this policy
We may update this policy from time to time. When we make material changes we will update the date at the top of this page. Continued use of Aretha after changes are posted constitutes acceptance of the updated policy. For significant changes we will also notify registered users by email.