Data Controller

Catalysis ("we", "us", "our") is the data controller responsible for your personal information collected through this platform. For any privacy-related questions or to exercise your rights, contact us at privacy@catalysis.com.

Information We Collect

We collect the following categories of personal data: (a) Account information — your name, email address, password (stored as a secure hash), profile photo, and optional profile details such as your denomination, spiritual level, and discovery source; (b) Journey and activity data — journeys you create or enrol in, daily entries, activity completions, and journal content; (c) Community content — testimonies, prayer requests, and group messages you post; (d) Notification preferences — your chosen email and push notification settings; (e) Technical data — IP address, browser type, device type, and standard server access logs; (f) Google OAuth data — if you sign in with Google, we receive your Google account name, email, and profile photo as authorised by you; (g) Local media metadata — file names and activity mappings you create when using the local media feature (your actual files are never uploaded or accessed).

Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following lawful bases: (a) Contract performance — we process your account information, journey data, and activity records because it is necessary to provide the services you have signed up for; (b) Consent — we process your notification preferences and any optional profile information on the basis of your consent, which you may withdraw at any time in Settings; (c) Legitimate interests — we process technical and usage data to maintain platform security, prevent fraud, and improve our services, where these interests are not overridden by your rights; (d) Legal obligation — we may retain certain records where required by applicable law.

How We Use Your Information

We use the information we collect to: (a) create and manage your account and authenticate your identity; (b) provide, operate, and improve the Catalysis platform and its features; (c) personalise your experience, including journey recommendations and saturation schedule; (d) send you service notifications, activity reminders, and community updates according to your preferences; (e) facilitate group, cohort, and community interactions; (f) detect and prevent fraud, abuse, and violations of our Terms of Service; (g) comply with legal obligations.

Information Sharing

We do not sell your personal information. We share your data only in the following limited circumstances: (a) with other users, to the extent your profile and content are set to public or shared within a group you have joined; (b) with service providers who assist in operating the platform (database hosting, cloud storage, email delivery) under confidentiality agreements that prohibit them from using your data for their own purposes; (c) with law enforcement or regulatory bodies when required by law, court order, or to protect the rights and safety of our users or the public; (d) in the event of a merger, acquisition, or sale of assets, in which case we will notify you before your data is transferred and becomes subject to a different privacy policy.

International Data Transfers

Catalysis is operated from outside the European Economic Area (EEA). Your personal data is stored on servers provided by Neon (PostgreSQL database) and Cloudflare R2 (file storage), both of which are US-based services. If you are located in the EEA or United Kingdom, your data is transferred to and processed in the United States. These transfers are conducted under appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, as provided by our infrastructure partners. By using Catalysis, you acknowledge that your data will be transferred to and processed in the United States under these safeguards.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services. Specifically: (a) Account data is retained for the life of your account plus 30 days after deletion to allow for recovery; (b) Journey content, testimonies, and prayer requests are retained until you delete them or close your account; (c) Local media mapping metadata is retained until you remove the mappings or close your account; (d) Server access logs are retained for up to 90 days for security and debugging purposes; (e) Data we are required to retain for legal or compliance reasons will be held for the period required by applicable law and then securely deleted. You may request deletion of your account and associated data at any time.

Data Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These include encrypted data transmission (HTTPS/TLS), hashed password storage, access controls, and regular security reviews. No method of internet transmission or electronic storage is 100% secure; we cannot guarantee absolute security but are committed to protecting your data using industry-standard practices.

Local Media & Files

When you use the local media feature, your audio and video files remain entirely on your personal device. Catalysis never uploads, accesses, or stores the content of your local files. We store only the mapping metadata on our servers: which file names you have linked to which journey activities, and the timestamp of your copyright acknowledgment. This metadata is used to sync your media setup across sessions and to maintain a record of your copyright acceptance. File access permissions (directory handles) are stored locally in your browser and cannot be transferred to our servers or other devices.

Cross-Device Data

If you use Catalysis on multiple devices (web browser and mobile app), your media mapping preferences sync via our servers so you can set up local files on each device without redoing the matching. The actual files are never transmitted between devices or through our servers. Each device requires separate file access permissions.

Cookies & Tracking

Catalysis uses strictly necessary cookies and browser storage (localStorage, sessionStorage, IndexedDB) to keep you logged in, remember your preferences, and operate core features such as the offline schedule cache and local media mappings. We may also use third-party analytics and advertising cookies to support our services and fund the platform. Where required by applicable law (including GDPR for EEA/UK users), we will obtain your consent before setting non-essential cookies. If our cookie practices change materially, we will update this policy and notify you.

Your Rights

Depending on your location, you may have the following rights regarding your personal data: (a) Right of access — you may request a copy of the personal data we hold about you; (b) Right to rectification — you may ask us to correct inaccurate or incomplete data; (c) Right to erasure ("right to be forgotten") — you may ask us to delete your personal data where there is no lawful reason for us to continue processing it; (d) Right to restriction of processing — you may ask us to pause processing your data in certain circumstances; (e) Right to data portability — you may request your data in a structured, machine-readable format; (f) Right to object — you may object to processing based on legitimate interests; (g) Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing; (h) Right to lodge a complaint — if you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority. To exercise any of these rights, contact us at privacy@catalysis.com. We will respond within 30 days.

Children's Privacy

Catalysis is not directed at children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at privacy@catalysis.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a prominent notice on the platform. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the platform after changes are posted constitutes your acceptance of the revised policy.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact us at privacy@catalysis.com.

Privacy Policy