Privacy Policy
Last updated: May 30, 2026
Scripture Drops is a service operated by Helpy Media inc., a company incorporated in Quebec, Canada (“we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use our website at scripturedrops.com and our daily devotional delivery service (collectively, the “Service”).
This Privacy Policy is intended to comply with, and should be read alongside:
- Quebec's Act respecting the protection of personal information in the private sector (“Law 25”);
- the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”); and
- other privacy laws that apply to you.
By using the Service, you consent to the practices described in this Privacy Policy. We currently do not load non-essential analytics technologies by default. If analytics are re-enabled in the future, we will use a separate express consent mechanism described in Section 6 rather than relying on your general use of the Service.
1. Privacy Officer (Person in Charge of Personal Information)
In accordance with Law 25, Helpy Media inc. has designated a person in charge of the protection of personal information. You may contact this person to ask a question about this Policy, to exercise any of the rights described in Section 10, or to make a privacy complaint:
Louis-Paul Baril — Founder and Privacy Officer
Helpy Media inc., Montreal, Quebec, Canada
Email: privacy@helpymedia.com
We acknowledge privacy requests and complaints sent to this address within 5 business days, and we provide a substantive response within 30 days (or sooner where the law requires it). If we need more time because a request is complex, we will tell you and explain why.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, and password (managed through our authentication provider, Clerk).
- Delivery-channel information: Your Telegram user ID and username, and — where enabled — WhatsApp/Meta identifiers or other delivery-channel identifiers, provided when you connect a messaging account to receive devotionals.
- Payment information: When you subscribe to a paid plan, payment details (credit card number, billing address) are collected and processed directly by Stripe, our payment processor. We do not store your full credit card number.
- Preferences: Language preference (English or French), preferred delivery time, timezone, and devotional settings.
- Family member information: Family Plan and minor-account features are not offered in V1; we do not currently collect family-member invitation information.
- Communications: Any messages or feedback you send us via email or through the Service.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, devotional listening and delivery history, and interaction timestamps.
- Device and browser data: IP address, browser type and version, operating system, device type, and screen resolution.
- Cookies and tracking technologies: We use cookies and similar technologies to maintain your session, remember your preferences, and — with your consent where required — to analyze usage. See Section 6 for details.
2.3 Information from Third Parties
- Authentication provider (Clerk): Account verification data and session tokens.
- Payment processor (Stripe): Subscription status, payment success/failure notifications, and billing cycle information.
2.4 Sensitive Personal Information
Scripture Drops delivers Bible devotionals. The fact that you use the Service — and the themes, verses, and devotional content delivered to you — can reveal information about your religious beliefs or practices. Under Law 25, this is sensitive personal information. We collect and use it only to provide the Service you have asked for, we apply heightened safeguards to it (see Section 7), and we do not use it for any purpose you would not reasonably expect.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including generating and delivering daily devotionals via Telegram and, where enabled, WhatsApp or other configured delivery channels.
- Process payments and manage your subscription.
- Send you transactional communications (welcome emails, payment confirmations, trial expiration notices, delivery failure alerts).
- Personalize your experience, including language, delivery schedule, and content preferences.
- Manage Family Plan memberships and invitations if and when those features are launched under updated terms and consent flows.
- Analyze usage trends to improve the Service (with your consent where required).
- Maintain the security of the Service and prevent fraud and abuse.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not use your personal information to make decisions about you based solely on automated processing that produce a legal effect or otherwise significantly affect you (see Section 11).
4. Consent and Withdrawal
We collect, use, and disclose your personal information with your consent, except where the law allows or requires us to act without it. The form of consent we rely on depends on the sensitivity of the information and the purpose:
- We rely on the consent you give when you create an account and use the Service to provide the devotional service you have requested, manage your subscription, and send you service-related communications.
- We do not load non-essential analytics technologies by default. If we re-enable analytics in the future, we will ask for express, opt-in consent before doing so (see Section 6).
Withdrawing consent. You may withdraw your consent to an optional use of your personal information at any time by contacting the Privacy Officer (Section 1) or, for cookies and tracking technologies, by using the controls described in Section 6. Withdrawal does not affect processing we carried out lawfully before you withdrew.
Consequences of withdrawal. Some uses of your information are necessary to provide the Service. If you withdraw consent to those uses — for example, the use of your delivery-channel identifier to deliver devotionals, or your payment information to manage a paid subscription — we may no longer be able to provide all or part of the Service to you, and your account may be downgraded or closed. We will tell you the likely consequences before you withdraw where we reasonably can.
5. How We Share Your Information
We share your personal information only with the following categories of service providers, strictly for the purposes described:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication and account management | Email, name, session data |
| Stripe | Payment processing and subscription management | Email, payment details, billing address |
| Telegram | Devotional delivery | Telegram user ID, message content |
| WhatsApp / Meta | Devotional delivery, where enabled | Messaging identifier, delivery status, and message content |
| OpenAI | Devotional content generation, text-to-speech support, and — where church/partner features are enabled — sermon transcription or trailer generation | Content brief (theme, passage, language), devotional text to be voiced, and, for partner features, sermon audio/transcripts/scripts. We do not intentionally send your name, email, account identifier, or contact details to OpenAI for standard devotional generation. |
| ElevenLabs / other TTS providers | Audio narration, where enabled | Devotional text and language/voice settings |
| Resend | Transactional email delivery | Email address, email content |
| Hosting and infrastructure providers (including Coolify/Hetzner and related operations tools) | Hosting, deployment, backups, security, and service operations | Account, usage, and service data processed in our application environment |
| Sentry and similar error-monitoring tools | Error monitoring, security diagnostics, and reliability | Technical diagnostics, request metadata, and limited account context where needed to diagnose errors |
| Google Analytics | Website usage analysis | Disabled by default / not currently loaded until an approved consent experience is in place |
Analytics providers receive information only if analytics are re-enabled after you have consented to the corresponding cookies or tracking technologies (see Section 6). We rely on OpenAI's API and data-processing terms, under which API inputs and outputs are not used to train OpenAI's foundation models; we review this position when OpenAI's terms change.
We may also disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.
6. Cookies and Tracking Technologies
6.1 Categories We Use
| Cookie Type | Purpose | Loaded | Duration |
|---|---|---|---|
| Essential | Authentication, session management, security, and remembering your privacy choices | Always (strictly necessary) | Session / up to 12 months |
| Analytics (Google Analytics) | Understanding how visitors use our site | Not currently loaded; only with consent if re-enabled later | Up to 2 years if enabled |
6.2 Your Cookie Choices
Essential cookies are required to operate the Service and cannot be switched off. Analytics technologies are not strictly necessary, and Google Analytics is currently disabled. We will not activate Google Analytics or similar non-essential analytics unless and until an approved consent experience is in place that lets you opt in and withdraw consent.
You can also manage or disable cookies through your browser settings, and you can use this vendor-level opt-out:
- Google: ads.google.com/settings
- Industry tools: youradchoices.ca (Canada) or optout.aboutads.info (United States)
If you disable essential cookies, parts of the Service may not function.
7. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS).
- Reasonable safeguards for data at rest, including access-controlled, secure hosting and backups.
- Secure authentication through Clerk with session management.
- Payment data handled exclusively by PCI-DSS compliant Stripe.
- Access controls limiting employee and operator access to personal information on a need-to-know basis.
- Heightened handling of the sensitive, religious-context information described in Section 2.4.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
8. Confidentiality Incidents
If a confidentiality incident (such as unauthorized access to, use of, or loss of personal information) occurs, we will take reasonable measures to reduce the risk of harm and to prevent further incidents. We maintain an internal incident register for incidents that must be recorded under Law 25.
Where an incident presents a risk of serious injury, we will notify the Commission d'accès à l'information du Québec (CAI) and the affected individuals with reasonable promptness, and we will provide the information required by law to help you protect yourself.
9. Data Retention
We retain your personal information only for as long as your account is active or as needed to provide you the Service, after which it is destroyed or anonymized. Specifically:
- Account data: Retained until you delete your account or request deletion.
- Payment records: Retained for 7 years after your last transaction to comply with tax and accounting obligations.
- Devotional delivery history: Retained for up to 1 year after account deletion, then permanently deleted.
- Analytics data: Google Analytics is currently disabled. If analytics are re-enabled after consent, analytics data will be retained according to the applicable provider settings and disclosed retention period.
Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law (in which case the data is isolated and access-restricted until destruction).
10. Your Privacy Rights
10.1 Canadian Users (PIPEDA and Quebec Law 25)
Under PIPEDA and Quebec's Law 25, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate, incomplete, or ambiguous personal information.
- Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions (see Section 4).
- Request deletion of your personal information, and, where applicable, request that we stop disseminating it or de-index a link that gives access to it.
- Request data portability — receive the computerized personal information you provided to us in a structured, commonly used technological format, where Law 25 applies.
- Obtain information about, and request human review of, automated processing that affects you (see Section 11).
- File a complaint with the Commission d'accès à l'information du Québec (CAI) or the Office of the Privacy Commissioner of Canada (OPC).
10.2 United States Users
If you are a resident of California, Colorado, Connecticut, Virginia, or another state with a comprehensive privacy law, you may have additional rights including the right to know what personal information we collect and how it is used, the right to delete your personal information, the right to opt out of the sale or sharing of personal information (we do not sell your personal information), and the right to non-discrimination for exercising your privacy rights.
10.3 Users in the EU/EEA and the UK
If you are in the EU/EEA or the UK, you may have additional rights under the GDPR or UK GDPR, including the rights of access, rectification, erasure, restriction, objection, and portability, and the right to lodge a complaint with your local supervisory authority. We are not currently established in the EU/EEA or UK and do not target those markets; this paragraph is provided for transparency and does not represent that we are subject to those laws.
10.4 How to Exercise Your Rights
To exercise any of these rights, contact the Privacy Officer at privacy@helpymedia.com. We will acknowledge your request within 5 business days and respond within 30 days (or sooner if required by applicable law). We will verify your identity in proportion to the sensitivity of the request and will not ask for more information than necessary.
11. Automated Decision-Making and AI-Generated Content
The devotional content delivered through the Service — including the selection of themes and verses, the written devotional, and the audio narration — is generated with the help of artificial intelligence (including OpenAI models). This is content generation, not a decision that produces a legal effect or otherwise significantly affects you.
We do not make decisions about you (such as eligibility, pricing, or account status) based solely on automated processing. Where AI is used to generate content you receive, you may contact the Privacy Officer to ask questions about it or to request human review.
Because AI-generated content can occasionally contain inaccuracies, please also see the AI content disclaimer in our Terms of Service.
12. International Data Transfers
Some of our service providers process personal information outside Quebec, including in the United States (Clerk, Stripe, OpenAI, Resend, Google, Meta/WhatsApp where enabled), Europe (where some hosting or infrastructure services may be located), and elsewhere. For Quebec launch, Helpy Media inc. reviews cross-border transfers using the privacy-impact factors required by Law 25 — including the sensitivity of the information, the purposes of the transfer, the safeguards (including contractual safeguards) available, and the legal regime of the destination. You may ask the Privacy Officer for more information about a specific transfer.
13. Children
The Service is intended for adults. To create an account and subscribe, you must meet the age requirement in our Terms of Service.
Under Quebec law, consent to the collection of personal information about a minor under 14 years of age must be given by the person having parental authority or by the tutor. We do not knowingly collect personal information about a child under 14 without that consent. Family Plan and minor-account features are not offered in V1; we will publish a verified parental-consent flow before offering them. the Service.
If you believe a child under 14 has provided us with personal information without the required consent, please contact the Privacy Officer at privacy@helpymedia.com and we will promptly delete that information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated policy on this page with a revised “Last updated” date.
- Send a notification via email or Telegram if the changes are significant.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy, except where the law requires fresh consent.
15. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact our Privacy Officer:
Louis-Paul Baril — Founder and Privacy Officer
Helpy Media inc.
Montreal, Quebec, Canada
- Privacy inquiries and requests: privacy@helpymedia.com
- General legal inquiries: legal@helpymedia.com
For complaints regarding your privacy rights, you may also contact:
- Commission d'accès à l'information du Québec (CAI): cai.gouv.qc.ca
- Office of the Privacy Commissioner of Canada (OPC): priv.gc.ca