Privacy Policy
Version 1.0 · Updated 2026-04-27
Statio is a private spiritual journal. We treat what you write as yours. This page explains what we collect, what we do with it, and what we never do.
What we collect
- Your email address, used only to send you magic-link sign-in emails and (rarely) account-related notices.
- Your journal entries, prayers, testimonies, and AI reflections, encrypted at rest with AES-256-GCM before being stored. Without the encryption key, the rows are unreadable.
- Device metadata for the Trusted Devices list: IP address (best-effort country lookup), user-agent string, and session timestamps.
- Topic and relationship labels the AI extracts from your entries to surface patterns over time. These are short kebab-case tags ("mom", "work-anxiety") generated locally.
- Anonymous feedback if you submit it via /feedback. Feedback rows store no link to your account.
- Legal acceptance records: which version of these documents you accepted, when, and from what IP. These records survive account deletion (see below).
What we never do
- We never train AI on your content.
- We never sell or share your data with advertisers.
- We never use third-party analytics or advertising trackers.
- No human reads your journal under normal operations. Every decryption path on the server is system code feeding the AI features below — not a person sitting at a console.
The trust contract
Statio is honest about what it can and can't do. Your journal entries, prayers, and testimonies are encrypted at rest with AES-256-GCM. The encryption key lives in the server's environment; a database snapshot without that key is unreadable bytes.
However, our AI features (post-save reflections, Bible-reference detection, prayer extraction, milestone recognition, weekly / monthly / yearly syntheses) work by decrypting the relevant rows in memory at processing time, running the inference, and then discarding the plaintext. Statio's server can read your journal because it processes it for you. No third party can read it. No human reads it under normal operations.
We treat that contract as binding. If we ever build an admin surface that needs to read a decrypted entry — for incident investigation, abuse review, or anything else — we will require a written justification, log every read in an audit table, and notify the affected member that their entry was read, by whom, and why. We have not built such a surface today; this paragraph is a forward-looking commitment, not a description of current functionality.
How AI processing works
Daily reflections are generated by the on-server AI that lives on the same secured server holding your encrypted journal. Your entry text leaves the database (decrypted in memory) for the duration of one inference call and is then forgotten by the model.
Weekly, monthly, and yearly syntheses can fail over to a secure cloud-provider lane when the on-server AI is overloaded. That provider is contractually bound to zero data retention and does not train on the data we send. We never opt in to retention.
Bible verse lookups go to bible-api.com (free translations) or scripture.api.bible (paid translations) when you've selected one. Only the reference string ("Romans 8:28") is sent — never your entry text.
Voice recordings
When you record a voice prayer or voice testimony, the spoken words are transcribed on your device by your phone's built-in speech-to-text. The audio bytes themselves are encrypted and stored alongside the prayer they belong to so you can play them back later.
A small on-server AI also produces a polished, readable version of the transcript that becomes the prayer body — you edit and approve it before saving.
Audio retention. Audio recordings are kept for as long as the parent prayer is active, answered, or unresolved. When you archive a prayer, a 30-day countdown starts. After 30 days the audio bytes are permanently deleted from our database. The prayer text and any answer text remain; only the audio recording is removed. If you un-archive after the 30-day window, the audio will not return — Statio will surface a small "voice recording no longer available" marker on that prayer.
Account deletion
You can delete your account at /settings → Danger zone. When you do, we wipe every journal entry, prayer, testimony, reflection, session, prayer candidate, and topic/relationship rollup tied to your account. The deletion is permanent; there is no recovery.
We retain a minimal record after deletion: your email address, the versions of these documents you accepted, and the timestamps of acceptance. We keep this for our own legal protection and to comply with potential regulatory requests. We do not use it for any other purpose.
Cookies
We set a session cookie when you sign in (httpOnly, sameSite=lax) and a locale cookie if you change languages. We do not use advertising or tracking cookies.
Children
Statio is not intended for users under 13 (or 16 where required by law). If you are a parent and believe your child has signed up, contact us and we will delete the account.
Changes
When we materially change this policy, we'll bump the version above and ask you to accept the new version on your next sign-in. Past acceptances of older versions are kept on record.
Contact
Reach us at [email protected].

