Privacy Policy
⚠️ DRAFT — needs Norwegian/EU lawyer review before publishing to App Store or any public URL. Drafted 2026-05-26 by the engineer to reflect what the app actually does. Replace this banner with the live published date once a lawyer has reviewed and approved.
Last updated: 2026-05-26
Effective date: [TBD — date this is first published]
In plain English (the TL;DR)
Blessed Frames is a Christian app that turns your moments into beautiful, personal images of yourself with Jesus or other sacred figures. To do that, we collect your name, email, religious tradition, gender, photos of you, and the verses + frames you create. We use that data to make the app work. We don't sell your data. We don't show ads. Your photos and frames are stored in Europe (Ireland). When you create a frame, your photo is sent briefly to OpenAI in the United States to be processed by AI — then it's deleted from OpenAI. You can delete your account and all your data any time, from inside the app or by emailing us. You have full GDPR rights — see "Your rights" below.
1. Who we are (the Data Controller)
Dahlstrøm GD (Norwegian enkeltpersonforetak) is the data controller responsible for your personal data.
| Item | Details |
|---|---|
| Business name | Dahlstrøm GD |
| Organisation number | 926 596 977 |
| Registered address | Rosenlundveien 7, 3225 Sandefjord, Norway |
| Sole proprietor | Kim Dahlstrøm |
| Contact for privacy matters | privacy@blessedframes.com (forwarded to kimdahlstroem@gmail.com until the domain mailbox is live) |
If you live in the European Economic Area (EEA) or the United Kingdom, this policy is governed by the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).
2. What this policy covers
This policy describes how Dahlstrøm GD ("we", "us", "Blessed Frames") collects, uses, and shares personal data when you use the Blessed Frames iOS application, our website at blessedframes.com, and related services (collectively, the "Service").
It applies to:
- People who download and use the Blessed Frames app
- People who visit blessedframes.com
- People who receive a gift, greeting card, or shared frame from a Blessed Frames user (limited processing — see Section 6)
3. Personal data we collect
We organize the data we collect into categories. Each category lists exactly what's in it.
3.1 Account data
- Name (display name) — provided by you, or received from Apple Sign In if you choose that option
- Email address — provided by you, or received from Apple Sign In (which may give us a Private Relay email instead of your real one)
- Apple User ID (when you sign in with Apple) — a unique identifier Apple gives us so we can recognize you on return visits
- Account creation date
3.2 Religious + demographic data (special category data under GDPR Article 9)
- Christian tradition / denomination — you choose one of: Catholic, Orthodox, Protestant or Evangelical, Other Christian, or Prefer not to say
- Gender — you choose Man or Woman (used to tell the AI how to represent you in generated images)
These two fields are special category data under GDPR Article 9, because they reveal religious belief and gender. We only process this data with your explicit consent, which you provide by selecting these options during sign-up. You can change or delete these at any time from the Account screen.
3.3 Content you create or upload
- Reference photos — photos of yourself that you upload so the AI can include your face in generated frames. These are biometric data (your face is biometric information).
- Generated frames — images created by the app that combine your reference photo with biblical scenes, verses, and sacred figures. These are images of you and are stored in your personal Library.
- Verse selections, mood pill taps, scene preset choices, custom prompts — your in-app choices that drive what the AI generates.
- Photo consent confirmations — a record of when you ticked the box confirming you have permission to use a photo.
3.4 Usage and engagement data
- Daily blessing read history — which curated daily passages you've received and which you've opened
- Streak counter data — consecutive days you opened a daily blessing
- Total engagement days — cumulative count of days you've used the app
- Mood pill image seen history — which curated library images you've been shown (so we don't repeat them for you)
- Generation history — a record of every frame you've created
- Credit balance + ledger — the credit transactions tied to your subscription or one-off purchases
- Last opened Bible chapter — so the "Continue Reading" button works
3.5 Communication data
- Email recipients when you send a gift subscription or a greeting card — the recipient's email address, your personal message, and the verse / image attached
- Email autocomplete history — the last 10 email addresses you sent gifts to (stored locally on your device only, not on our servers)
3.6 Payment data
We do not collect or store your credit card number, expiration date, CVV, or bank details. All payments are handled by Apple's In-App Purchase system under Apple's own privacy policy. We receive only:
- Whether you have an active subscription, and which tier
- Your Apple-provided transaction identifiers (for receipt validation)
- Your purchase history within Blessed Frames
3.7 Technical data
- Device type and operating system (e.g., iPhone 15, iOS 18) — collected via standard app analytics for crash reporting and compatibility
- App version
- Approximate request timestamps
We do not collect: precise location, IP-based tracking, advertising identifiers (IDFA), cross-app tracking, browsing history, contacts.
4. How we use your data and our legal basis (GDPR Article 6 + 9)
GDPR requires us to tell you the legal basis for every use of your data. Here it is.
| What we do | Why | Legal basis |
|---|---|---|
| Create your account, let you sign in | To provide the Service you asked for | Contract (Article 6(1)(b)) |
| Generate AI-created frames using your photo + selected verse | The core feature you signed up for | Contract (Article 6(1)(b)) for processing; explicit consent (Article 9(2)(a)) for biometric + religious data |
| Show you a daily blessing tailored to what you've already seen | Personalize the Service | Contract (Article 6(1)(b)) |
| Filter content (which scenes, figures, verses) to your chosen Christian tradition | Personalize the Service | Explicit consent (Article 9(2)(a)) for religious data processing |
| Send AI moderation requests on your custom prompts | Protect you and other users from harmful content | Legal obligation (Article 6(1)(c)) + legitimate interest (Article 6(1)(f)) |
| Send transactional emails (gift confirmations, password resets, account notices) | Required to operate the Service | Contract (Article 6(1)(b)) |
| Provide customer support | Required to operate the Service | Legitimate interest (Article 6(1)(f)) |
| Detect fraud, abuse, and security incidents | Protect users and the Service | Legitimate interest (Article 6(1)(f)) |
| Comply with legal obligations (tax, accounting, court orders) | Required by law | Legal obligation (Article 6(1)(c)) |
| Improve the app (debugging, performance) | Operate the Service well | Legitimate interest (Article 6(1)(f)) |
We do not use your data for: advertising, profiling for marketing, automated decision-making with legal effects, training third-party AI models (see Section 6 on OpenAI specifically), or any purpose unrelated to running Blessed Frames.
5. Special category data — extra protection
Three categories of data we process need extra care under GDPR Article 9:
- Religious tradition / denomination (Section 3.2)
- Photos of your face (Section 3.3) — biometric data
- Gender (Section 3.2) — depending on jurisdiction may qualify
We rely on your explicit consent for all special category processing (GDPR Article 9(2)(a)). You give that consent when you:
- Pick your denomination during sign-up
- Tick the "I have permission to use this photo" checkbox before uploading a reference photo
- Pick your gender during sign-up
You can withdraw consent at any time by:
- Deleting your photo in the Account screen
- Changing your denomination to "Prefer not to say" in the Account screen
- Deleting your account entirely (Account screen → Sign out → Delete account)
Withdrawing consent does not affect processing that already happened (Article 7(3)). It does immediately stop future processing.
6. Who we share your data with
We share only with the third parties listed below, and only for the purposes shown.
6.1 Apple
We share with Apple:
- Your subscription status (active / inactive, tier) — so Apple can bill you correctly via In-App Purchase
- Sign in with Apple identity verification — when you sign in, Apple confirms your identity to us
Apple's privacy policy: https://www.apple.com/legal/privacy/
6.2 Supabase (Ireland, EU)
Supabase is our database and storage provider. They host:
- Your account, profile, denomination, gender
- Your uploaded photos (in their EU region, eu-west-1)
- Your generated frames (in their EU region)
- Your usage history, streak counter, credits
Supabase processes this data on our instructions only and is contractually bound by a Data Processing Agreement under GDPR Article 28. Supabase's privacy policy: https://supabase.com/privacy
Where the data is stored: Within the European Economic Area (specifically, Ireland — eu-west-1). It does not leave the EEA except for the specific OpenAI transfer described in Section 6.3.
6.3 OpenAI, L.L.C. (United States) — important
When you generate a personalized AI frame ("Include me in the picture" ticked), we send the following to OpenAI:
- Your reference photo (with your prior consent)
- The text prompt that describes the scene
- No other personal data — no name, no email, no denomination
OpenAI processes the request, returns the generated image, and (per OpenAI's API terms) does not use the data to train their models. OpenAI retains the data briefly (up to 30 days per their standard API policy) for abuse detection, then deletes it.
This is a transfer of personal data from the EEA to the United States. We rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission, plus the EU-US Data Privacy Framework (in which OpenAI participates), as the legal mechanism for this transfer.
You can avoid this transfer entirely by using only the free curated frame path (leave "Include me in the picture" unticked). That path never sends your photo to OpenAI — it serves images from our own EU library instead.
OpenAI's privacy policy: https://openai.com/policies/privacy-policy
6.4 Resend (United States / Ireland)
We use Resend to send transactional emails — gift confirmations, password resets, account notices. We share with Resend:
- The recipient's email address
- The email subject and body (which may include the gift message and verse you composed)
Resend is contractually bound by a DPA. The data goes through Resend's EU infrastructure when possible.
Resend's privacy policy: https://resend.com/legal/privacy-policy
6.5 RevenueCat (United States) — future
When we launch paid subscriptions, we plan to use RevenueCat for subscription management. They will receive your Apple-provided user ID and your subscription tier — but never your card details (those stay with Apple). We will update this Policy before activating RevenueCat.
RevenueCat's privacy policy: https://www.revenuecat.com/privacy/
6.6 We do not share with:
- Advertising networks
- Data brokers
- Other commercial third parties
- Anyone for marketing purposes outside Blessed Frames itself
We may disclose your data when required by law (court orders, valid government requests) or to protect Blessed Frames or its users from imminent harm. We will tell you about such requests where legally allowed.
7. International data transfers
Most of your data stays in the European Economic Area (EEA). The exceptions:
- OpenAI — your photo + prompt cross to the United States during generation (Section 6.3). Transfer mechanism: Standard Contractual Clauses + EU-US Data Privacy Framework.
- Resend — email contents may briefly transit US infrastructure depending on delivery route. Transfer mechanism: SCCs.
- Apple — Apple's data handling is governed by their own GDPR-compliant cross-border framework.
We assess these transfers periodically and will adjust if the legal landscape changes (e.g., if Schrems-style rulings invalidate a transfer mechanism).
8. How long we keep your data
| Data | Retention |
|---|---|
| Active account data (name, email, denomination, gender) | While your account is active |
| Reference photos (the original photo you uploaded) | Deleted from our user-photos bucket immediately after generation completes (within minutes) |
| Reference photos (a copy held by OpenAI) | OpenAI retains for up to 30 days for abuse detection, then deletes |
| Generated frames (your Library) | While your account is active, or until you delete the frame |
| Daily blessing read history, streak data | While your account is active |
| Email autocomplete (gift recipients) | Stored only on your device, never on our servers |
| Email logs (Resend sending records) | Up to 30 days per Resend's defaults |
| Backup snapshots | Up to 30 days from the last incremental backup; older snapshots are deleted automatically |
| Account deleted by you | All your data is erased within 30 days of you initiating deletion, except where a legal obligation (e.g., tax records) requires longer retention |
9. Your rights under GDPR
You have the following rights. To exercise any of them, email privacy@blessedframes.com. We will respond within one month (GDPR Article 12(3)).
| Right | What it means |
|---|---|
| Right of access (Article 15) | You can ask us for a copy of all personal data we hold about you |
| Right to rectification (Article 16) | You can correct inaccurate data — most fields are editable directly in the app's Account screen |
| Right to erasure / "right to be forgotten" (Article 17) | You can delete your account and all data. Account screen → Delete my account, or email us. |
| Right to restriction (Article 18) | You can ask us to limit how we use your data while a dispute is resolved |
| Right to data portability (Article 20) | You can request an export of your data in a machine-readable format (JSON) |
| Right to object (Article 21) | You can object to processing based on legitimate interest |
| Right to withdraw consent (Article 7(3)) | You can withdraw any consent at any time — see Section 5 |
| Right not to be subject to automated decision-making (Article 22) | We do not make automated decisions with legal effect about you |
| Right to complain to a supervisory authority (Article 77) | See Section 13 |
10. Children
Blessed Frames is rated 4+ in the Apple App Store, meaning the content is suitable for all ages. However, the Service is not designed for or directed at children under 13.
Norwegian law (Personopplysningsloven §5) sets the digital consent age at 13 years. Children under 13 may not consent to the processing of their personal data and may not lawfully use Blessed Frames without verifiable parental consent.
In other EEA countries, the digital consent age ranges from 13 to 16 depending on the country (GDPR Article 8 allows member states to choose).
We do not knowingly collect personal data from children below the applicable consent age in their country. If you believe a child below that age has provided us with personal data, please email privacy@blessedframes.com and we will delete it.
If you are a parent or guardian and want to use Blessed Frames with your child, please supervise their use, manage the account in your name, and be aware that the AI may include the child's face in generated images.
11. How we protect your data
We use the following safeguards:
- Encryption in transit — all data exchanged between the app and our servers uses TLS (HTTPS)
- Encryption at rest — Supabase encrypts all stored data with AES-256
- Row-level security (RLS) — our database is configured so each user can read only their own data; this is enforced at the database level, not just the application level
- Service-role keys — administrative database access is restricted to server-side functions, and the keys are rotated periodically
- No password storage on our servers — we use Sign in with Apple and magic-link email login; we never store passwords
- AI content moderation — every custom prompt is screened through OpenAI's Moderation API before generation; flagged prompts are refused
- Regular security review — schema and access policies are reviewed on every major release
- No production access from personal devices — administrative access is via secured tools only
No system can be 100% secure. If we ever experience a data breach that risks your rights or freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, per GDPR Article 33.
12. Changes to this Privacy Policy
We may update this Policy when we add features, change third parties, or when the law changes. When we make material changes:
- We will update the "Last updated" date at the top
- We will notify you in-app and/or by email at least 14 days before the change takes effect
- For changes that require fresh consent (e.g., a new special-category use), we will ask for consent before processing the data under the new policy
Past versions of this Policy will be archived at blessedframes.com/privacy/archive (link will be active once we publish a v2).
13. Complaints and supervisory authority
If you believe we have processed your data in violation of GDPR, you have the right to lodge a complaint with a supervisory authority. For users in Norway, that authority is:
Datatilsynet (the Norwegian Data Protection Authority)
Postboks 458 Sentrum, 0105 Oslo, Norway
https://www.datatilsynet.no/
Phone: +47 22 39 69 00
If you live in another EEA country, you may complain to your local supervisory authority. The full list is published by the European Data Protection Board: https://edpb.europa.eu/about-edpb/about-edpb/members_en
We encourage you to contact us first at privacy@blessedframes.com so we have a chance to resolve the issue directly — but you are not required to.
14. Contact us
For any privacy question, request, or complaint:
Email: privacy@blessedframes.com
Postal mail: Dahlstrøm GD, Rosenlundveien 7, 3225 Sandefjord, Norway
We aim to respond within 7 days for most questions, and always within one month for formal GDPR requests.
This document is a draft prepared by Blessed Frames' engineering team for legal review. Material decisions about the App's data practices have been documented as they currently exist (as of 2026-05-26). Before publication, this draft should be reviewed by a Norwegian or EEA data protection lawyer. The "Effective date" at the top will be set once that review is complete and the document is published at blessedframes.com/privacy.