Privacy

QAVA Privacy Policy

Effective Date: June 12, 2026

Last Updated: June 12, 2026

This Privacy Policy explains how City on a Hill Productions, Inc. (“COAH,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information in connection with QAVA, including the QAVA mobile applications, the QAVA website at qava.tv, and related streaming and devotional services (collectively, the “Service”).

This Policy applies to information we collect through the Service. It does not apply to the practices of third parties we do not own or control. By using the Service, you acknowledge this Policy. Where required by law, we will obtain your consent before processing your information.

If you have questions about this Policy, contact us at [email protected] or City on a Hill Productions, Inc., 13201 Data Vault Dr. Ste 101, Louisville, KY 40223.

1. About COAH and QAVA

COAH is a Kentucky nonprofit corporation and a 501(c)(3) tax-exempt organization. QAVA is a faith-based streaming platform that provides Bible-centered films, series, devotional content, study tools, and personal journaling features. We are the “controller” of personal information collected through the Service.

2. Quick Summary

We collect information needed to provide the Service, including account details, Subscription and payment information (processed by Stripe, RevenueCat, or your App Store), content you create such as journal entries, viewing activity, and basic technical information about your device. We use this information to operate the Service, deliver content you request, process payments, send communications you have agreed to receive, secure the Service, and improve the experience.

How we use tracking differs between our mobile applications and our website:

Mobile applications. Our mobile apps do not use advertising trackers, advertising pixels, or web analytics tools such as Google Analytics. We use only the SDKs needed to operate the app (such as authentication, subscription management, video playback, and push notifications).
Website (qava.tv). Our website uses Google Analytics for product analytics and Google Ads and Meta (Facebook) Pixel for advertising purposes, including conversion tracking and remarketing. Under California, Colorado, Connecticut, and similar state privacy laws, this activity is considered “sharing” personal information for cross-context behavioral advertising. We do not engage in this activity in our mobile applications.

We do not sell personal information for money. We do not use the content of your journal entries to train artificial intelligence or machine learning models. You can opt out of advertising-related sharing on the website as described in Section 14.

3. Information We Collect

We collect the categories of information described below. Some information you provide directly; some is generated automatically when you use the Service; and some is provided by third parties such as payment processors and App Stores.

3.1 Account Information

When you create an Account, we collect your email address, the password you create (stored only in hashed form), and any optional profile information you provide such as a display name.

3.2 Subscription and Payment Information

Subscription transactions on the QAVA website are processed by Stripe, Inc. Subscription transactions in our mobile applications are processed by Apple, Google, or RevenueCat, Inc. Payment card numbers and full financial account information are collected and processed directly by these providers; we do not receive or store full payment card numbers. We do receive transaction metadata such as Subscription plan, status, renewal date, billing country, amount charged, and the last four digits of your payment card (where provided by the processor).

3.3 User Content

We collect content you create within the Service, including journal entries, notes, highlights, scripture saves, prayer entries, content tags, and other personal reflections you submit. This information is stored privately in your Account and is not visible to other users.

3.4 Usage and Viewing Information

We collect information about how you use the Service, including content you view or listen to, playback progress and duration, completion of devotional series, search queries within the Service, content you save or favorite, onboarding responses, and other interactions with features of the Service.

3.5 Device and Technical Information

When you use the Service, we automatically collect technical information including device type and model, operating system and version, application version, language and locale, time zone, approximate location derived from your IP address (city- or region-level), IP address, device identifiers, crash and performance logs, and similar information.

3.6 Communications

If you contact us by email or other means, we collect the content of your messages and any information you choose to provide. If you opt in to receive marketing communications from us, we collect your email address and the preferences you select.

3.7 Cookies and Similar Technologies (Website Only)

On the QAVA website (qava.tv), we use cookies and similar technologies (such as local storage, web beacons, and SDK identifiers) for the following purposes:

Strictly necessary cookies: required for authentication, security, fraud prevention, load balancing, and core site functionality.
Analytics cookies: Google Analytics 4, used to understand aggregate site usage.
Advertising cookies and pixels: Google Ads (conversion tracking and remarketing) and Meta (Facebook) Pixel (conversion tracking and audience building). These technologies share information about your visit, including your IP address, device identifiers, pages viewed, and actions taken, with Google and Meta.

We do not use cookies, web beacons, or similar tracking technologies in our mobile applications.

3.8 Inferences

We may derive inferences from the information above, such as content recommendations or preferences, to personalize your experience within the Service.

4. Sensitive Personal Information and Faith Content

Because QAVA is a faith-based service centered on Christian content, your use of the Service inherently reveals information about your religious or philosophical beliefs and practices. Under certain privacy laws (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act), this is considered “sensitive personal information.”

We collect and use this information only as necessary to provide the Service you have requested—that is, to deliver Bible-centered content, devotional features, journal prompts, and related functionality. We do not use this information to infer characteristics about you for advertising, profiling, or other purposes outside the reasonable expectations of someone using a faith-based streaming and journaling service. We do not share sensitive personal information with our advertising partners (Google Ads and Meta Pixel).

5. Where We Get Your Information

Directly from you, when you create an Account, complete onboarding, submit content, or contact us;
Automatically through your use of the Service, including device, viewing, and log information;
From service providers, including Stripe, RevenueCat, and your App Store, which provide us with Subscription and transaction metadata;
From analytics and advertising providers (on our website), including Google Analytics, Google Ads, and Meta Pixel, which provide us with aggregated audience and conversion data.

6. How We Use Your Information

We use personal information for the following purposes:

Provide and operate the Service: authenticate your Account, deliver content you request, save your progress and journal entries, personalize recommendations, and provide customer support.
Process Subscriptions and payments: establish and manage your Subscription, process renewals, prevent and detect payment fraud, and address billing issues.
Communicate with you: send transactional messages (account, billing, security), respond to inquiries, and—only with your consent—send marketing communications about QAVA.
Send push notifications: deliver notifications you have enabled in your device settings.
Secure the Service: monitor for and prevent fraud, abuse, and security incidents, and enforce our Terms of Service.
Analyze and improve: understand how the Service is used in the aggregate, evaluate and improve features, and conduct internal research.
Marketing and advertising (website only): measure the effectiveness of advertising campaigns, build audiences for advertising on Google and Meta platforms, and serve relevant advertisements about QAVA to website visitors and similar audiences.
Comply with law: satisfy legal obligations, respond to lawful requests, and protect our legal rights.

We do not use the content of your journal entries or other private User Content for advertising, profiling, or to train any artificial intelligence or machine learning model.

7. How We Share Information

We share personal information only as described in this Policy.

7.1 Service Providers

We share information with vendors and service providers that help us operate the Service, under contracts that require them to safeguard your information and use it only for the purposes we authorize. Our principal service providers include:

Provider	Purpose	Data Processed
Supabase	Database, authentication, file storage (app + web)	Account, User Content, usage data; hosted in US East (N. Virginia)
Stripe	Payment processing (web Subscriptions)	Payment method, billing address, transaction data
RevenueCat	Mobile Subscription management	Account identifier, Subscription status, transaction metadata
Mux	Video hosting and streaming (app + web)	Playback data, device/network info, IP address
OneSignal	Push notifications and in-app messages (app)	Device push token, app event data, notification preferences
Google Analytics 4 (web only)	Product analytics on qava.tv	Site usage events, device identifiers, IP address; advertising features disabled
Google Ads (web only)	Advertising conversion tracking and remarketing on qava.tv	Visit and conversion events, device identifiers, IP address, cookies (treated as “sharing” under CCPA/CPRA)
Meta (Facebook) Pixel (web only)	Advertising conversion tracking and audience building on qava.tv	Visit and conversion events, device identifiers, IP address, cookies (treated as “sharing” under CCPA/CPRA)
Resend	Transactional email	Email address, message content for account, billing, and security messages
Mailchimp	Marketing email (opt-in only)	Email address, marketing preferences, engagement metrics
Apple and Google	App distribution and in-app purchases	Transaction data and identifiers governed by Apple’s and Google’s own privacy policies

This list may be updated from time to time. The current list is available by contacting [email protected].

7.2 Legal Requirements

We may disclose information to comply with applicable law, regulation, legal process (such as a subpoena, court order, or search warrant), or governmental request; to enforce our Terms of Service; to protect the rights, property, or safety of COAH, our users, or others; or to investigate or prevent fraud, security incidents, or wrongdoing.

7.3 Business Transfers

If COAH or QAVA is involved in a merger, acquisition, asset sale, financing, reorganization, or similar transaction, we may transfer personal information as part of that transaction, subject to customary confidentiality and data-protection commitments. We will provide notice before personal information is transferred and becomes subject to a different privacy policy.

7.4 With Your Consent

We may share information for other purposes with your consent or at your direction.

7.5 No Sale; Limited Sharing for Advertising on Our Website

We do not sell personal information for money or other valuable consideration. However, our use of Google Ads and Meta Pixel on the QAVA website (qava.tv) is considered “sharing” personal information for cross-context behavioral advertising under the California Consumer Privacy Act and certain other state privacy laws. This sharing is limited to our website; we do not share personal information collected through the QAVA mobile applications for cross-context behavioral advertising.

You can opt out of this sharing as described in Section 14.

8. Cookies, Analytics, and Advertising

8.1 Website (qava.tv)

On the QAVA website, we use the following categories of cookies and similar technologies:

Strictly necessary: required for the website to function, including authentication, session management, security, and load balancing. These cannot be disabled.
Analytics: Google Analytics 4 to understand aggregate site usage and improve the Service. We do not enable Google Analytics advertising features.
Advertising: Google Ads tags and Meta (Facebook) Pixel for conversion tracking, remarketing, and audience building. These share information about your visit with Google and Meta.

We are implementing a cookie consent banner that will allow you to accept or reject non-essential cookies. Until the banner is live, you may opt out of analytics and advertising cookies using the methods described in Section 14.

8.2 Mobile Applications

The QAVA mobile applications do not use cookies, web beacons, or advertising trackers. We do not use Google Analytics, Google Ads, Meta Pixel, or similar advertising SDKs in our mobile applications. The mobile applications use only the SDKs necessary to operate the app, including Supabase (authentication and data), RevenueCat (subscription management), Mux (video playback), and OneSignal (push notifications).

8.3 Do Not Track Signals

Some browsers offer a “Do Not Track” (DNT) signal. Because there is no industry consensus on how to interpret DNT signals, we do not currently respond to them. We do, however, honor Global Privacy Control (GPC) signals as described in Section 14.

9. Push Notifications and Email Communications

If you grant permission, we send push notifications through OneSignal. You can disable push notifications at any time in your device settings.

Transactional emails (such as account, billing, and security notices) are necessary for the Service and cannot be opted out of while you maintain an active Account. Marketing emails are sent only with your consent and you may unsubscribe at any time using the link in the email or by contacting [email protected].

10. Children’s Privacy

The Service is intended for users age thirteen (13) and older. We do not knowingly collect personal information from children under 13. If you are under 13, do not use the Service or provide any personal information to us. If you believe a child under 13 has provided us with personal information, contact us at [email protected], and we will delete the information as required by the Children’s Online Privacy Protection Act (“COPPA”).

For users between 13 and the age of majority in their jurisdiction, a parent or legal guardian should review this Policy and the Terms of Service before the minor uses the Service.

11. How Long We Keep Information

We keep personal information for as long as your Account is active and as needed to provide the Service. When you delete your Account, we delete or de-identify your personal information within a reasonable period, except where we are required or permitted by law to retain it (for example, to comply with tax, accounting, or audit obligations; to resolve disputes; or to enforce our agreements).

Specifically: Account and User Content are retained while your Account is active and deleted within 60 days of Account deletion, except for de-identified analytics data and records we are required to retain. Backup copies may persist for an additional period before being overwritten. Subscription transaction records are retained for at least seven (7) years to comply with tax and accounting requirements. Website analytics and advertising data is retained according to Google’s and Meta’s standard retention windows (typically 14–26 months).

12. How We Protect Information

We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, and destruction. These safeguards include encryption in transit (TLS), encryption at rest where supported by our service providers, access controls, authentication requirements (including multi-factor authentication for administrative access), and ongoing monitoring.

No method of transmission or storage is perfectly secure. While we work to protect your information, we cannot guarantee its absolute security. If you suspect that your Account has been compromised, contact us immediately at [email protected].

13. Your Choices

Regardless of where you live, you can:

Access and update most of your Account information directly in the Service;
Delete your User Content within the Service;
Cancel your Subscription at any time (see the Terms of Service);
Disable push notifications in your device settings;
Unsubscribe from marketing emails;
Opt out of advertising cookies on our website (see Section 14);
Request deletion of your Account and associated personal information by contacting [email protected].

14. State Privacy Rights and Opt-Out Mechanisms (U.S.)

If you reside in a state with a comprehensive consumer privacy law (including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia), you may have one or more of the rights described below, subject to verification and applicable exceptions.

14.1 Rights You May Have

Right to know / access: request confirmation of whether we process your personal information and access the personal information we hold about you.
Right to correction: request that we correct inaccurate personal information.
Right to deletion: request that we delete your personal information, subject to exceptions.
Right to data portability: receive a copy of your personal information in a portable, machine-readable format.
Right to opt out of sale or sharing: direct us not to sell or share your personal information for cross-context behavioral advertising.
Right to limit use of sensitive personal information (California): direct us to limit our use of sensitive personal information to purposes necessary to provide the Service. Because we already use sensitive personal information only for purposes necessary to provide the Service, no additional action is required to honor this right.
Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
Right to appeal: in states that provide an appeal right, you may appeal our decision regarding your request by replying to our response or contacting [email protected].

14.2 How to Opt Out of Sharing for Advertising

As described in Sections 7.5 and 8, our website uses Google Ads and Meta Pixel for advertising purposes, which is considered “sharing” under CCPA/CPRA. You can opt out using any of the following methods:

Cookie consent banner (when available): reject non-essential cookies through the cookie banner on qava.tv.
Global Privacy Control (GPC): we honor GPC signals from your browser as a valid opt-out of sale/sharing for that browser. Browsers and extensions supporting GPC include Brave, Firefox (with the GPC extension), DuckDuckGo, and others.
Email request: email [email protected] with the subject line “Do Not Sell or Share My Personal Information,” including your name and the email address associated with your Account.
Provider-level opt-outs: you can also opt out directly at Google (adssettings.google.com) and Meta (in your Facebook account settings).

14.3 How to Exercise Your Other Rights

Submit a request by emailing [email protected] with the subject line “Privacy Rights Request” and a description of the right you wish to exercise. We will verify your identity using information associated with your Account before responding. You may use an authorized agent to submit a request on your behalf; we may require proof of the agent’s authority. We will respond within the time period required by applicable law (generally 45 days, extendable in certain circumstances).

14.4 California “Shine the Light”

California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

14.5 California Categories

Over the preceding twelve (12) months, we have collected the following categories of personal information, as defined under the California Consumer Privacy Act: identifiers; customer records information; commercial information; internet or other electronic network activity; geolocation data (coarse, from IP address); audio, electronic, visual, or similar information (only User Content you submit); inferences drawn from the above; and sensitive personal information (information that reveals religious or philosophical beliefs, by virtue of your use of the Service).

We have disclosed these categories of information for business purposes to the service providers identified in Section 7.1. We have shared identifiers, internet/network activity, geolocation (coarse), and inferences with Google and Meta in connection with website advertising. We have not sold personal information.

15. International Users and Cross-Border Transfers

QAVA is operated from the United States and our service providers are located primarily in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States, which may have different data-protection laws than your country.

If you reside in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, you may have the following rights under applicable law: access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right to lodge a complaint with your local data protection authority. The legal bases on which we process your personal information are (i) performance of our contract with you (provision of the Service); (ii) our legitimate interests in operating and improving the Service, where not overridden by your rights; (iii) compliance with legal obligations; and (iv) your consent, where applicable (for example, for marketing emails, push notifications, and non-essential cookies). We rely on appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses.

To exercise these rights or for questions about international processing, contact [email protected].

16. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email and/or by posting a notice in the Service at least thirty (30) days before the changes take effect, unless a shorter notice period is required by law. The “Last Updated” date at the top of this Policy reflects the most recent revision. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the updated Policy.

17. Contact Us

For questions about this Policy or our privacy practices, or to exercise your rights, contact us:

City on a Hill Productions, Inc.

Email: [email protected]

Address: 13201 Data Vault Dr. Ste 101, Louisville, KY 40223

— End of Privacy Policy —