Privacy Policy

Introduction

This Privacy Policy ("Policy") describes how OakDev & AI AB, a Swedish limited liability company ("Company", "we", "us", or "our"), collects, uses, stores, discloses, and protects personal data in connection with the ChristBay mobile application ("App") and any related websites, services, features, or content (collectively, the "Service").

By downloading, installing, accessing, or using ChristBay, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, you must not use the Service.

This Policy is written in English. In the event of any conflict between a translated version and the English version, the English version shall prevail.

1.1 Scope

This Policy applies to all users of the ChristBay iOS application distributed via the Apple App Store, as well as to visitors of any ChristBay-related web pages hosted by OakDev & AI AB. It does not apply to third-party websites or services that may be accessible from within or alongside the App, which are governed by their own privacy policies.

1.2 Our Commitment

OakDev & AI AB built ChristBay as a private, personal devotional tool. The nature of the App — daily scripture, guided reflection, and prayer — means that the content you engage with can be deeply personal. We take that seriously.

• Minimal collection: We collect only the data necessary to provide and improve the Service.
• No advertising: ChristBay is permanently ad-free. We do not build advertising profiles.
• No data selling: We do not sell, rent, or trade your personal data to any third party, ever.
• No AI training: Your prayer journal entries and reflection notes are never used to train machine learning or artificial intelligence models.
• User control: You have full rights over your personal data, including the right to access, correct, export, and permanently delete it.

1.3 Who This Policy Is For

This Policy applies to all persons who use the ChristBay application, including users who have purchased the base application, users who have upgraded to the "Blessed" tier, and users who have purchased top-up Reflection packs. All categories of users are subject to the same privacy protections described herein.

1.4 Age Requirement

ChristBay is intended for users aged 13 and older. We do not knowingly collect personal data from children under the age of 13. Please refer to Section 18 (Children's Privacy) for our full policy regarding minors.

1.5 Relationship to Other Policies

This Privacy Policy should be read alongside our Terms of Use (available at /terms/), which govern your use of the Service. In the event of any conflict between the Terms of Use and this Privacy Policy on matters of data protection, this Privacy Policy shall prevail.

Data Controller

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Swedish Act Supplementing the EU Data Protection Regulation (2018:218), the data controller is:

As a Swedish company, OakDev & AI AB is established within the European Union and is directly subject to the GDPR and applicable Swedish data protection legislation.

2.1 Data Protection Contact

All data protection enquiries, rights requests, and concerns should be directed to: hello@oakdev.app

We aim to respond to all legitimate requests within 30 days, and no later than the legally required timeframes under the GDPR (typically within one month, extendable by a further two months for complex or numerous requests).

2.2 No DPO Requirement

As a small organisation whose core activities do not involve large-scale processing of special categories of data, OakDev & AI AB is not currently required under Article 37 of the GDPR to appoint a Data Protection Officer (DPO). However, we are fully committed to GDPR compliance and will appoint a DPO if required by applicable law in the future.

Definitions

The following definitions apply throughout this Policy:

Data We Collect — Overview

We collect personal data in several ways: data you provide directly, data collected automatically through your use of the App, and data received from Apple in connection with in-app purchases. Detailed descriptions follow in Sections 5–9.

Device & Technical Data

When you install and use ChristBay, we automatically receive certain technical information from your iOS device and operating system. This is necessary to deliver the App reliably and diagnose technical problems.

5.1 What Is Collected

• Device model: e.g., "iPhone 16 Pro". We use an anonymous, app-specific identifier generated by iOS rather than any persistent hardware serial number or IMEI.
• Operating system version: The iOS version running on your device, used to ensure compatibility and test updates.
• Application version and build number: The specific version of ChristBay installed, used for crash reporting and update management.
• Locale and language settings: Your device's configured language and regional format, used to display content appropriately.
• Time zone: Used to schedule daily devotional reminders at appropriate local times.
• Network connectivity type: Whether the device is on Wi-Fi or cellular (not your IP address or network provider name), used to optimise content loading and offline functionality.
• Screen resolution and display scale: Used to render UI assets at the correct resolution for your device.
• Available storage space: Accessed to ensure the App can download and cache devotional content without exceeding available storage.

5.2 App-Specific Device Identifier

iOS provides each app with a Vendor Identifier (IDFV — Identifier for Vendor), unique to your device and our specific application. This identifier:

• Is generated by iOS and cannot be used to track you across other apps or companies.
• Resets when you delete and reinstall ChristBay.
• Is used internally to associate your app data and settings across sessions on the same device.
• Is not shared with advertising networks or data brokers.

We do not request or use the Advertising Identifier (IDFA). ChristBay does not participate in any advertising ecosystem.

5.3 Crash Logs and Diagnostics

If the App crashes, iOS generates a crash report. Depending on your iOS privacy settings and whether you have enabled "Share with App Developers", Apple may share anonymised crash reports with us. These reports contain stack traces and memory information relevant to the crash — they do not contain your personal data or journal content. Crash reports are used solely to identify and fix technical bugs. You can disable this in iPhone Settings → Privacy & Security → Analytics & Improvements → Share with App Developers.

5.4 Performance Metrics

We may collect aggregated, non-personally-identifiable performance metrics such as App launch time and screen render duration. These are used solely to improve App performance and are never associated with your identity.

Account Data

ChristBay is designed to be usable without requiring account creation. Certain optional features may involve account functionality for convenience (such as restoring purchases or syncing across devices).

6.1 Optional Display Name

You may optionally provide a display name within the App for personalised greetings. This name is stored locally on your device and is not sent to our servers unless you explicitly enable a cloud sync feature. It can be changed or deleted at any time from App settings.

6.2 Sign In with Apple

ChristBay may offer optional integration with Sign in with Apple. If you use this feature:

• Apple provides us with a unique, stable user identifier and, at your discretion, either your real email address or an Apple-generated relay email address.
• We use this identifier solely to authenticate you and associate your data with your account.
• We do not use your Apple email address for marketing communications without your explicit, separate consent.
• You can revoke ChristBay's access to your Apple ID at any time via iPhone Settings → [Your Name] → Sign in with Apple → ChristBay → Stop Using Apple ID.

6.3 Support Contact

If you contact us for support — by email to hello@oakdev.app or through an in-app feedback mechanism — you may provide your email address and any information you choose to include in your message. We use this solely to respond to your enquiry and to improve the Service. Support correspondence is retained for up to 2 years and then permanently deleted.

6.4 No Mandatory Registration

You are not required to create an account to use the core features of ChristBay, including daily scripture reading, guided reflections, and the personal prayer journal. Account-based features exist solely to improve continuity across devices and are entirely optional.

Usage & Analytics Data

To understand how the App is used in aggregate and to make meaningful product improvements, we collect anonymised or pseudonymised analytics data.

7.1 What We Measure

• Feature engagement: Which features are used, how often, and for how long — in aggregate, not tied to your identity.
• Session frequency and duration: How often users open the App and for how long, to understand engagement patterns.
• Onboarding completion: Whether new users complete the initial setup flow, to identify friction points.
• Reflection balance behaviour: Aggregate top-up purchasing patterns, to plan content pricing and availability.
• Notification interaction: Whether users open the App via a push notification, at the aggregate level only.

7.2 Anonymisation and Pseudonymisation

Where possible, analytics data is fully anonymised before leaving your device — meaning it cannot be linked back to you as an individual. Where an internal session identifier is technically required, we use pseudonymised identifiers that are not linked to your name, Apple ID, or any other directly identifying information. These identifiers are rotated periodically.

7.3 Apple App Store Analytics

If you have agreed to Apple's terms regarding app analytics, Apple may provide us with aggregated, anonymised data about how users interact with ChristBay in the App Store. This data is governed by Apple's own privacy policy. You can manage these settings at iPhone Settings → Privacy & Security → Analytics & Improvements.

7.4 What We Do Not Do with Analytics

• We do not build individual user profiles from analytics data.
• We do not share analytics data with advertising networks.
• We do not use analytics to make automated decisions with significant effects on you.
• We do not use analytics to read or infer the content of your journal entries or reflection notes.

Journal & Reflection Data

The personal prayer journal and reflection notes feature is at the heart of ChristBay's devotional experience. We treat this category of data with the highest possible level of care.

8.1 Local Storage by Default

By default, all journal entries, prayer notes, bookmarked scriptures, reflection session history, and personal annotations are stored exclusively in the local storage of your iOS device. This data:

• Never leaves your device unless you explicitly enable iCloud backup or a future optional cloud sync feature.
• Is stored in the App's sandboxed container, inaccessible to other apps on your device.
• Is protected by iOS device encryption tied to your device passcode, Face ID, or Touch ID.
• Is backed up as part of your iOS iCloud or iTunes backup if you have those features enabled — this backup is managed entirely by Apple and governed by Apple's privacy policy.

8.2 Future Optional Cloud Sync

We may introduce an optional cloud synchronisation feature in a future version of ChristBay. If and when this is introduced:

• Participation will be entirely voluntary and will require your explicit consent.
• Data will be encrypted in transit (TLS 1.2 or higher) and at rest on our servers.
• You will retain full control to disable sync and request deletion of cloud-stored data at any time.
• This Policy will be updated prior to the launch of such a feature, and you will be notified.

8.3 Religious Nature of Content — Special Category Data

We recognise that journal entries written in ChristBay may contain information about your religious beliefs, prayer intentions, personal struggles, and faith journey. Under the GDPR, information revealing religious or philosophical beliefs is classified as "special category data" (Article 9), which is afforded heightened protection.

OakDev & AI AB processes special category data in your journal only to the strict extent necessary to store your entries and display them back to you. We never process special category data for analytics, profiling, or third-party disclosure. Our legal basis for processing this data, to the extent any processing occurs, is your explicit consent (Article 9(2)(a) GDPR) as expressed by your voluntary use of the journal feature and agreement to this Policy.

8.4 Reflection Session History

The App maintains a history of which reflection sessions you have completed, your current Reflection balance, and your progress through available content. This information is stored locally on your device and is not transmitted to our servers except as part of any future optional cloud sync described above.

8.5 Bookmarked Scriptures

Scriptures you bookmark within ChristBay are stored locally on your device. We do not collect information about which specific scriptures you have bookmarked.

Purchase Data

ChristBay is a paid application. All purchases are processed exclusively through the Apple App Store using Apple's StoreKit framework. OakDev & AI AB does not collect, store, or process your payment card details, Apple ID credentials, or any payment instrument information.

9.1 What Apple Processes

Apple Inc. acts as the merchant of record for all ChristBay purchases, including:

• Initial purchase of the ChristBay application from the App Store.
• In-app purchase of the "Blessed" upgrade tier (which provides 300 additional Reflections and unlocks more categories and features).
• In-app purchases of top-up Reflection packs (100, 200, or 400 Reflections — one-time purchases, no subscription or auto-renewal).

Apple's handling of payment data is governed by Apple's Privacy Policy.

9.2 What We Receive from Apple

Following a successful purchase, Apple provides ChristBay with:

• Purchase receipt (Apple-signed): A cryptographically signed receipt confirming a legitimate purchase, used to verify your entitlements.
• Transaction identifier: A unique ID for each transaction, used for de-duplication and refund enquiries.
• Product identifier: A code identifying which product was purchased.
• Purchase date and time: When the transaction occurred.
• Original transaction identifier: Used for restoring previous purchases.

We do not receive your name, billing address, email address, or payment method details from Apple in connection with purchases.

9.3 Entitlement Verification

To confirm purchase entitlements, the App may send Apple's signed receipt to a secure server-side verification endpoint. This process transmits the receipt to Apple's App Store receipt validation API for verification, and Apple returns confirmation of purchased products. Our server records the verified entitlements against your anonymous device identifier. This is technically necessary to prevent fraudulent modification of local entitlement data.

9.4 Purchase Records Retention

We retain purchase transaction records (receipt tokens, transaction IDs, product IDs, and timestamps) for 7 years from the date of purchase. This retention period is required by Swedish accounting law (Bokföringslagen) and to handle refund, chargeback, or dispute enquiries.

9.5 Refund Policy

All refund requests are processed through Apple in accordance with Apple's refund policies. OakDev & AI AB does not process refunds directly. To request a refund, please visit reportaproblem.apple.com.

Legal Bases for Processing (GDPR Article 6)

Under the GDPR, every instance of personal data processing must have a lawful basis. The table below sets out the legal basis we rely upon for each type of processing we perform.

10.1 Special Category Data (GDPR Article 9)

Where your journal entries contain information revealing your religious beliefs or prayer intentions, this may constitute special category data under GDPR Article 9. We rely on the following bases:

• Art. 9(2)(a) — Explicit consent: By voluntarily writing in the journal feature and agreeing to this Policy, you consent to the storage and display of your religious content within the App for your personal use.
• Art. 9(2)(e) — Data manifestly made public by the data subject: To the extent that you independently choose to enter personal religious reflections into your private journal, this is wholly self-directed.

We do not use special category data for any purpose beyond displaying it back to you.

10.2 Legitimate Interests Assessment

Where we rely on legitimate interests under Art. 6(1)(f), we have carried out a balancing test and determined that our interests do not override your fundamental rights and freedoms, particularly because: we only collect minimal, necessary data; we fully anonymise analytics data where possible; we do not share this data with third parties for their own purposes; and you retain the right to object to legitimate-interest processing at any time (see Section 16).

How We Use Your Data

We use the personal data we collect for the following specific purposes only.

11.1 Service Delivery

• Displaying daily scripture passages, reflection prompts, and guided devotional content.
• Tracking your Reflection balance and applying deductions as you engage with content sessions.
• Storing and displaying your personal journal entries and prayer notes.
• Enabling the saving, browsing, and retrieval of bookmarked scriptures.
• Tracking your progress through the devotional content catalogue.
• Applying and verifying your Blessed upgrade entitlements to unlock expanded features and categories.
• Restoring your previous purchases when you reinstall the App or move to a new device.

11.2 App Performance and Reliability

• Diagnosing and resolving App crashes, errors, and performance issues.
• Testing and validating updates before public release.
• Monitoring App performance to identify regressions or infrastructure issues.

11.3 Product Improvement

• Understanding in aggregate which features are most and least used, to prioritise development work.
• Identifying usability problems in onboarding or feature discovery.
• Planning new content categories and reflection series based on aggregate engagement patterns.

11.4 Customer Support

• Responding to support requests, bug reports, and feature enquiries submitted by email or in-app feedback.
• Verifying purchase entitlements to resolve billing disputes or restore missing purchases.

11.5 Legal and Compliance

• Maintaining purchase and transaction records as required by Swedish accounting legislation.
• Responding to lawful requests from courts, regulatory authorities, or law enforcement where legally required.
• Enforcing our Terms of Use and protecting the rights, property, or safety of OakDev & AI AB, our users, or the public.

11.6 What We Do Not Do

• We do not use your data for advertising or marketing profiling.
• We do not sell, rent, lease, or license your personal data to any third party.
• We do not use your journal entries or reflection history to train, fine-tune, or evaluate any AI or machine learning model.
• We do not use your data to make automated decisions that produce legal or significant effects on you (no automated profiling within the meaning of GDPR Article 22).
• We do not send unsolicited marketing communications.

Data Sharing and Disclosure

OakDev & AI AB does not sell, rent, or trade your personal data. We share personal data only in the limited circumstances described below.

12.1 Service Providers (Data Processors)

We may engage carefully selected third-party service providers who process personal data on our behalf and under our instructions. Any such provider is bound by a Data Processing Agreement (DPA) requiring them to:

• Process personal data only according to our documented instructions.
• Implement appropriate technical and organisational security measures.
• Not engage sub-processors without our prior written consent.
• Assist us in fulfilling data subject rights requests.
• Delete or return all personal data upon termination of the agreement.

12.2 Apple Inc.

Apple processes purchase transactions on our behalf and provides verified purchase receipts. Apple also provides device analytics under its own terms. Apple's data practices are governed by Apple's Privacy Policy.

12.3 Legal Obligations

We may disclose personal data to courts, law enforcement, or regulatory authorities when required by applicable law. Before doing so — where legally permitted — we will verify the legality of the request, disclose only the minimum necessary data, and notify the affected user unless prohibited by law or a court order.

12.4 Protection of Rights

We may disclose personal data where we believe, in good faith, that such disclosure is reasonably necessary to protect the rights, property, or safety of OakDev & AI AB, our users, or the public; or to detect, prevent, or address fraud, security incidents, or technical problems.

12.5 Business Transfers

In the event of a merger, acquisition, asset sale, financing, corporate restructuring, or dissolution, personal data we hold may transfer to a successor entity. We will notify users before any such transfer takes effect, and the acquiring party will be required to uphold this Policy or provide adequate alternative privacy protections.

12.6 Aggregate and Anonymised Data

We may share aggregated, anonymised statistical data (e.g., aggregate engagement trends) with partners, investors, or the public. Such data does not identify any individual user and is not personal data.

12.7 With Your Explicit Consent

Beyond the circumstances above, we will share your personal data with third parties only if you have given us your clear, informed, and freely given consent. You may withdraw such consent at any time.

Apple & the App Store

ChristBay is distributed exclusively through the Apple App Store. By using ChristBay, you also agree to and are subject to Apple's terms and policies.

13.1 Apple's Role

• App distributor: Apple distributes the App and may collect download and usage data under its own terms.
• Payment processor: Apple processes all financial transactions for App purchases and in-app purchases.
• Platform provider: Apple provides iOS, StoreKit, CloudKit, and other platform APIs that ChristBay may use.
• Crash reporting conduit: Apple may share anonymised crash diagnostics with us, subject to your device privacy settings.

13.2 App Store Privacy Nutrition Labels

Apple requires all App Store applications to provide a Privacy Nutrition Label disclosing what data the app collects. ChristBay's nutrition label disclosures are maintained on the App's App Store page and are consistent with this Privacy Policy. In the event of any discrepancy, this Policy shall govern.

13.3 iCloud

If you have iCloud backup enabled, your ChristBay app data (including journal entries) will be included in your iCloud backup, stored in your personal iCloud account and governed by Apple's iCloud terms. OakDev & AI AB does not have access to your iCloud backup data.

13.4 Family Sharing

ChristBay supports Apple's Family Sharing feature. When a family member purchases ChristBay through Family Sharing, the purchase is processed by Apple under the purchasing account holder's Apple ID. We receive the same purchase verification data as for any other purchase.

Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, to fulfil our legal obligations, or to resolve disputes and enforce agreements.

14.1 Deletion Upon Request

When you exercise your right to erasure (Section 16.3) or delete your account (Section 17), we will delete your personal data ahead of the standard retention schedules above, except where we are required by law to retain it (e.g., transaction records for tax compliance). In those cases, we will restrict processing so the data is not used for any other purpose during the legally required retention period.

14.2 Backup Copies

Encrypted backup copies of server-held data are retained for up to 30 days for disaster recovery purposes. After this period, backups are rotated and permanently overwritten. Deletion of your personal data from our primary systems will be fully reflected in backups within 30 days.

International Data Transfers

OakDev & AI AB is a Swedish company within the EEA. We aim to keep personal data within the EEA wherever possible. However, certain third-party service providers (including Apple) may process data outside the EEA, including in the United States.

15.1 Transfers to Apple

Apple Inc. is headquartered in the United States. Any data transferred to Apple in connection with the App Store, StoreKit, or other Apple services is subject to Apple's standard contractual and privacy protections. Apple maintains Standard Contractual Clauses (SCCs) with EEA data subjects.

15.2 Other Third-Party Transfers

Where we engage service providers that process personal data outside the EEA, we ensure appropriate GDPR Chapter V transfer safeguards are in place, including:

• Standard Contractual Clauses (SCCs): The European Commission's approved model clauses for data transfers to third countries (Commission Decision 2021/914).
• Adequacy decisions: Transfers to countries that the European Commission has determined provide an adequate level of data protection.

15.3 Data Minimisation

Because most of your personal data (particularly journal entries and reflection content) is stored locally on your device and does not leave it, the volume of data subject to international transfer is minimised by design. Server-side data processing is limited to purchase verification and, in the future, optional cloud sync.

15.4 Your Rights Regarding Transfers

You have the right to request information about the specific safeguards we rely upon for any international data transfers. Contact us at hello@oakdev.app to exercise this right.

Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights with respect to your personal data. We are committed to facilitating the exercise of these rights promptly and without imposing undue barriers.

16.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about the purposes of processing, categories of data, recipients, retention periods, your other rights, and whether data is subject to automated decision-making.

16.2 Right to Rectification (Article 16)

You have the right to require us to correct inaccurate personal data we hold about you, and to have incomplete personal data completed. Data stored locally on your device can be amended directly within the App.

16.3 Right to Erasure (Article 17)

You have the right to request that we delete your personal data where: the data is no longer necessary for the purpose it was collected; you withdraw consent on which processing was based and there is no other legal basis; you object and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required by a legal obligation. Erasure requests may be limited where we are legally required to retain certain records (e.g., transaction records). In such cases we will inform you and restrict further use during the required retention period.

16.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in circumstances including: you contest the accuracy of your data; the processing is unlawful but you prefer restriction over erasure; we no longer need the data but you need it for legal claims; or you have objected pending verification of our grounds. During a restriction period, we store the data but do not process it further without your consent.

16.5 Right to Data Portability (Article 20)

Where we process your personal data based on consent or a contract, by automated means, you have the right to receive that data in a structured, commonly used, and machine-readable format. For ChristBay this applies primarily to account details and purchase entitlement records. Journal entries stored on your device can be exported directly from the App.

16.6 Right to Object (Article 21)

You have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interests. Upon receipt we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for legal claims.

16.7 Rights Related to Automated Decision-Making (Article 22)

ChristBay does not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. Should this change in a future version, we will update this Policy and obtain any required consent.

16.8 Right to Withdraw Consent

Where we process your personal data based on consent (e.g., push notifications), you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal. Consent for push notifications can be withdrawn at any time in iPhone Settings → Notifications → ChristBay.

16.9 How to Exercise Your Rights

To exercise any of the rights described in this Section, contact us at hello@oakdev.app. Please include sufficient information to verify your identity. We will respond within 30 days of receiving a valid request. In complex cases we may extend this by a further two months, notifying you of the extension within the first 30 days. There is no charge for exercising your rights, unless requests are manifestly unfounded, excessive, or repetitive.

Account Deletion and Data Removal

17.1 In-App Deletion

You can delete your journal entries and all locally stored App data at any time from within ChristBay via Settings → Privacy → Delete All Data. This immediately and irreversibly removes all locally stored journal entries, reflection history, bookmarks, and personal settings from your device.

17.2 Account Deletion Request

If you have created an account or would like all server-side data permanently removed, please visit /delete-account/ or email hello@oakdev.app with the subject line "Account Deletion Request".

Upon receiving your verified deletion request, we will:

1. Permanently delete your account identifier and authentication data within 30 days.
2. Delete any personal data associated with your account from our active systems within 30 days.
3. Ensure your data is removed from backup systems within 60 days.
4. Confirm deletion to you by email.

We will retain purchase transaction records for the legally required 7-year period under Swedish accounting law, but these records will be restricted from any other processing.

17.3 Effect of Deletion

• Your purchased Reflections and Blessed upgrade entitlements will no longer be accessible through our system.
• Your journal entries will be permanently removed and cannot be recovered.
• Your faith journey history and session progress will be permanently removed.

17.4 Apple Sign-In Revocation

If you used Sign in with Apple, revoking the App's access to your Apple ID does not automatically delete your data from our servers. You must separately submit a deletion request as described above. To revoke Apple Sign-In access: iPhone Settings → [Your Name] → Sign in with Apple → ChristBay → Stop Using Apple ID.

17.5 App Store Compliance

Apple's App Store guidelines require that all apps offering account creation must also provide in-app account deletion. ChristBay complies with this requirement. The account deletion flow is accessible at ChristBay App → Settings → Privacy → Delete Account & Data.

Children's Privacy

18.1 Age Requirement

ChristBay is intended for users aged 13 and older. We do not knowingly collect personal data from children under the age of 13. The App Store age rating for ChristBay reflects this age restriction.

18.2 Users Between 13 and 16 (GDPR)

In Sweden, the minimum age of consent for information society services is 13. For users between 13 and 16:

• We recommend parental supervision for users under 16.
• Where a guardian purchases the App on behalf of a minor, the guardian accepts this Policy on behalf of the child.
• Parents or guardians may request access to, correction of, or deletion of data associated with their minor child by contacting us at hello@oakdev.app.

18.3 If We Discover Data from Children Under 13

If we become aware that we have inadvertently collected personal data from a child under the age of 13, we will take immediate steps to delete that information. If you believe we may have collected data from a child under 13, please contact us immediately at hello@oakdev.app.

18.4 Family Sharing

ChristBay supports Apple's Family Sharing feature. The family account holder (parent or guardian) is responsible for supervising the use of the App by minor family members.

18.5 No Advertising to Minors

ChristBay contains no advertising of any kind. We do not build profiles of users for advertising purposes regardless of age, and this prohibition applies with particular force to users who are minors.

Security

OakDev & AI AB takes reasonable and appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

19.1 Technical Measures

• Encryption in transit: All communications between the App and any server-side components use TLS 1.2 or higher. We enforce App Transport Security (ATS) at the iOS layer.
• Encryption at rest (device): Data stored on your iOS device is protected by iOS's built-in file system encryption, tied to your device passcode, Face ID, or Touch ID.
• Encryption at rest (server): Any personal data stored on our servers is encrypted using industry-standard encryption (AES-256 or equivalent).
• Access controls: Access to personal data is restricted to personnel who require it for their duties, subject to role-based access controls and authentication requirements.
• Secure coding: ChristBay is developed following iOS security best practices, including use of iOS Keychain for sensitive credentials.
• Regular reviews: We conduct regular reviews of our security practices and update them as threats evolve.

19.2 Organisational Measures

• Personnel with access to personal data are bound by confidentiality obligations.
• Third-party service providers are vetted for security before engagement and contractually required to maintain appropriate security measures.
• We maintain an internal incident response plan for data security events.

19.3 Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (IMY) within 72 hours of becoming aware (GDPR Article 33). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Article 34), including a description of the breach, likely consequences, and measures taken to address it.

19.4 No Absolute Guarantee

No method of electronic storage or internet transmission is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. We encourage you to use a strong device passcode and keep your iOS software up to date.

Cookies & Tracking Technologies

20.1 The App Does Not Use Cookies

ChristBay is a native iOS application. Native iOS apps do not use browser cookies. ChristBay does not use cookies, cross-site tracking pixels, or similar web-based tracking mechanisms.

20.2 No Advertising SDK

ChristBay does not include any advertising SDKs, ad networks, or third-party marketing trackers. There is no advertising infrastructure of any kind embedded in the App.

20.3 No Cross-App Tracking

ChristBay does not request access to the Advertising Identifier (IDFA) and does not participate in cross-app tracking. Enabling "Limit Ad Tracking" or disabling "Allow Apps to Request to Track" in your iOS Privacy settings has no negative impact on ChristBay's functionality.

20.4 Website

The ChristBay website may use minimal, privacy-respecting analytics. Any analytics used on the website are disclosed in a separate notice on that site. The website does not use third-party advertising cookies.

20.5 App Store Analytics

Apple's App Store platform may use its own analytics in connection with App discovery, downloads, and purchases. This is conducted by Apple under Apple's own privacy policies and is outside our control.

Push Notifications

21.1 Consent Required

ChristBay may send you push notifications (e.g., daily devotional reminders). Push notifications require your explicit permission, which iOS will request via a system-level prompt. You may grant or deny permission at that time.

21.2 What Notifications We Send

• Daily devotional reminders: A brief prompt to begin your daily reflection, sent at a time you configure in App settings.
• Milestone notifications: Notifications celebrating faith journey milestones (e.g., a devotional streak).
• New content announcements: Notifications about new reflection categories or significant content additions.

We do not send promotional or commercial marketing messages via push notifications without your separate consent.

21.3 Managing Notifications

You can withdraw permission for push notifications at any time via iPhone Settings → Notifications → ChristBay, or configure notification types within the App at Settings → Notifications. Disabling notifications does not affect your access to any App features.

21.4 APNs Token

To deliver push notifications, Apple provides the App with an Apple Push Notification service (APNs) token — a device-specific identifier used solely for routing push messages to your device. This token is not linked to your personal identity, is not shared with advertising networks, and is deleted from our systems when you revoke notification permissions or delete the App.

Third-Party Services

ChristBay is designed to minimise reliance on third-party services. Where third-party services are used, they are carefully selected for privacy practices and legally bound to process data only for the purposes we specify.

22.1 Current Third-Party Integrations

Apple StoreKit (In-App Purchases)

Apple's StoreKit framework is used for all purchase processing. Data handled: purchase receipts, transaction identifiers, product IDs. Governed by Apple's Privacy Policy.

Apple Push Notification Service (APNs)

Used to deliver push notifications to consenting users. Data handled: APNs device token. Governed by Apple's Privacy Policy.

Apple Sign In (Optional)

Optional authentication service. Data handled: Apple user identifier, optional relay email address. Governed by Apple's Privacy Policy.

Apple CloudKit (Potential — Future Optional Feature)

If a future version of ChristBay introduces optional cloud sync, we may use Apple's CloudKit. Under this model, your journal data would be stored in your own personal iCloud account and governed by Apple's iCloud terms. OakDev & AI AB would not have access to your CloudKit data.

22.2 No Social Media SDKs

ChristBay does not integrate with any social media platform's SDK. No social media company tracks your usage of ChristBay.

22.3 No Third-Party Analytics SDKs

ChristBay does not currently include third-party analytics SDKs such as Firebase Analytics, Mixpanel, or Amplitude. Any analytics we perform are handled through our own first-party implementation or Apple's platform analytics.

22.4 No Advertising Networks

ChristBay does not include any advertising network SDKs. We are committed to keeping the App permanently ad-free.

22.5 Scripture Content

ChristBay uses licensed Bible translation text. Scripture content is embedded within the App and served from our own infrastructure. No user data is transmitted to Bible publishers or translation licensors in connection with your use of scripture content.

22.6 Future Integrations

We will update this Policy before introducing any new significant third-party data integrations. We will seek your consent where required by law before any new data sharing begins.

Links to Other Sites

ChristBay may contain links to external websites or resources. OakDev & AI AB is not responsible for the privacy practices, content, or data handling of any third-party websites or services. We encourage you to read the privacy policy of any third-party site you visit.

The inclusion of a link to an external site does not constitute an endorsement of that site or its privacy practices. When you follow a link from ChristBay to an external website, any personal data you provide on that website is subject to the privacy policy of that third party, not this Policy.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, new features, legal requirements, or regulatory guidance. We are committed to transparency about any such changes.

24.1 How We Notify You

When we make material changes to this Policy, we will:

• Update the "Last Updated" date at the top of this Policy.
• Post a prominent notice within the ChristBay App and/or on the ChristBay website.
• For changes that significantly affect your rights or the way we process your personal data, provide at least 30 days' advance notice before the changes take effect.

24.2 Minor Changes

For minor, non-material updates (such as clarifications of existing language, typographical corrections, or updates to contact information), we will update the "Last Updated" date but will not necessarily provide advance notice.

24.3 Continued Use

Your continued use of ChristBay after the effective date of an updated Policy constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the Service and may request deletion of your data in accordance with Section 17.

24.4 Policy Archive

Previous versions of this Privacy Policy are available upon request. Please contact us at hello@oakdev.app if you require a historical version of this Policy.

24.5 Version History

Governing Law and Jurisdiction

This Privacy Policy and all matters arising from or related to it are governed by the laws of Sweden, without regard to its conflict of law provisions, and in compliance with applicable EU law including the GDPR.

25.1 Applicable Legislation

• Regulation (EU) 2016/679 (GDPR): The General Data Protection Regulation, directly applicable in Sweden and throughout the EEA.
• Swedish Act (2018:218) supplementing the EU Data Protection Regulation: Provides additional national specifications and derogations.
• Lag (2003:389) om elektronisk kommunikation (Electronic Communications Act): Governs certain aspects of electronic communications.
• Bokföringslag (1999:1078) (Accounting Act): Imposes obligations to retain certain business records for 7 years.
• Konsumentköplag (2022:260) (Consumer Sales Act): Governs consumer rights in connection with purchases.

25.2 Dispute Resolution

Any disputes arising from this Policy that cannot be resolved through direct communication with us should be submitted to the competent Swedish courts or to the Swedish Authority for Privacy Protection (IMY), as appropriate. As an EU-based data controller, we are also subject to the jurisdiction of other EU/EEA supervisory authorities where relevant.

25.3 Users Outside the EEA

ChristBay is available globally on the App Store. While this Policy is written primarily with GDPR compliance in mind, we extend the same privacy principles and protections to all users worldwide. Users in jurisdictions with local privacy laws (e.g., California CCPA, Australia Privacy Act, Canadian PIPEDA) may have additional rights; contact us at hello@oakdev.app to enquire about your specific rights under local law.

25.4 California Privacy Rights (CCPA / CPRA)

To the extent that ChristBay is used by residents of California, USA, the CCPA and CPRA may provide additional rights including rights to know what personal information is collected, to delete personal information, to opt out of the "sale" or "sharing" of personal information, and to non-discrimination for exercising these rights. OakDev & AI AB does not sell or share personal information as defined by the CCPA/CPRA. California residents may exercise their rights by contacting us at hello@oakdev.app.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. We will do our best to respond promptly and helpfully.

Our postal address (for formal legal correspondence) is available upon request. We aim to acknowledge all enquiries within 5 business days and provide a substantive response within 30 days.

Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint about our processing of your personal data with a data protection supervisory authority. As a Swedish company, our lead supervisory authority is the Swedish Authority for Privacy Protection (IMY):

If you are located in another EU or EEA member state, you also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work. A list of all EU/EEA supervisory authorities is available on the European Data Protection Board (EDPB) website at edpb.europa.eu.

We ask that you first try to resolve any concern with us directly by contacting hello@oakdev.app. We take all privacy concerns seriously and will do our best to address them promptly and fairly.