Privacy Policy

Your reflections belong to you.

A plain-language summary of what we collect, why, and how to remove it.

Effective May 6, 2026 · Last updated May 6, 2026

YeshuaTree is a Gospel-grounded AI devotional companion at yeshuatree.chat, also distributed as a mobile app. We take a quiet, careful approach to your data — your prayers, journal entries, and reflections are personal, and we treat them that way.

This policy explains what we collect, how we use it, who processes it on our behalf, and how to delete your account or your data. If anything here is unclear, email matthew@makewavs.media and we'll answer.

Who we are

YeshuaTree (the "service", "we", "our") is operated as a sole-proprietor service. Contact: matthew@makewavs.media.

What we collect

Information you give us directly

  • Account — your email address and a hashed password when you sign up.
  • Chat messages — the conversations you have with the AI companion.
  • Journal entries — anything you write in the private journal, including mood tags, intentions, and session reflections.
  • Onboarding answers — your stated faith stage, intents, and any optional context you choose to share.
  • Feedback — thumbs-up/thumbs-down signals you give on responses.
  • PIN — if you set a journal PIN, it is stored as a one-way hash (bcrypt). We can never read your PIN, only verify it.

Information collected automatically

  • Usage logs — model used, token counts, response latency, and timestamps. Used for tier metering and abuse prevention.
  • Device metadata — for the mobile app: a push-notification token, platform (iOS/Android), bundle ID, app version, and device model. Used only to deliver the reminders you opt into.
  • Time zone offset — captured from your browser when you set reminder times, so we send notifications at the local hour you chose.
  • Server logs — basic request logs (IP, user-agent, request path) retained briefly for security.

What we do not collect

  • No advertising identifiers, no cross-site tracking, no third-party analytics SDKs.
  • We do not collect contacts, photos, location, microphone, or camera data.
  • We never read or store your payment-card details — Stripe handles that directly (see below).

How we use your information

  • To run the service: deliver chat responses, save journal entries, send the daily devotion, and authenticate you across sessions.
  • To honor reminder preferences: send the email or push notification you opted into, at your chosen time.
  • To enforce fair use: count daily token usage so the right tier limit applies.
  • To keep the service safe: detect crisis-language patterns, surface appropriate referrals (e.g. 988), and log abuse signals.
  • To process subscriptions: pass billing data to Stripe (see "Processors" below).
  • To improve safety classifiers and answer quality. We do not sell your data, and we do not use your private chats or journal entries to train third-party AI models.

Processors we work with

We use a small number of third-party services to operate the app. Each one only sees the slice of data it needs:

  • Stripe — payment processing, subscription management, and webhook events. Card details are handled by Stripe directly; we only receive customer and subscription IDs.
  • OpenRouter / Anthropic — the AI inference layer. Your chat message and the relevant Gospel context are sent to generate each response.
  • xAI / Grok — optional web-assisted answers for Disciple users when a question appears current or outside the YeshuaTree corpus. The latest user question may be sent to xAI for web search; saved journal entries and memories are not sent for this fallback. Web-assisted responses are labeled in the app.
  • Resend — transactional email (sign-up, password reset, daily devotional, reminder, unsubscribe). Resend sees your email address and the message we send you.
  • Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) — only when you install the mobile app and opt into push. They receive a delivery token and the notification payload.
  • Hostinger VPS / Docker — application hosting. The application database is stored on a single VPS we control.

How your data is stored and protected

  • All traffic to yeshuatree.chat uses HTTPS/TLS.
  • Passwords are stored only as one-way bcrypt hashes. We cannot recover them — only reset them.
  • Journal PINs are also stored only as bcrypt hashes.
  • Authentication uses signed JWT tokens. The journal section requires an additional PIN-unlock token if you've set a PIN.
  • Database backups, when taken, are stored on the same infrastructure with the same access controls.

No internet-connected service can promise perfect security, but we keep the surface area small on purpose: one server, a small number of trusted processors, no analytics SDKs, no ad networks.

Data retention

We keep your account data for as long as your account is active. Specifically:

  • Account, chat history, journal entries, intentions: retained until you delete them or close your account.
  • Usage and safety logs: retained on a rolling basis (typically 90 days) for abuse prevention and capacity planning.
  • Stripe records: retained by Stripe per their own retention rules and applicable tax/finance law, even after you cancel.
  • Server logs: short-term only.

Your rights and choices

Export or delete your data

You can request a full export of your account data, or full deletion of your account and its data, by emailing matthew@makewavs.media from the email address on the account. We'll respond within 30 days.

Cancel or unsubscribe

  • Subscription: manage or cancel from the in-app account screen, or from your Stripe customer portal.
  • Email reminders: every reminder email includes a one-click unsubscribe link that disables all reminder emails immediately.
  • Push notifications: turn off in your device settings, or sign out of the app to unregister your device token.

Regional rights (EEA, UK, California, etc.)

If you live in a jurisdiction with specific data-protection laws (GDPR, UK GDPR, CCPA/CPRA, and similar), you have the right to access, correct, port, restrict, or delete your personal data, and to object to processing. To exercise any of these rights, email us at matthew@makewavs.media. You also have the right to lodge a complaint with your local supervisory authority.

Children

YeshuaTree is intended for users aged 13 and older. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, email matthew@makewavs.media and we will remove the account.

International transfers

Our infrastructure and our processors operate in the United States and the European Union. By using YeshuaTree from outside these regions, you consent to the transfer and processing of your data in those regions, with the protections described above.

About the AI itself

YeshuaTree is an AI companion grounded in the canonical Gospels. It is not Jesus Christ, not a source of new revelation, and not a substitute for Scripture, prayer, your local church, or qualified pastoral, medical, or mental-health care.

The AI may make mistakes. If you are in crisis, please reach out to a trusted person, your local emergency services, or in the U.S. call or text 988.

Changes to this policy

If we make material changes, we'll update the "Last updated" date at the top and, when appropriate, notify active users by email. Continued use of the service after a change means you accept the updated policy.

Contact

Questions, concerns, deletion requests, or anything that doesn't fit the categories above:

matthew@makewavs.media