Privacy Policy

— At a Glance

01 Information We Collect

1.1  Information You Provide Directly

When you create an account or subscribe to the Platform, we collect:

• Email address — used for account authentication, subscription management, and platform communications;
• Payment information — collected and processed by Stripe; we do not store your full payment card details on our systems;
• Subscription tier selection and billing preferences;
• Any content you submit through the Platform, including queries entered into the QT Prism dialogue tool, notes, and documents you upload.

1.2  Information Collected Automatically

When you use the Platform, we and our service providers may automatically collect:

• Session tokens and authentication data required for login and access control;
• Subscription status and query usage counts, stored in Supabase to enforce tier limits;
• Basic server logs including IP address, browser type, device type, and timestamps, retained for security and error monitoring.

We do not currently use third-party analytics or behavioral tracking tools. When we do, this Policy will be updated and you will be notified in advance.

1.3  Information from Third Parties

• Stripe provides subscription status, payment confirmation, and billing event data. We do not receive full card numbers or banking details.
• Supabase stores your account data, subscription records, query history, and conversation data on our behalf.
• Anthropic API processes your queries to generate AI dialogue responses. Query content is transmitted to Anthropic in accordance with Anthropic's privacy and usage policies.

02 How We Use Your Information

• Account and subscription management — Creating and maintaining your account, validating access, enforcing query limits, and processing billing events;
• Platform delivery — Routing your queries to the QT Prism AI system, storing conversation history within your tier's retention window, and enabling PDF export and keyword search;
• Communications — Sending transactional emails including confirmations, payment receipts, lapse notifications, and material policy updates. We do not send marketing emails without your explicit opt-in;
• Security and abuse prevention — Monitoring for unauthorized access, circumvention of access controls, and patterns of misuse;
• Platform improvement — Understanding how the Platform is used in aggregate to inform content development and technical stability;
• Legal compliance — Retaining records as required by applicable law.

We do not use your personal data for automated decision-making that produces legal or similarly significant effects. We do not use your query content or conversation history to train external AI models without your explicit consent.

03 How We Share Your Information

3.1  Service Providers

• Stripe — payment processing and subscription management;
• Supabase — database storage and backend infrastructure;
• Vercel — platform hosting and content delivery;
• Anthropic — AI query processing via the Claude API.

Each provider is bound by contractual obligations to handle your data securely and only for the purposes we specify.

3.2  Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of OPNX LLC, our users, or the public.

3.3  Business Transfers

If OPNX LLC is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.

3.4  What We Do Not Do

We do not sell, rent, or trade your personal information to third parties. We do not share your data with advertisers. We do not allow third parties to use your data for their own independent purposes.

04 Data Retention

4.1  Post-Cancellation Retention by Tier

• Explorer (free) — Session data only; no persistent conversation history retained;
• Scholar — 30 days from cancellation or lapse date;
• Theologian — 60 days from cancellation or lapse date;
• Companion — 90 days from cancellation or lapse date.

During the retention window, your data remains accessible if you reactivate your subscription. After the window closes, deletion is permanent and cannot be reversed.

4.2  Legal and Financial Records

Billing records, payment history, and subscription transaction data may be retained for up to seven years following your last transaction, regardless of account status, to comply with applicable tax and financial recordkeeping requirements.

4.3  Security Logs

Server and access logs are held for a maximum of 90 days on a rolling basis, unless a specific incident requires extended retention for investigation.

05 Cookies and Tracking Technologies

5.1  Current Use

The Platform currently uses only essential cookies and session tokens. These are strictly necessary for authentication and subscription access control. We do not use advertising cookies, behavioral tracking cookies, or social media tracking pixels at this time.

5.2  Future Analytics

We intend to introduce analytics tools to understand subscriber engagement. Before deploying any non-essential tracking, we will update this Policy, notify active subscribers, and implement a consent mechanism where required by law.

5.3  Managing Cookies

You may configure your browser to block or delete cookies at any time. Blocking essential session cookies will prevent login and subscription access.

06 Data Security

We implement reasonable technical and organizational measures to protect your personal information, including:

• Encrypted data transmission via HTTPS across all Platform connections;
• Supabase Row Level Security (RLS) policies restricting data access to authenticated users;
• Stripe's PCI-compliant infrastructure for all payment processing;
• Access controls limiting internal access to personal data to authorized personnel only.

No method of transmission or storage is completely secure. In the event of a data breach that affects your rights or freedoms, we will notify you as required by applicable law.

07 Your Rights and Choices

7.1  Access and Correction

You may request a copy of the personal data we hold about you, or request correction of inaccurate information, by contacting us at support@quantumtheology.app. We will respond within 30 days.

7.2  Deletion

You may request deletion of your personal data at any time, subject to our post-cancellation retention timelines and any legal obligations requiring us to retain certain records.

7.3  Data Portability

Where technically feasible, you may request an export of your personal account data and conversation history in a structured, readable format. Per-response PDF export is available within the Platform for paid tier subscribers.

7.4  Opt-Out of Communications

You may opt out of non-essential communications at any time via the unsubscribe link in any email or by contacting us directly. Transactional communications related to your subscription cannot be opted out of while your account is active.

7.5  Account Deletion

To request full account deletion, contact us at support@quantumtheology.app. We will confirm deletion within 30 days, subject to the retention schedules in Section 4.

08 EU and UK Users — GDPR

8.1  Data Controller

For users in the EU, EEA, or UK, the data controller is OPNX LLC, reachable at support@quantumtheology.app.

8.2  Lawful Bases for Processing

• Contract performance — Processing your email, subscription tier, and billing data to deliver services you have purchased;
• Legitimate interests — Processing usage data for security, abuse prevention, and platform improvement;
• Legal obligation — Retaining financial and billing records as required by applicable tax law;
• Consent — Where we deploy optional analytics, we will seek your prior consent and provide a withdrawal mechanism.

8.3  Your GDPR Rights

In addition to the rights in Section 7, EU and UK users have the right to restriction of processing, the right to object to processing based on legitimate interests, and the right to lodge a complaint with your national supervisory authority.

To exercise any GDPR right, contact us at support@quantumtheology.app. We will respond within 30 days. For complex requests we may extend by an additional 60 days with notice.

8.4  International Data Transfers

Your data is processed and stored in the United States. We rely on the following mechanisms for EU/UK transfers:

• Stripe — participates in data transfer frameworks including Standard Contractual Clauses where applicable;
• Supabase — contractual arrangements include data processing agreements with standard data protection provisions;
• Anthropic — query data transmitted via the API is subject to Anthropic's data processing terms.

09 Children's Privacy

The Platform is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently done so, we will delete it promptly.

Users between 13 and 17 may access the Platform with parental or guardian awareness.

10 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and by posting the revised Policy with an updated effective date. Your continued use of the Platform after the effective date constitutes acceptance.

11 Contact

Questions, requests, or concerns regarding this Privacy Policy should be directed to: