Privacy Policy

Sanctuary is operated by Tournahub Solutions Private Limited (India). This Privacy Policy explains what we collect when you use the Sanctuary mobile app or sanctuary.app, why we collect it, and the rights you have over it.

We only collect what is necessary to run the prayer experience and to keep your account secure.

• Account: name, email, sign-in provider (Apple / Google / Supabase).
• Intentions: seed phrase, intention name, optional struggle.
• Voice transcripts (text only — raw audio is dropped after the turn finishes).
• Daily cards, evening reflections, sealed intention metadata.
• Push notification token (Expo Push) and notification preferences.
• Token ledger entries (grants, debits, top-ups).
• Anonymous product analytics events via PostHog (screen views, paywall taps, purchase outcomes) keyed by a non-reversible internal id — never your email or name. Voice transcripts, reflection text and intention names are never sent to PostHog.
• Crash and performance telemetry (Sentry).

• Your location.
• Your contacts.
• Photos or media library.
• Third-party advertising identifiers (IDFA / GAID).
• Voice audio recordings beyond the duration of a single turn.

• To deliver the daily verse, voice replies, and prayer memories that make Sanctuary feel remembered.
• To run subscriptions, trials, and token grants.
• To send the daily verse push when you have it enabled.
• To detect crashes and improve the app (Sentry).
• To understand which parts of the ritual help and which don't (anonymous product analytics via PostHog — no voice, no reflection text, no intention names).
• To respond to support requests at business@tournahub.com.

Account, intention, ledger and reflection data live in MongoDB Atlas (encrypted at rest, AES-256). Authentication is handled by Supabase. Audio chunks, when present, live in object storage behind one-hour signed URLs. Vector embeddings stay inside Atlas Vector Search.

Third-party processors we rely on for the ritual: Deepgram (speech-to-text), ElevenLabs (text-to-speech), Google Gemini (LLM), Expo Push (notifications), RevenueCat (subscription state, once live), Sentry (crash + performance telemetry), and PostHog (anonymous product analytics — US-hosted, no voice content, no reflection text).

Sanctuary cannot function without sending what you speak and type to three external AI processors. We ask for your explicit consent in-app the first time you open Sanctuary (Step 0 of onboarding), and the server refuses to forward any of your data to a third party until that consent is on record. You can revoke it any time by deleting your account in Settings → Profile.

• Deepgram (United States) — receives short audio chunks while you speak so it can return text. The audio is discarded the moment the turn ends; nothing is retained on Deepgram's side and your audio is not used to train their models.
• Google Gemini via Vertex AI (United States) — receives the resulting text transcript, your intention name, and the recent conversation memory so Sanctuary can reply. Covered by Google's Vertex AI commercial terms, which prohibit using your inputs to train Google's foundation models.
• ElevenLabs (United States) — receives only the text of Sanctuary's reply so it can synthesize the voice playback. Nothing of yours is retained beyond that synthesis.

PostHog (United States) receives anonymous product-event metadata only — never your voice, your reflection text, or your intention names. Sentry receives crash + performance telemetry, scrubbed of message content.

• Account + intention data: kept while your account is active.
• Voice transcripts: kept while the parent intention is active. Deleted when the intention is archived more than 90 days.
• Reported messages: the message text is removed from your chat and our message store immediately. We keep only non-content audit metadata (message id, reason, timestamp, platform, content hash and length) so we can review safety reports.
• Audio: discarded immediately after a turn completes — never persisted.
• Account deletion: when you tap Settings → Profile → Delete account, your account, intentions, transcripts, ledger entries and Supabase identity are permanently removed. There is no recovery window.

• Export: Settings → Data → Export your data downloads a JSON file with every record we hold.
• Delete: Settings → Profile → Delete account permanently removes your account, intentions, transcripts, ledger entries and Supabase identity. The action is final and immediate — there is no recovery window.
• Access, correction, restriction, portability and objection: write to business@tournahub.com and we will respond within 30 days.
• EU / UK / India: you may also lodge a complaint with your national data-protection authority.

Sanctuary is intended for users 18 and older. We do not knowingly collect data from children under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided us data, contact business@tournahub.com and we will delete it.

Material changes to this policy will be surfaced in-app on next launch and posted at sanctuary.app/privacy with an updated revision date. Continued use after a change indicates acceptance.

Questions, requests, or complaints: business@tournahub.com. Postal: Tournahub Solutions Private Limited, India.