In Eden — Privacy Policy
Version: 2026-05-28
Effective Date: May 17, 2026
Last Updated: May 28, 2026
This Privacy Policy explains how Rose Global LLC d/b/a In Eden ("In Eden," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use the In Eden mobile application, web platform, and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Who We Are and How to Contact Us
Data Controller: Rose Global LLC, an Arizona limited liability company.
Email for privacy matters: privacy@ineden.app
Email for data deletion requests: privacy@ineden.app (or via Settings → Account → Delete My Data)
We are the data controller of your personal information. Service providers who process data on our behalf (described in Section 4) act as data processors.
2. Information We Collect
2.1 Information You Provide Directly
| Category | What we collect |
|---|---|
| Account info | Email address, authentication provider (Apple, Google, or email code) |
| Profile info | Name, profile photo, city, interests, faith opt-in toggle, travel pin location, optional bio, optional Instagram handle, optional birthday, optional website URL, identity archetypes (optional self-described attributes) |
| Communications | Direct messages between you and other Members, your replies and reactions on group message boards, support tickets and emails to In Eden |
| Payment information | Subscription tier, billing cycle, payment provider (Stripe or Apple), partial card info displayed by the payment processor (e.g., last 4 digits — we do not store full card numbers), trial dates, renewal dates |
| Founder/Partner submissions | Application form data (name, city, why you're a fit, links to social/portfolio), uploaded resources (devotionals, ebooks, audio, video, templates) |
| Reports and moderation data | Reports you file against another Member or content, blocks you initiate, reasons given |
2.2 Information We Collect Automatically
| Category | What we collect |
|---|---|
| Device and technical data | Device type, operating system, app version, IP address, language, timezone, crash reports |
| Usage data | Pages and screens visited, features used, RSVP behavior, content engagement (which devotionals you opened, which classes you started), search terms, session duration |
| Approximate location | Derived from IP address or city you select; we do not track precise GPS location continuously |
| Cookies and similar tech (web only) | Session cookies, authentication cookies, analytics cookies (PostHog), error-tracking cookies (Sentry) |
2.3 Information from Third Parties
| Source | What we receive |
|---|---|
| Apple Sign in / Google Sign-in | Email, name (you choose what Apple/Google share) |
| Stripe / Apple In-App Purchase / RevenueCat | Subscription status, transaction IDs, refund events |
| Eventbrite / Luma / Instagram oEmbed | Public event metadata for partners who provide their organizer URLs or post URLs |
2.4 What We Do NOT Collect
- Full credit card numbers (handled by Stripe and Apple)
- Continuous GPS location tracking
- Contacts from your phone book unless you explicitly grant permission
- Biometric data of any kind — In Eden does not perform identity verification, facial recognition, or face matching, and collects no biometric identifiers
- Clinical health data — we are not a HIPAA-covered entity and we do not collect anything beyond the optional cycle data you choose to log (see Section 2.5)
- Information from minors under 18
2.5 Cycle and Hormone Health Data (Optional)
If you choose to use the cycle-tracking features of In Eden, we collect only the minimum data needed to surface your phase guidance:
| Category | What we collect | Where it lives |
|---|---|---|
| Cycle logs | The first day of each cycle you log (a single date, e.g., 2026-04-15) | cycle_logs table in our EU Postgres database, gated by Row-Level Security so only you can read your row |
| Phase calculation | Your current cycle phase, day count, and cycle length, derived on-demand from your cycle logs | Computed server-side via the get_current_cycle_phase() RPC; not stored separately |
| Calculator inputs | None | The in-app cycle-phase tool runs entirely on your device. We never receive the dates or values you enter into it. In Eden does not offer pregnancy, fertility, or conception tools. |
What we never do with cycle data:
- We do not sell, trade, or rent your cycle data — to anyone, under any circumstances.
- We do not share it with advertisers, ad networks, brokers, or marketing partners.
- We do not use it to target ads (we don't run ads at all).
- We do not feed it into any AI training set, ours or anyone else's. Any future AI hormone-health feature will be opt-in only and clearly disclosed.
- We do not share it with your friends, partner, or anyone else inside In Eden — there is no partner-sync or shared-cycle feature at v1.
- We do not share it with U.S. or international authorities except in response to a valid, narrowly scoped legal process; we will challenge overbroad requests where lawful.
How we protect it:
- Encrypted in transit (TLS 1.2+) and at rest (AES-256 disk-level encryption on Supabase's managed Postgres in eu-central-1).
- Row-Level Security enforced at the database — even our own engineers cannot read your data without an explicit support workflow that you initiate.
- Hosted in the European Union (Supabase eu-central-1) under GDPR-grade safeguards, regardless of where you live.
How long we keep it:
- Cycle logs are retained while your account is active so we can render your phase guidance.
- Upon account deletion, all cycle logs are deleted within 30 days with no derivative analytics or aggregate retention. There is no "anonymized cycle archive" — when you delete, your cycle history is gone.
- Backups (encrypted, 30-day rotation) roll your data off completely within 60 days of your deletion request.
Your controls:
- You can edit or delete any individual cycle log entry in Settings → Privacy & Safety → Cycle data.
- You can delete all cycle data without deleting your full account by emailing privacy@ineden.app with the subject "Delete cycle data only."
- You can view exactly what we have on you via the data export flow in Settings → Account → My Data.
3. How We Use Your Information
We use your information to:
- Provide the Service — create your account, render your profile, surface events and content, route DMs, run Friend Match suggestions, process payments, deliver subscriptions.
- Personalize the experience — curate your Pinterest-style Home feed based on the interests, city, and faith opt-in you selected.
- Communicate with you — send the welcome email sequence (Day 0, Day 3, Day 5, Day 6, Day 30), trial-ending reminders, security notices, and policy update notifications via Resend. You may opt out of marketing emails (transactional emails are required for service operation and cannot be opted out of without canceling your account).
- Run safety operations — review Reports, enforce Community Guidelines, suspend or remove accounts for violations.
- Run business operations — respond to support requests, prevent fraud, comply with legal obligations, defend against legal claims, conduct internal analytics.
- Improve the Service — analyze aggregated usage patterns via PostHog to understand what's working and what isn't.
- Send product updates — when we release new features or change policies, we may notify you via email or in-app message.
We do not sell your personal information. We do not rent it. We do not use it for cross-context behavioral advertising.
3.1 Lawful Bases for Processing (EEA, UK, Switzerland)
If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data only where we have a lawful basis to do so:
- Performance of a contract — to deliver your membership and the features you sign up for (account management, payments, community features).
- Legitimate interests — for purposes that serve our reasonable business interests and do not override your rights and freedoms (security, fraud prevention, service improvement, and community communications).
- Consent — where you have explicitly opted in (for example, optional profile fields, cycle tracking, marketing emails, or non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Legal obligation — where processing is required to comply with applicable law (for example, tax record-keeping or responding to lawful requests).
3.2 Automated Decision-Making and Personalization
We use rule-based systems to personalize your experience — for example, Friend Match suggestions (weighted by city, shared interests, and faith alignment) and your interest-curated Home feed. These systems do not produce legal effects concerning you or similarly significant effects; they are used solely to improve your experience and you can always browse, search, and connect independently of them. We do not use solely automated decision-making to deny access, set pricing, or take adverse action against you. If you have questions about how personalization affects you, contact privacy@ineden.app.
4. Who We Share Information With
We share your information only with the following categories of third parties, each of whom acts as a data processor under our written instructions and subject to confidentiality and security obligations.
4.1 Service Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage, edge functions | All Service data | EU (eu-central-1) |
| Stripe | Web subscription payments | Email, payment method, billing address | US/EU |
| Apple | iOS subscription billing via App Store | Apple-managed; we receive only the receipt and subscription status | US |
| RevenueCat | iOS subscription receipt validation and tier management | Subscription state | US |
| Resend | Transactional and welcome emails | Email address, name | EU |
| PostHog | Product analytics | Anonymized usage data, device info | EU |
| Sentry | Error and performance monitoring | Crash reports, app version, user ID (for filtering) | US/EU |
| Mapbox | Map rendering for travel pin and city anchors | Approximate location | US |
4.2 Other Members
The following profile information is public to other signed-in Members of In Eden:
- Your name and profile photo
- Your city
- Your interests
- Your travel pin (current and upcoming)
- Your member-since date and Founding Member badge (if applicable)
The following remain private:
- Your faith opt-in status
- Your testimony or bio (unless you choose to share it)
- Your last-active timestamp
- Your DMs and connection-request history
- Your subscription tier
- Your payment information
4.3 Legal and Safety
We may disclose information if we believe in good faith that it is necessary to:
- Comply with a valid legal process (subpoena, court order, regulatory request);
- Enforce our Terms of Service;
- Protect the rights, property, or safety of In Eden, our Members, or the public;
- Investigate fraud, security issues, or illegal activity;
- Defend ourselves against legal claims.
We will, where legally permitted, notify you of any government request for your data before responding.
4.4 Business Transfers
If In Eden is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (via email or in-app notice) of any such transfer and any choices you may have regarding your information.
4.5 Aggregated and De-Identified Data
We may share aggregated or de-identified information (e.g., "the average member opens 3 devotionals per week") with partners, researchers, or the public. This information cannot reasonably be used to identify you.
5. International Data Transfers
In Eden's primary database is hosted in the European Union (Supabase eu-central-1). Some service providers (Stripe, RevenueCat, Sentry US-region, Mapbox) are based in the United States.
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to the U.S. and processed there. We rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to U.S. processors;
- EU–U.S. Data Privacy Framework certifications where available;
- Contractual confidentiality and security obligations on each processor.
By using the Service, you consent to these transfers.
6. Your Rights and Choices
6.1 GDPR Rights (EEA, UK, Swiss residents)
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten") — see Section 7;
- Restrict processing in certain circumstances;
- Object to processing for direct marketing or based on legitimate interest;
- Portability — receive your data in a machine-readable format;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with your local data protection authority.
To exercise these rights, email privacy@ineden.app. We will respond within 30 days.
6.2 CCPA/CPRA Rights (California residents)
You have the right to:
- Know what personal information we collect, use, and share;
- Delete your personal information (with certain exceptions);
- Correct inaccurate personal information;
- Limit use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right);
- Opt out of "sale" or "sharing" — we do not sell or share your personal information for cross-context behavioral advertising;
- Non-discrimination — we will not discriminate against you for exercising your rights.
To exercise these rights, email privacy@ineden.app or use the in-app Settings → Account → My Data flow. We will not require you to create an account to make a request, but we may need to verify your identity to fulfill it.
6.3 Other U.S. State Rights (Virginia, Colorado, Connecticut, Utah, etc.)
Residents of states with similar privacy laws have analogous rights. Email privacy@ineden.app to exercise them.
6.3.1 Canada (PIPEDA and Quebec Law 25)
If you are in Canada, you have the right to access and correct the personal information we hold about you, to withdraw consent to its collection, use, or disclosure (subject to legal and contractual limits), and to lodge a complaint with the Office of the Privacy Commissioner of Canada or, in Quebec, the Commission d'accès à l'information. Email privacy@ineden.app to exercise these rights.
6.3.2 Australia (Privacy Act 1988 and the Australian Privacy Principles)
If you are in Australia, you may request access to and correction of the personal information we hold about you, and you may complain about our handling of your information. Please contact privacy@ineden.app first; if you are not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We may disclose your information to overseas recipients (including service providers in the United States and the European Union) as described in Section 4. We will notify you and the OAIC of any eligible data breach as required by the Notifiable Data Breaches scheme.
6.4 In-App Controls
You can:
- Edit your profile (name, photo, city, interests, bio, travel pin) in Settings → Profile;
- Manage notification preferences in Settings → Notifications;
- Block or report another Member from their profile or any conversation;
- Request data deletion via Settings → Account → Delete My Data;
- Cancel your subscription in Settings → Subscription (or via Apple ID for iOS subscriptions).
7. Data Retention and Deletion
We retain your information for as long as your account is active and as necessary to provide the Service. After account deletion or prolonged inactivity, we retain data only as needed to:
- Comply with legal obligations (e.g., tax records, fraud prevention);
- Resolve disputes;
- Enforce our agreements;
- Protect the safety of other Members.
7.1 What Happens When You Delete Your Account
Upon account deletion request:
| Data | What happens |
|---|---|
| Profile (name, photo, bio, interests) | Deleted within 30 days |
| Auth records | Deleted within 30 days |
| DMs you sent | Anonymized — content remains visible to the other party but attribution becomes "Former Member"; if you want full deletion of message content from other Members' inboxes, contact us and we will use commercially reasonable efforts |
| Group message-board posts and replies | Anonymized to "Former Member" |
| Event RSVPs (past) | Retained as anonymized count for the event; personal attribution removed |
| Cycle and hormone health logs | Deleted within 30 days. No derivative analytics, no aggregated retention, no copy in any AI training set |
| Payment records | Retained for 7 years for tax and fraud-prevention compliance (as required by Arizona and U.S. federal tax law) |
| Support communications | Retained for 3 years |
| Reports filed by you or against you | Retained as long as needed for ongoing safety review, plus 12 months |
| Backups | Encrypted backups expire on a 30-day rotation; deleted data is fully removed once backups roll over |
You can also delete specific items (a DM, a board post, a profile photo) at any time without deleting your full account.
8. Security
We protect your information using industry-standard practices, including:
- Encryption in transit: TLS 1.2+ for all client-server communication.
- Encryption at rest: all data stored in Supabase's encrypted Postgres and Storage.
- Authentication: managed by Supabase Auth — email and password, 8-digit email codes, Sign in with Apple, and Sign in with Google. Passwords are never stored in plaintext; Supabase Auth stores only a salted cryptographic hash, and In Eden staff cannot read your password.
- Row-Level Security (RLS): enforced on every database table so Members can only access their own data unless explicitly authorized.
- Access controls: least-privilege admin access, audit logs, two-factor on internal admin tooling.
- Vulnerability management: Supabase, AWS, Stripe, and our other processors maintain ongoing security programs (SOC 2, ISO 27001, PCI DSS).
No system is perfectly secure. We will notify affected Members of any data breach affecting their personal information without undue delay, and in any event within 72 hours of confirming the breach (in compliance with GDPR Art. 33–34 and applicable U.S. state laws).
9. Children's Privacy
The Service is for adults 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that a person under 18 has provided us with personal information, we will delete it as soon as reasonably possible. If you believe a minor has provided us with personal information, please contact privacy@ineden.app.
10. Cookies and Tracking (Web Only)
The In Eden mobile app does not use cookies. The In Eden web platform uses:
- Strictly necessary cookies for authentication and session management (cannot be disabled).
- Analytics cookies (PostHog) that help us understand product usage. You can opt out via your browser's Do Not Track setting, our cookie banner (if presented in your jurisdiction), or by emailing privacy@ineden.app.
- No advertising cookies. No cross-site tracking. No cookies sold to third parties.
We honor the Global Privacy Control (GPC) signal where applicable.
11. Founders, Partners, and Vendors
If you are a Founder, Partner, or Vendor, additional privacy considerations apply:
- The information in your application is reviewed by In Eden admins;
- Once approved, your business profile (name, bio, photo, Instagram link, ticket platform link) becomes public to all Members;
- Events you publish are public to all Members in the relevant city;
- Aggregate engagement metrics for your group (member count, post engagement) may be shared with you in a future Founder/Partner dashboard;
- Members' private information (DMs, payment info, faith opt-in) is not shared with you, even within your own group.
12. Third-Party Services and Bible Translations
- Berean Standard Bible (BSB) is bundled in-app under Creative Commons Attribution-ShareAlike (CC BY-SA). Your reading activity (which verses you view, which devotionals you open) is treated as usage data per Section 2.2.
- YouVersion deep links open the YouVersion app or website outside of In Eden; YouVersion's privacy policy applies to anything you do there. We do not receive information about your activity in YouVersion.
- Eventbrite / Luma / Instagram oEmbed: when you tap a "Get Tickets" button or interact with an embedded post, you leave In Eden and those services' policies apply.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects any changes. Material changes will be communicated via email or in-app notification at least 30 days before they take effect, and we will request renewed consent where required by law. If you do not agree with the updated policy, you must stop using the Service.
A historical archive of prior versions is available on request.
14. Contact
For privacy questions, data access requests, deletion requests, or to exercise any right under this Privacy Policy:
Email: privacy@ineden.app
Postal mail: Rose Global LLC, [Arizona address on file], Attn: Privacy
For EEA/UK residents, you may also contact your local Data Protection Authority. A list is maintained at edpb.europa.eu.
Thank you for trusting In Eden with your information. Privacy is foundational to a community built on intentionality and care.