Doxa Cookie & Tracking Policy

Effective Date: 23 January 2026 | Last updated: 25 March 2026

We believe in transparency and minimal tracking. This policy explains what technologies we use, why we use them, and how you can control them.

This Cookie & Tracking Policy forms part of our Privacy & Data Protection Policy and should be read alongside our Terms of Service.

1. Our Approach: Minimal Tracking

We use only essential cookies and technologies required to operate the Service. We do NOT use:

Advertising or marketing cookies
Cross-site tracking
Third-party analytics for behavioral profiling
Data brokers or ad networks

2. Technologies We Use

Essential Cookies & Storage

Required for the Service to function. Without these, you cannot log in or use core features.

Technology	Provider	Purpose	Duration
Auth Session	Supabase	Keeps you logged in	Until logout/expiry
Secure Token	Supabase	API authentication	Session
Local Storage	Browser/App	App preferences, cached data	Until cleared

Analytics Technologies

Used to understand how the Service is used and improve the experience.

Technology	Provider	Purpose	Duration
Google Analytics	Google	Page views, traffic sources	2 years
PostHog Analytics	PostHog (EU)	Anonymised product analytics, funnel tracking, masked session replay (all text/images hidden)	Session-based

Google Analytics is used on our website (doxa.app) to understand page views and traffic sources. We use IP anonymisation and do not enable advertising features.

PostHog provides anonymised product analytics (feature usage, funnel analysis) and session replay with all text inputs, images, and personal content masked at source before any data leaves your device. We cannot see what you type, read, or view — only anonymised interaction patterns (e.g. which buttons are tapped, where users drop off). Data is hosted on PostHog's EU infrastructure (Frankfurt) and routed through our reverse proxy at insight.doxa.app. PostHog does not set cookies on mobile — on web, it uses a session cookie to group page views into sessions.

Push Notification Tokens

Used to deliver push notifications to your device (if enabled).

Technology	Provider	Purpose	Duration
Expo Push Token	Expo (650 Industries)	Push notification delivery	Until app uninstall
APNs Token	Apple Inc.	iOS push delivery	Until app uninstall
FCM Token	Google LLC	Android push delivery	Until app uninstall

Error Monitoring (Optional)

Used to identify and fix bugs. You can opt out of this.

Technology	Provider	Purpose	Duration
Error Reports	Sentry (Functional Software)	Crash and error tracking	90 days

Website Hosting

Technologies used when you visit our website (doxa.app).

Technology	Provider	Purpose	Duration
CDN/Edge	Vercel Inc.	Website hosting and delivery	Session
Access Logs	Vercel Inc.	Security and performance	30 days

3. AI Processing

When you use AI-powered features, your content is processed by our AI partners:

Feature	Provider	Data Processed	Retention
Audio Transcription	AssemblyAI	Audio files	Deleted after processing
Title Generation	OpenAI	Text content	Not stored by OpenAI
Content Moderation	OpenAI	Text content	Not stored by OpenAI
Scripture Recommendations	OpenAI	Text content	Not stored by OpenAI
Voice Chat (Engage)	OpenAI Realtime API	Voice audio (streamed)	Real-time only, not stored
AI-Generated Images	AI Image Generation	Text prompts (testimony content)	Prompts not stored by provider

These are optional features. Your content is processed transiently and is not used to train AI models per our agreements with these providers.

Voice Chat (Engage) — How It Works

When you use the Engage voice chat feature, here's exactly what happens with your data:

Voice audio: Streamed in real-time directly to OpenAI's Realtime API—not recorded or stored by Doxa
Session metadata: Duration, voice preference, and topics are stored in your account to improve future sessions
Conversation context: Your prophecies and testimonies may be referenced to provide personalized encouragement (this data already exists in your account)
No audio recordings: Neither Doxa nor OpenAI retains audio after your session ends

You can use text-only mode if you prefer not to use voice features.

4. Your Choices & Control

You have control over how we use tracking technologies. Here are your options:

Push Notifications

You can disable push notifications at any time through your device settings (Settings → Notifications → Doxa). Disabling notifications does not affect other app functionality.

Error Reporting

Sentry error reporting helps us fix bugs and improve reliability. You can:

Request deletion of your error data at privacy@doxa.app
Error data is automatically deleted after 90 days
We do not use error data for any purpose other than fixing bugs

Browser Cookies

When using our website, you can manage cookies through your browser settings:

Block all cookies: Note that this will prevent login and essential functionality
Delete cookies: Clear your browser cookies to remove session data
Private/Incognito mode: Browse without persistent cookies

We do not use cookie consent banners because we only use essential cookies that are strictly necessary for the Service to function. Under UK GDPR/PECR, consent is not required for such cookies.

AI Features

AI features (transcription, title generation, voice chat, recommendations) are optional enhancements. You can use the core app without these features if you prefer not to have your content processed by AI. Opting out of AI features does not affect your ability to record and store content.

Do Not Track

We honour "Do Not Track" browser signals. However, since we don't track you for advertising purposes anyway, there is no practical difference whether this setting is enabled or not.

5. Third-Party Privacy Policies

For more information about how our partners handle data:

Supabase: Privacy Policy
Stripe: Privacy Policy
Expo: Privacy Policy
Sentry: Privacy Policy
Vercel: Privacy Policy
OpenAI: Privacy Policy
AssemblyAI: Privacy Policy
Apple: Privacy Policy
Google: Privacy Policy
PostHog: Privacy Policy

6. Data Retention Summary

Authentication data: Until you log out or session expires
Push tokens: Until you uninstall the app or disable notifications
Error logs: 90 days, then automatically deleted
Website access logs: 30 days
Analytics data: Google Analytics: 2 years; PostHog: session-based
AI processing data: Transient (deleted immediately after processing)
Voice chat audio: Real-time streaming only, never stored
Voice chat session metadata: Retained with your account until you delete it
Payment/subscription data: Retained by Stripe; subscription records retained for legal/accounting purposes

7. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the app or this page. The "Last updated" date at the top indicates when this policy was revised.

8. Legal Basis for Cookies

Under UK GDPR, ePrivacy Directive, and PECR, we rely on the following legal bases:

Strictly necessary cookies: No consent required—these are essential for the Service to function
Analytics/performance cookies: Legitimate interest (product improvement, no profiling)
Advertising/marketing cookies: We do not use these
Optional AI features: Consent (provided when you choose to use these features)

9. Disclaimer

While we take measures to limit tracking and protect your privacy, you acknowledge that:

Third-party providers (Apple, Google, Supabase) may collect data according to their own privacy policies
Your device and browser may transmit data that we cannot control
We are not liable for tracking conducted by third parties outside our control
You are responsible for managing your own device and browser settings

10. Contact Us

For questions about cookies or tracking technologies:
Email: privacy@doxa.app
Address: The Doxa Way Ltd, 108 Kings Road, New Haw, Addlestone, KT15 3BH, United Kingdom

Our Commitment to Your Privacy

No advertising cookies. No behavioural tracking. No data selling. Your privacy matters.