Privacy Policy

Summary of Data Handling

PrayerNexus (“the App”) is a gamified prayer-habit application for Android developed and published by Five Cats Studios LLC (“Five Cats Studios,” “we,” “us,” or “our”), an Iowa limited liability company based in Grundy County, Iowa (Corp No: 864705). For the purposes of the EU General Data Protection Regulation, the UK GDPR, and the Swiss Federal Act on Data Protection, Five Cats Studios LLC is the data controller for personal data processed through the App.

PrayerNexus is designed to be offline-first: personal prayer items, journal entries, gratitude entries, photos, voice transcriptions, and gamification progress are stored on your device and never transmitted to us. However, some features — most importantly Prayer Groups — and several Google services embedded in the App do transmit data off your device. The table below summarizes what goes where.

Data You Create Inside the App

The following data is created by you and stored locally on your device in an app-private Room database and app-private file storage. We cannot see it, and it is not transmitted anywhere unless you explicitly share it via Prayer Groups:

• Prayer requests, prayer journal entries, and voice-to-text transcriptions
• Answered-prayer testimonies (including optional photos and voice notes, when that feature is enabled)
• Gratitude entries (including optional photos and category tags, when that feature is enabled)
• Prayer collections and custom prayer lists
• Gamification data: XP, level, streaks, achievements, daily quests, and coins
• App preferences and settings

Photos and voice recordings, when attached, live inside app-private storage on your device (the directory returned by Context.filesDir), which is not accessible to other apps and is not uploaded to any server by PrayerNexus.

Google Sign-In and Prayer Groups

3.1 Google Sign-In (Firebase Authentication)

If you choose to create or join a Prayer Group, PrayerNexus uses Google Sign-In via Firebase Authentication to identify you. This collects:

• Your Google account email address
• Your Google account display name (shown to other group members so they can see who added a prayer and who prayed)
• A Google account identifier and a Firebase user ID (UID)

You do not need to sign in to use the rest of the App (personal prayer, gratitude, library, gamification). If you never create or join a group, none of the data in this section is collected.

3.2 Cloud Firestore (Prayer Groups data)

When you create or join a group, or add a prayer item to a group, the following is transmitted to Google’s Cloud Firestore service and stored on Google’s servers so that your fellow group members can see it:

• The group’s name, description, emoji, and shareable invite code
• Each group member’s display name, Firebase UID, role (Admin or Member), and join date
• Shared prayer item titles, descriptions, status (Active / Partially Answered / Answered), and who added them
• “I prayed for this” activity (which user prayed for which item and when)

Prayer Groups are strictly invite-only: there is no public directory, and groups can only be joined by entering the correct invite code. Anyone who possesses the invite code can join — treat invite codes like passwords and share them only with people you trust.

Group data is encrypted in transit (HTTPS/TLS 1.2+) and at rest using Google’s default AES-256 encryption. It is not end-to-end encrypted, meaning it is accessible to Google as the infrastructure provider, subject to Google’s contractual commitments to us, Google’s own privacy policy, and applicable law. Firestore Security Rules restrict read/write access to authenticated users who are members of the relevant group.

This data is subject to the Google Firebase Terms of Service and Google’s Privacy Policy.

Data Collected Automatically

Even when you are not signed in and not using Prayer Groups, the following Google services embedded in the App collect limited technical data.

Information We Do NOT Collect

How We Use the Information

• To operate the App: storing your local prayer items, tracking gamification progress, delivering notifications you’ve opted into.
• To enable Prayer Groups: authenticating you with Google, synchronizing shared prayer requests between group members.
• To diagnose and fix problems: Firebase Analytics and crash events help us spot bugs and improve stability.
• To show ads (free tier): Google AdMob serves advertisements. Upgrading via any of the ad-free options removes ads entirely.
• To process purchases and subscriptions: Google Play Billing handles your purchase or subscription status for the ad-free upgrade.

Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. Data is shared only as follows:

• With other members of your Prayer Groups: display name and content you explicitly add to a group (prayer items, “prayed for this” activity).
• With Google (Firebase, AdMob, Play Billing): as described in Sections 3 and 4.
• For legal reasons: if required by law, court order, or lawful government request.

Your Rights and Choices

8.1 Universal Controls (available to all users)

• Delete your account and cloud data: from inside the App via Settings › Account › Delete My Account, or by emailing us at nathan@5catsgamestudios.com.
• Leave a group or delete a shared prayer request: both are available at any time from within the App.
• Delete all local data: in Android Settings, go to Apps › PrayerNexus › Storage › Clear storage, or uninstall the App.
• Remove ads: choose any of the ad-free options ($3.99/month, $14.99/year, or a single $24.99 lifetime purchase).
• Manage ads and analytics consent (EEA/UK/Switzerland): open Settings › Privacy › Ad & analytics preferences to revisit the UMP consent dialog described in §4.5.
• Reset or opt out of personalized ads (all regions): Android Settings › Google › Ads.
• Opt out of Firebase Analytics: open Settings › Privacy › Ad & analytics preferences inside the App to disable analytics event collection. If the toggle is not yet available in your installed version, email us and we will honor the opt-out for your install.
• Notifications: you control notification categories inside the App, and can disable them entirely from Android system settings.

8.2 Your Rights in the United Kingdom, EEA, and Switzerland (GDPR / UK GDPR / FADP)

If you are located in the UK, the European Economic Area, or Switzerland, data protection law gives you the following rights regarding personal data we process about you:

• Right of access — ask us to confirm what personal data we hold about you and request a copy of it.
• Right to rectification — ask us to correct inaccurate or incomplete personal data.
• Right to erasure (“right to be forgotten”) — ask us to delete your personal data. The in-App account deletion flow satisfies this right for your Firebase Auth account and Firestore data; contact us if you want us to confirm deletion has completed.
• Right to restriction of processing — ask us to pause processing of your data in certain circumstances (e.g., while we investigate a correction request).
• Right to data portability — ask us to provide your personal data in a structured, commonly used, machine-readable format. Because most of your data (prayer journal, gratitudes, photos) lives only on your device, you already have full access to it via the Android file system. On request, we will provide your Group-related cloud data in a structured, machine-readable format.
• Right to object — object to processing of your personal data based on our legitimate interests, and to processing for direct marketing purposes (PrayerNexus does not engage in direct marketing).
• Right to withdraw consent — where we rely on consent (e.g., personalized advertising via the UMP dialog), you can withdraw that consent at any time via Settings › Privacy. Withdrawing consent does not affect the lawfulness of prior processing.
• Right to lodge a complaint — you have the right to lodge a complaint with your local data protection authority (e.g., the UK ICO, the Irish DPC, the Swiss FDPIC, or the supervisory authority in your EU member state).

The legal bases on which we rely under Article 6 of the GDPR (and the equivalent provisions of the UK GDPR and Swiss FADP) are:

• Consent (Art. 6(1)(a)) — for personalized ads and analytics in the EEA/UK/Switzerland, captured via the UMP dialog described in §4.5. You may withdraw consent at any time through Settings › Privacy › Ad & analytics preferences without affecting the lawfulness of prior processing.
• Performance of a contract (Art. 6(1)(b)) — for Group-related data and Google Sign-In, so we can provide the Prayer Groups service you asked for, and for processing your ad-free upgrade via Google Play Billing.
• Legitimate interests (Art. 6(1)(f)) — for non-identifying crash and performance diagnostics via Firebase Analytics, to keep the App stable and secure, and for serving non-personalized contextual ads in the free tier where the user has declined consent. Our legitimate interest is balanced against your rights and freedoms, and you may object at any time under §8.2.
• Compliance with legal obligations (Art. 6(1)(c)) — where applicable, for example to respond to a valid law-enforcement request or to comply with a court order.

To exercise any of these rights, contact us at the email address in our Contact section below. We will respond within one month (extendable by two further months for complex requests, as permitted by Art. 12(3) GDPR). We may need to verify your identity before acting on a request.

8.3 Your Rights in the United States

If you are a California resident, the California Consumer Privacy Act as amended by the CPRA gives you the following rights regarding personal information:

• Right to know the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties we disclose it to. (All of the above is set out in §1 and §§3–4.)
• Right to delete personal information we have collected from you. Use the in-App Delete My Account flow, or email us.
• Right to correct inaccurate personal information we maintain about you.
• Right to limit use and disclosure of sensitive personal information. PrayerNexus does not use or disclose any sensitive personal information beyond what is necessary to provide the services you requested.
• Right to non-discrimination — we will not deny service, charge you more, or provide a lower quality of service because you exercised any of these rights.

Residents of other U.S. states with comprehensive consumer-privacy statutes have substantially similar rights under their respective laws, including:

• Virginia — Consumer Data Protection Act (VCDPA)
• Colorado — Colorado Privacy Act (CPA)
• Connecticut — Connecticut Data Privacy Act (CTDPA)
• Utah — Utah Consumer Privacy Act (UCPA)
• Iowa — Iowa Consumer Data Protection Act (ICDPA)
• Texas — Texas Data Privacy and Security Act (TDPSA)
• Oregon — Oregon Consumer Privacy Act (OCPA)
• Tennessee — Tennessee Information Protection Act (TIPA)
• Montana — Montana Consumer Data Privacy Act (MCDPA)
• Indiana — Indiana Consumer Data Protection Act (INCDPA)
• New Jersey — New Jersey Data Privacy Act (NJDPA)
• Delaware — Delaware Personal Data Privacy Act (DPDPA)
• New Hampshire — New Hampshire Privacy Act
• Nebraska — Nebraska Data Privacy Act
• Maryland — Maryland Online Data Privacy Act (MODPA)
• Minnesota — Minnesota Consumer Data Privacy Act
• Kentucky — Kentucky Consumer Data Protection Act
• Rhode Island — Rhode Island Data Transparency and Privacy Protection Act

If your state is not listed but has enacted comprehensive consumer-privacy legislation, those rights apply equally. Contact us at the email address in our Contact section below to exercise them.

No “sale” or “sharing” of personal information. PrayerNexus does not sell your personal information and does not “share” it for cross-context behavioral advertising as those terms are defined by the CPRA. Ads shown in the free tier via Google AdMob are served based on in-app signals and (for users who consent) the Advertising ID; we do not authorize Google or any other third party to use data collected through PrayerNexus to build cross-site behavioral profiles of you. We have not sold or shared the personal information of California residents in the preceding 12 months, nor do we intend to.

Sensitive personal information. Although prayer content can be deeply personal, the prayer content you create in PrayerNexus is stored locally on your device and is never transmitted to us, so it never enters the categories of “sensitive personal information” that comprehensive U.S. state privacy laws require us to disclose, limit, or obtain consent to process. If you choose to share prayer items via Prayer Groups, that content is shared only with the group members you invited; we do not use it for any secondary purpose.

To exercise these rights, contact us at the email address in our Contact section below. We will verify your identity by matching the email address you contact us from against the Google account you used to sign in (if applicable).

Security

No system is perfectly secure, but we’ve made deliberate architectural choices to minimize the data that exists to be breached and to protect what does exist:

9.1 Architectural minimization

PrayerNexus is offline-first by design. Personal prayer items, journal entries, gratitudes, voice transcriptions, photos attached to answered-prayer testimonies, and gamification progress live only on your device, in app-private storage. We cannot lose, leak, or be subpoenaed for data we never receive in the first place.

9.2 Encryption in transit

All data exchanged between the App and Google’s services (Firebase Authentication, Cloud Firestore, Firebase Cloud Messaging, Firebase Analytics, AdMob, Google Play Billing) is sent over HTTPS using TLS 1.2 or higher.

9.3 Encryption at rest

Group-related data stored in Cloud Firestore, push tokens in Firebase Cloud Messaging, and account information in Firebase Authentication are encrypted at rest by Google using AES-256. Local data on your device is protected by Android’s app-sandboxing model: app-private files (the directory returned by Context.filesDir) and the app-private Room database are not accessible to other applications, and on devices with file-based encryption enabled (the default on modern Android), they are encrypted at rest by the operating system.

9.4 Access controls

Prayer Groups are invite-only — there is no public directory, search, or join-by-name. Group documents in Firestore are protected by Firebase Security Rules that only allow read/write access to authenticated users who are members of the relevant group. Five Cats Studios personnel access Firebase consoles only when necessary to operate the service, and only the studio’s owner currently has administrative access.

9.5 Breach notification

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by Article 33 of the GDPR (and equivalent provisions of the UK GDPR and Swiss FADP).
• Notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34 GDPR), or where required by applicable U.S. state breach-notification law (which varies by state).
• Cooperate with Google as the underlying processor for any incident affecting Firebase services.

Because PrayerNexus does not collect payment-card data (handled entirely by Google Play Billing) or government identifiers, the universe of data potentially affected by a breach is intentionally narrow.

Data Retention

Local data is retained on your device until you delete it or uninstall the App. Prayer Groups data in Firestore is retained for as long as the group exists; once deleted from the group or via account deletion, it is removed from Google’s active systems immediately and from Google’s encrypted backups within approximately 180 days per Google’s standard timeline. Firebase Analytics data is retained per Google’s default retention (currently 14 months for event-level data). Firebase Authentication account records are deleted when you use the in-App Delete My Account flow.

Children’s Privacy

PrayerNexus is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 in compliance with the U.S. Children’s Online Privacy Protection Act (COPPA). In the European Economic Area, the United Kingdom, and Switzerland, the age at which a child can consent to processing of personal data in connection with an online service is set by local law and ranges from 13 to 16 depending on the country; where the applicable age is higher than 13, parental or guardian consent is required below that age.

If you are a parent or guardian and believe your child has provided us with personal information through Prayer Groups, please contact us using the email address in our Contact section below and we will delete the information and any associated Firebase Auth account promptly.

PrayerNexus does not knowingly sell, share, or use the personal information of anyone under 16 for personalized advertising.

International Users and Cross-Border Data Transfers

PrayerNexus uses Google services (Firebase, AdMob, Google Play Billing). Your personal data may therefore be processed on servers operated by Google anywhere in the world, including in the United States and other jurisdictions that may not offer an equivalent level of data protection to your home country.

Where personal data is transferred out of the UK, EEA, or Switzerland, Google relies on transfer mechanisms recognized under the GDPR / UK GDPR / FADP, including:

• The EU-U.S. Data Privacy Framework (DPF), to which Google LLC self-certifies
• The UK Extension to the EU-U.S. Data Privacy Framework
• The Swiss-U.S. Data Privacy Framework
• Standard Contractual Clauses (SCCs) approved by the European Commission, where the DPF does not apply

You can review Google’s current transfer disclosures at policies.google.com/privacy and at firebase.google.com/support/privacy.

The legal bases for this processing are those set out in §8.2. If you are not comfortable with these transfers, you can avoid them entirely by not using Prayer Groups and (in the EEA/UK/Switzerland) by declining the UMP consent dialog, which limits advertising- and analytics-related processing to the non-personalized minimum.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the “Last Updated” date at the top of this page will change. For material changes, we will notify you in-App and, where practical, by an in-App banner pointing to the updated policy. Your continued use of PrayerNexus after a change constitutes acceptance of the updated policy.

Third-Party Services at a Glance

A consolidated reference of every third-party service embedded in PrayerNexus, what it processes, and where to read the provider’s own terms.

No other third-party SDKs, analytics services, ad networks, attribution providers, or trackers are integrated into PrayerNexus.