Privacy Policy

1. Data Controller, Identity & Multi-Tenant Roles

PNEUMA, INC.

7901 4th St N #25095

St. Petersburg, FL 33702 US

EIN: 99-1234567

Unless otherwise stated, PNEUMA, INC. is the data controller for core account data, authentication, billing, and platform-level analytics. The Services are multi-tenant. Individual organizations, ministries, institutions, or teams ("Tenants") operate their own workspaces within the platform.

For tenant spaces, PNEUMA, INC. typically acts as a data processor for content and project data where the Tenant determines the purposes and means of processing. Tenants may be independent or joint controllers and are responsible for any additional privacy notices they must provide.

Privacy & Data Protection Contact

2. Personal Data We Process

The types of personal data we process depend on how you use the Services and your relationship to a Tenant. They may include:

• Account data: name, email address, password hash (never plain-text), profile image, language preference, tenant memberships, and basic contact details.
• Tenant & organization data: tenant name and slug, business profile details (e.g., legal name, registration number, address, contact details, website) as set by Tenants.
• User-generated & project content: media submissions, files, translations, project metadata, descriptions, categories, and related editorial or theological content.
• Usage & log data: IP address, timestamps, browser and device information, language settings, pages visited, actions taken, tenant context, and audit logs used for security, moderation, and compliance.
• Analytics data: aggregated and pseudonymous metrics from Vercel Analytics and Cloudflare Web Analytics (e.g., page views, performance, reliability).
• Authentication & security data: JWTs, session identifiers, auth cookies, and security-related signals (e.g., login attempts, MFA settings where applicable).
• Payment data: subscription status, plan type, billing metadata, and transaction identifiers. Full card details are processed directly by third-party payment processors (such as Stripe) and are not stored by us.
• Support & communication data: messages and contact details when you email us or use in-app support, plus related metadata.

3. Purposes & Legal Bases for Processing

We process personal data only where we have a valid legal basis under applicable law. Depending on context and jurisdiction, this includes:

• Contract performance: to create and manage accounts and tenant workspaces, provide and secure the Services, process payments and subscriptions, and deliver support.
• Legitimate interests: to maintain security, prevent abuse and fraud, protect our users and Tenants, monitor performance, improve the platform, and support responsible use in theological, academic, and media contexts. We balance these interests against your rights and expectations.
• Consent: where required for optional cookies and similar technologies, marketing communications, or specific processing that you request. You may withdraw consent at any time without affecting prior lawful processing.
• Legal obligations: to comply with tax, accounting, sanctions, consumer protection, and other regulatory requirements, or to respond to valid legal requests.
• Vital or important interests: in rare cases, to protect life or significant public interests where permitted by law.

4. Cookies, JWTs & Similar Technologies

The Services use cookies and similar technologies, primarily to keep your session secure and the platform stable:

• Strictly necessary cookies: used for authentication (including NextAuth JWT/session cookies), tenant routing, and core security features. These are required for the Services to function.
• Functional preferences: used to remember options such as language or display settings.
• Analytics: Vercel Analytics and Cloudflare Web Analytics help us understand performance and usage. Cloudflare Web Analytics is designed to operate in a privacy-preserving, cookieless way; Vercel Analytics may rely on first-party cookies or similar identifiers.

Where law requires consent for non-essential cookies, we will obtain it via in-app controls or your browser interaction. You can manage cookies through your browser settings and, where available, through in-app preferences.

5. Third-Party Services & Data Sharing

We do not sell personal information and we do not "share" personal information for cross-context behavioral advertising within the meaning of the CCPA/CPRA. We may disclose personal data to:

• Hosting & infrastructure: Vercel (application hosting and edge delivery), Cloudflare (DNS, CDN, security), and Google Cloud Platform, including Google Cloud SQL and Google Cloud Storage.
• Email & communications: Mailgun and similar providers for transactional and tenant communications.
• Analytics: Vercel Analytics and Cloudflare Web Analytics to monitor and improve performance and security.
• Payment processors: third parties such as Stripe, which process payment card information directly and provide us with limited billing and transaction details.
• Tenant administrators: if you use the Services under a Tenant, that Tenant's administrators and moderators may see information such as your name, email, membership status, and activity within that workspace.
• Professional advisers & legal recipients: lawyers, auditors, insurers, regulators, and law enforcement, when necessary to protect rights, comply with law, or respond to valid legal processes.

Where third parties act as our processors, we put in place contracts requiring them to process personal data only on our instructions and with appropriate technical and organizational safeguards.

6. Data Location, Transfers & Storage

PNEUMA, INC. stores personal data primarily in the United States:

• Primary data residency: core application data, including user accounts, tenant data, audit logs, and metadata, is stored in Google Cloud Platform (GCP), region us-central1 (Iowa, USA).
• Media storage: uploaded media files are stored in Google Cloud Storage (US Multi-Region) for reliability and performance.
• Global edge caching: static content and non-personal data may be cached globally via Vercel Edge and Cloudflare CDN. These cached copies are transient and do not constitute long-term storage of your personal data.

If you access the Services from the EU/EEA, UK, Switzerland, Canada, or other regions with data transfer restrictions, your data will be transferred to the United States and possibly to other countries where our providers operate. Where required, we use safeguards such as Standard Contractual Clauses and equivalent mechanisms and work to ensure an essentially equivalent level of protection for transferred data.

7. Data Retention

We retain personal data only for as long as needed for the purposes described in this Policy or as required by law:

• User account data: deleted when you delete your account, typically within 72 hours, subject to technical and backup constraints.
• Audit logs: retained for up to 12 months, then deleted or fully anonymized.
• Media submissions, translations & project data: retained for up to 3 years or as configured by the relevant Tenant. This content is not automatically removed solely because a user leaves a Tenant; Tenants determine the lifecycle of their content where they act as controller.
• Backups: encrypted backups are kept for up to 30 days on a rolling basis and then purged or overwritten.

We may retain certain data longer where necessary to comply with legal obligations, maintain security logs, prevent fraud, resolve disputes, or enforce agreements.

8. Your Rights (GDPR, UK-GDPR, PIPEDA & Global Norms)

Depending on where you live and how we process your data, you may have some or all of the following rights:

• Right of access: to know whether we process your personal data and to receive a copy.
• Right to rectification: to request correction of inaccurate or incomplete data.
• Right to erasure: to request deletion of personal data in certain circumstances, subject to retention obligations.
• Right to restrict processing: to request that we limit processing in specific situations.
• Right to data portability: to receive certain data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
• Right to object: to object to processing based on legitimate interests, including profiling, where permitted by law.
• Right to withdraw consent: where we rely on consent, you may withdraw it at any time.
• Right to lodge a complaint with a supervisory authority: including your local data protection authority if you believe your rights have been violated.

If we process your data as a processor on behalf of a Tenant, we may redirect your request to that Tenant and assist them in responding, consistent with our contractual obligations.

To exercise your rights, contact us at privacy@pneuma.inc. We may take reasonable steps to verify your identity and will respond within the timeframes required by applicable law.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the CCPA/CPRA regarding personal information we process as a "business":

• Right to know: to request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and categories of recipients.
• Right to delete: to request deletion of personal information we collected from you, subject to statutory exceptions.
• Right to correct: to request correction of inaccurate personal information.
• Right to opt out of sale or sharing: PNEUMA, INC. does not sell personal information and does not share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive information: we do not use or disclose sensitive personal information in ways that would give rise to a right to limit under the CPRA.
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights.

You or your authorized agent may submit a verifiable request to privacy@pneuma.inc. We will respond in accordance with California law.

10. PIPEDA (Canada)

If you are in Canada, we handle your personal information in accordance with PIPEDA and applicable provincial privacy laws. We collect, use, and disclose personal information only for purposes a reasonable person would consider appropriate in the circumstances and as described in this Policy.

You may have the right to access and challenge the accuracy and completeness of your personal information, and to have it amended as appropriate. You may also lodge a complaint with the Office of the Privacy Commissioner of Canada or your provincial regulator. To exercise your rights or raise concerns, contact us at privacy@pneuma.inc.

11. Account Management & Deletion

Where available, you can update your profile, change settings, and manage some privacy preferences directly in the Services. If you want to delete your account:

• Use the in-app account deletion feature (where provided), which will trigger deletion of account-level data within about 72 hours.
• For accounts under a Tenant, you may need to contact that Tenant's administrator to request removal or deletion from the workspace.
• If you cannot access your account, you may request deletion by contacting privacy@pneuma.inc. We may need to verify your identity before acting on the request.

Deleting your account does not automatically delete Tenant-owned content (such as media or projects) where the Tenant is the controller. Tenants manage such content in line with their own obligations and policies.

12. Children's Privacy (18+)

The Services are intended for individuals who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected personal data from a child under 18, we will take reasonable steps to delete it as soon as practicable.

Parents or legal guardians who believe that a child has provided us with personal data may contact privacy@pneuma.inc so we can investigate and address the issue.

13. Security & International Considerations

We use appropriate technical and organizational measures to help protect personal data against unauthorized access, loss, alteration, or destruction. These measures may include encryption in transit and at rest, access controls, audit logs, secure development practices, and infrastructure monitoring.

No system can be guaranteed 100% secure. You are responsible for keeping your login credentials confidential and notifying us or your Tenant administrator of any suspected unauthorized access to your account.

Because our infrastructure is primarily hosted in the United States with global edge and CDN services, your data may be processed in countries that may have different data protection laws than your home jurisdiction. We use appropriate safeguards for such transfers as described in this Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or privacy practices. When we make material changes, we will take reasonable steps to notify you, such as by posting a notice in the Services or sending you a direct communication, and will update the "Last updated" date at the top of this page.

We encourage you to review this Policy periodically. Your continued use of the Services after changes take effect constitutes your acknowledgement of the updated Policy, to the extent permitted by law.