Privacy Policy
Last updated: May 7, 2026 · Version 1.3.0
Who We Are
Cathedra Institute (cathedrainstitute.org) is a free theological education platform. Cathedra Institute is the data controller for personal data processed through this site — we determine the purposes and means of processing, and we are the entity you can contact about your data. We are committed to protecting your personal data, especially the religious and spiritual information you share with us. For privacy questions or data requests, contact us at [email protected].
What Data We Collect
When you create an account and use our services, we collect:
- Account information: Name, email address.
- Faith profile: Faith background, denomination, theological familiarity, prayer tradition, preferred biblical languages, and learning goals. You provide these during onboarding (subject to the explicit consent described below) and can update or delete them at any time.
- Learning progress: Which lessons you have completed and your exercise scores.
- AI conversations: Messages exchanged with our AI-powered features (Safe Questions, Prayer Guidance, Self-Examination).
- Prayer requests: Content you post in prayer groups.
- Session data: Authentication cookies required to keep you signed in.
- Audit logs: Sensitive events on your account — sign-in, sign-out, profile changes, email changes, AI feature use, data exports, account deletion — recorded with the originating IP address and timestamp for security and abuse prevention.
Legal Bases for Processing
We rely on the following lawful bases under the GDPR, the UK GDPR, and other applicable privacy laws:
- Account creation, login, course progress, and certificates — performance of a contract with you (Article 6(1)(b)). Without this data we cannot run the service you signed up for.
- Faith profile, prayer requests, prayer group membership, and AI conversations with our religious or spiritual features — your explicit consent (Article 6(1)(a) and Article 9(2)(a) for special-category data). See Religious and Spiritual Data below.
- Audit logs (including IP addresses) and security notifications — our legitimate interest in protecting users and the platform from misuse (Article 6(1)(f)). We have weighed this interest against your rights: the data collected is minimal (action, your account identifier, IP, timestamp), retention is bounded to one year, IP addresses are never used for marketing or profiling, and access is restricted to security investigations.
- Email-verification codes and security notifications about your account — performance of a contract and our legitimate interest in account security.
- Certificates issued for completed credit-track courses — our legitimate interest in maintaining accurate academic records, and where applicable the establishment, exercise, or defence of legal claims (Article 17(3)(e)). See Certificate Retention Exception below.
Religious and Spiritual Data
Religious and spiritual information is treated as special-category data under GDPR Article 9, the UK GDPR, and other applicable privacy laws.
Explicit consent is required. Before Cathedra collects or processes religious or spiritual information about you, we require a separate explicit consent action distinct from account creation. This consent is recorded with a timestamp, the version of this policy in effect at the time you gave it, and the exact consent text you accepted. You may withdraw this consent at any time from My Portal → My Profile; withdrawing consent removes the religious-profile fields from your profile and ends future processing of religious data under your account. We also provide controls to delete prior AI conversations, prayer-request posts, and prayer-group memberships where technically possible and legally permitted; you may use these controls separately from withdrawing consent. Withdrawing consent does not automatically remove prayer requests already visible to other group members unless you delete those posts or request deletion where available.
The religious data we process under this consent is:
- Faith profile fields: faith background, denomination, theological familiarity, prayer tradition, learning goals.
- Prayer requests posted to prayer groups.
- Prayer group memberships.
- The content of your AI conversations (Safe Questions, Prayer Guidance, Self-Examination).
Filling in religious information is optional. You can complete account onboarding, enroll in courses, and use any non-AI feature without providing religious data and without granting this consent. Granting consent only enables the religious-personalization features above.
How We Use Your Data
- Personalization: Your faith profile is used to personalize AI interactions so they speak in terms familiar to your tradition.
- Service delivery: Learning progress tracks your advancement through courses. AI conversations maintain context within a session.
- Community: Prayer requests are visible to members of the prayer group where they are posted (see Data Sharing below for visibility rules).
- Security and abuse prevention: Audit logs are reviewed when investigating suspicious activity, abuse, or security incidents.
We do not sell your data, share it for behavioural advertising, use it for marketing profiling, or share it with third parties except the operational providers listed under Third Parties Who Receive Your Data.
AI Processing
Our three AI features — Safe Questions, Prayer Guidance, and Self-Examination — send your messages to a language model for inference. Each feature is currently routed as follows:
- Safe Questions: Currently routed to a local language model running on infrastructure we operate directly. No third-party AI provider receives the prompt or response.
- Prayer Guidance: Currently routed externally via OpenRouter (openrouter.ai) to the Qwen3-235B-A22B-2507 model. The full conversation (your message and prior turns in the same conversation) is sent to OpenRouter, which forwards it to a model-hosting provider that serves that model. We configure OpenRouter to use only the model listed here for Prayer Guidance and do not intentionally authorize substitution. We also instruct OpenRouter to route only to model-hosting providers whose terms prohibit retaining prompts for training, via the data_collection: deny request preference; OpenRouter excludes any provider that does not meet that constraint. Brief abuse-detection logging at the model-hosting provider may still apply. Where the specific model-hosting provider for a given request is identifiable from the routing metadata, we record it. OpenRouter and its model-hosting providers are based in the United States.
- Self-Examination: Always routed to a local language model running on infrastructure we operate directly. Self-Examination content is never routed to a third-party AI provider — reflecting the particularly sensitive nature of introspective spiritual content. If Cathedra ever needs to change this, we will notify affected users in advance and obtain renewed explicit consent before any external routing of Self-Examination content takes effect.
Each feature's routing reflects the configuration in effect at the “Last updated” date at the top of this policy. If we change the routing of Safe Questions or Prayer Guidance in a way that adds or expands external processing, we will update this policy and reflect the change in the “Last updated” date before the change takes effect. If you would prefer not to use a feature whose current routing is external, do not use that feature.
AI conversation messages are stored in our database encrypted at rest using AES-256-GCM with a key derived from a server secret. A leak or backup of the database alone would not expose conversation content. Cathedra operators with administrative access to the running service can decrypt them only when necessary for: a security investigation, an abuse report, a legal obligation we are required to comply with, or a support request where you have specifically asked us to inspect the content. Such access is recorded in our audit-log system. Client-side encryption, where even our operators cannot decrypt, is on our roadmap for Self-Examination.
Paper Submissions and Grading
When you submit a paper to Cathedra for grading:
- The paper file is stored on Cathedra’s servers.
- The text content is extracted from your file and stored in our database.
- The extracted text is sent to an AI model for grading against the assignment rubric. The model is selected per assignment by the course author (admin-configurable). For assignments graded by OpenRouter-routed models, every grading request is sent with provider.data_collection: deny, instructing the provider not to retain the text for training.
- Only the AI model reads your paper. No human reviewer sees it.
- Submissions are deleted after 365 days (configurable in the platform’s data-retention settings).
- Your identity is associated with your submission for grade-record purposes; submissions are not anonymized.
When a submission is deleted (after the retention period or upon your erasure request), we retain a one-way cryptographic hash of the paper text. The hash cannot be reversed to recover your paper. It is not associated with your user account, your assignment, or any other identifying data. We use it only to detect when a deleted paper is later resubmitted by a different user.
First-Party Operations
We run our own authentication, email, and database infrastructure rather than using third-party providers for those functions. Your sign-in credentials, transactional emails, and account data live on servers we operate directly. As a normal part of operating an email server, outgoing-mail logs may briefly contain the body of transactional emails (including verification codes for the duration of their 10-minute validity window). Such logs are retained for up to 30 days, then automatically rotated and deleted.
Third Parties Who Receive Your Data
Cathedra remains the data controller for your personal data. The following processors and operational providers receive your data on our behalf or by virtue of how the internet works. We use these providers only where we have appropriate contractual safeguards in place — such as a Data Processing Agreement, the European Commission Standard Contractual Clauses, or equivalent terms — governing their processing of personal data on our behalf.
- Cloudflare — provides TLS termination, DDoS protection, and edge proxying for all HTTP traffic to cathedrainstitute.org. Cloudflare's privacy policy applies to the edge layer.
- OpenRouter — AI-inference routing for the Prayer Guidance feature (see AI Processing above). OpenRouter forwards Prayer Guidance requests to a model-hosting provider serving the configured model.
Current AI subprocessor list (as of the “Last updated” date):
- OpenRouter, Inc., for routing Prayer Guidance requests to the configured Qwen3-235B-A22B-2507 model. Where OpenRouter identifies the model-hosting provider in routing metadata, Cathedra records that provider for audit and data-request purposes.
We do not engage any other operational sub-processors for personal data. If we add one, we will update this section and the “Last updated” date.
International Data Transfers
Cathedra's primary infrastructure is hosted in third-party data centers located in the United States. If you access the service from outside the United States — including from the European Economic Area, the United Kingdom, or Switzerland — your interactions with Cathedra (account creation, learning progress, and any AI features you choose to use) involve transferring your personal data to the United States. When AI features are routed via OpenRouter, your conversation content is similarly transferred to United States providers.
For transfers from the EEA, UK, or Switzerland to the United States we rely on applicable transfer mechanisms, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum or IDTA where required, and supplementary safeguards appropriate to the sensitivity of the data being transferred.
Data Sharing — Prayer Groups
When you post a prayer request to a prayer group, the content is visible to all current and future members of that group, not just members at the time of posting. If a new member joins the group after you post, they can read your past requests. If you leave or are removed from a group, you lose access to past requests in that group. If you are uncomfortable with this scope, do not post sensitive content as a prayer request — consider instead the Self-Examination feature, whose content is private to you and never routed externally.
Marketing Communications
If you sign up for our newsletter or any other marketing communication, we collect your email address and, optionally, your first name. We use double opt-in: after you submit the form, we send a confirmation email and you only join the list when you click the link. We record the date, time, and originating IP address of both your submission and your confirmation click as evidence of consent.
We store this information on infrastructure we own and operate. No third-party processor has access to it.
We retain your subscription record while it is active. If you unsubscribe, we delete your record within 30 days. You can request immediate deletion at any time by contacting [email protected] or using the data deletion controls in your account portal.
Every marketing email we send includes a one-click unsubscribe link in the footer.
Cookies
We use only essential cookies required for authentication (keeping you signed in). These are session-scoped or short-lived (auto-expire when you log out or after a short period of inactivity).
We also set a small functional cookie called cathedra_prelaunch_modal to remember whether you have dismissed or completed the pre-launch signup modal on our home page, so it does not reappear on every visit. This cookie contains no user-identifiable information and is not shared with anyone.
We do not use tracking cookies, analytics cookies, third-party cookies, advertising cookies, or marketing pixels. Because the only cookies we set are strictly necessary for the service you requested, no separate cookie-consent banner is required under EU/UK ePrivacy rules; we still display a brief notice on first visit so you know what's happening.
Data Retention
- Your account data (profile, progress) is retained for as long as your account is active.
- Self-Examination conversations are automatically deleted after 90 days.
- Prayer Guidance conversations are automatically deleted after 90 days.
- Safe Questions conversations are automatically deleted after 1 year.
- Audit logs (including IP addresses) are retained for 1 year for security and abuse-investigation purposes; they are then permanently deleted.
- Mail-server transactional logs (Postfix delivery, Dovecot access, Rspamd anti-spam) are retained for up to 30 days, then automatically rotated and deleted.
- When you delete your account, your data is removed from active systems immediately and from encrypted backups within 30 days. Two limited exceptions survive deletion: academic certificates (see Certificate Retention Exception) and legal-acceptance records (see Legal-Acceptance Retention Exception) below.
Certificate Retention Exception
If you complete a credit-track course, Cathedra issues an academic certificate that captures a snapshot of your name, the course title, the course version, the credit hours, and the learning outcomes at completion time. These certificates are retained as immutable academic records even after account deletion, because their purpose is to allow third parties (employers, institutions, accrediting bodies) to verify your academic record after the fact. The lawful bases for this retention are our legitimate interest in maintaining accurate academic records and, where applicable, the establishment, exercise, or defence of legal claims (GDPR Article 17(3)(e)).
If you delete your account, your certificates remain on file with the snapshot of your name as it was at completion. If you believe your case warrants redaction (for example, if your name is sensitive for safety reasons), email [email protected] and we will review on a case-by-case basis.
Legal-Acceptance Retention Exception
Cathedra retains records of your acceptance of these Terms of Service and this Privacy Policy — including the version accepted, the date and time, the originating IP address and user-agent, and a SHA-256 hash of the document text presented at the time of acceptance — even after account deletion. The lawful bases for this retention are our legitimate interest in maintaining proof of contractual agreement and the establishment, exercise, or defence of legal claims (GDPR Article 17(3)(e)).
These acceptance records contain only the technical metadata of your agreement. They do not contain your name, email, or other directly identifying information beyond the system-generated account identifier you were issued at sign-up; when the rest of your account is deleted, that identifier no longer resolves to a living user record. Records are retained for seven (7) years after account deletion or last activity, whichever is later — covering the longest applicable contract-claim statute-of-limitations period in our governing jurisdiction with a reasonable buffer for late-arising claims. After that period elapses, the records are deleted in our normal data-purge cadence.
Acceptance records are stored in a tamper-evident hash chain: each record cryptographically references the immediately preceding record, so any unauthorized edit, deletion, reordering, or insertion is detectable on verification. We have a CLI verification tool we run periodically to confirm chain integrity.
In addition to the in-database hash chain described above, we anchor the chain’s current head to a third-party RFC-3161 time-stamping authority (FreeTSA) once a day. The resulting timestamp is signed by the TSA’s certificate, not ours, and proves that the anchored hash existed by the TSA’s signing time independent of any state Cathedra controls. Combined with the hash chain, this means an acceptance row can be verified as having existed by a specific date—without trusting our database—down to roughly a one-day granularity.
Right to a copy of your acceptance record. While your account is active, you can retrieve your own acceptance records at any time as JSON from /api/legal/my-acceptances or by emailing [email protected] with the subject line “Acceptance Record Request.” We will provide a copy at no charge within a reasonable time, ordinarily ten (10) business days. After account deletion, the records remain on file under this exception; you can still request a copy by email using the deletion-time email address as identification.
Your Rights (EU / UK / EEA)
If you are in the EU, UK, or EEA you have the right to:
- Access your data: Download a complete copy of all your personal data from your portal (My Portal → Download My Data). The export includes your decrypted AI conversation contents.
- Correct your data: Update your profile at any time (My Portal → My Profile).
- Delete your data: Delete your Self-Examination history, or delete your account and personal data from active systems (My Portal → Delete Account), subject to the limited exceptions described in Data Retention, Certificate Retention Exception, and Legal-Acceptance Retention Exception.
- Withdraw consent: You may stop using the service and delete your account at any time. The explicit consent for religious data can be withdrawn separately from My Profile, which clears the religious-profile fields without deleting the rest of your account.
- Object to processing: Contact [email protected] to object to specific processing or request a restriction.
- Data portability: The export under “Access your data” is in a structured, machine-readable JSON format suitable for transferring to another service.
- Lodge a complaint: If you believe we are mishandling your data, you have the right to lodge a complaint with your local data-protection authority. We will cooperate fully with any such investigation.
California Privacy Notice (Where Applicable)
California state law (CCPA / CPRA) grants California residents specific privacy rights over their personal information when the entity processing it qualifies as a covered business. Cathedra extends the protections below to California residents whether or not Cathedra meets the statutory thresholds, as a matter of policy.
- Know: What categories of personal information we collect, the categories of sources, the purposes for which it is used, and the categories of third parties (if any) with whom it is shared. The relevant categories are described above under What Data We Collect, How We Use Your Data, and Third Parties Who Receive Your Data.
- Access and portability: Receive a copy of the personal information we hold about you. Use My Portal → Download My Data.
- Delete: Request deletion of your personal information. Use My Portal → Delete Account, or contact us. The exceptions described in Data Retention, Certificate Retention Exception, and Legal-Acceptance Retention Exception apply.
- Correct: Request correction of inaccurate personal information. Use My Portal → My Profile, or contact us.
- Opt out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. There is no opt-out to exercise because no such sale or sharing occurs.
- Limit use of sensitive personal information: Religious or philosophical beliefs are sensitive personal information under CPRA. We use them only to personalize your study experience — never for advertising, profiling, or sale — and you may delete them at any time from My Profile.
- Non-discrimination: We will not deny service, charge different prices, or provide a different level of quality because you exercised any of these rights.
Automated Decision-Making
Cathedra does not subject your data to automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you. AI features generate study and reflection content in response to your interactive prompts, but no decisions are taken about your eligibility, access, pricing, or any other matter on the basis of automated processing.
Breach Notification
In the event of a personal-data breach affecting your data, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required by law, and we will notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms. Notifications will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take.
Security
We protect your data with:
- AES-256-GCM encryption for AI conversation content at rest
- SSL/TLS encrypted database and cache connections
- Password-protected and TLS-encrypted Redis cache
- Access controls so you can only see your own data
- Operational access by maintainers limited to security investigations, abuse reports, legal obligations, or support requests where you have asked us to inspect the relevant content, and recorded in our audit-log system
- All administrative access to user content is subject to role-based access controls and is auditable
- Step-up authentication required for sensitive operations (email change, account deletion)
- Email notifications to your previous address when your email is changed
- Rate limiting on AI, TTS, and account-management endpoints
- Industry-standard OIDC authentication with optional TOTP and passkey support
- Encrypted secrets management for our own infrastructure
Children
Cathedra is intended for adults and older teens engaged in theological study. By creating an account, you represent that you are at least 13 years of age. We do not knowingly collect personal information from anyone under 13, in compliance with the U.S. Children's Online Privacy Protection Act (COPPA). As a matter of policy, we do not knowingly allow EU/UK users under 16 to create accounts without verifiable parental consent. We do not collect birthdates and rely on this representation at sign-up; if you are a parent and believe a child under the applicable minimum age has created an account, contact us at [email protected] and we will delete the account and associated data without undue delay.
Changes to This Policy
We may update this policy as Cathedra evolves — for example, when AI feature routing changes, when we add or change processors, or when regulatory requirements change. The “Last updated” date at the top of this page reflects the most recent revision. For material changes that affect how we process the data of existing users, we will make reasonable efforts to notify you through the email address on your account before the changes take effect, and we may require you to re-affirm your consent (including your explicit consent for religious data) before continuing to use affected features.
Contact
For privacy questions, data-access requests, deletion requests, or to withdraw consent, contact [email protected].