Privacy Policy

Account Information

• Name and email address
• Account password (hashed — we never store your actual password)
• Role selection (Seeker or Mentor)
• Profile information you choose to share (language preferences, areas of interest)

Mentor Verification Data

• Ordination or formation credentials
• Episcopal or superior approval documentation
• VIRTUS/Safe Environment certification status

Session Data

• Session scheduling information (date, time, participants)
• Session duration and completion status
• We do not record, store, or access the content of your sessions

Payment Information

• Donation amounts and dates
• Payment processing is handled entirely by Stripe — we never see or store your full card number, expiration date, or CVC

Technical Information

• IP address (for security and fraud prevention only)
• Browser type and device information
• Pages visited and general usage patterns (aggregated, not individual)

We use your information only for the following purposes:

• Operating the platform — Creating your account, matching you with mentors, scheduling sessions
• Verification — Confirming mentor credentials and maintaining safety standards
• Communication — Session reminders, account notifications, and important platform updates
• Payment processing — Processing donations through our payment provider (Stripe)
• Safety — Preventing fraud, abuse, and unauthorized access
• Improving the platform — Using aggregated, anonymized usage data to improve features (never individual tracking)

We never use your data for advertising, profiling, behavioral targeting, or any purpose unrelated to the mission of GraceBook.

Your spiritual conversations are sacred to us. We have built GraceBook with the highest technical standards of privacy:

• End-to-end encryption — All video, audio, and in-session chat is encrypted in transit and at rest. GraceBook cannot access the content of your sessions.
• No recording — Sessions are never recorded by default. There is no mechanism for GraceBook staff to listen to or view your sessions.
• No monitoring — We do not proactively review, screen, or surveil session content.
• Zero-knowledge session notes — Mentor session notes are encrypted client-side before being stored. Only the mentor who created them can read them. Even our engineers cannot access them.
• No AI analysis — We do not use artificial intelligence, natural language processing, or any automated tools to analyze session content.

To be explicit, GraceBook never collects:

• The content of your spiritual conversations
• Audio or video recordings of your sessions
• Your mentor's private session notes
• Your religious beliefs, sacramental history, or confession details
• Your physical location (beyond the IP-derived country for legal compliance)
• Social media profiles or contacts
• Biometric data

We do not sell, rent, or trade your personal information. Period.

We share limited data only with the following service providers, all of whom are contractually bound to protect your data:

• Stripe — Payment processing. Stripe receives only the data needed to process your donation. See Stripe's Privacy Policy.
• Video infrastructure provider — Provides encrypted video session technology. Receives no personally identifying information beyond what is required for the encrypted connection.
• Email service provider — Sends session reminders and account notifications. Receives only your email address and name.
• Hosting provider (Vercel) — Hosts the GraceBook website. See Vercel's Privacy Policy.

We may also disclose information if required by law, such as in response to a valid court order or subpoena.

GraceBook uses minimal cookies:

• Essential cookies — Required for the platform to function (authentication, session management). These cannot be disabled.
• Preference cookies — Remember your language and display preferences.

We do not use:

• Third-party advertising cookies
• Social media tracking pixels
• Cross-site tracking
• Behavioral analytics that identify individual users

We use aggregated, anonymized analytics to understand general usage patterns (e.g., which pages are most visited). These analytics cannot identify you individually.

• Account data — Retained for as long as your account is active. Deleted within 30 days of account deletion.
• Session metadata — Scheduling records retained for 12 months after your last session, then automatically deleted.
• Session content — Never stored. There is no content to retain.
• Mentor session notes — Encrypted notes are retained until the mentor deletes them or their account is closed.
• Verification documents — Retained for as long as the mentor is active on the platform, plus 12 months after departure.
• Payment records — Retained for 7 years as required by tax and financial regulations.
• Server logs — Retained for 90 days for security purposes, then automatically deleted.

You have the right to:

• Access — Request a copy of all personal data we hold about you
• Correction — Update or correct inaccurate personal data
• Deletion — Request deletion of your account and associated data
• Portability — Receive your data in a portable format
• Restriction — Ask us to limit how we process your data
• Objection — Object to processing based on legitimate interests
• Withdraw consent — Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at privacy@gracebook.com. We will respond within 30 days.

GraceBook is not directed at anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has provided us with personal data, please contact us immediately at privacy@gracebook.com and we will delete it.

We protect your data with industry-leading security measures:

• End-to-end encryption for all session communications
• TLS 1.3 encryption for all data in transit
• AES-256 encryption for all data at rest
• Zero-knowledge architecture for session notes
• Regular security audits and penetration testing
• Role-based access controls for internal systems
• Two-factor authentication available for all accounts
• Automated intrusion detection and monitoring

While no system is 100% secure, we are committed to maintaining the highest standards of data protection and to promptly notifying affected users in the unlikely event of a data breach.

GraceBook is based in the United States. If you access the platform from outside the United States, your data may be transferred to and processed in the United States. We ensure all international data transfers comply with applicable data protection laws, including the use of Standard Contractual Clauses where required.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal basis — We process your data based on: consent (account creation), contract performance (providing the service), and legitimate interests (platform security).
• Data Protection Officer — You may contact our DPO at dpo@gracebook.com.
• Supervisory authority — You have the right to lodge a complaint with your local data protection authority.
• Data transfers — We rely on Standard Contractual Clauses approved by the European Commission for transfers to the United States.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to know — You may request the categories and specific pieces of personal information we have collected.
• Right to delete — You may request deletion of your personal information.
• Right to opt-out — We do not sell personal information, so no opt-out is necessary.
• Non-discrimination — We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at privacy@gracebook.com.

We may update this Privacy Policy from time to time. When we make significant changes, we will:

• Post the updated policy on this page with a new effective date
• Notify you by email if the changes materially affect how we handle your data
• Provide a summary of what changed

We encourage you to review this policy periodically. Your continued use of GraceBook after changes are posted constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.