This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your
information when You use the Service and tells You about Your privacy rights and how the law protects You.
Wheel of Prayer is built with a zero-knowledge architecture. This means
that Your prayers, group content, and personal information are encrypted on Your device before being sent to Our
servers. We cannot read, access, or decrypt Your private content — only You and those You explicitly choose to
share with can access it.
By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The
following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts
of our Service.
- Company (referred to as either "the Company", "We", "Us" or "Our" in this
Agreement) refers to NordStack Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom. For the
purpose of the GDPR, the Company is the Data Controller for unencrypted data only.
- Cookies are small files that are placed on Your computer, mobile device or
any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Data Controller refers to the Company as the legal person which alone or
jointly with others determines the purposes and means of the processing of Personal Data.
- Device means any device that can access the Service such as a computer, a
cellphone or a digital tablet.
- Encrypted Data refers to content that is encrypted on Your device using end-to-end
encryption before being transmitted to Our servers. This includes Your prayers, group content, display names, and
avatar images. We store this data but cannot decrypt or read it.
- End-to-End Encryption means that Your data is encrypted on Your device before
transmission and can only be decrypted by You or recipients You have explicitly authorised. The encryption keys
never leave Your device in unencrypted form.
- Personal Data is any information that relates to an identified or identifiable
individual. For the purposes of GDPR, Personal Data means any information relating to You such as a name, an identification
number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity.
- Service refers to the Wheel of Prayer website, accessible from https://wheelofprayer.com.
- Service Provider means any natural or legal person who processes the data
on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate
the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist
the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered
Data Processors.
- Usage Data refers to data collected automatically, either generated by the
use of the Service or from the Service infrastructure itself.
- You means the individual accessing or using the Service, or the company,
or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
- Zero-Knowledge Architecture means a system design where the Service Provider
(Us) has no ability to access, read, or decrypt Your private content. We only store encrypted data that We cannot
interpret.
Collecting and Using Your Personal Data
Types of Data Collected
Data We Cannot Access (End-to-End Encrypted)
The following data is encrypted on Your device before being stored on Our servers. We store this data but cannot read, access, or decrypt it:
- Your prayers and prayer content
- Group names and group content
- Your display name (encrypted separately for each group)
- Your avatar image
- Intercessions and follow-up messages
- Your email address (stored encrypted for display purposes)
Data We Can Access
The following data is accessible to Us and is necessary to operate the Service:
- Email hash: A one-way cryptographic hash (SHA-256) of Your email address,
used solely to identify Your account during login. This hash cannot be reversed to reveal Your email address.
- Authentication data: Cryptographic verification data used for secure login
(SRP-6a protocol). Your password is never transmitted to or stored on Our servers.
- Public encryption keys: Your public keys used for end-to-end encryption.
These cannot be used to decrypt Your data.
- Encrypted key bundles: Your private encryption keys, encrypted with a key
derived from Your password. We store these but cannot decrypt them.
- Metadata: Timestamps, group membership relationships, and other structural
data necessary to operate the Service.
- Usage Data
Usage Data
Usage Data is collected automatically when using the Service. Usage Data may include information such as Your
Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service
that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and
other diagnostic data.
Tracking Technologies and Cookies
We use Cookies to manage Your login status only. The types of Cookies We use:
- Necessary / Essential Cookies: These Cookies are essential to provide You
with services available through the Website and to enable You to use some of its features. They help to authenticate
users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot
be provided.
- Functionality Cookies: These Cookies allow Us to remember choices You make
when You use the Website, such as remembering Your login details. The purpose of these Cookies is to provide You
with a more personal experience.
Local Storage
Your encryption keys are stored in Your browser's local storage to maintain Your session across page refreshes
and browser restarts. These keys never leave Your device in unencrypted form and are essential for decrypting
Your data.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of
our Service.
- To manage Your Account: to manage Your registration as a user of the Service.
- To contact You: To contact You by email regarding updates or informative
communications related to the Service, including security updates.
- To manage Your requests: To attend and manage Your requests to Us.
- For other purposes: We may use Your information for other purposes, such
as data analysis, identifying usage trends, and to evaluate and improve our Service.
Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this
Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal
obligations, resolve disputes, and enforce our legal agreements and policies.
Transfer of Your Personal Data
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside
of Your state, province, country or other governmental jurisdiction where the data protection laws may differ.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in
accordance with this Privacy Policy.
Disclosure of Your Personal Data
Law enforcement
Under certain circumstances, the Company may be required to disclose data if required to do so by law or in
response to valid requests by public authorities. However, due to Our zero-knowledge architecture, We can only
provide encrypted data and metadata — We cannot provide the plaintext content of Your prayers, messages, or
other encrypted information because We do not have the ability to decrypt it.
What We Can Disclose
If legally required, We may disclose:
- The cryptographic hash of Your email address (not the email itself)
- Encrypted data (which cannot be read without Your password)
- Metadata such as timestamps and group membership relationships
- Usage data and IP addresses
What We Cannot Disclose
Due to Our zero-knowledge design, We are technically unable to disclose:
- The content of Your prayers or messages
- Your display name or avatar
- Group names or content
- Your email address in readable form
- Your password (which is never transmitted to Us)
Other legal requirements
The Company may disclose available data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of Users of the Service or the public
- Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is Our highest priority. We employ a zero-knowledge architecture with
industry-standard cryptographic protections:
- AES-256-GCM encryption: All Your content is encrypted using AES-256-GCM,
a highly secure symmetric encryption algorithm used by governments and financial institutions worldwide.
- X25519 key exchange: When sharing content with others, We use X25519 elliptic
curve cryptography for secure key exchange.
- Ed25519 signatures: Digital signatures verify the authenticity of shared
encryption keys, preventing tampering.
- SRP-6a authentication: Your password is never transmitted to Our servers.
We use Secure Remote Password protocol so You can prove You know Your password without ever revealing it.
- PBKDF2 key derivation: Your master encryption key is derived from Your password
using PBKDF2 with a high iteration count, making brute-force attacks impractical.
Because of Our zero-knowledge design, even if Our servers were compromised, attackers would only obtain
encrypted data that they cannot decrypt without Your password. We cannot be compelled to provide Your plaintext
data because We do not have access to it.
Your Password and Data Recovery
Your password is the key to all Your encrypted data. Because We use a zero-knowledge architecture:
- We cannot reset Your password in the traditional sense. Your password is
never transmitted to Us, so We have no way to verify or change it directly.
- Password recovery requires group member assistance. If You forget Your password, recovery is only possible if You are a member of a group. Other group members can approve
Your recovery request through physical QR code verification, allowing You to regain access to Your data.
- Without group membership, data loss is permanent. If You forget Your password and are not a member of any group, Your encrypted data cannot be recovered — by You
or by Us. This is a fundamental consequence of zero-knowledge encryption.
We strongly recommend using a password manager and ensuring You are a member of at least one trusted group to
enable password recovery if needed.
Third-Party Service Providers
Analytics
We use Plausible Analytics, a privacy-focused analytics service provided by Plausible Insights OÜ. You can view
their privacy policy at https://plausible.io/privacy.
GDPR Privacy
Legal Basis for Processing Personal Data
We may process Personal Data under the following conditions:
- Consent: You have given Your consent for processing Personal Data for one
or more specific purposes.
- Performance of a contract: Provision of Personal Data is necessary for the
performance of an agreement with You.
- Legal obligations: Processing Personal Data is necessary for compliance with
a legal obligation.
- Vital interests: Processing Personal Data is necessary to protect Your vital
interests or those of another natural person.
- Legitimate interests: Processing Personal Data is necessary for the purposes
of the legitimate interests pursued by the Company.
Your Rights under the GDPR
You have the right to:
- Request access to Your Personal Data
- Request correction of any incomplete or inaccurate Personal Data
- Request erasure of Your Personal Data
- Object to processing of Your Personal Data
- Request restriction of processing of Your Personal Data
- Request transfer of Your Personal Data
- Withdraw Your consent
You may exercise these rights by contacting Us. We may ask You to verify Your identity before responding to such
requests. You have the right to complain to a Data Protection Authority about Our collection and use of Your
Personal Data.
Note on encrypted data: Due to Our zero-knowledge architecture, We can provide
You with Your encrypted data upon request, but We cannot read or modify its contents. You can delete Your account
and all associated data at any time through the Service. For data portability, Your encrypted data can only be meaningfully
accessed using Your encryption keys on Your device.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. We strongly advise You to review
the Privacy Policy of every site You visit. We have no control over and assume no responsibility for the
content, privacy policies or practices of any third party sites or services.
Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy
Policy on this page and updating the "Last updated" date. We will let You know via email prior to the change
becoming effective. You are advised to review this Privacy Policy periodically for any changes.