Privacy Policy

Last updated: February 22, 2026

Our Privacy Commitment

Your personal journey is sacred to us. We designed Doxa with privacy at its core. We never sell your personal data, and we give you full control over your information. Your struggles, prayers, and reflections remain between you and God.

1. Overview

Doxa Wellness ("Doxa," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service").

We understand that you trust us with deeply personal information—your spiritual journey, mental health reflections, struggles, and prayers. We take this responsibility seriously.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password (encrypted)
  • Profile Information: Preferences, focus areas, spiritual background
  • Check-in Data: Mood scores, life domain ratings, reflections
  • Journal Entries: Personal reflections, gratitude notes, prayers
  • Goals & Plans: Personal goals, action items, progress tracking
  • Freedom Journey Data: Struggles you're working to overcome, triggers, progress
  • Relationship Data: Names and notes about people you're tracking relationships with
  • AI Conversations: Messages you send to Doxa AI

2.2 Information Collected Automatically

  • Device Information: Device type, operating system, browser type
  • Usage Data: Features used, time spent, interaction patterns
  • Log Data: IP address, access times, pages viewed

2.3 Sensitive Information

Special Category Data: Doxa may collect information that could be considered sensitive, including religious beliefs, mental health reflections, and personal struggles. This information is collected only because you voluntarily provide it as part of using our wellness features. We apply additional protections to this data.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Personalize your experience and content recommendations
  • Generate AI responses and insights based on your data
  • Send you notifications and reminders (if enabled)
  • Analyze usage patterns to improve our features
  • Respond to your inquiries and support requests
  • Protect against fraud and unauthorized access

We DO NOT:

  • Sell your personal information to third parties
  • Use your data for targeted advertising
  • Share your personal reflections, prayers, or struggles with other users
  • Make your data public without your explicit consent

4. AI & Third-Party Processing

4.1 AI Features

Doxa uses third-party AI services (such as Anthropic's Claude or OpenAI) to power our AI conversation features. When you use "Ask Doxa" or similar features:

  • Your messages are sent to AI providers for processing
  • AI providers may temporarily store data for processing purposes
  • We do not allow AI providers to use your data to train their models (where such options exist)
  • AI responses are generated based on your input and may be stored by Doxa

4.2 Other Third-Party Services

  • Hosting: Our data is hosted on secure cloud infrastructure
  • Payment Processing: Payments are processed by Stripe (we never see your full card number)
  • Analytics: We use privacy-respecting analytics to understand usage patterns

5. Data Security

We implement robust security measures to protect your data:

  • Encryption in Transit: All data is encrypted using TLS/SSL during transmission. HSTS is enforced with a 2-year policy.
  • Encryption at Rest: Sensitive narrative fields — including journal entries, prayer requests, check-in reflections, freedom journey logs, financial notes, and relationship reflections — are encrypted using AES-256-GCM authenticated encryption before being stored in our database. Numerical scores and metadata are stored without application-layer encryption but are protected by database-level access controls and encrypted connections.
  • Access Controls: Strict internal access controls limit who can access user data. Database connections require TLS and credentials are never stored in code.
  • Regular Audits: We conduct regular security reviews and updates
  • Secure Authentication: Passwords are hashed using PBKDF2-SHA512 with unique salts. Raw passwords are never stored.
  • Session Security: Session tokens are cryptographically random and only their hashes are stored in the database.

Important: While we implement strong security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

6. Your Rights & Choices

You have the following rights regarding your data:

Access Your Data

View all data we have about you through your Settings page.

Export Your Data

Download a complete copy of your data at any time from Settings > Export Data.

Delete Your Data

Request complete deletion of your account and all associated data.

Correct Your Data

Update or correct any inaccurate information in your profile.

Opt-Out of Communications

Manage notification preferences in Settings.

7. Data Retention

  • Active Accounts: We retain your data as long as your account is active
  • Deleted Accounts: Upon account deletion, we remove your data within 30 days
  • Backup Retention: Backups may retain data for up to 90 days for recovery purposes
  • Legal Requirements: We may retain certain data as required by law

8. Children's Privacy

Doxa is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

9. International Users & GDPR

Doxa is operated from the United States. If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

For users in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, we comply with applicable regulations including GDPR where applicable.

9.1 Legal Basis for Processing (GDPR)

If you are located in the EEA or UK, we process your personal data based on the following legal bases:

  • Consent (Article 6(1)(a)): When you create an account and agree to our terms, you consent to the processing of your data. For special category data (religious beliefs, health-related reflections), we rely on your explicit consent (Article 9(2)(a)).
  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you requested.
  • Legitimate Interests (Article 6(1)(f)): Processing for security, fraud prevention, and service improvement.

9.2 Your GDPR Rights

In addition to the rights listed in Section 6, EEA and UK users have the right to:

  • Request restriction of processing of your personal data
  • Object to processing based on legitimate interests
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time without affecting the lawfulness of prior processing
  • Lodge a complaint with your local data protection supervisory authority

9.3 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at: dpo@doxawellness.com

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by law)
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights
  • Provide details about the nature of the breach, the data involved, and the measures taken
  • Take immediate steps to contain the breach and prevent further unauthorized access

11. Communications

We may send you:

  • Service Communications: Account-related notifications (required)
  • Reminder Notifications: Check-in reminders, devotional prompts (optional)
  • Product Updates: New features and improvements (optional)

You can manage your notification preferences in Settings at any time.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for material changes
  • Displaying a notice within the app

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@doxawellness.com
Address: AllureSync Technologies LLC

For data deletion requests or GDPR-related inquiries, please email: dpo@doxawellness.com

Your privacy matters to us. Thank you for trusting Doxa with your personal journey.