WeDevote Platform — Privacy Policy

Effective Date: May 27, 2026 Last Modified: May 27, 2026

Please Read This First

WeDevote Platform exists to help people draw near to God through Scripture through WeDevote Bible and our other Services. Our mission shapes every product and feature we build, and it shapes how we handle the personal information you share with us.

You choose what you access. You choose what you share. You choose with whom you share it. Your data is yours. WeDevote Platform does not sell your personal information for money. We will not share your Personal Information with others so they can solicit the sale of third-party goods or services to you, and we do not use cookies or similar technologies to facilitate interest-based advertising for third-party goods or services to you.

This Privacy Policy applies to all WeDevote Platform products and services across every platform on which we offer them — including the WeDevote Platform websites at wd.bible and wedevote.com, our Android applications, our iOS applications, our desktop applications, and any other application, platform, integration, or service that WeDevote Platform makes available now or in the future. As we develop new products, new features, new modalities (such as voice, audio, video, smart-device integrations, or AI-powered tools), and new partnerships, this Policy will continue to govern how we collect, use, share, and protect your information, subject to any additional notice we provide for new processing.

Please read this Privacy Policy carefully because it describes how we collect, use, share, and process your Personal Information. Your use of the Services is subject to this Privacy Policy. Where applicable law requires a separate consent for a particular processing activity, we will request that consent separately.

Contents

1. Introduction and Scope
2. Definitions
3. Brief Overview: Personal Information We Collect and Why
4. Information We Collect and How We Collect It
5. How We Use Your Information
6. Disclosure of Your Information
7. Your Choices and Rights
8. Children and Minors
9. Security and Data Protection
10. Data Retention
11. Users Outside Our Primary Operating Country and International Data Transfers
12. Lawful Bases for Processing
13. Third-Party Links and Services
14. Changes to This Privacy Policy
15. Contact Us

1. Introduction and Scope

1.1 Who We Are

In this Privacy Policy, "WeDevote Platform," "we," "us," or "our" refers to WeDevote Bible, an entity organized in the State of California, United States, with its registered mailing address at 1753 Cabrillo Ave, Torrance, CA 90501, United States, together with its parents, affiliates, subsidiaries, and successors. Specific corporate-form details (including any not-for-profit-religious-organization registration) are available on request to the contact in Section 15.

WeDevote Platform owns and operates the WeDevote Bible application (accessible at wd.bible and wedevote.com) and the other Services covered by this Privacy Policy. WeDevote Platform is the controller of your personal information collected through the Services, except where we act as a processor on behalf of an organizational partner as described in Section 6.5.

1.1.a How to Reach Our Privacy Team

You can reach our privacy team at [email protected] with privacy-related questions, requests to exercise your rights, or to report any concern about this Policy.

Our encarregado under Brazil's LGPD Article 41 is the WeDevote Privacy Team, reachable at [email protected]. Our person in charge of personal-information protection (responsable de la protection des renseignements personnels) under Quebec Law 25 s. 8.1 is reachable at [email protected]; you may also write to our registered address marked "Attn: Responsable Quebec Law 25."

Where applicable law requires us to formally appoint a Data Protection Officer (under GDPR Article 37 or UK GDPR Article 37) or another named privacy official, we will appoint such an officer and publish their contact details here. We monitor applicable appointment thresholds at each material update to this Policy.

1.1.b Representatives

Where applicable law requires a controller not established in the relevant territory to designate a local representative — including under Article 27 of the EU GDPR, Article 27 of the UK GDPR, or the LGPD — we will designate such a representative and publish their contact details on this page. If you are located in such a jurisdiction and have not yet found your local representative's details below, please contact our privacy team and we will direct your inquiry appropriately.

1.2 Services Covered by This Policy

This Privacy Policy applies to any product, platform, application, website, integration, or other offering that WeDevote Platform makes available to users (collectively, the "Services"). This includes, but is not limited to:

• The WeDevote Platform websites and any of their subdomains (including wd.bible, wedevote.com, and wdbible.org, and any successor or replacement domains);
• The WeDevote Bible mobile applications for Android and iOS, and any other tablet, wearable, smart-device, or in-vehicle application we may offer in the future;
• Any WeDevote Bible desktop application, browser extension, or progressive web application we may offer;
• Any WeDevote Platform application programming interface (API), developer platform, embeddable widget, or content distribution service we may offer;
• Any voice-assistant integration, audio-streaming or video-streaming application, smart-speaker skill, or similar emerging-modality offering we may introduce;
• Any artificial-intelligence-powered feature, conversational interface, study assistant, or content-generation tool we may introduce;
• Any donation, payment, fundraising, store, or e-commerce service we operate;
• Any community, social, group, or organization service we may offer to churches, ministries, denominations, schools, nonprofits, or other partners; and
• Any other WeDevote Platform product or service, in any medium and on any platform, whether currently available or made available in the future.

As described in Section 1.3, certain Services enumerated above (such as AI-powered features, voice-driven features, multi-tenant Community Services, and smart-device integrations) are forward-looking and are not all available in the Services today. The list above describes the universe of offerings to which this Policy is designed to apply when, and only when, those features are actually launched.

1.3 Future Products and Services

WeDevote Platform is continuously developing new products, new features, and new ways to serve our users. This Privacy Policy is intended to be forward-compatible. When we introduce a new product, feature, platform, integration, or service, this Privacy Policy will continue to apply, and the categories of personal information, purposes of use, lawful bases, and rights described in this Policy are intended to cover the new offering. Where a new product or feature involves materially different categories of Personal Information or materially different purposes of use — for example, the introduction of artificial-intelligence features, voice-driven features, multi-tenant Community Services, biometric processing, or any new third-party recipient — we will publish an updated Privacy Policy and, where appropriate, provide a separate or supplemental notice or seek your consent before that new processing begins.

1.4 How This Policy Applies

When this Policy uses examples introduced by phrases such as "for example," "including," or "such as," those examples are illustrative and not exhaustive. References to specific features, technologies, or third-party services reflect our practices as of the effective date of this Policy and may change as our Services evolve.

2. Definitions

For convenience, this Policy uses the following defined terms:

• "Services" means any WeDevote Platform product, application, website, platform, integration, or service (including WeDevote Bible), as described in Section 1.2.
• "User," "you," or "your" refers to any individual who accesses or uses the Services, whether or not registered.
• "Visitor" means a User who accesses the Services without creating an account.
• "Member" means a User who has created an account with WeDevote Bible.
• "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes "personal data" as defined under European data-protection law and similar terms under other laws.
• "Sensitive Personal Information" means categories of Personal Information treated as sensitive under applicable law, such as religious or philosophical beliefs, racial or ethnic origin, health information, sexual orientation, precise geolocation, government-issued identifiers, biometric data, and login credentials. Examples of Personal Information we recognize as Sensitive Personal Information when you choose to provide it through the Services include prayer requests, devotional and reading-plan notes, denominational affiliation, donations designated for religious purposes, AI prompts that discuss faith or doctrine (if and when we introduce AI features), and your participation in faith-based Communities (if and when we introduce Community Services).
• "User Contributions" means content you create, upload, post, share, or store within the Services, such as notes, highlights, bookmarks, reading-plan responses, prayer requests, comments, devotional entries, and verse images.
• "AI Inputs and Outputs" means, if and when we introduce AI features, the prompts, queries, and content you submit to those features and the responses generated.
• "Partner" means a third party with whom WeDevote Platform collaborates to deliver content or features, such as Bible societies, publishers, ministries, churches, denominations, educational institutions, content creators, and technology providers.
• "Bible Provider" means a Bible society, publisher, or rights holder that licenses Bible texts, translations, or related content to WeDevote Platform for distribution within the Services.
• "Community" means, if and when we introduce multi-tenant Community Services, a church, ministry, denomination, school, nonprofit, or other organization that uses the Services to provide content, programs, or experiences to its members or audience (see Section 6.5).
• "Service Provider" means a vendor that processes Personal Information on our behalf under a contractual data-protection commitment.

3. Brief Overview: Personal Information We Collect and Why

The table below summarizes the categories of Personal Information we may collect through the Services and the general purposes for collection. The information we actually collect depends on the Services and features you choose to use and the information you choose to provide. A more detailed description follows in Sections 4 and 5.

4. Information We Collect and How We Collect It

4.1 Personal Information You Provide Directly

You do not need to create an account to access some Services. However, creating an account allows us to provide a more personalized experience and to synchronize your activity across devices. To create a Member account, we typically ask for a phone number or email address, a name or display name, and a password. You may also sign in using a supported third-party identity provider (see Section 4.5).

After creating an account you may, at your option, provide additional information such as profile picture, gender, age, location description, language preferences, biography, denominational affiliation, or other profile data. We will collect this only if you voluntarily provide it and will associate it with your Member account until you delete it, modify it, or close your account.

4.2 User Contributions and Sharing

The Services allow you to create and store content within your account and, in some cases, to publish or share that content with others. Examples include notes, highlights, bookmarks, reading-plan progress, prayer requests, devotional entries, verse images, and comments. We process User Contributions to allow you to create, store, retrieve, and (where you choose) share that content. Once you publish or share a User Contribution outside the Services, we no longer control how it is collected or used by others.

4.3 Donations and Payments

If you make a donation, purchase, or other payment through the Services, we collect information necessary to process the transaction, such as your name, the amount, the designation of your gift (if any), your address (for receipting), your phone number, and your email address.

Card numbers, bank-account numbers, and similar financial-account details are processed by our third-party payment processors — Stripe (cards on web and mobile) and PayPal/Braintree (PayPal and Apple Pay on iOS) — and are not stored by WeDevote Platform. We typically receive only a transaction reference, the donation amount, and the contact details necessary for receipting. Please review the privacy policies of the relevant payment processor for information on how they handle your information.

4.4 Communications with Us

When you contact us — for example, by email, through an in-product help or feedback feature, by replying to one of our messages, or by participating in a survey — we collect the content of your communication and the contact information you provide so that we can respond, investigate, and improve our Services.

4.5 Third-Party Sign-In

You may choose to register or sign in using a supported third-party identity provider, such as Google or Apple. When you do, we receive certain information from the provider that you have authorized for sharing. Subject to confirmation in our current SDK configurations, the principal fields we request from each provider are:

• Sign in with Google — your name, primary email address, profile picture URL, and Google account identifier.
• Sign in with Apple — your name and email address. You may choose to share Apple's private relay address (an address ending in @privaterelay.appleid.com) rather than your real email; if so, Apple forwards messages to your real address on your behalf, and we will receive only the relay address.

Your use of the third-party provider is subject to that provider's terms and privacy policy. Revoking the connection at the provider will not automatically delete your WeDevote account; please follow the account-deletion instructions in Section 7.3.

4.6 Information Collected Automatically

When you use the Services, we and our Service Providers automatically collect certain information about your device, network, and activity, including:

• Log information such as IP address, device identifier, hardware model, operating-system version, browser type and language, the URL of the page you came from and the page you go to, the date and time of access, and crash and diagnostic logs;
• Usage information such as the features you access, the Bible books and chapters you view or listen to, the reading and listening duration, the search queries you submit, the reading plans and devotionals you use, and the language and accessibility settings you choose;
• Approximate geolocation information derived server-side from your IP address using a third-party IP-geolocation service called ipwho.is, used to determine applicable legal terms, default language, and regional content availability. We do not collect precise device geolocation. We do not use the iOS CoreLocation or Android ACCESS_FINE_LOCATION permissions. If we introduce features that require precise location in the future, we will request the necessary device-level permission and your separate consent at the point of collection; and
• Network connection information, including whether your device is connected to Wi-Fi or a cellular network, to optimize content delivery and streaming quality.

For website security, we use security-verification services such as Google reCAPTCHA. During the verification process, these services may collect your IP address, browser and device information solely to determine whether access is from a real user and to protect the Services from malicious automated access and abuse.

4.7 Cookies and Similar Technologies

We use cookies, web beacons, pixel tags, software development kits, device identifiers, and similar technologies (collectively, "cookies") to recognize you and your device on and across our Services, to maintain your preferences between sessions, to keep your account secure, to measure performance, to understand how the Services are used, and to improve our Services. As described in Section 4.8, some optional cookies and pixels may also be used to measure and support WeDevote Platform advertising for our own Services. We do not use cookies or similar technologies to facilitate interest-based advertising for third-party goods or services to you.

The principal cookies and similar technologies we and our Service Providers use today include:

• Functional / first-party cookies for authentication, session continuity, and language preference;
• First-party analytics through our internally-operated EventLogger pipeline;
• Third-party analytics through Google Firebase Analytics and Google Analytics 4 (on web; sets _ga (2-year browser max-age), _gid (24 hours), and _gat (1 minute) cookies). We have configured our GA4 property's data retention to the platform minimum (2 months), enabled IP-anonymization, and disabled Google Signals;
• Payment processing cookies set by Stripe and PayPal/Braintree on payment pages.

A current list of the material cookies and SDKs we use, including their purpose and approximate duration, will be maintained and made available on request to our privacy team. We will update this list as we add, change, or remove technologies.

Where consent is required before non-essential SDKs load

Where required by applicable law — including in the European Economic Area, the United Kingdom, Switzerland, Brazil, California, Colorado, Connecticut, Virginia, Oregon, Texas, Montana, Delaware, Iowa, Indiana, New Hampshire, New Jersey, Maryland, Minnesota, Tennessee, and Rhode Island — we obtain your consent before non-essential cookies, advertising pixels, social-media SDKs, analytics SDKs (including the analytics technologies named above), or session-replay tools are activated. As of the effective date of this Policy, for users we detect as located in those regions, we do not initialize non-essential SDKs by default. This region-aware default-deny gate is our operative compliance posture under the relevant ePrivacy and state-law regimes. We are also developing an in-product consent management interface (a consent banner) and will update this Policy and link to the cookie preference interface here when it becomes available.

Honoring universal opt-out signals

Where the applicable law recognizes a universal opt-out preference signal — including the Global Privacy Control (the Sec-GPC: 1 HTTP header on web) under California Privacy Rights Act regulations, the Colorado Privacy Act, the Connecticut Data Privacy Act, and other US state laws — we treat the presence of such a signal as an opt-out from the sale of Personal Information, sharing for cross-context behavioral advertising, and the processing of Sensitive Personal Information for purposes outside those permitted by the law. We do not yet support a mobile-OS-level universal opt-out signal because there is no widely-deployed standard for one; on mobile, you may use your device's "Limit Ad Tracking" or App Tracking Transparency settings as the equivalent control.

Third-party websites or services that you reach through links in the Services may set their own cookies, which are outside our control. We encourage you to review their privacy notices.

4.8 Advertising

We may advertise the Services on third-party platforms such as Google, Meta (Facebook and Instagram), Apple, TikTok, and similar advertising networks. We may use cookies, pixels, SDKs, conversion APIs, device identifiers, and similar technologies from those providers to measure the performance of our advertising, to understand whether an ad led to an app install or other interaction, to limit how often ads are shown, to suppress our existing users from acquisition audiences, and — where permitted by law and platform policy — to identify similar audiences (sometimes called lookalike or actalike audiences) for our own-product acquisition campaigns based on a seed of our existing users' hashed contact information and aggregate engagement signals.

The measurement technologies we may use include Meta's Conversions API (CAPI), Google's Enhanced Conversions for Web and App, Apple's SKAdNetwork and AdAttributionKit, TikTok's Events API, and Apple Search Ads (AdServices framework). Where we share data with these platforms for measurement, suppression, or lookalike-audience purposes, we share only hashed identifiers (such as a hashed email or phone number) and a limited list of non-sensitive conversion events (for example, "installed app," "created account," "completed onboarding," "completed a donation transaction without designation detail," or a generic retention milestone).

We do not share, and we will not share, with any advertising platform the substance of your User Contributions, the books or chapters of the Bible you read, the content of your reading-plan responses or notes, prayer requests, AI inputs or outputs (if and when AI features become available), donation designations or amounts, denominational affiliation, Community participation (if and when Community Services become available), precise location, or other Sensitive Personal Information. We do not create advertising audiences, remarketing lists, custom audiences, lookalike audiences, or similar ad segments based on prayer activity, Bible-reading behavior, donation designation, pastoral or spiritual-care interactions, children's data, or other Sensitive Personal Information.

We do not use advertising technologies to infer or target you based on religious beliefs, religious identity, or other sensitive characteristics, and we do not permit advertising platforms to use information collected through the Services to solicit the sale of third-party goods or services to you. Where applicable law treats our use of advertising technologies for our own Services as "targeted advertising," "sharing," or a similar activity, we will provide the notices, consent choices, and opt-out rights required by law.

Android Privacy Sandbox APIs

Effective with the WeDevote Bible Android release published on or before the effective date of this Policy, we have configured our Android application so that the Privacy Sandbox Attribution Reporting API, Custom Audience / Protected Audience (FLEDGE) API, and Topics API are disabled (allowAllToAccess="false" in ad_services_config.xml). We do not use these on-device advertising signals.

Lawful bases for advertising-related processing

Where applicable law — including the European Union and United Kingdom ePrivacy regimes, the Swiss Federal Act on Data Protection, Brazilian rules incorporating ePrivacy-style cookie obligations, and the consumer-privacy laws of California and other US states that treat advertising or analytics technologies as a "sale," "sharing," or "targeted advertising" — requires prior consent before non-essential cookies, pixels, advertising SDKs, analytics SDKs, or similar technologies activate, we rely on your consent (Article 6(1)(a) GDPR; equivalent opt-in under applicable state law). For aggregate, hashed-identifier-based, or server-side conversion measurement of our own-product advertising in jurisdictions where the law permits it on a different basis, we rely on our legitimate business interest (Article 6(1)(f) GDPR) in measuring and improving our own Services. Where applicable law treats analytics or advertising technologies as legitimate-interest-eligible with a right to opt out (rather than opt in), we provide notice and an opt-out mechanism consistent with that law.

Managing your advertising preferences

You can manage your interest-based advertising preferences through your Google, Meta, Apple, TikTok, or other platform account settings; through our cookie-preferences interface (when available); through industry opt-out tools at http://www.aboutads.info/choices/ (United States), https://thenai.org/opt-out/ (NAI), and https://www.youronlinechoices.eu/ (European Union); or by limiting ad tracking through your device's operating-system settings (iOS "Allow Apps to Request to Track" / Android "Opt out of Ads Personalization" / Limit Ad Tracking). These controls may not stop all advertising, but they help limit personalization and measurement that depend on cookies, pixels, SDKs, or device identifiers. We also honor universal opt-out signals (including the Global Privacy Control) as described in Section 4.7.

4.9 Information from Other Sources

We may receive Personal Information about you from other sources, such as Partners that share information with your consent, publicly available sources, analytics providers, and fraud-prevention services. We use this information consistent with this Policy and applicable law.

5. How We Use Your Information

5.1 Core Purposes

We use Personal Information and the inferences we make from it for the following core purposes:

• To provide, support, and personalize the Services and the features you request;
• To create, maintain, customize, and secure your account;
• To process and respond to your requests and inquiries;
• To maintain the safety, security, and integrity of the Services and the infrastructure that supports them;
• To carry out internal research, development, experimentation, and analysis;
• To carry out our obligations and enforce our rights, including under our Terms of Use and this Privacy Policy;
• To comply with applicable legal and regulatory obligations; and
• For any other purpose you authorize or as we describe at the time of collection.

5.2 Personalization and Recommendations

We use the data we collect — including which books, chapters, and verses you read; which reading plans, devotionals, and audio content you start or complete; your highlights, bookmarks, and searches; and your language and accessibility settings — to personalize your experience, including by recommending content, reading plans, devotionals, audio content, study tools, and (where you opt in to future Community Services) Community groups that may be of interest to you.

We provide content-to-content personalization on the basis of our obligation to provide the Services you requested (contract, Article 6(1)(b) GDPR) and our legitimate business interest in delivering a more relevant Service to you (Article 6(1)(f) GDPR). We do not use prayer-journal content, devotional notes, AI prompts (if and when AI features become available), donation designations, or your denominational-affiliation profile field as recommendation inputs unless you have given separate consent. We also do not infer denominational identity from your reading or listening behavior, and we do not use any such inference to drive personalization or advertising.

You may opt out of personalized recommendations sent by email or push notification by following the instructions in those messages or by adjusting your in-product settings.

Where personalization is built on user-typed sensitive content — for example, prayer-journal entries, devotional notes, the denominational-affiliation profile field, or AI prompts that discuss faith (when AI features become available) — we rely on your explicit consent under Article 9(2)(a) GDPR and equivalent state-law opt-in, as described in Section 5.11. Recommendation inputs derived from non-sensitive engagement signals — such as which Bible books and chapters you have opened, which reading plans you have started, your highlights and bookmarks, and your language preferences — are processed under Article 6(1)(b) (contract) and Article 6(1)(f) (legitimate interest), with the safeguards in Section 5.7.

5.3 Sharing with Other Users

The Services may allow you to share Bible verses, User Contributions (including verse images), and other content with other Users or to third-party platforms (see Section 4.2). Whether to communicate, connect, or share is your choice. We do not, at this time, access your device's contact list to suggest connections, and we do not use the iOS Contacts or Android READ_CONTACTS permissions. If we introduce a contact-discovery feature in the future, we will request the necessary device-level permission and your separate consent, and we will describe the processing at the point of collection.

5.4 Location-Based Features

Certain features may use approximate region derived server-side from your IP address (see Section 4.6) — for example, to determine applicable legal terms, default language, and which Bible translations are available in your region. We process this approximate region information on the basis of our legitimate business interest in providing region-appropriate content and analytics.

We do not collect precise location from your device today. If we introduce features in the future that require precise location (such as checking in to an event, finding nearby Community groups, or providing other location-based features), we will request the necessary device-level permission and your separate consent at the point of collection, and you will be able to revoke that consent at any time through your device settings.

5.5 Communications from Us

We may communicate with you through email, SMS, push notification, in-product message, or other channels you have enabled.

We may use information about your activity within the Services — such as which reading plans you have started, when you last opened the app, which devotionals you have completed, and your language and region — to time, personalize, and target the marketing and product communications you have consented to receive. This includes seasonal donation-campaign communications (for example, around Advent, Lent, Christmas, Easter, or year-end giving), milestone celebrations, and re-engagement messages.

You can opt out of marketing or promotional messages by following the unsubscribe instructions in those messages or by adjusting your in-product notification settings.

SMS program terms

For SMS, message frequency varies based on the program you opt in to. Message and data rates may apply, as set by your mobile carrier. To opt out, reply STOP, END, QUIT, CANCEL, or UNSUBSCRIBE to any of our SMS messages; to receive assistance, reply HELP. Mobile carriers are not liable for delayed or undelivered messages. We send SMS only after you have opted in, in compliance with the US Telephone Consumer Protection Act (TCPA), the CTIA SMS messaging guidelines, the Canadian Anti-Spam Legislation (CASL) for Canadian recipients, and the UK Privacy and Electronic Communications Regulations (PECR) for UK recipients.

CASL — express and implied consent

For Canadian recipients, we send commercial electronic messages on the basis of your express consent (indefinite, until you withdraw it) or implied consent under CASL s. 10(9) (for up to 24 months after a commercial transaction or 6 months after an inquiry). You may withdraw consent at any time using the unsubscribe mechanism.

We may continue to send you transactional, security, account, or legal notices even after you opt out of marketing communications, because they are necessary to provide the Services or to comply with our legal obligations.

Lawful basis for marketing

We send marketing communications consistent with the law of your jurisdiction. In the European Economic Area, United Kingdom, Switzerland, Canada (under CASL), and other jurisdictions where prior consent is required, we send marketing email and SMS only after you have opted in (Article 6(1)(a) GDPR; CASL; PECR), except where ePrivacy or national "soft opt-in" provisions permit transactional-similar communications to existing customers with a clear opt-out at every touchpoint. In the United States, we send marketing email on an opt-out basis consistent with CAN-SPAM, and marketing SMS only after express opt-in consistent with the Telephone Consumer Protection Act. You may withdraw consent or opt out at any time as described above. We send transactional, security, account, and legal notices on the basis of contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)).

5.6 Polls, Surveys, and Feedback

From time to time we may invite you to participate in polls, surveys, or research, or to submit feedback about the Services. Participation is voluntary. We will explain the purpose and any specific use of your responses at the point of collection.

5.7 Analytics, Experimentation, and Performance

We analyze how the Services are used — including which features, content, reading plans, and devotionals are accessed; how users move through onboarding and core flows; how often users return; the performance, stability, and accessibility of the Services on different devices, networks, and regions; and the outcomes of internal experiments and A/B tests — in order to operate, debug, secure, personalize, and improve the Services, develop new features, evaluate experiments, and report on usage to our board, donors, and partners in aggregate or de-identified form.

The principal analytics technologies we use today are:

• Google Firebase Analytics (mobile);
• EventLogger, our internally-operated first-party analytics pipeline (mobile and web); and
• Google Analytics 4 (web).

Where we share usage statistics publicly or with Partners (including Bible Providers as part of license-reporting obligations), we do so in aggregated and de-identified form that does not identify any individual User.

We rely on our legitimate business interest (Article 6(1)(f) GDPR) in operating, securing, and improving the Services. We acknowledge that telemetry about Bible reading and engagement, by virtue of describing a Bible-reading product, may relate to subject matter that some legal frameworks treat as sensitive. We apply the following safeguards: (a) we do not join product-analytics events to your prayer-journal content, devotional notes, AI prompts (if and when AI is available), or donation designations; (b) we do not use reading-pattern data to infer denominational identity; (c) we keep raw analytics event retention short (see Section 10); and (d) we pseudonymize identifiers before aggregating to internal business-intelligence tools. Where an experiment or analytics process involves Sensitive Personal Information, we rely on your consent and apply the safeguards described in Section 5.11.

5.8 Future and Emerging AI Features

WeDevote Platform does not currently offer AI-powered features in the Services. The version of the Services available at the time this Policy is published does not use third-party large language models, on-device foundation models, or conversational AI to process User Contributions.

We may, in the future, introduce features powered by artificial intelligence — for example, intelligent search over Bible texts, study assistants, summarization, translation aids, conversational devotional features, or content recommendations. Before any such feature processes your Personal Information, we will provide a separate, in-product notice describing the feature, the categories of information it processes, the lawful bases on which we rely, the third-party AI providers (if any) involved, the retention period that applies, and any consent we are asking you to give. We will not use the substance of your User Contributions (including prayer requests and reading-plan notes) to train any third-party general-purpose AI model without your separate, explicit, informed consent. Any decisions made by AI that may significantly affect you will be reviewed or overseen by people, and you will be able to request human review and to contest the decision.

When AI features become available, AI prompts and AI outputs that include content reflecting religious or philosophical beliefs, denominational affiliation, or other Sensitive Personal Information will be processed on the basis of your explicit consent (Article 9(2)(a) GDPR).

Where any AI feature we introduce in the future is intended to interact directly with you in a conversational manner, we will clearly identify it as an AI system at the start of the interaction, in compliance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689). Where we generate or substantially modify image, audio, or video content using AI, we will mark the content as AI-generated where required by law.

5.9 Audio Playback and Future Voice Features

Today, the Services offer audio Bible playback and audio devotional content. We process your playback preferences, playback position, and listening history to provide and personalize the listening experience.

We do not currently access your device microphone, record voice input, use voice biometrics, or use voice features for identification. Our iOS application does not declare NSMicrophoneUsageDescription, and our Android application does not request the RECORD_AUDIO permission.

We may, in the future, introduce voice-driven features — such as voice search ("read me Romans 8"), voice dictation of notes, audio recording of personal devotionals, or voice-assistant integrations (Siri, Google Assistant, Alexa). Where any such feature requires access to your microphone or processes your voice or audio data, we will first obtain your device-level permission and, where required by law, your separate consent, and we will describe the processing at the point of collection.

5.10 Security, Legal, and Technical Issues

We may use your Personal Information to investigate and respond to security, legal, and technical issues; to detect and prevent fraud or abuse; to enforce our Terms of Use and this Privacy Policy; and to protect the rights, property, and safety of WeDevote Platform, our Users, and the public. You cannot opt out of receiving security, legal, or service-related notices we send for these purposes.

5.11 Sensitive Data

We do not assume that, by using the Services, you hold any particular religious belief, denominational affiliation, or other view. We do not require you to provide religious affiliation, beliefs, racial or ethnic origin, health information, or other Sensitive Personal Information in order to use the Services or to create an account.

Some features may invite you to create or share content that reflects beliefs or other sensitive information — for example, a prayer journal, a devotional note, a denominational-affiliation profile field, or (in the future) an AI prompt that discusses faith or doctrine. If you choose to provide this information, we rely on your explicit, informed consent (Article 9(2)(a) GDPR; equivalent opt-in under the consumer-privacy laws of California, Colorado, Connecticut, Virginia, Oregon, Texas, Montana, Delaware, Iowa, Indiana, New Hampshire, New Jersey, Maryland, Minnesota, Tennessee, and Rhode Island) and process it only for the specific purpose you requested and the closely-related purposes of operating that feature, personalizing your in-product experience, securing the Services, and improving the Services. We do not use Sensitive Personal Information to create advertising audiences or to target ads.

We process telemetry about how you use the Bible-reading and devotional features — including which books and chapters you view and your reading and listening duration — on the basis of our legitimate business interest in operating and improving the Services, with the safeguards in Section 5.7. We do not use such telemetry to infer your denominational identity or to draw new conclusions about your beliefs, and we do not share it with advertising platforms.

The Services are designed for Bible reading, devotional reading, and scripture-based prayer. The Services are not designed, marketed, or operated as a mental-health, behavioral-health, wellness, mindfulness, or therapeutic product, and we do not classify the data processed through the Services as "consumer health data" under the Washington My Health My Data Act, the Nevada Consumer Health Data Privacy Act, or the Connecticut consumer-health-data amendments to the Connecticut Data Privacy Act.

Where you provided your consent for Sensitive Personal Information processing through an in-product control or toggle, you may withdraw it through the same control with equivalent ease. You may also stop using the relevant feature, delete the relevant content, adjust available settings, or contact us at [email protected] to withdraw your consent at any time.

5.12 Automated Decision-Making and Profiling

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. We do conduct profiling for content recommendation as described in Section 5.2, and you may opt out of personalized recommendations through your in-product settings. If we use automated processing to make a decision about your access to the Services (for example, an automated account-security suspension to prevent fraud or abuse), we will provide you with information about the principal factors and offer a way to request human review by contacting [email protected]. Residents of Quebec have the right to be informed of such decisions and to receive an explanation, as required by Quebec Law 25 s. 12.1.

6. Disclosure of Your Information

6.1 No Sale of Personal Information

WeDevote Platform does not sell your Personal Information for money. As described in Section 4.8, we may work with third-party advertising platforms to advertise our own Services, but we do not disclose the substance of your User Contributions, the books or chapters of the Bible you read, prayer requests, donation designations, AI inputs or outputs (if and when AI is available), precise location, denominational affiliation, Community participation (if and when Communities are available), or other Sensitive Personal Information for advertising. Where applicable privacy law treats our use of advertising technologies for our own Services as a "sale," "sharing," "targeted advertising," or similar activity, we will provide the legally required notice and opt-out or consent mechanism, and we honor universal opt-out signals (including the Global Privacy Control) as described in Section 4.7.

6.2 Disclosure on Your Behalf or with Your Consent

We may disclose Personal Information as you direct or with your consent — for example, when you choose to share a User Contribution with another User, post to a community, or connect a third-party application to your account.

6.3 Service Providers

We rely on Service Providers to help operate the Services. We require each Service Provider that processes Personal Information on our behalf to be bound by a written data-protection agreement that includes the safeguards required by GDPR Article 28, UK GDPR Article 28, CCPA §1798.140(ag), and LGPD Article 39, as applicable. Where a current Service Provider's contract does not yet include all of these safeguards (including, in some cases, addenda specifically addressing special-category or sensitive personal information), we are completing the necessary addenda and will not direct sensitive-category processing through that provider until the addendum is in place. Our material Service Providers today include:

Service Providers process Personal Information only as needed to perform services for us and may not use it for their own purposes (including training general-purpose AI models). We do not authorize Service Providers to sell your information. We will update this list as it changes, and a current copy is available on request to our privacy team.

6.4 Bible Content Providers and Partners

Our ability to offer specific Bible translations, devotionals, study resources, and other content depends on agreements with Bible Providers, publishers, and other Partners. We do not share your Personal Information with Bible Providers or Partners for their own marketing purposes without your consent.

In limited cases, our license agreements may require us to report aggregated usage statistics (such as the total number of times a translation was opened in a given month and country) to the Bible Provider. We do so in a form that does not identify any individual User. Separately, some license agreements may require us to share limited identifying information (such as your name, email or phone number, and country) so that you can download certain copyrighted Bible texts for offline use. Where this applies, we will provide a clear notice and obtain your agreement before sharing.

6.5 Future Communities and Organizational Partners

WeDevote Platform does not currently operate a multi-tenant Communities product. No church, ministry, denomination, school, nonprofit, or other organization currently manages members through WeDevote.

We may, in the future, offer Services that allow churches, ministries, denominations, schools, nonprofits, and other organizations ("Communities") to deliver content, programs, or experiences to their members or audience through our platform. Where we offer such Services in the future, we will publish a separate Community Member Notice or supplemental privacy notice that describes (a) which party is the controller of which categories of information; (b) whether WeDevote acts as a controller, joint controller, or processor on behalf of the Community; (c) the data-protection agreement we will sign with the Community; and (d) the choices Community members have regarding their information. Where WeDevote acts as a processor on behalf of a Community, that Community will be responsible for the information, and the Community's own privacy notice will govern the collection and use of the information.

6.6 Affiliates and Corporate Group

We may share Personal Information within WeDevote Platform's corporate group — including parents, subsidiaries, and affiliates — to provide the Services, support our operations, and combine information in ways that improve the user experience consistent with this Policy.

6.7 Legal Process and Government Requests

We may disclose Personal Information when we believe in good faith that disclosure is necessary or appropriate to: comply with applicable law, subpoena, court order, or governmental request; enforce our Terms of Use or this Privacy Policy; investigate and prevent fraud, security incidents, or other illegal activity; protect the rights, property, or safety of WeDevote Platform, our Users, or others; or otherwise as permitted by law.

When we receive a government request for Personal Information, we follow these principles:

• Narrow construction: we read the request narrowly and produce only the information actually required;
• Challenge of overbroad requests: we may, in our discretion, challenge requests we believe are overbroad, vague, lacking proper authority, or contrary to law;
• User notice where lawful: where not prohibited by law, court order, or compelling safety or security need, our practice is to provide affected Users with notice of the request before producing their information so they can seek to challenge or limit the disclosure.

Annual transparency report. We commit to publishing an annual transparency report summarizing the number of government data-access requests we received, the jurisdictions of origin, the categories of information requested, and the proportion of requests with which we fully, partially, or did not comply. The first such report will be published within twelve (12) months of the effective date of this Policy.

6.8 Business Transfers

If WeDevote Platform is involved in a merger, acquisition, financing, reorganization, asset sale, joint venture, bankruptcy, or similar corporate transaction, your Personal Information may be transferred as part of that transaction. We will require that any successor or acquirer continue to honor the commitments made in this Privacy Policy with respect to information collected before the transfer.

6.9 Aggregated or De-Identified Information

We may aggregate, anonymize, or de-identify Personal Information so that it no longer identifies you, and we may use and disclose such aggregated or de-identified information for any lawful purpose, including research, statistical analysis, the development and improvement of features (including machine-learning models used to operate the Services), public reporting, and marketing the Services.

We apply de-identification techniques designed to prevent re-identification, and we do not attempt to re-identify de-identified information except where reasonably necessary to detect security incidents, fraud, or other unlawful activity, or as otherwise permitted by law. Where we collaborate with academic researchers, we do so under written confidentiality and data-protection terms and only on aggregated or de-identified data.

7. Your Choices and Rights

7.1 Your Rights

Subject to applicable law and verification of your identity, you may request to:

• Access the Personal Information we hold about you and receive information about how we process it;
• Correct or update Personal Information that is inaccurate or incomplete;
• Delete Personal Information we hold about you, subject to exceptions permitted by law;
• Receive a portable copy of certain Personal Information you provided to us in a structured, commonly used, machine-readable format;
• Restrict or object to certain processing, including processing based on legitimate interests, and the right to object at any time to direct marketing (an absolute right under Article 21(2) GDPR);
• Withdraw consent for processing that is based on consent — where you provided consent through an in-product control or toggle, you may withdraw it through the same control with equivalent ease, and otherwise by contacting us using the details in Section 15;
• Opt out of the sale, sharing, or use of Personal Information for targeted advertising where applicable law provides that right, as described in Sections 4.8 and 6.1, and by means of universal opt-out signals such as Global Privacy Control;
• Limit the use of Sensitive Personal Information to certain permitted purposes (see Section 7.8); and
• Not be subject to decisions producing legal or similarly significant effects based solely on automated processing (see Section 5.12).

7.2 How to Submit a Request — and Response Timeframes

To exercise these rights, please email us at [email protected] or write to us using the contact details in Section 15. Please include the phrase "[Your State or Country] Privacy Request" in the subject line so that we can route your request to the right team and apply the appropriate legal framework. We may ask you to verify your identity before processing your request.

We will respond to verifiable requests within the time required by applicable law. Indicative response timeframes:

• EEA, UK, Switzerland (GDPR / UK GDPR / FADP) — within one (1) month, extendable by up to two (2) additional months for complex requests, with notice of the extension;
• United States — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, New Hampshire, New Jersey, Maryland, Minnesota, Tennessee, Rhode Island, Kentucky, and similar laws — within forty-five (45) days, extendable by an additional forty-five (45) days with notice;
• Brazil (LGPD) — within fifteen (15) days;
• Canada (PIPEDA) and Quebec (Law 25) — within thirty (30) days, with extension where lawful.

We may decline requests that we cannot verify, that are unreasonably repetitive, excessive, or manifestly unfounded, that would jeopardize the privacy of others, or that we are not legally required to fulfill. If you are located in a jurisdiction that allows you to designate an authorized agent to submit a request on your behalf, the agent must provide proof of authorization, and we may require you to verify your identity directly. We will not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded.

7.3 Deleting Your Account

You may delete your account at any time through the Services or by contacting us.

When you choose to delete your account, your account enters a deactivated state immediately and is no longer accessible to you in normal use. During a 7-day grace period, you may cancel the deletion by signing back in to the account — this protects you from accidental or coerced deletion. After the 7-day grace period expires, we will delete or de-identify the Personal Information associated with your account from active systems within a further period of approximately 30 days, except where we are permitted or required by law to retain it (for example, to comply with tax or accounting obligations, to resolve disputes, to enforce our agreements, to detect and prevent fraud, or to maintain the security and integrity of the Services). Information held in rolling backups will age out over the longer retention periods described in Section 10.

We may retain de-identified or aggregated information indefinitely. Content you have shared with others or on third-party platforms remains subject to those platforms' policies once shared.

If you re-register with the same email address or phone number after the 7-day grace period has expired and your prior account has been deleted or de-identified, we will not be able to restore your prior User Contributions, reading progress, or highlights. If you would like to retain access to that content, please cancel the deletion within the 7-day grace period.

7.4 Opting Out of Communications

You may opt out of marketing emails by clicking the unsubscribe link in those emails or by adjusting your email preferences in your account. You may opt out of marketing SMS by replying STOP. You may turn off push notifications and in-product notifications through your device or in-product settings. Even after you opt out of marketing communications, we may continue to send you transactional, security, account, and legal notices.

7.5 Cookie and Tracking Choices

We do not yet provide an in-product cookie preference center at the time this Policy is published. As of the effective date of this Policy, for users we detect as located in regions where consent is required before non-essential cookies and SDKs load (the European Economic Area, the United Kingdom, Switzerland, Brazil, California, and other US states whose laws may apply), we do not initialize non-essential analytics SDKs by default. This region-aware default-deny gate is our operative compliance posture under the relevant ePrivacy and state-law regimes. We are also developing an in-product consent management interface (a consent banner); when it ships, you will be able to manage your cookie preferences through that interface and we will update this Policy.

In the meantime:

• You can control browser-based cookies through your browser settings;
• You can limit mobile advertising identifiers through your device operating system (iOS "Allow Apps to Request to Track" / Android "Opt out of Ads Personalization");
• We honor the Global Privacy Control (Sec-GPC: 1) on web as described in Section 4.7; and
• You can use the industry opt-out tools listed in Section 4.8.

Disabling certain cookies may limit the functionality of the Services, and platform-level advertising controls may not stop all advertising or measurement.

7.5.a Your Privacy Choices (California and Other US States)

California residents — and residents of other US states with similar rights — may exercise the right to opt out of the sale or sharing of Personal Information for cross-context behavioral advertising and the right to limit the use of Sensitive Personal Information through a "Your Privacy Choices" interface, as required by California Civil Code §1798.135 and CCPA implementing regulations §§7013 and 7027.

Within ninety (90) days of the effective date of this Policy, we will publish a conspicuous link in the footer of our website and in the Settings menu of our mobile applications titled either "Your Privacy Choices" or, where required, "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information."

In the meantime, and at any time after the interface is available, you may exercise these rights by emailing [email protected] with the subject line "California Privacy Choices" (or, if applicable, "[Your State] Privacy Choices"), and we will honor your request as if it had been submitted through the in-product interface. We also automatically honor universal opt-out signals (including the Global Privacy Control) as described in Section 4.7.

7.6 Mobile Device Permissions

Your mobile device's operating system allows you to grant or revoke permissions for the Services to access device features. The Services request only the permissions needed for the features we actually offer today:

• Camera — used to take a photo to set as your profile avatar, to take a photo for use as the background of a verse image you create and share, and to scan QR codes. Camera access is triggered only by your explicit action and is not used in the background.
• Photo library — to import photos for your avatar or for verse-image creation, when you select that option.
• Notifications — to deliver in-product notifications, reading reminders, and (where you opt in) marketing messages.

The current version of the Services does not request access to your microphone, contacts, precise location, or biometric sensors. If we introduce features that require those permissions, we will request them at the point of collection.

You can change permissions at any time through your device settings. Revoking a permission may limit the related feature's functionality. Information about your network connection (such as whether your device is connected to Wi-Fi or cellular) is collected automatically as described in Section 4.6 and is not a user-grantable permission on iOS or Android.

7.7 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not deny you Services, charge you a different price, or provide a different level of quality solely because you exercised a right under this Policy or applicable law.

7.8 California Residents and Other US-State Residents: Sensitive Personal Information

If you are a California resident, you have the right to direct us to limit our use and disclosure of your Sensitive Personal Information to those purposes set out in California privacy regulations — generally, providing the Services you requested, securing the Services, preventing fraud and abuse, short-term transient use, performing services on our behalf, and certain quality-assurance activities. You may exercise this right by emailing us at [email protected] with the phrase "California — Limit My SPI" in the subject line, or through the "Your Privacy Choices" interface described in Section 7.5.a once it is available.

If you are a resident of Colorado, Connecticut, Virginia, Oregon, Texas, Montana, Delaware, Iowa, Indiana, New Hampshire, New Jersey, Maryland, Minnesota, Tennessee, or Rhode Island, we will obtain your affirmative opt-in consent before processing your Sensitive Personal Information — including information that may reveal religious or philosophical beliefs — for purposes other than to provide the Services you have requested. You may withdraw that opt-in consent at any time by emailing us at [email protected] with the phrase "[Your State] — Withdraw SPI Consent" in the subject line. We will acknowledge such requests within 15 days and act on them as soon as reasonably practicable.

We will not discriminate against you for exercising these rights. See also Section 6.1 for the related "Do Not Sell or Share" choice.

7.9 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with the supervisory authority responsible for your jurisdiction. For example:

• EEA residents may contact your national data protection authority. A directory is maintained by the European Data Protection Board at https://edpb.europa.eu/.
• UK residents may contact the Information Commissioner's Office at https://ico.org.uk/.
• California residents may contact the California Privacy Protection Agency at https://cppa.ca.gov/ or the California Attorney General at https://oag.ca.gov/privacy.
• Brazilian residents may contact the Autoridade Nacional de Proteção de Dados at https://www.gov.br/anpd/.
• Quebec residents may contact the Commission d'accès à l'information at https://www.cai.gouv.qc.ca/.

7.10 Right of Appeal

If we decline to act on your request to exercise a privacy right, you may appeal that decision by emailing [email protected] with the phrase "Privacy Request Appeal" in the subject line. We will review the appeal and respond within sixty (60) days, or such other period required by applicable state law. If your appeal is denied, you may contact your state Attorney General or other supervisory authority as described in Section 7.9.

8. Children and Minors

8.1 General Audience

WeDevote Platform's Services are intended for a general audience. The minimum age at which a person can lawfully consent to the collection and processing of their Personal Information (the "Age of Digital Consent") varies by jurisdiction — for example, 13 in the United States, 16 in many European Union member states (subject to national variation), 13 in the United Kingdom, and 14 in Brazil.

8.2 We Do Not Knowingly Collect Children's Personal Information

We do not knowingly collect Personal Information from a person we actually know is under the applicable Age of Digital Consent without consent from that person's parent or legal guardian. If you believe we may have collected Personal Information from or about a person under the applicable Age of Digital Consent without proper consent, please contact us promptly at [email protected] and we will take appropriate steps to delete the information.

8.3 Parents and Guardians

A parent or legal guardian may consent to the use of a WeDevote Platform account by a minor under the parent's or guardian's supervision, including by enabling a secondary or family profile on the parent's or guardian's account. If you allow a minor to use your account or a secondary profile, you are solely responsible for supervising the minor's use of the Services and accept full responsibility for the use and interpretation of any content or suggestions provided. We do not require you to provide the minor's real name to set up a secondary profile; you may use a child-friendly display name.

8.4 What We Do Not Do With Children's Data

If we become aware that an account is used by a known minor, we apply heightened protections:

• We do not use the minor's information to create advertising audiences, custom audiences, lookalike audiences, or to target advertising;
• We do not sell or share the minor's information for cross-context behavioral advertising;
• We do not use the minor's information to drive engagement-maximizing features (such as engagement-optimized push notifications);
• We do not use the minor's information to train AI models when AI features become available; and
• We apply default-private settings consistent with the best interests of the child as expressed in the UK Information Commissioner's Office Age-Appropriate Design Code.

8.5 Minors Aged 13 to 17

Where minors aged 13 to 17 are permitted to use the Services without parental consent (depending on jurisdiction), we apply the protections in Section 8.4 and the additional protections required by applicable law — including the obligations under the Florida HB 3, Texas SCOPE Act, New York Stop Addictive Feeds Exploitation Act, California Age-Appropriate Design Code (to the extent in force), the California Civil Code's heightened protections for minors, the Utah Social Media Regulation Act, Mississippi House Bill 1126, the Tennessee Protecting Children from Social Media Act, and any other US state law that imposes obligations on platforms accessed by minors aged 13 to 17. Minors aged 13 to 17 (or their parent or guardian) may direct us to delete their information by contacting [email protected].

9. Security and Data Protection

We implement administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, use, alteration, disclosure, and destruction. These include encryption of data in transit and at rest, access controls, monitoring, vulnerability management, and personnel training. Access to Personal Information is limited to those WeDevote Platform employees, contractors, and agents who need access to operate, develop, support, and improve the Services and who are subject to confidentiality obligations.

Despite our efforts, no method of electronic transmission or storage is fully secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential, for using a strong unique password, and for promptly notifying us if you suspect any unauthorized use of your account.

9.1 Data Breach Notification

If we determine that a data-security incident has affected your Personal Information, we will notify you and the appropriate authorities as required by applicable law. Indicative timelines:

• GDPR / UK GDPR: notification to the lead supervisory authority within seventy-two (72) hours of becoming aware of the breach (Article 33); notification to affected individuals without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34);
• LGPD (Brazil): notification to the ANPD and affected individuals within a reasonable period (Article 48); and
• US state laws: notification within the timeline required by applicable state breach-notification statutes.

9.2 Data Protection Impact Assessments

Because our Services involve processing of data that may reveal religious or philosophical beliefs, our practice is to conduct, prior to launching new features and prior to making material changes to existing features that involve high-risk processing, Data Protection Impact Assessments under GDPR Article 35 / UK GDPR Article 35 / LGPD Article 38.

10. Data Retention

We retain Personal Information for as long as needed to fulfill the purposes described in this Privacy Policy, to provide the Services, to comply with our legal obligations, to resolve disputes, to enforce our agreements, and to protect our rights and the rights of others. Specific retention periods depend on the nature of the information, the purpose for which it is processed, and applicable legal requirements.

The principal retention rules we apply today are:

11. Users Outside Our Primary Operating Country and International Data Transfers

WeDevote Platform is based in California, United States. Your use of the Services and this Privacy Policy are governed by the laws identified in our Terms of Use, without regard to conflict-of-laws principles, except where applicable privacy or consumer-protection law provides otherwise.

If you use the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States and in other jurisdictions where we, our affiliates, or our Service Providers operate. The principal cross-border flows arise from our use of US-based cloud and analytics infrastructure — including Amazon Web Services (us-west-2), Google Firebase Analytics, Google Analytics 4, Stripe, PayPal/Braintree, and Google reCAPTCHA — and from our use of the IP-geolocation service ipwho.is.

11.1 Transfer Mechanisms

Where required by applicable law, we use appropriate safeguards for international transfers of Personal Information:

• Transfers from the EEA to the United States — our primary export mechanism is the European Commission's 2021 Standard Contractual Clauses (SCCs). WeDevote Platform itself is not self-certified under the EU-US Data Privacy Framework; we reference the Data Privacy Framework only as an additional safeguard where the receiving Service Provider (for example, certain US cloud, analytics, or payment providers) is itself self-certified under the Framework. We conduct Transfer Impact Assessments in accordance with the EDPB Recommendations 01/2020 following Schrems II (C-311/18).
• Transfers from the United Kingdom — we rely on the UK adequacy decision (where the recipient is in an adequate jurisdiction) or on the UK International Data Transfer Addendum to the SCCs.
• Transfers from Switzerland — we rely on the Swiss FADP transfer safeguards (Swiss Federal Data Protection Act).
• Transfers from Canada and Quebec — Quebec Law 25 requires a transfer impact assessment for transfers outside Quebec; we conduct such assessments where required.
• Transfers from Brazil — we rely on the LGPD's international-transfer bases (Article 33).
• Other jurisdictions — we use SCCs or equivalent contractual safeguards where they are recognized.

12. Lawful Bases for Processing

We collect and process Personal Information only where we have a lawful basis for doing so. The lawful bases on which we rely under the GDPR, UK GDPR, LGPD, and similar laws include:

• Consent — where you have given consent to processing for one or more specific purposes, such as the processing of Sensitive Personal Information, the use of non-essential cookies, marketing communications, or other activities for which consent is required. Where you provided consent through an in-product control or toggle, you may withdraw consent through that same control with equivalent ease. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Contract — where processing is necessary to provide the Services you have requested or to take steps at your request before entering into a contract, including account creation, content synchronization, and content-to-content personalization.
• Legitimate interests — where processing is necessary for our legitimate business interests, such as securing the Services, improving the Services, preventing fraud, conducting internal analytics and experimentation, and engaging with our community, and those interests are not overridden by your rights and interests.
• Legal obligation — where processing is necessary to comply with a legal obligation, including tax, accounting, and anti-fraud requirements.
• Vital interests — where processing is necessary to protect the vital interests of you or another person.

12.1 Special-Category / Sensitive Personal Information

We recognize that processing carried out through the Services may, in some cases, reveal religious or philosophical beliefs — for example, when you create prayer-journal entries, devotional notes, an AI prompt that discusses faith (if and when AI features become available), or when you choose to record a denominational affiliation in your profile. Such processing falls within Article 9 of the GDPR (special categories of data) and Article 11 of the LGPD.

For this processing we rely on:

• Article 9(2)(a) GDPR — explicit consent as the primary basis for processing user-provided sensitive content (prayer-journal entries, devotional notes, denominational-affiliation profile field, AI prompts that discuss faith when AI features become available, Community participation when Community Services become available). Equivalent opt-in consent applies under LGPD Article 11 and US state laws that require opt-in for Sensitive Personal Information.
• Article 9(2)(d) GDPR — religious-aim body, where and from such date as recognition is publicly confirmed in this Policy. To the extent, and only from such date as, WeDevote is recognized under applicable law as a foundation, association, or other not-for-profit body with a religious aim, and we publicly confirm such recognition in this Policy, certain processing carried out in the course of our legitimate religious-aim activities may also rely on Article 9(2)(d), subject to the safeguards required by that provision: the processing relates solely to current or former members or to persons in regular contact with the body in connection with its religious purposes; we do not disclose such data outside WeDevote without your consent; and the processing is not for commercial purposes beyond operating the Services. Until such confirmation is published in this Policy, we rely on Article 9(2)(a) explicit consent.

We do not classify routine reading-activity telemetry (which Bible books and chapters you view, how long you listen) as special-category data by default. We process this telemetry under Article 6(1)(f) (legitimate interest) with the safeguards described in Section 5.7: we do not join it to your prayer-journal content, we do not infer denominational identity from it, and we do not share it with advertising platforms.

12.2 Purpose-to-Basis Mapping (Illustrative)

The following table maps the principal processing purposes to their lawful bases. It is illustrative; the lawful basis for a specific activity always depends on the facts.

You may contact us at [email protected] if you have any questions about the lawful basis on which we rely for a specific processing activity.

13. Third-Party Links and Services

The Services may contain links to, or integrations with, third-party websites, applications, and services that we do not own or control. This Privacy Policy does not apply to those third parties. If you access a third-party site or service through a link in the Services, you do so subject to that third party's terms and privacy practices. We encourage you to review the privacy notices of any third party before providing them with information.

If you choose to link a third-party application or social-media account to your WeDevote Platform account, the information you authorize that third party to share with us, and the information that third party collects from your activity on the Services, is subject to that third party's privacy policy.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and the evolution of the Services. When we make changes, we will revise the "Last Modified" date at the top of this Privacy Policy.

For any material change — including the introduction of a new category of Personal Information, a new purpose of use, a new third-party recipient, a new cross-border transfer, or any change that expands our processing of Sensitive Personal Information — we will provide prominent advance notice (typically 30 days) through an in-product banner, an email to the address associated with your account, or a homepage notice, and, where required by applicable law, we will seek your renewed consent before the change applies to your existing data. Continued use of the Services after the effective date of a non-material change constitutes your acceptance of that non-material change.

We maintain Apple App Store privacy nutrition labels and Google Play Data Safety section disclosures that are consistent with this Privacy Policy. If you find a discrepancy, please contact [email protected] and we will reconcile within 30 days.

15. Contact Us

If you have any questions, comments, or complaints about this Privacy Policy or our privacy practices, please contact us:

WeDevote Bible (operating as WeDevote Platform) Attn: Privacy Team 1753 Cabrillo Ave Torrance, CA 90501 United States

Email: [email protected] Websites: https://wedevote.com

Our encarregado under LGPD Article 41 (Brazil) and our person in charge of personal-information protection under Quebec Law 25 s. 8.1 are both reachable at [email protected]; Quebec residents may also write to the registered address above marked "Attn: Responsable Quebec Law 25." Where applicable law requires us to designate a Data Protection Officer (GDPR / UK GDPR Article 37), an EU Representative (Article 27 GDPR), or a UK Representative, we will appoint such an officer or representative and publish their contact details in this section. We monitor applicable appointment thresholds at each material update to this Policy. In the interim, please direct privacy correspondence to [email protected].

Effective Date: May 27, 2026 Last Modified: May 27, 2026