PR Resources

Privacy Policy

Last updated: April 2026

1. Introduction

PR Resources is a volunteer-run search tool created by two lay members of a Protestant Reformed congregation. This Privacy Policy describes what personal data we collect when you use the Service, how we use it, with whom we share it, and the rights you have over it.

For privacy questions, use the contact form.

2. Personal data we collect

  • Account: email address, display name (optional).
  • Activity: reading history (30-day raw retention plus aggregate), saved lists, personal notes, custom tags, author and topic follows.
  • User-submitted: feature requests, contact-form submissions, newsletter signups.
  • Technical: IP address (used for rate limiting and analytics), user agent, referring URL.

3. Sub-processors (where your data flows)

We share the minimum data necessary with the following sub-processors:

  • Supabase (Ireland, EU) — database and auth; stores your email, hashed password, and session cookies.
  • Vercel (US / global edge) — hosting and request logs.
  • OpenAI (US) — /api/chat and /api/summary send prompts plus resource excerpts. OpenAI does not train on API data by default.
  • Anthropic (US) — same pattern as OpenAI for Claude-powered chat completions.
  • Resend (US) — transactional email (signup verification, newsletter digest). We send your email address and the message body.
  • Google Analytics (US) — only loaded after you accept the cookie banner (see section 5).
  • Cloudflare Turnstile (global) — captcha on signup and contact-form submission; returns a success token only, no tracking cookies.

4. How we use your data

  • Provide the Service (auth, save-to-list, search, notes).
  • Security and abuse prevention (rate limiting, captcha verification, audit logging).
  • Service emails (verification, digest if subscribed, response to contact form).
  • Aggregate analytics (popular resources, search trends). We never sell your data.

5. Cookies

  • Strictly necessary: Supabase auth session cookies — set on login, cleared on logout. No consent needed; the Service cannot function without them.
  • Analytics: Google Analytics cookies (_ga, _ga_*) — only set after you accept them in the cookie banner.
  • You can withdraw consent at any time via the “Cookie preferences” link in the footer.

6. Your rights (GDPR / UK GDPR)

  • Access: view your profile data at Account Settings.
  • Rectification: update your display name and email at Account Settings.
  • Erasure: delete your account (removes all personal data) at Account Settings → “Delete Account”.
  • Portability: on request via the contact form we will export your data as JSON within 30 days.
  • Restriction, objection, or complaint: use the contact form. You also have the right to lodge a complaint with your national data-protection authority.

7. Data retention

  • Account data: until you delete your account.
  • Reading history (raw rows): 30 days, then aggregated.
  • Contact-form submissions: retained indefinitely for spam-pattern matching; you may request deletion via the contact form.
  • Logs (Vercel + Supabase): per provider defaults, typically 7-30 days.

8. International transfers

Your data is processed in the EU (Supabase) and the US (Vercel, OpenAI, Anthropic, Resend, Google Analytics). Transfers to the US rely on each provider’s Standard Contractual Clauses and applicable adequacy mechanisms.

9. Children

The Service is not directed at users under 16. If you believe a child has created an account, use the contact form and we will delete it.

10. Changes to this policy

Material changes will be emailed to registered users at least 14 days before taking effect. The latest version is always at https://prc-resources.org/privacy.

11. Contact

For all privacy requests, use the contact form. Our canonical domain is https://prc-resources.org.