Biblexika

Privacy Policy

Effective date: March 23, 2026

1. Overview

Biblexika is a Bible study platform operated by Biblexika, a company registered in Zurich, Switzerland. We are committed to protecting your privacy and processing personal data responsibly, transparently, and only to the extent necessary to provide you with a high-quality service.

This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nDSG/DSG). Where the GDPR and the Swiss DSG overlap, we apply the stricter of the two standards.

Biblexika is free to use and we do not run any advertising on the Biblexika website itself. We do not sell your personal data. We do not build advertising profiles of our users. We do, however, use advertising platforms (Google Ads, Meta Ads, Reddit Ads) to promote Biblexika to new users on those external platforms, and we describe exactly how that works in this policy.

2. Data Controller

The data controller responsible for your personal data is:

Biblexika
Zehntenhausstrasse 2
8046 Zurich, Switzerland
Email: info@biblexika.com

If you have questions about this policy or wish to exercise your data rights, you can contact us at any time at the address above. We will respond within 30 days.

3. Legal Basis for Processing

We process personal data only where we have a valid legal basis under Article 6 of the GDPR. The bases we rely on are:

  • Contract (Art. 6(1)(b) GDPR) – Processing is necessary to provide the service you have signed up for, including managing your account, authenticating your login, and processing your subscription payment.
  • Consent (Art. 6(1)(a) GDPR) – Where you have given explicit consent, for example when you interact with the Sophi AI assistant or when you accept optional advertising cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legitimate interests (Art. 6(1)(f) GDPR) – We process certain data based on our legitimate interests, including security monitoring, fraud prevention, platform performance analytics, and basic service improvement. We balance these interests against your rights and will not rely on this basis where your interests override ours.
  • Legal obligation (Art. 6(1)(c) GDPR) – We retain certain financial records to comply with Swiss accounting and tax law (Swiss Code of Obligations, Art. 958f).

4. Data We Collect

(a) Account Data

Creating an account is optional. If you register with an email and password, we collect your email address. Your password is securely hashed using a modern algorithm (bcrypt or Argon2 via Supabase Auth) and is never stored in plain text.

If you sign in with Google OAuth or Apple OAuth, we receive basic profile information from that provider: your name, email address, and profile photo (if available). We do not receive your Google or Apple password. You can review and manage which apps have access to your Google or Apple account through your Google or Apple account settings at any time.

(b) Usage Data

Reading preferences, bookmarks, highlights, notes, reading streaks, and cached Bible content are stored locally in your browser using localStorage and IndexedDB. This data does not leave your device unless you are signed in, in which case bookmarks and notes are synced to our database so you can access them across devices.

(c) Technical Data

When you visit Biblexika, our servers and hosting infrastructure automatically record certain technical data for security, performance monitoring, and abuse prevention. This includes your IP address, browser type and version, device type, operating system, the referring URL (the page you came from), and the pages or resources you requested. This data is processed by Vercel (our hosting provider) and is not linked to your account unless required for security investigation.

(d) Payment Data

If you subscribe to Biblexika Pro, payment is processed entirely by Stripe. We never receive or store your full credit card number or other payment credentials on our servers. Stripe handles all payment information in accordance with PCI DSS Level 1 standards. We receive from Stripe only a transaction confirmation, the last four digits of your card, the card brand, and the billing country.

(e) AI Interaction Data

When you use the Sophi AI assistant, the messages you send are transmitted to Anthropic's Claude API for processing. Anthropic processes these messages to generate a response. Per Anthropic's API usage policy, data submitted via the API is not used to train Anthropic's models by default. You should review Anthropic's Privacy Policy for full details on their data handling.

For authenticated users, we store your Sophi conversation history in our database so you can refer back to it. Conversation history is retained for 90 days and then permanently deleted. You can delete your conversation history at any time from your account settings.

(f) Search Data

When you use the semantic search feature, your search query is sent to Voyage AI to generate a vector embedding, which is then used to find relevant results. Voyage AI processes the query text to produce a numeric representation; we do not share any other personal data with Voyage AI. See Voyage AI's Privacy Policy for details.

(g) Bible Translation Requests

When you load a Bible chapter in a translation that is not bundled with the app, the request is fulfilled by the getBible API or the helloao (API.Bible) API. Your requested translation identifier and chapter reference are sent as URL query parameters to these APIs. No personally identifiable information is included in these requests. See getBible's information page and the helloao / API.Bible Privacy Policy.

(h) Advertising and Conversion Data

We run paid advertising campaigns on Google, Meta (Facebook/Instagram), and Reddit to promote Biblexika. When you arrive at Biblexika via one of these ads, or when you complete an action we have configured as a conversion event (such as registering for an account), a conversion tracking pixel from the relevant advertising platform may collect data including your IP address, browser type, the pages you visited, and the conversion event. This data is used solely to measure the effectiveness of our advertising campaigns and optimize them. It is not used to serve you ads on Biblexika.

Advertising cookies require your consent. You can manage or withdraw your consent at any time via our cookie settings. We describe these cookies in detail in Section 6 below.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Providing the service – Authenticating your account, syncing your bookmarks and notes, and personalizing your reading experience.
  • Processing payments – Handling Pro subscription billing via Stripe and sending subscription confirmation or renewal emails.
  • Service communications – Sending account verification emails, password reset links, and important policy or service update notifications.
  • AI assistant – Processing your messages through Anthropic's API to generate responses from Sophi.
  • Semantic search – Sending search queries to Voyage AI to return relevant results.
  • Security and fraud prevention – Monitoring for abuse, protecting accounts from unauthorized access, and investigating suspicious activity.
  • Performance and analytics – Using Vercel Analytics and Web Vitals to understand how the site performs and where it can be improved. This data is aggregated and not linked to individual user identities.
  • Advertising measurement – Using conversion tracking pixels from Google Ads, Meta Ads, and Reddit Ads to measure how many users discover Biblexika through our paid campaigns and to optimize those campaigns. This data is used only for measurement; we do not run ads targeted at existing users on Biblexika itself.
  • Legal compliance – Retaining financial records as required by Swiss law and responding to lawful requests from authorities.

We do not sell your personal data to any third party. We do not use your data to serve you targeted advertisements on Biblexika. We do not share your data with data brokers or marketing platforms for profiling purposes.

6. Cookies and Tracking Technologies

We use cookies and similar browser storage technologies. Cookies are small text files placed on your device. You can control cookies through your browser settings and through our cookie consent banner. For a complete list of all cookies we use, see our Cookie Policy.

Essential Cookies

These cookies are required for the site to function. They cannot be disabled without breaking core features. They include authentication session tokens, your locale preference, and your interface theme (light/dark). These cookies do not track you across other websites and contain no advertising-related information. No consent is required for essential cookies.

Analytics Cookies

Vercel Analytics collects aggregated, anonymized data about page views and web performance (Core Web Vitals). Vercel Analytics is designed to be privacy-preserving and does not set persistent tracking cookies or build individual user profiles. This data helps us understand which features are being used and where performance can be improved.

Advertising Cookies

When you arrive at Biblexika via one of our ad campaigns, or when you complete a configured conversion event, the following advertising platforms may set cookies or use pixel technology to record that event:

  • Google Ads conversion tracking – Measures whether users who clicked a Google Ad completed a signup or subscription. See Google's Privacy Policy.
  • Meta Pixel (Facebook/Instagram) – Measures conversions from Meta ad campaigns. See Meta's Privacy Policy.
  • Reddit Conversion Pixel – Measures conversions from Reddit ad campaigns. See Reddit's Privacy Policy.

Advertising cookies require your explicit consent. You can accept or reject them via our cookie banner when you first visit the site, and you can change your preferences at any time by clicking “Cookie Settings” in the site footer.

How to Manage Cookies

In addition to our cookie settings tool, you can configure or delete cookies directly in your browser settings. Note that disabling essential cookies may prevent parts of Biblexika from working correctly. You can also opt out of Google advertising cookies at adssettings.google.com and out of Meta advertising at facebook.com/adpreferences.

7. Data Storage and Transfers

European Union storage: Your account data, notes, bookmarks, and conversation history are stored in our primary database hosted by Supabase on Amazon Web Services in the eu-central-1 (Frankfurt, Germany) region. This data remains within the EU/EEA by default.

Vercel global edge network: Biblexika is deployed on Vercel, whose content delivery network serves static assets and serverless functions from edge nodes distributed globally, including nodes outside the EU. Request logs may be processed in these locations transiently for performance purposes. Vercel is committed to GDPR compliance and offers standard contractual clauses.

Transfers to the United States: The following services are operated by US-based companies and process personal data in the United States:

  • Anthropic – Processes Sophi AI messages in the US.
  • Voyage AI – Processes search queries for semantic embeddings in the US.
  • Stripe – Processes payment data in the US and other regions.
  • Google, Meta, Reddit – Advertising conversion data is processed in the US.

For these transfers, we rely on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism, where the EU-US Data Privacy Framework does not already apply. These contractual safeguards ensure that your data receives a level of protection essentially equivalent to that within the EU. Details of each provider's transfer mechanisms are available in their respective privacy policies linked in Section 9.

8. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA) or Switzerland, we ensure that an appropriate safeguard is in place as required by Chapter V of the GDPR and Art. 16 of the Swiss DSG. The safeguards we rely on include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission – used for transfers to Anthropic, Voyage AI, and Stripe.
  • EU-US Data Privacy Framework (DPF) – where the recipient is certified under the DPF (e.g., Stripe, Google, Meta). You can verify DPF certifications at dataprivacyframework.gov.
  • Swiss-US Data Privacy Framework – for transfers from Switzerland to DPF-certified US companies.

You may request a copy of the relevant transfer safeguards by contacting us at info@biblexika.com.

9. Third-Party Services

The following third-party services are used to operate Biblexika. For each service we list its purpose, the data shared with it, its location, and a link to its privacy policy.

Infrastructure

  • Vercel – Website hosting, CDN, serverless functions, and analytics. Data shared: request logs (IP, browser, pages visited). Location: Global (edge network, US-based company). Vercel Privacy Policy.
  • Supabase – Database (PostgreSQL), authentication, and file storage. Data shared: all account data, notes, bookmarks, conversation history. Location: AWS eu-central-1 (Frankfurt, EU). Supabase Privacy Policy.
  • Stripe – Payment processing for Pro subscriptions. Data shared: billing information, transaction data (we do not share your full card details). Location: United States and other regions. Stripe Privacy Policy.

Authentication Providers

  • Google OAuth – Optional sign-in via Google account. Data shared with us by Google: name, email address, profile photo. Location: United States. Google Privacy Policy.
  • Apple OAuth – Optional sign-in via Apple ID. Data shared with us by Apple: name and email address (Apple may provide a private relay email). Location: United States. Apple Privacy Policy.

AI Services

  • Anthropic (Claude API) – Powers the Sophi AI assistant. Data shared: the messages you send to Sophi. Anthropic processes messages to generate responses and does not use API data to train its models by default. Location: United States. Anthropic Privacy Policy.
  • Voyage AI – Semantic search embeddings. Data shared: search query text (no personal identifiers). Location: United States. Voyage AI Privacy Policy.

Advertising and Analytics

  • Google Ads – We run campaigns on Google Search and Display networks to promote Biblexika. Google Ads conversion tracking may collect IP address, browser, and conversion events when users arrive from a Google Ad. Location: United States. Google Privacy Policy.
  • Google Search Console – Monitors the performance of Biblexika in Google Search results (impressions, clicks, keyword rankings). This tool does not collect or process individual user personal data on our behalf. Location: United States. Google Privacy Policy.
  • Meta Ads (Facebook/Instagram) – We run campaigns on Facebook and Instagram to promote Biblexika. The Meta Pixel may collect IP address, browser, pages visited, and conversion events for campaign measurement. Location: United States. Meta Privacy Policy.
  • Reddit Ads – We run campaigns on Reddit to promote Biblexika. The Reddit conversion pixel may collect IP address, browser, and conversion events. Location: United States. Reddit Privacy Policy.

External Bible Data APIs

  • getBible API – Fetches Bible translation data on demand. Data shared: requested translation ID and chapter reference (no personal identifiers). See getBible information page.
  • helloao / API.Bible – Fetches additional Bible translations on demand. Data shared: requested translation ID and chapter reference (no personal identifiers). Location: United States. API.Bible Privacy Policy.

10. Your Rights

Under the GDPR and the Swiss DSG, you have the following rights regarding your personal data. To exercise any of them, contact us at info@biblexika.com. We will respond within 30 days (and within one month as required by GDPR Art. 12).

  • Right of access (Art. 15 GDPR) – You may request a copy of the personal data we hold about you, along with information about how we process it.
  • Right to rectification (Art. 16 GDPR) – You may request correction of inaccurate or incomplete personal data. You can update most data directly in your account settings.
  • Right to erasure (Art. 17 GDPR) – You may request deletion of your personal data (“right to be forgotten”). You can delete your account directly from your Settings page, which triggers immediate deletion of your profile, notes, bookmarks, and conversation history.
  • Right to restriction of processing (Art. 18 GDPR) – In certain circumstances, you may request that we restrict processing of your data while a dispute is resolved.
  • Right to data portability (Art. 20 GDPR) – You may request an export of the personal data you have provided to us in a structured, machine-readable format (JSON or CSV).
  • Right to object (Art. 21 GDPR) – You may object to processing based on our legitimate interests, including analytics. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3) GDPR) – Where processing is based on your consent (e.g., advertising cookies, AI assistant), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

Right to lodge a complaint: If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). If you are located in an EU/EEA member state, you may also contact your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.

11. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy. Our specific retention periods are:

  • Account data (name, email, preferences, notes, bookmarks) – Retained until you delete your account. After deletion, data is purged within 30 days, except where retention is required by law.
  • AI conversation history – Retained for 90 days from the date of each conversation, then permanently deleted. You can delete individual conversations or your full history at any time from your account settings.
  • Payment records – Retained for 10 years as required by Swiss commercial law (Art. 958f of the Swiss Code of Obligations). These records are limited to transaction metadata and do not include full payment credentials.
  • Analytics data – Aggregated, anonymized analytics data is retained for up to 26 months. This data cannot be linked back to individual users.
  • Server logs – Technical request logs containing IP addresses are retained for up to 90 days for security monitoring and then deleted.

After your account is deleted, we may retain anonymized, aggregated statistics (e.g., total reading sessions, country of origin) that cannot be linked back to you. We do not retain any identifiable personal data after account deletion except where legally required.

12. Data Security

We take technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

  • Encryption in transit – All connections to Biblexika are protected with TLS (HTTPS). Data in transit between our application and third-party services (Supabase, Stripe, Anthropic) is also encrypted.
  • Encryption at rest – Data stored in our Supabase database is encrypted at rest by the underlying AWS storage infrastructure.
  • Password hashing – Passwords are hashed using a strong adaptive algorithm (Argon2 or bcrypt) via Supabase Auth. We never store passwords in plain text or in reversible form.
  • Access controls – Database access is restricted to authorized application services. We apply the principle of least privilege to internal data access.
  • No plain-text credentials – API keys and service credentials are stored as environment variables and are never exposed in source code or client-side bundles.

While we work hard to protect your data, no method of transmission over the internet or electronic storage is completely secure. We encourage you to use a strong, unique password for your Biblexika account and to enable two-factor authentication when available.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (the FDPIC in Switzerland, and/or the applicable EU DPA) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR and Article 24 of the Swiss DSG.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, describing the nature of the breach, the likely consequences, and the steps we have taken or propose to take to address it (GDPR Art. 34).

14. Children

Biblexika is intended for users aged 13 and older globally, and aged 16 and older in the EU/EEA, in accordance with Article 8 of the GDPR and our Terms of Service. We do not knowingly collect personal data from children below these age thresholds.

If you are a parent or guardian and believe that your child has created an account or provided personal data to us without appropriate consent, please contact us immediately at info@biblexika.com and we will take prompt steps to delete that information.

15. Do Not Track

Some browsers send a “Do Not Track” (DNT) signal to websites as an indication that you prefer not to be tracked. We respect browser DNT signals. When a DNT signal is detected, we will not load advertising conversion pixels (Google Ads, Meta Pixel, Reddit Pixel) for your session, even if you have previously consented. Essential and analytics cookies are not affected by DNT signals.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we use, or applicable law. When we make material changes, we will notify registered users by email and update the “Effective date” at the top of this page. We encourage you to review this policy periodically.

Your continued use of Biblexika after the effective date of a revised policy constitutes your acknowledgment of the updated terms. If you do not agree with the revised policy, you may close your account at any time.

17. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Biblexika
Zehntenhausstrasse 2
8046 Zurich, Switzerland
Email: info@biblexika.com

We do not currently have a formally appointed Data Protection Officer (DPO), as one is not required under the GDPR for organizations of our size. For privacy-related inquiries, please contact us at the address above and we will respond within 30 days.

If you are not satisfied with our response, you have the right to contact the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or your local EU Data Protection Authority if you are resident in the EU/EEA.