Privacy Policy
Last updated: May 20, 2026
Built For Greatness ("BFG", "we", "us", or "our") respects your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
Information We Collect
Account information: When you create an account, we collect your name, email address, and (optionally) phone number, city, state, and signup survey answers.
Payment information: When you subscribe, payment details are collected and processed by Stripe. We never see or store your full card number. We do receive limited billing metadata such as your subscription status and the last four digits of your card.
Usage information: We log the questions you submit to BFG and the answers returned, so we can show you your history and manage your daily question limit. We also log IP addresses and basic device information for security and rate-limiting.
Cookies: We use essential cookies to keep you logged in and remember your preferences. We do not use advertising cookies.
How We Use Your Information
- Provide and operate the BFG service
- Process payments and manage subscriptions
- Send transactional emails (welcome, receipts, password resets)
- Respond to support requests
- Prevent abuse, fraud, and technical issues
- Improve the service through anonymized, aggregated analysis
What We Do NOT Do
- We do not sell your personal data
- We do not share your questions or answers with third parties
- We do not use your data to train external AI models
- We do not send marketing emails without your consent
Service Providers
We use trusted third parties who process limited data on our behalf:
- Stripe — payment processing
- Amazon SES — transactional email delivery
- OpenAI — generating question responses (questions are sent anonymously, no account identifiers)
Your Rights
You can:
- View or edit your profile at Edit Profile
- Cancel your subscription at My Account
- Request full account deletion at My Account or by emailing [email protected]
- Contact us at [email protected] for any other privacy request
Data Retention
We keep account data for as long as your account is active. You may delete your account at any time from your Profile page. When you click "Delete Account":
- A 7-day grace period begins. Your account continues to work normally and you can restore it with one click during this time.
- Your Stripe subscription (if any) is marked for cancellation at the end of your current billing period. You will not be billed on the next cycle. No refund is issued for the current period.
- On day 7, if you have not restored, we permanently delete your profile, saved guidance, chat history, streak history, activity logs, prayer reminder configuration, push tokens, and all other personal data. The Stripe customer record is also marked deleted, removing saved payment methods.
- Some information is retained for legal/audit purposes: historical Stripe charge records (required by tax law), your consent record (unlinked from your profile), and aggregated anonymized analytics. See our Terms of Service — Account Deletion for the full list.
- You will receive a confirmation email from us when deletion is scheduled, a separate email from Stripe confirming the subscription cancellation, and a final email from us on day 7 when deletion is complete.
To request deletion via email instead of the self-service flow, contact [email protected]. We will respond within 30 days.
Children
BFG is not directed at children under 13. If you believe a child has created an account, please contact us and we'll remove it.
Changes to This Policy
We may update this policy as BFG evolves. When we do, we'll update the "Last updated" date above and, for material changes, notify you by email.
Contact
Questions about this policy? Email [email protected].
Note: This is a plain-language privacy policy intended as a starting point. We recommend having it reviewed by an attorney before broad public launch, especially if you serve users in the EU (GDPR), California (CCPA), or other regulated markets.
Analytics and Usage Data
We use Google Analytics 4 (GA4) to understand how people use the BFG Handbook Companion (web and Android app) so we can improve the experience. This data is collected automatically when you visit our website or use the app.
What we collect via Google Analytics:
- Approximate location (city/region level, derived from IP — your full IP address is anonymized before being stored)
- Device type (phone, tablet, desktop) and browser
- Pages or app screens you visit
- Time spent on each page or screen
- Whether you are a new or returning visitor
- Referrer (the website that sent you to us, if any)
- Anonymous events such as: chapter selected, area-of-life selected, PDF downloads, music plays, login events
What we do NOT collect or send to Google Analytics:
- The actual text of your questions or answers
- Your name, email address, or any personal account information
- Your password or login credentials
- Your payment information
- Your scripture searches or AI conversation content
Privacy settings we use:
- IP anonymization is enabled — your IP address is shortened before being logged
- Google Signals (cross-site advertising tracking) is DISABLED
- Ad personalization is DISABLED
- We do not use Google Analytics for advertising purposes
How long the data is kept: Google Analytics retains visitor data for 14 months by default, after which it is automatically deleted.
How to opt out:
- Browser: Install the Google Analytics Opt-out Add-on at tools.google.com/dlpage/gaoptout
- Android app: Disable analytics in your device’s Settings → Privacy → Ads
- You can also block Google Analytics tracking with most ad blockers (e.g., uBlock Origin, AdBlock Plus)
Third-party services we use:
- OpenAI processes the text of your questions to generate spiritual guidance responses. Questions are sent over an encrypted connection. See OpenAI’s privacy policy.
- Stripe processes payments for paid subscriptions. See Stripe’s privacy policy.
- Cloudflare provides our website’s content delivery network and bot protection. See Cloudflare’s privacy policy.
Your rights: Depending on where you live (EU, California, etc.), you may have the right to access, correct, or delete the data we have collected. To exercise these rights, email [email protected].
AI Conversation Data (Ask BFG Multi-Turn Chat)
When you use the "Ask BFG" multi-turn chat feature, your full conversation history is stored on our servers in association with your account. This includes the questions you ask, the AI-generated responses, and timestamps of each message. We store conversation history so you can resume conversations later and so we can enforce daily quotas. Conversation text is sent to OpenAI to generate responses; we do not send your account identifier with the message. Conversations are retained for as long as your account is active. You may delete individual conversations at any time from the Chat tab, or request full account deletion via [email protected].
Engagement & Activity Tracking
To provide features such as daily streaks, "Pinned" and "Recent" guidance lists, prayer reminders, and personalized usage stats, we record the following activity associated with your account:
- Each guidance question you submit and the answer returned (already described above)
- Each saved ("Pinned") guidance entry, with chapter, area, and timestamp
- Daily activity events used to compute streaks (date of activity, milestones achieved, freeze-token usage)
- Prayer reminder configuration (which reminders are enabled, scheduled times, language preference)
- Push notification tokens (for Android push delivery — see "Push Notifications" below)
- Login events (timestamp, IP address, device type)
This activity data is used solely to provide the Service to you. It is not sold and is not shared with third-party advertisers.
Sharing Activity
When you share a piece of guidance from BFG (via Facebook, X / Twitter, Email, WhatsApp, Telegram, LinkedIn, Reddit, Copy Link, etc.), we record an event that captures: the share method (Facebook / Email / Copy Link / etc.), your device type (mobile / desktop), your platform (web / Android), and an anonymized identifier of the shared content. We use this to understand which features are useful and to attribute referrals (see "Referral Attribution" below). We do not store the recipients of your shares. We do not see the body of any message you compose around the shared link.
Referral Attribution
When someone clicks a BFG share link from another user, we set a 30-day cookie (_bfg_referred_by) on their device. If they sign up within 30 days, we attribute the referral to the original sharer for internal analytics only. This cookie does not enable third-party advertising tracking and does not participate in any cross-site behavioral profile. You may decline this cookie via your browser settings or block it with a first-party cookie blocker.
Audio (Listen), Music, and PDF Download Events
- When you tap "Listen" on a guidance answer, the answer text is sent to our text-to-speech provider (currently OpenAI) over an encrypted connection and audio is streamed back to you. The streamed audio is not stored long-term by us.
- Background music tracks (when enabled in the Listen flow) and chapter song plays are logged as anonymous events (which track was played, when) so we can rotate selections fairly and gauge popularity. No listener identity is sent to our music storage provider (Cloudflare R2).
- PDF download events are recorded server-side when you tap "PDF" on a guidance answer.
Translation Activity
The widget supports translation of UI text and guidance answers into more than 40 languages. When you select a non-English language, the text of your guidance answer and surrounding UI labels is sent over an encrypted connection to our translation provider (currently OpenAI). We log a translation event with the target language code. We do not send your account identifier with the translation request. Translations are cached locally in your browser so that subsequent visits do not require additional translation calls.
Lead-Capture Data (Registration on /membership-join/)
The /membership-join/ registration form collects: first name, last name, email address, optional phone number, age range, how you heard about BFG, an optional goal/intention text field, and a record of your acceptance of the Terms of Service and this Privacy Policy. Consent records include the timestamp of acceptance, the Terms version you accepted, and your IP address at the time of consent. Consent records are retained for as long as required by applicable law (typically 6 years).
Sensitive-Category Information You Submit
The Service is designed to help you reflect on faith, prayer, and life situations. When you submit questions or save reflections, you may voluntarily disclose information that is "sensitive personal information" under the California Privacy Rights Act (CPRA), or "special category data" under the EU/UK General Data Protection Regulation (GDPR Art. 9). This includes information about your religious beliefs and may, on occasion, include other sensitive-category data such as information about your mental or physical health, relationships, or family. By submitting such information, you provide your express consent for Built For Greatness to process that information solely for the purpose of providing the Service to you. We do not use sensitive-category information for advertising, profiling, scoring, or any purpose beyond delivering the Service to you. You may withdraw consent at any time by deleting your account, after which all such information will be removed within 48 hours.
Cookies & Local Storage — Full Breakdown
We use the following categories of cookies and browser local-storage entries:
- Strictly Necessary (Essential): WordPress session cookie, SWPM membership session cookie, CSRF token. Required to keep you logged in and protect form submissions.
- Preference: language preference (bfg_user_lang in localStorage), audio Listen language (bfg_listen_lang), translation cache (bfg_ui_i18n_v2_*). Improve your experience across visits.
- Attribution: _bfg_referred_by (30 days) — tracks who referred you so they can be credited internally.
- Anti-Bot: Cloudflare Turnstile token (session-scoped) — protects forms from automated abuse.
- Analytics: Google Analytics 4 cookies (_ga, _ga_*) — see the "Analytics and Usage Data" section above.
We do not use advertising cookies. We do not participate in cross-site behavioral advertising.
Automated Decision-Making and AI-Generated Content
Guidance answers, reflections, prayers, and translations on BFG are generated by artificial intelligence (currently OpenAI's GPT models). These responses are NOT reviewed by a human before delivery. Under GDPR Article 22 and similar laws, you have the right to request human review of any AI-generated output that significantly affects you. If you receive AI-generated guidance you wish to contest or have reviewed, email [email protected] and we will provide human review within 14 days. AI responses on BFG are not used for any legal, medical, financial, or employment decisions. We do not score, classify, or profile you based on the content of your questions.
Push Notifications
If you install the BFG Handbook Companion Android app and enable push notifications, we store a Firebase Cloud Messaging (FCM) token associated with your account. We use this token to deliver Prayer Reminders and streak-at-risk notifications. We will not send marketing push notifications without your express opt-in — only transactional notifications you configure. You may disable push notifications at any time via your device settings or via the in-app Prayer Reminders page. Disabling push notifications does not affect any other Service feature.
Security
We protect your data with:
- TLS 1.2+ encryption for all data in transit
- Encrypted storage of payment data by Stripe (PCI-DSS Level 1 certified)
- Hashed passwords (bcrypt) for account credentials — we never store passwords in plain text
- Cloudflare bot protection and rate limiting
- Application Passwords for administrator access to our infrastructure
- Periodic review of access logs and permissions
No system is perfectly secure, however, and we cannot guarantee absolute security.
Breach Notification
In the event of a security incident affecting your personal information, we will notify you and applicable regulators within 72 hours of confirming the breach, as required by GDPR Art. 33 and similar US state laws. Notification will be sent via email to the address associated with your account.
International Data Transfers
The Service is operated from the United States. Some of our service providers (Stripe, OpenAI, Amazon SES, Cloudflare) operate globally. When data is transferred outside your country of residence, the transfer is governed by:
- For EU / UK transfers to the United States: Standard Contractual Clauses (SCCs) as approved by the European Commission, and the EU-US Data Privacy Framework where applicable.
- For other transfers: appropriate safeguards as required by the destination jurisdiction.
You can request more information about cross-border transfers by emailing [email protected].