Privacy policy

1. Who we are

Matu is a Christian prayer-lock and devotional Android app operated by an individual established in Estonia, European Union. For the purposes of EU and UK data-protection law, the operator is the controller of your personal data.

You can reach the controller at joesalulabs@gmail.com.

2. What we collect

We organise the data we hold into the categories below. We try to keep this list complete and accurate; if you spot something missing, please tell us.

Account identifiers

When you first open Matu we sign you in anonymously through Supabase. This generates a random user ID — no email, no name, no phone number is required. If you later choose to link a Google account or an email/password (so your data survives reinstalls), we then store the email address tied to that account.

Onboarding information

During onboarding you tell us a nickname, gender, age range, the country derived from your device locale, where you are on your faith journey, how often you currently pray, the struggles weighing on you, the goals you want to focus on.

App configuration

The prayer times you set, the days they repeat, and the list of apps you choose to lock. The list of locked apps is stored on our servers as a backup so it survives reinstalls; we never receive the list of every app installed on your phone — only the ones you actively decide to lock.

Prayer activity

Each time you complete the prayer prompt, we record a row with the timestamp and the package name of the app that triggered the prompt (e.g. com.instagram.android). This powers your streak and the app-by-app history graph on your profile.

Bible reader data

Verses you highlight, verses you mark as loved, and any notes you write — including the book, chapter, and verse range each item belongs to.

AI companion data

Data we are storing from the integrated AI chat feature: the messages you send and the responses you receive, short summaries of past chat sessions, individual facts that Matu extracts from your conversations so it can remember context across days, follow-up topics it plans to bring up later, and vector embeddings (a numerical representation of each memory used to look up relevant past context). The full mechanics are described in Section 4.

Subscription information

When your 7-day trial begins, we record the start date so we know when the paywall should appear. If you subscribe, we receive your subscription status (active, trial, cancelled, expired) from RevenueCat. We do not receive your card details — payment is handled entirely by Google Play Billing.

Push notification token

If you allow notifications, we store the Firebase Cloud Messaging token for your device so we can deliver your daily verse and prayer reminders. You can revoke this at any time in Android settings.

Diagnostic data

Server-side request logs (your user ID, the API endpoint, the time, and the response status) and counts of how many tokens each AI call consumed. We use this to debug problems and understand cost. We do not log the content of your messages in these diagnostic logs.

What we explicitly do not collect

• We do not collect precise location. Your country is inferred once from your device's locale settings.
• We do not access your contacts, photos, microphone (if you do not give excplicit access), or camera.
• We do not run third-party advertising SDKs, analytics trackers, or marketing pixels in the app.
• We do not collect a list of every app installed on your phone. Android shows you that list inside Matu so you can choose which to lock — only the ones you actively select are ever sent to our servers.

3. Sensitive data — faith and struggles

Some of the information you give us reveals religious or philosophical beliefs (for example, your faith journey stage, your prayer frequency, or anything you say to Matu about God or the church). Some of it might touch on your health and emotional state (for example, selecting "anxiety", "depression", "grief", "addiction", or "health" as struggles you want to focus on, or describing those in chat).

Under Article 9 of the EU General Data Protection Regulation (GDPR), this is special-category data. We process it on the basis of your explicit consent, which you give by:

• Selecting these items during onboarding, and
• Choosing to send messages via AI integration that may contain messages of deeply personal state

You can withdraw your consent at any time by deleting your account from Profile → Delete account. Deletion cascades through every record we hold, including memories the companion has stored about you.

We do not share special-category data with any advertising partner, broker, or analytics provider — there is no such sharing in Matu at all. We disclose it only to the technical processors listed in Section 7 who need it to deliver the service to you.

4. How the AI companion works

Matu, AI chat integration, is the most data-sensitive part of the app, so we want to be specific about what happens.

What gets sent out. When you press send, your message — together with the small amount of context Matu needs (your nickname, your stated faith journey, your current struggles, recent messages from the same session, and a handful of relevant past memories the system retrieved) — is sent over HTTPS to our backend, then forwarded to Anthropic's Claude API. Anthropic returns a streamed response. A short embedding of each memory is also generated by an OpenAI embedding model so the system can find relevant memories later.

No model training on your messages. By default, neither Anthropic nor OpenAI uses inputs or outputs sent through their commercial APIs to train their models. This is part of their standard commercial terms — we have not signed a separate enterprise or zero-data-retention agreement with either vendor. Anthropic retains API content for up to 30 days for trust-and-safety monitoring, and may retain content flagged by their safety classifiers for up to 2 years (with classifier scores for up to 7 years). OpenAI retains API content for up to 30 days for abuse monitoring, and may retain it longer where required by law or to protect their services. We have no contractual ability to shorten either retention window.

What gets stored on our side. The full conversation messages, short session summaries, extracted memories, follow-up topics, and embeddings live in our database under your user ID, protected by row-level security so no other user can read them.

You can see and delete what Matu remembers. Open Profile → What Matu remembers. You can swipe to delete any individual memory, or clear the lot. Memories are also automatically expired after a built-in lifetime where one is set (for example, short-term context after seven days; ongoing situations after ninety; permanent facts only when you've confirmed them).

Crisis-safety classifier. Before every message is answered, your message is also passed through a small Anthropic classification call that looks for signs of acute crisis — self-harm, suicidal ideation, ongoing abuse. If detected, Matu interrupts the normal flow and shares emergency resources instead of generating a chat reply. The classifier output is not stored on our backend. The classification call itself sends your message text to Anthropic's API, where it is subject to the same default retention as other API calls described above.

Matu is not pastoral or medical care. It is a companion for daily prayer and encouragement, not a substitute for a pastor, counsellor, doctor, or emergency line. If you are in crisis, please reach out to a person you trust or a national helpline.

5. Why we use your data

• To run the app you signed up for — locking the apps you chose, showing the prayer prompt, recording completions, calculating streaks, syncing the Bible reader, generating your daily verse.
• To make the AI companion useful across days — remembering what you've shared so you don't have to re-explain context every session.
• To keep you safe — the crisis classifier, rate limits, and abuse-prevention logic described above.
• To handle billing and trials — knowing when your trial ends, when a subscription renews, and when access should be revoked.
• To answer your questions and fix bugs — replying to support email, debugging crashes, understanding errors in the diagnostic logs.
• To meet legal obligations — keeping the minimum subscription records that tax and consumer-protection law require.

6. Legal basis under GDPR

The lawful bases on which we rely (Article 6 GDPR, plus Article 9 for special-category data) are:

• Performance of a contract (Art. 6(1)(b)) — your account, lock configuration, prayer completions, subscription state, and chat messages are processed because they are essential to deliver the service you signed up for.
• Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — your faith-related onboarding answers, struggles touching on health, and any sensitive information you share with Matu. You give consent by entering it; you withdraw consent by deleting your account.
• Legitimate interests (Art. 6(1)(f)) — server-side error logs and aggregate cost-tracking, which we need to keep the service working without overspending. We've balanced this against your interests; if you object, contact us.
• Legal obligation (Art. 6(1)(c)) — minimum subscription and payment records retained for as long as tax and consumer-protection law require.

7. Who we share data with

We do not sell your data. We share it only with the technical processors below, each of which has been picked because it's necessary to operate Matu. Each processor is bound by their publicly-published Data Processing Addendum where one is offered, and by their standard terms of service in all other cases.

• Supabase (Supabase Inc., USA) — anonymous authentication, database hosting, file storage. Stores all of the data described in Section 2.
• Anthropic, PBC (USA) — runs the Claude models that power chat responses, daily verse generation, memory extraction, and the crisis classifier. Receives the message content described in Section 4.
• OpenAI, L.L.C. (USA) — runs the embedding model that converts memory text into vectors so the companion can retrieve relevant past context. Receives the plain-text content of each memory extracted from your conversations (which may include sensitive material such as stated struggles or faith disclosures) in order to compute its vector.
• Railway Corp. (USA) — hosts our backend. All API traffic transits Railway's infrastructure.
• RevenueCat, Inc. (USA) — manages subscription state and webhook delivery. Receives your anonymous user ID, subscription status, the Google Play transaction details (order ID, product ID, country, store-reported price), and standard webhook metadata (timestamps, request IPs).
• Google LLC — Play Billing handles your payment; Sign-in with Google handles optional account linking; Firebase Cloud Messaging delivers push notifications.
• Vercel Inc. (USA) — hosts the marketing website you are reading right now. The app itself does not send personal data to Vercel.

We may also disclose data where we are legally required (for example, in response to a valid court order or a binding request from a regulator). We will narrow any such disclosure to the minimum required and, where lawful, notify you.

8. International transfers

Several of the processors above are based in the United States. Where your data is transferred outside the EEA / UK, we rely on the European Commission's Standard Contractual Clauses (2021/914) as incorporated into each processor's published Data Processing Addendum, together with each provider's technical and organisational measures (encryption in transit and at rest, access controls, audit logs). Where a provider additionally holds an EU–US Data Privacy Framework certification, we rely on that certification as well.

9. Security

All traffic between the app and our backend, and between our backend and the processors above, runs over TLS. Data at rest in Supabase is encrypted by default. Database access for client-originated requests is gated by Postgres row-level security policies scoped to the requesting user's ID. Backend service-role operations (which can read across users by design) are limited to specific server-side workflows such as cron jobs, embedding generation, and AI orchestration; their keys live only on our backend, never in the app.

We do not currently encrypt your chat content or notes end-to-end. The technical processors listed above can, by design, see that content in order to deliver the service. We have not promised end-to-end encryption and do not want to claim it.

10. How long we keep your data

• Account data, lock configuration, Bible reader data — for as long as your account exists. Removed immediately on account deletion.
• Prayer completions and streak history — for as long as your account exists. Removed on account deletion.
• AI memories — those marked time-bounded (e.g. short-term context, ongoing arcs) are auto-expired after their built-in lifetime; permanent memories live until you delete them or your account.
• Chat messages and session summaries — until you delete your account. The full message history of any single day is also held on your device and resets locally at midnight.
• Subscription records — retained for the period required by Estonian / EU consumer-protection and tax law (typically up to 7 years), even after account deletion, in a pseudonymised form where possible.
• Diagnostic logs — kept for up to 90 days, then rotated.

When your account is deleted, we issue a delete to Supabase which cascades through every table that references your user ID, and we instruct the auth system to remove the underlying identity record. RevenueCat keeps the anonymised purchase record per the requirement above; everything else is gone.

11. Your rights

If you are in the EU, EEA, or the UK, the GDPR gives you the following rights. We honour these wherever we can identify the requesting user. If you reside outside the EU/EEA/UK, equivalent local rights may apply; please contact us to exercise them.

• Access — ask for a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate information. Most onboarding fields can be edited directly from the Profile screen.
• Erasure — delete your account and all data tied to it. Fastest path: Profile → Delete account.
• Restriction — ask us to pause processing while a dispute is resolved.
• Objection — object to processing based on legitimate interest. We will stop unless we can demonstrate compelling overriding grounds.
• Portability — ask for your data in a machine-readable format. We provide JSON exports on request.
• Withdraw consent — for anything we process on the basis of your consent (notably your faith and struggles data), at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Lodge a complaint with the data-protection supervisory authority of your EU member state. The Estonian authority is the Andmekaitse Inspektsioon.

To exercise any right above, write to joesalulabs@gmail.com. We respond within one month, as required by Article 12(3) GDPR, and may extend this by up to two further months for complex requests with notice to you.

12. Children

Matu requires users to be at least 16 years old, which is the highest age of digital consent in the EU. We do not knowingly process personal data from anyone under 16.

If you believe a user under 16 has created a Matu account, contact joesalulabs@gmail.com and we will delete it.

13. Changes to this policy

We may update this policy as Matu evolves. When we make a material change — adding a new processor, expanding what we collect, or otherwise changing your rights or our duties — we will update the "Last updated" date above and, where the change is significant, notify you in the app or by email before it takes effect. The current version always lives at getmatu.app/privacy.

14. Contact

Questions, requests, or complaints about how we handle your data:

joesalulabs@gmail.com
Estonia, European Union