Privacy Policy
What data we collect, why we collect it, who we share it with, and the rights you have. Written in plain English. Updated for 2026 US state privacy laws.
Effective May 9, 2026
This Privacy Policy describes how PLAY PLAY CARDS S.R.L. ("Bible Agents", "we", "us", "our") collects, uses, discloses, and protects Personal Information when you visit trybibleagents.com, subscribe to our service, or receive our weekly emails (the "Service").
We are a Romanian limited liability company (CUI 54439120, Trade Register No. J2026023005004) with our registered office at Str. Drumul Pescarilor nr. 16 A, Olimp, Constanța 905503, Romania. Our Service is offered to a global audience and is primarily directed at adult users in the United States.
California residents, see also our California Privacy Notice, which addresses the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), including the right to limit our use of Sensitive Personal Information.
1. Personal Information we collect
We collect the following categories of Personal Information, all of it directly from you or automatically when you interact with the Service:
1.1 Information you provide
- Email address — collected at checkout. Required to deliver the Service.
- Payment information — collected and processed by Stripe, Inc., not by us. We never see, store, or have access to your card number, CVV, or expiration date. We receive only a Stripe Customer ID and Subscription ID for our records, plus the last four digits of your card and country, which Stripe shares for fraud prevention.
- Agent selection — the Bible Agent topic you choose at checkout (e.g. Anxiety Reset, Marriage Fire). We treat the agent topic as Sensitive Personal Information under California and certain other US state laws because it can reveal a religious or philosophical preference. See § 8.
- Customer support correspondence — content of emails you send to hello@trybibleagents.com.
1.2 Information collected automatically
- Device and usage data — IP address (anonymized after collection), approximate location derived from IP (country / region only), user agent string, referrer URL, pages viewed, timestamps. Collected via Vercel server logs and Google Analytics 4.
- Advertising identifiers — when you arrive from a Google Ad, your Google Click ID (gclid) is captured into the URL and stored in your Stripe Checkout session metadata so we can measure whether the ad was useful. We do not store gclid against your email after the conversion event is reported to Google Ads.
- Email engagement — Resend, our email delivery provider, records delivery, open, and click events for each email we send to you. We use this to improve deliverability and detect address typos. We do not use it to profile you or to make decisions that produce legal or similarly significant effects.
- Cookies and similar technologies — see our Cookie Policy for the full list and purposes.
1.3 What we do not collect
We do not collect your name, phone number, postal address, government identifiers, photos, biometric data, precise geolocation (GPS), audio, or video. We do not buy data from brokers and we do not use third-party tracking pixels beyond the Google tag described in the Cookie Policy. We do not knowingly collect Personal Information from children under the age of 13 (see § 12).
2. How we use Personal Information
We use the categories above for the following purposes only:
- Service delivery — to send you the weekly drops you signed up for, the purchase confirmation, billing receipts, account notifications, and one-click unsubscribe.
- Payment processing — to charge your card, manage subscription renewal, and prevent fraud, all via Stripe.
- Service improvement — analytics and email-engagement data inform editorial choices (which topics resonate, where readers drop off) and deliverability monitoring. This is conducted in aggregate; we do not build individual user profiles.
- Advertising measurement — to measure the performance of our advertising campaigns on Google Ads and to optimise future campaigns. We do not use Personal Information for cross-context behavioral advertising or for "targeted advertising" as defined under the Virginia Consumer Data Protection Act, the Colorado Privacy Act, or comparable laws.
- Security and fraud prevention — IP addresses and request fingerprints are processed by Vercel, Stripe, and our application to detect abuse, brute force, and payment fraud.
- Legal compliance — to comply with our legal obligations (tax, accounting, subpoenas, court orders).
- Communications related to the Service — service announcements, security alerts, and changes to these legal documents. These are not marketing emails; you cannot opt out of necessary service communications without cancelling.
We will not use Personal Information for any other purpose without first telling you and, where required by law, obtaining your consent.
3. Legal bases (for users in the European Economic Area, the United Kingdom, and Switzerland)
If you are in the EEA, the UK, or Switzerland, we process Personal Information on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract (Art. 6(1)(b)) — to deliver the Service you purchased.
- Consent (Art. 6(1)(a)) — for analytics and advertising cookies. You can withdraw consent any time by clearing site cookies, which re-shows our consent banner, or by disabling cookies in your browser.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, to prevent fraud, to communicate with you about your subscription, and to measure aggregate Service performance. We have assessed these interests against your fundamental rights and concluded that the processing is proportionate.
- Legal obligation (Art. 6(1)(c)) — for tax, accounting, and consumer protection records.
4. How we share Personal Information
We share Personal Information only with the service providers listed below, each of whom is contractually bound to use the data solely on our instructions and to apply appropriate security measures. We do not sell your Personal Information for money, and we do not share it for cross-context behavioral advertising.
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, fraud prevention | USA |
| Resend, Inc. | Transactional & marketing email delivery | USA |
| Supabase, Inc. | Application database hosting | USA |
| Vercel, Inc. | Web hosting, edge network, server logs | USA & global edge |
| Anthropic, PBC | Drafting weekly editorial content | USA |
| Google LLC | Analytics (GA4) and advertising measurement (Google Ads) | USA |
We disclose Personal Information only on a need-to-know basis and only the minimum required for each purpose. We do not authorise these providers to use your Personal Information for their own marketing.
We may also share Personal Information when legally required, in response to a lawful subpoena, court order, or government demand, where we believe disclosure is necessary to prevent imminent physical harm or financial loss, or in connection with the sale, merger, acquisition, or financing of all or part of our business, in which case the acquirer will be bound by this Privacy Policy or notify you of any changes.
5. International data transfers
Most of our service providers are located in the United States. When we transfer Personal Information from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on a combination of: (a) the European Commission's adequacy decision for the EU-US Data Privacy Framework where the recipient is certified, and (b) the EU Standard Contractual Clauses (Module Two: Controller to Processor) or comparable safeguards. You may request a copy of the safeguards in place by writing to us.
6. Retention
We keep Personal Information only as long as we need it for the purposes described above:
- Active subscribers — for the duration of your subscription, plus 12 months after cancellation in case you return.
- Email engagement data — 24 months in Resend, then deleted or aggregated.
- Analytics — Google Analytics retains user-level data for 14 months by default; we do not extend that.
- Server and security logs — typically 30 days, longer where needed for an active security investigation.
- Tax and accounting records — Stripe and we retain records of transactions for the period required by US, Romanian, and EU tax law (typically 7 years).
7. Your rights
Wherever you live, we honour the rights below where they apply to you under the law of your jurisdiction. Depending on your state or country, we may verify your identity before responding to a request to ensure we don't disclose your data to someone else.
- Right to know / access — what Personal Information we have about you, how we use it, and who we share it with.
- Right to correct — request correction of inaccurate Personal Information.
- Right to delete — subject to legal exceptions (e.g. required tax records), we will delete your data on request.
- Right to data portability — receive a portable copy of your data.
- Right to opt out of sale or sharing for cross-context behavioral advertising — we already do not engage in either of these activities. See § 4 and our California Privacy Notice.
- Right to limit the use of Sensitive Personal Information — California right; we already only use Sensitive PI to deliver the Service and we will not use it for purposes other than those described in § 8 even if you do not exercise this right.
- Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised a privacy right.
- One-click unsubscribe from any marketing email — the link is in every message we send, and a single click stops further weekly drops.
- Right to lodge a complaint — if you are in the EEA / UK / Switzerland, you may lodge a complaint with your supervisory authority. The Romanian authority is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (www.dataprotection.ro). If you are in the US, you may also contact your state attorney general.
To exercise any of these rights, email hello@trybibleagents.com with "Privacy Request" in the subject line. We respond to most requests within 15 days and to all verifiable requests within 45 days (90 if a complex request requires additional time, in which case we'll tell you).
You may also use an authorized agent to submit a request on your behalf. We will require proof of agency (a signed permission from you) before responding.
8. Sensitive Personal Information
Under California (CPRA), Connecticut (CTDPA), Virginia (VCDPA), Colorado (CPA), and other US state privacy laws, "Sensitive Personal Information" includes information that reveals a person's religious or philosophical beliefs.
Because the Bible Agent topic you select at checkout (e.g. Spiritual Warfare 101, Porn-Free Freedom, Anxiety Reset) can reveal such information, we treat the agent selection as Sensitive Personal Information.
We use Sensitive Personal Information solely to:
- Deliver the weekly drops to you (i.e. the agent you chose dictates which content you receive).
- Internally measure subscription concentration by topic, in aggregate only.
We do not:
- Sell or share Sensitive Personal Information.
- Use it to infer characteristics about you.
- Use it for advertising of any kind.
- Disclose your specific agent choice to any third party other than the service providers strictly necessary to deliver the email (Resend, Supabase, Vercel — see § 4).
California residents may exercise the "Right to Limit the Use of Sensitive Personal Information" via our California Privacy Notice. Because our default practice already matches the limit, exercising this right will not change how we process your information.
9. Cookies, analytics, and advertising
We use a small set of cookies and similar technologies. Necessary cookies are always on; analytics and advertising cookies load only after you opt in via our consent banner where consent is required (EEA/UK and many US states with opt-out frameworks). The complete inventory and durations are in our Cookie Policy.
We have implemented Google Consent Mode v2. When advertising consent is denied, our Google tags load in a privacy-preserving mode that pings Google in a way that does not identify you personally (cookieless pings).
We honor browser-based opt-out signals such as the Global Privacy Control (GPC) where legally required. If your browser sends a GPC signal, we will treat it as a request to opt out of any sale or sharing for cross-context behavioral advertising, even though we do not engage in those activities by default.
10. AI and automated processing
Some weekly drops are drafted with the help of AI (currently Claude by Anthropic, PBC), working from editorial standards we set and primary biblical sources we provide. Every drop is written under our editorial direction.
We do not use Personal Information to train AI models, and we do not make automated decisions that produce legal or similarly significant effects on you within the meaning of Article 22 of the GDPR. Anthropic does not retain or train on prompts containing your Personal Information; we send Anthropic only the agent topic, never your email or any other data that identifies you.
11. Email marketing and CAN-SPAM
The weekly drops you receive are part of the paid Service, not unsolicited commercial email. Every drop and every transactional email contains a one-click unsubscribe link plus the standardised List-Unsubscribe headers that Gmail and Apple Mail use for native in-inbox unsubscribe. A single click stops further drops, with effect on the next batch run (typically within 24 hours, well within the 10-business-day window required by CAN-SPAM, 15 USC § 7704). Our physical postal address is included in the footer of every message.
12. Children
The Service is not directed to children under 13. We do not knowingly collect Personal Information from a child under 13 in the United States (Children's Online Privacy Protection Act, 15 USC §§ 6501–6506) or from a child under 16 in the European Economic Area without verifiable parental consent. If you believe we have collected information from a child below the applicable age, write to us and we will delete it promptly.
13. Security
We use commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Information from unauthorised access, alteration, disclosure, and destruction. These include TLS encryption in transit, encryption at rest in our database, scoped API tokens, two-factor authentication on operator accounts, and delegation of card data handling to Stripe (PCI-DSS Level 1). No system is perfect; if you spot a security issue, please email us — we welcome responsible disclosure.
If we experience a security breach affecting your Personal Information, we will notify you and the relevant authorities within the time frames required by applicable law (e.g. within 72 hours of becoming aware, where the GDPR applies; without unreasonable delay under most US state breach-notification laws).
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes we will email active subscribers and update the "Effective" date at the top of this page. Continued use of the Service after the change takes effect means you accept the updated Privacy Policy. If you do not accept the updates, you can cancel before they take effect — the unsubscribe link is in every email.
15. Contact
For privacy questions, requests, or complaints:
PLAY PLAY CARDS S.R.L.
Str. Drumul Pescarilor nr. 16 A, Olimp, Constanța 905503, Romania
CUI 54439120 · J2026023005004
hello@trybibleagents.com
If you are in California and would like to exercise specific CCPA / CPRA rights, please use our California Privacy Notice.