Privacy Policy

1. Introduction

FromSunday.io ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. This policy complies with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

2.1 Personal Information

We collect the following personal information:

• Account Information: Name, email address, password (encrypted)
• Church Information: Church name, address, contact details
• Payment Information: Processed securely through Stripe (we do not store credit card details)
• Usage Data: Videos uploaded, processing history, subscription tier
• Technical Data: IP address, browser type, device information, usage patterns

2.2 Video Content

We process video content you upload or import from YouTube/Facebook. This content is stored securely and used solely for generating discussion guides and related materials. We do not share your video content with third parties except as necessary to provide our services (e.g., video processing via RunPod).

3. How We Use Your Information

We use your information for the following purposes:

• To provide and maintain our service
• To process video content and generate discussion guides
• To manage your subscription and process payments
• To communicate with you about your account and our services
• To improve our service and develop new features
• To comply with legal obligations
• To protect our rights and prevent fraud

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal bases:

• Contract Performance: To fulfill our service agreement with you
• Legitimate Interests: To improve our services and prevent fraud
• Consent: When you explicitly consent to specific processing
• Legal Obligation: To comply with applicable laws

5. Data Sharing and Disclosure

We share your information only in the following circumstances:

5.1 Service Providers

We use third-party service providers who process data on our behalf:

• Supabase: Database, authentication, and file storage
• RunPod: GPU-accelerated video processing
• Stripe: Payment processing
• OpenAI (via Vercel AI Gateway): Video transcription
• OpenRouter + Gemini: AI analysis and content generation
• Vercel: Hosting and infrastructure

All service providers are bound by data processing agreements (DPAs) and are prohibited from using your data for any purpose other than providing services to us.

5.2 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption at rest (Supabase Storage)
• Encryption in transit (HTTPS/TLS 1.3)
• Secure password storage (bcrypt)
• Row-level security (RLS) for multi-tenant data isolation
• Regular security audits and monitoring
• Access controls and authentication

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your data for as long as necessary to provide our services:

• Account Data: Retained while your account is active
• Video Content: Retained until you delete it or your account is closed
• Transaction Records: Retained for 7 years for tax and legal compliance
• Logs and Analytics: Retained for up to 2 years

You can request deletion of your data at any time (see "Your Rights" below). Upon account deletion, we will delete your personal data within 30 days, except where we are required to retain it for legal purposes.

8. Your Rights (GDPR & CCPA)

You have the following rights regarding your personal data:

8.1 Right to Access

You can request a copy of all personal data we hold about you. You can export your data from your account dashboard or contact us for assistance.

8.2 Right to Rectification

You can update your personal information at any time through your account settings or by contacting us.

8.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We will delete your data within 30 days, except where we are required to retain it for legal purposes.

8.4 Right to Restrict Processing

You can request that we limit how we process your data in certain circumstances.

8.5 Right to Data Portability

You can request a machine-readable copy of your data in a structured format. You can export your data from your account dashboard.

8.6 Right to Object

You can object to processing of your data based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

8.8 Right to Non-Discrimination (CCPA)

We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, please contact us at privacy@fromsunday.io or use the data management tools in your account dashboard.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) or your country of residence. We ensure appropriate safeguards are in place through:

• Standard Contractual Clauses (SCCs) with service providers
• Data Processing Agreements (DPAs) with all processors
• Adequacy decisions where applicable

10. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our website. The "Last Updated" date at the top indicates when this policy was last revised.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

• Email: privacy@fromsunday.io
• Data Protection Officer (if applicable): dpo@fromsunday.io

Supervisory Authority (EU): If you are located in the EU and believe we have not addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

15. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the CCPA:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights

We do not sell your personal information. We only share data with service providers as described in this policy.