Reverend Steven Milanese | Autodidactic Polymath, Natural Philosopher, & Systems Alchemist

Privacy Policy

Effective Date: 6/22/2025

1. Introduction

Welcome to stevenmilanese.com ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you visit our website.

2. Information We Collect

2.1 Information You Provide

  • Contact Form Data: When you use our contact form, we collect your name, email address, and message content.
  • Chat Messages: If you use our AI chat assistant "Gilfoyle," we collect your messages, a session identifier, and conversation history (limited to 20 requests per 15 minutes for rate limiting).
  • Scripture Sharing: When you share scripture via email, we collect the recipient's email address, your name, personal message, and selected scripture verses (limited to 5 emails per hour).
  • Notification Subscriptions: If you subscribe to notifications, we collect your name, email address, and content preferences.
  • Error Reports: When you report a 404 error, we may collect your email address (optional) and the error details.

2.2 Automatically Collected Information

  • Analytics Data: We use Zerocookie, a privacy-focused analytics service, which collects anonymized page view data without using cookies or tracking individual users.
  • Technical Data: Your IP address may be temporarily processed for rate limiting purposes to prevent abuse.
  • Local Storage: We store your theme preference, chat session ID, game progress, scripture bookmarks, reading history, and notification preferences locally on your device.

3. How We Use Your Information

We use the collected information for the following purposes:

  • To respond to your inquiries via our contact form
  • To provide AI-powered chat assistance through our "Gilfoyle" assistant
  • To send scripture verses with personalized AI-generated pastoral messages via email
  • To deliver publication notifications and updates you've subscribed to
  • To acknowledge and address 404 error reports
  • To analyze website traffic and improve user experience (anonymized data only)
  • To prevent abuse and ensure website security through rate limiting
  • To remember your preferences (theme, game progress, scripture bookmarks)

4. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • All data transmissions are encrypted using HTTPS
  • Authentication tokens are stored in secure, httpOnly cookies
  • JWT authentication with enforced two-factor authentication (2FA) for admin access
  • Comprehensive rate limiting: Chat (20/15min), Scripture sharing (5/hr), API (100/15min)
  • We sanitize all user inputs using DOMPurify to prevent security vulnerabilities
  • Content Security Policy (CSP) headers with nonce generation
  • Bcrypt password hashing for administrative accounts

5. Third-Party Services

We use the following third-party services:

  • Zerocookie Analytics: Privacy-focused analytics that doesn't track individual users
  • Ghost CMS: For blog content management
  • Anthropic Claude API: Powers our AI chat assistant "Gilfoyle" and generates pastoral messages for scripture sharing
  • External Embeds: YouTube, audio players, and Wikipedia content are only loaded after you explicitly consent by clicking on them
  • Email Service: SMTP services for sending scripture shares and notifications (no third-party tracking)

6. Cookies

We use minimal cookies:

  • Authentication Cookie: If you access admin features, a secure authentication cookie is used
  • No Tracking Cookies: We do not use any third-party tracking cookies

7. Data Retention

We retain your data only for as long as necessary to provide our services:

  • Contact form messages: Retained until responded to, then deleted within 30 days
  • Chat conversations: Session-based, cleared after 24 hours of inactivity
  • Scripture sharing logs: Retained for 7 days for rate limiting purposes
  • Error reports: Retained for 90 days for debugging purposes
  • Notification subscriptions: Until you unsubscribe

8. Your Rights

You have the following rights regarding your personal data:

  • Access to your personal data
  • Correction of inaccurate data
  • Deletion of your data
  • Objection to data processing
  • Data portability

To exercise these rights, please contact us using the information provided below.

9. GDPR and CCPA Compliance

If you are a resident of the European Union or California, you have additional rights under GDPR or CCPA respectively, including:

  • The right to know what personal information we collect
  • The right to opt-out of any sale of personal information (Note: We do not sell your data)
  • The right to non-discrimination for exercising your privacy rights

10. Children's Privacy

Our website is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated effective date.

12. Contact Information

If you have any questions about this privacy policy or our data practices, please contact us at: