Privacy

Annotations, journal entries, and prayer content belong to you. We don’t sell them, don’t use them to train AI, don’t share them with advertisers, and don’t expose them to anyone outside the scope you chose when you wrote them.

Every annotation has a scope you set when you wrote it:

• Self.Only you can read it. Family members, group leaders, and church admins cannot — even when you’re looking at the same verse together.
• Family. Visible to the people in your family who use GoTherefore. Not visible outside the family.

We’ll add group and church scopes in a future phase. They’ll work the same way: scope decides who can read, and you decide the scope.

When you tap Removeon something you wrote, it disappears from every view — yours, your family’s, everyone’s. We don’t hard-delete the row right away because we want a future “show hidden” recovery option for when you change your mind. The row is invisible by default and stays that way until you choose to see it again.

Permanence by default.Once you write something, the system keeps the historical record. We treat your writing the way a paper journal treats ink — you can hide a page, but the page exists. Edits and removals are recorded so the history is honest.

If you’re part of a family, the family admin (usually a parent) can see engagement signals— whether you’ve done today’s reading, your streak, how many annotations you’ve written this week. They cannot read the contentof self-scope annotations. They can read family-scope annotations because that’s the scope you chose.

This is the shape of pastoral care: a parent who can tell whether you’re drifting, without reading what you’re thinking. We hold that line at the database level, not just the UI.

Most of the GoTherefore team (support, content reviewers, auditors) operate under the same content boundary as everyone else: they see engagement signals, not annotation content, not journal text, not prayer entries.

One exception: a designated platform owner (“super-admin”) can access content under specific circumstances — a legal request we’re required to honor, a credible safety concern (a user signaling harm to themselves or someone else), or a user’s own written request for help recovering content they removed. Every such access is recorded in an append-only audit log with the staff member, the action, the user, and the timestamp.

Family devices — a shared iPad, a parent’s phone handed to a kid — show a profile picker when no one is actively using the app. Tap your name, type your PIN, and you’re in.

Every member has their own PIN.Parents, adult family members, kids — each person has a private unlock code. Tapping someone else’s tile asks for their PIN, not yours. After 5 wrong attempts in 15 minutes, the tile locks for 15 minutes.

Adult PINs are managed only by the adult.No one else — not another adult in the family, not platform staff — can read, reset, or change another adult’s PIN. If you forget yours, you reset it by signing in through your email-recovery flow on “Forgot PIN?”.

Kid PINs are managed by a family admin (a parent).The parent who set up the kid’s profile can reset the PIN at any time. This is by design for kids who don’t have email addresses yet — if a kid loses their PIN, the parent helps them get back in. The trade-off: a parent canreset a kid’s PIN and use the kid’s profile if they need to. We say so plainly here so it’s never a surprise.

When a kid earns their own email and is ready for an independent account, a parent can upgrade their profile. The upgrade keeps every annotation, every journal entry, every piece of history under the same identity — nothing is lost. What changes is the privacy contract: from the moment of upgrade forward, the kid manages their own PIN, and the parent no longer has reset access. The kid sets a fresh PIN at upgrade time so even the parent doesn’t know it.

• Account basics.Display name; email if you have one; year of birth (or full birthday) if you or your family admin chose to share it — used to snapshot “wrote this at age 14” on annotations. Never required.
• Unlock PIN.Stored as a one-way hash (bcrypt) so even we can’t read it. Used only to verify your sign-in attempts on the device.
• What you write. Annotations, notes, and (later) journal/prayer entries.
• Engagement signals.Whether you completed today’s reading, your streak, point totals, quiz scores.
• Operational logs. Sign-in times, IP addresses retained briefly for security, audit-log entries for staff actions.

GoTherefore is built for families, including young readers. Federal law (the Children’s Online Privacy Protection Act, or COPPA) requires us to be specific about what we collect from kids under 13 and how parents consent.

Kids under 13 don’t have their own accounts.Their profile is created by a parent (family admin) under the parent’s account. The act of a parent creating the profile is the parental consent record — we keep an audit-log entry of who created it, when, and for whom.

What we collect for a kid profile:

• Display name (chosen by the parent; can be a nickname — we don’t require legal names).
• Birth year or full birthday, only if the parent chose to share it.
• The kid’s PIN (bcrypt-hashed; the value itself is unrecoverable).
• What the kid writes (annotations, notes, prayer, quiz answers).
• Engagement signals (reading completion, streak).

What we don’t collect for kids:no email, no phone number, no precise location, no contacts, no persistent device identifiers beyond what’s needed for session continuity. No third-party advertising or cross-context behavioral tracking, ever.

Parental rights:a parent can at any time review the kid’s profile and engagement signals from Family settings, reset the PIN, edit the birthday, change the display name, or remove the profile entirely. Removing the profile archives the kid’s row and stops further data collection; written annotations follow the same permanence-by-default rules as anyone else’s (kid can self-invoke removal too).

Contact:for COPPA-related questions or requests — review, delete, or correct your child’s data — email hello@gotherefore.app. We’ll respond within 7 days.

• We don’t sell your data.
• We don’t use what you write to train AI models — ours or anyone else’s.
• We don’t serve third-party advertising.
• We don’t share content with churches, groups, or publishers outside the scope you chose.

You can delete your account. We’ll remove your personal identifiers and stop processing your data. Some operational records (audit log of staff actions, billing history if any) are retained for compliance. Annotations you wrote in shared scopes stay in those scopes as anonymized historical entries unless you remove them first — the same way a comment you posted in a group chat doesn’t un-say itself when you leave the chat.

We’re early. If something on this page is unclear, or you want to know how a specific feature handles your data, email hello@gotherefore.app. We’ll answer.