Privacy Policy

PrayerMap ("we," "our," or "us") operates prayermap.me and the application at app.prayermap.me. This Privacy Policy explains what information we collect, how we use it, and how we protect it. We built PrayerMap with a privacy-first philosophy — especially regarding the content of your prayers.

1. Information We Collect

Account information: When you create an account, we collect your name, email address, and a securely hashed password. For organization accounts, we also collect the organization name.

Prayer data: We store the prayer subjects, prayer items, session windows, schedules, and completion records you create. This is the core data PrayerMap needs to function.

Profile information: You may optionally upload a profile photo. This is stored on our server and is only visible to you.

Usage data: We collect standard web server logs, including IP addresses, browser type, and pages accessed. This data is used to maintain server security and diagnose technical issues.

Email communications: If you contact us via the request form or email, we retain that correspondence to respond to you.

2. Prayer Content is Private

This is the most important section of this policy. The content of your individual prayer items is never visible to account administrators, organization administrators, or PrayerMap staff.

In multi-user organization accounts, administrators can see aggregate statistics (for example, total number of prayers, completion rates) but they cannot read, access, search, or export the text of individual prayer items belonging to any user.

This is not just a policy — it is enforced at the database query level in the application code. Every query that retrieves prayer content requires a matching user_id for the authenticated user.

We will never sell, share, or publish your prayer content.

3. How We Use Your Information

• To provide and operate the PrayerMap application
• To authenticate you and maintain your session
• To generate and deliver your personalized prayer schedule
• To send transactional emails (password resets, account confirmations)
• To respond to support requests and account inquiries
• To diagnose and fix technical issues
• To maintain the security and integrity of our systems

We do not use your data for advertising. We do not sell your data to third parties. We do not use your prayer content to train AI models or for any purpose other than displaying it back to you.

4. Data Storage and Security

Your data is stored on a dedicated server hosted by DigitalOcean in a US-based data center. We implement the following security measures:

• All web traffic is encrypted via HTTPS/TLS (SSL)
• Passwords are hashed using bcrypt with a work factor of 12 — we never store plain-text passwords
• Database access is restricted to the application user with minimum necessary permissions
• Session cookies are marked Secure and HttpOnly; sessions are regenerated on login
• All database queries use prepared statements to prevent SQL injection
• All output is HTML-escaped to prevent cross-site scripting (XSS)
• CSRF tokens are required on all state-changing forms

While we implement industry-standard security practices, no system is 100% immune to security incidents. We encourage you to use a strong, unique password for your PrayerMap account.

5. Cookies and Sessions

PrayerMap uses a single session cookie (prayermap_sess) to keep you logged in during your browsing session. This cookie expires after 8 hours of inactivity.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No external analytics platforms (Google Analytics, Facebook Pixel, etc.) are loaded on the application.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to any third party.

We may share limited information with:

• DigitalOcean — our infrastructure provider, who hosts our server. DigitalOcean does not have access to application data.
• Email delivery providers — transactional emails (password resets, etc.) may be routed through an SMTP service. Only the recipient email address and email content are transmitted — no prayer data.
• Law enforcement — if required by law, court order, or to protect the safety of users or the public.

7. Data Retention

We retain your account and prayer data for as long as your account is active. If you request account deletion, we will delete your personal information and prayer data within 30 days. Server access logs are retained for up to 90 days for security purposes.

8. Your Rights

You have the right to:

• Access a copy of the personal data we hold about you
• Correct inaccurate data
• Request deletion of your account and all associated data
• Export your prayer subjects and items (available via CSV export on paid plans)

To exercise any of these rights, contact us at the address below.

9. Children's Privacy

PrayerMap is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of PrayerMap after changes are posted constitutes acceptance of the updated policy.

11. Contact Us