Privacy
This is a short, plainly-written summary of what we collect, why, and what we don't do. Draft text — to be reviewed by counsel before public launch.
What we collect
- Your email address — required for the magic-link sign-in flow. We do not share it with anyone.
- Your display name and country — you choose these during onboarding. They appear on every note you post.
- Notes you write — stored with your user ID, the verse reference, the translation you were reading, and the timestamp.
- Reading preferences — your preferred translation, scripture font, text size, and light/dark theme. These live in your browser (localStorage) and in your account.
- Rate-limit counters — keyed by user and IP, stored in Redis with a short TTL. Used to stop spam and abuse.
- Moderation events — records of reports, approvals, removals, bans, and unbans. Used to keep the site safe.
What we don't collect
- No advertising identifiers. No Google Analytics. No third-party tracking pixels. No cross-site fingerprinting.
- No payment information. The site is free. We don't collect card or banking info.
- No geolocation beyond what you self-report. Your country comes from the dropdown you fill in, not your IP.
Third parties that touch your data
- OpenAI Moderation API. The text of each note is sent to OpenAI's moderation endpoint for automated safety screening. OpenAI states this content is not used to train their models. We send only the note text — no email, no user ID, no other context.
- Email provider (Resend). Your email address is sent to our email provider solely to deliver magic-link sign-in messages.
- API.Bible (pending). If and when modern Bible translations are enabled, minimal usage metrics (anonymized device ID and session ID, and a SHA-256-hashed user ID if you're signed in) will be reported to API.Bible per their Fair Use Management System. See api.bible. Until that integration lands, this does not apply.
Cookies
- ptv_session — a signed cookie holding your user ID. HttpOnly, Secure, SameSite=Lax. Required to stay signed in.
- ptv_csrf — a random token that protects against cross-site request forgery. Not HttpOnly by design (client JavaScript must read it).
No third-party cookies. No advertising cookies. No analytics cookies.
Retention and deletion
- You can delete any note you posted within the last 24 hours from the note itself.
- To delete your account and all associated notes, email the address in About. We will respond within a week.
- Moderation events are retained for as long as the project exists so that bans and report history remain reviewable.
Security
We use industry-standard transport encryption (HTTPS) in production. Session cookies are signed with HMAC-SHA256. Passwords are not used; sign-in is via a single-use magic link. We are a small project, not a bank, and make no guarantees beyond best effort.
Children
PassTheVerse is not targeted at children under 13 and does not knowingly collect information from them. If you believe a child under 13 has created an account, please contact us.
Changes
If this policy changes in any material way, we will post the updated version here and update the "Last updated" date above. Continued use after that date constitutes acceptance.