Your data stays where it belongs.

Devar is operated by Devar Technologies Ltd ("Devar", "we", "us"). For the purposes of applicable data protection law, we are the data controller for personal data collected through our website and application. If you have questions about this policy, contact us at privacy@devar.app.

Account data. When you register, we collect your name, email address, and a hashed password. You may optionally add a profile photo.

Usage data. We collect anonymised, aggregate signals about how features are used (e.g. which transcription model is selected most often). No personally identifiable information is attached to these signals. We use this data to improve the product.

Support correspondence. When you contact us for support, we retain the content of that correspondence for as long as the support relationship is active and for 12 months thereafter.

Billing data. Payment is processed by our payment provider (Stripe). We do not store card numbers or banking information. We retain records of transaction amounts, dates, and plan tier for accounting purposes.

Device and session data. Standard server logs (IP address, browser type, referring URL) are retained for up to 30 days for security and debugging purposes.

• Sermon audio. Audio is captured and processed entirely on your local machine. It is never transmitted to Devar servers.
• Transcripts. Transcript data is stored locally in your browser or on your self-hosted backend. We have no access to it unless you choose to enable cloud archive and sync to your own storage bucket.
• Congregation data. We do not process or store any information about your church's congregation members.
• Verse selections. Which Bible verses you project during a service is your data. It is stored on your device and your configured backend, not on our servers.
• Bible translation text. Translation files are uploaded by you to your local backend. We have no access to them.

For users in the European Economic Area and United Kingdom, we process personal data on the following legal bases:

• Contract performance — to provide the service you have signed up for (account management, authentication, billing).
• Legitimate interests — to operate, secure, and improve the service (usage analytics, security logs).
• Legal obligation — to retain billing records as required by applicable accounting law.

Account data is retained for as long as your account is active. If you delete your account, personal data is erased within 30 days, subject to our legal obligation to retain billing records for up to 7 years. Anonymised usage analytics have no defined retention limit. Server logs are deleted after 30 days.

We use a small number of sub-processors, each bound by a Data Processing Agreement:

• Fly.io — application hosting (EU region)
• Supabase — database and optional file storage (EU region)
• Stripe — payment processing
• Postmark — transactional email delivery

We do not share your personal data with any other third parties for marketing, advertising, or analytics purposes.

Our primary infrastructure is located in the European Union. If data is processed outside the EEA, we ensure adequate safeguards are in place (EU Standard Contractual Clauses or equivalent).

Devar sets one first-party session cookie for authentication. We do not use third-party analytics cookies, advertising cookies, or tracking pixels of any kind. No cookie consent banner is required because no non-essential cookies are set.

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate personal data.
• Erasure — request deletion of your personal data ("right to be forgotten").
• Portability — receive your personal data in a machine-readable format.
• Restriction — request that we restrict processing of your data in certain circumstances.
• Objection — object to processing based on legitimate interests.
• Complaint — lodge a complaint with your local supervisory authority (e.g. ICO in the UK, your national DPA in the EU).

To exercise any of these rights, email privacy@devar.app. We will respond within 30 days.

We use industry-standard security measures: all data in transit is encrypted with TLS 1.2+, data at rest is encrypted, passwords are hashed with bcrypt, and access to production systems is restricted and audited. If we become aware of a breach affecting your personal data, we will notify you within 72 hours as required by applicable law.

Devar is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@devar.app and we will delete it promptly.

We will notify registered users by email at least 14 days before any material changes to this policy take effect. The current version and its effective date are shown at the top of this page. Continued use of the service after the effective date constitutes acceptance of the revised policy.