Privacy Policy
Last updated: April 15, 2026 · Draft pending legal review
1. Data controller
Kai'Ros International Technologies ("KAIR"), operating TheWay, is the controller of the personal data collected through this service. Contact: support@summitbiblecenter.com.
2. What we collect
- Account data: email, display name, timezone, password hash (via Supabase Auth).
- Family data: child names, dates of birth, avatars, developmental stage.
- Journal content: text entries, photos, videos, and audio you upload — including entries written by your child via invite code.
- Coaching data: messages you send to AI coaching, and summaries (not full transcripts) of those conversations.
- Billing data: Stripe customer ID, subscription status. We do not store card numbers — Stripe handles that.
- Usage data: page views, feature use, and error reports for product improvement. Error reports are stored in our own database.
3. How we use it
- To deliver the features you signed up for.
- To send account email (e.g., child-write notifications, badges) via Resend.
- To generate AI coaching via Anthropic's Claude API. Prompts sent to Anthropic are governed by Anthropic's data policies; Anthropic does not train on API inputs.
- To process payments via Stripe.
- To detect and prevent abuse (rate limiting via Upstash Redis).
- To monitor errors and uptime (in-house error logger + external uptime monitors).
4. Processors we share data with
- Supabase — database, authentication, file storage (
entrusted-mediabucket). - Vercel — hosting and edge delivery.
- Anthropic — AI coaching (prompt + response, no training on API data).
- Stripe — payments.
- Resend — transactional email.
- Upstash — rate limiting.
- In-house error logger — errors stored in our own Supabase database, auto-purged after 90 days.
We do not sell personal data. We do not share journal content with marketing partners or advertisers.
5. Children's data
TheWay is designed for use by parents about their children. Children may write entries through invite codes issued by a parent; that writing is stored under the parent's account and visible only to the parent and (optionally, at age 18) the child via the Entrusted delivery. We do not advertise to children. Parents may delete child content at any time.
6. Row-level security
Every database table has Row-Level Security enabled. You can only read or write your own records. The server-side service role is used exclusively inside our API — never exposed to the browser.
7. Retention
Journal content is retained for the life of your subscription and for up to 18 years after a child's birth date to support Entrusted delivery, unless you delete it sooner. Billing records are retained for the period required by tax law. Error reports are auto-purged from our database after 90 days.
8. Your rights
- Access — request a copy of your data by emailing support.
- Correction — edit most fields from settings; email for the rest.
- Deletion — delete your account from settings, or email support. Deletion is applied within 30 days, subject to legal holds.
- Export — download your Entrusted journal as a PDF from the Entrusted page at any time.
9. Security
All traffic is TLS-encrypted. Passwords are hashed by Supabase Auth (bcrypt). Secrets (API keys, service role) live in Vercel environment variables and never in source code. We use rate limiting to mitigate abuse. Error logs are stored in our own database and auto-purged after 90 days.
10. International transfers
Our infrastructure providers (Supabase, Vercel, Anthropic, Stripe, Resend, Upstash) operate in the United States. If you use TheWay from outside the US, you consent to your data being processed in the US under these providers' data protection frameworks.
11. Changes to this policy
We will notify active users by email before material changes take effect.
Questions? Email support@summitbiblecenter.com.