Privacy Policy

Last updated: April 6, 2026

ProgTrack, LLC ("we," "our," "us") operates the iLiturgy web application at iliturgy.com and missals.iliturgy.com. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable privacy laws.

1. Data Controller

The data controller responsible for your personal data is:
ProgTrack, LLC
Contact: [Insert contact email]

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Name — to personalize your experience
  • Email address — for authentication, password resets, and account communications
  • Password — stored as a one-way bcrypt hash; we cannot read your password

Legal basis: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide you with the service.

2.2 Payment Data

Payment processing is handled by Stripe, Inc. We do not store your full credit card number. We retain only:

  • Card type (e.g., Visa, Mastercard)
  • Last four digits of your card number
  • Stripe customer ID (an opaque identifier)

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Stripe's own privacy policy applies to data they process: stripe.com/privacy.

2.3 Analytics Data (Privacy-Respecting)

We collect minimal, anonymized analytics to understand how the app is used:

  • Daily visitor hash — a SHA-256 hash of your IP address combined with the date. This is a one-way hash that cannot be reversed to identify you. It is used only to count unique visitors per day.
  • Country code — derived from your IP at the time of the request. Only the 2-letter country code is stored (e.g., "US," "ES"); the IP address itself is not stored.
  • Liturgical preferences — which form of the Mass (Ordinary/Extraordinary) and which languages you selected.
  • Date viewed — which liturgical date you looked at.

What we do NOT collect: raw IP addresses, user agents, browser fingerprints, cookies beyond the session cookie, or any third-party tracking scripts (no Google Analytics, no Facebook Pixel, no advertising trackers).

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — understanding aggregate usage to improve the service.

3. Cookies

We use only essential cookies:

  • Session cookie (iliturgy_session) — necessary for authentication. Expires when you close your browser or after 2 hours of inactivity.
  • CSRF token cookie — protects against cross-site request forgery attacks.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. Because we use only strictly necessary cookies, consent is not required under Art. 5(3) of the ePrivacy Directive.

4. How We Use Your Data

  • To provide and maintain the iLiturgy service
  • To process your subscription payments via Stripe
  • To send password reset emails (no marketing emails)
  • To understand aggregate usage patterns (anonymized analytics)
  • To comply with legal obligations

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Data Sharing

We share data only with:

  • Stripe, Inc. — payment processing (name, email, card details)
  • Email service provider — transactional emails only (password resets)
  • Hetzner Online GmbH — server hosting (data stored on Hetzner infrastructure in the EU/EEA)
  • Cloudflare, Inc. — CDN and DDoS protection (requests pass through Cloudflare's network)

6. Your Rights Under GDPR

If you are in the European Economic Area, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data ("right to be forgotten") (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability — receive your data in a structured format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at [Insert contact email]. We will respond within 30 days.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
  • Payment data: Retained as required by tax and accounting law (typically 7 years for transaction records).
  • Analytics data: Anonymized aggregates retained indefinitely. Daily visitor hashes are non-reversible and cannot identify you.

8. Data Security

We protect your data with:

  • TLS/SSL encryption for all data in transit (enforced via Cloudflare)
  • Bcrypt password hashing (passwords cannot be read or reversed)
  • Database encryption at rest on Hetzner infrastructure
  • No storage of full payment card numbers (Stripe handles PCI compliance)

9. Children's Privacy

iLiturgy is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us for deletion.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the application. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy inquiries, data requests, or concerns:
ProgTrack, LLC
Email: [Insert contact email]