Security you can see.

Every table that holds personal content (prayers, journal entries, voice transcripts, scripture interactions, anchor completions, AI summaries) has Postgres row-level security policies that limit reads to the row owner.

The database refuses to return rows that do not belong to the authenticated user, even if a query forgets a where clause. Our admin dashboard cannot read your content. It can only see aggregate metrics like row counts and dates for cost monitoring.

If you bring your own OpenAI or Anthropic key, we encrypt it with AES-256-GCM using a 32-byte master key (BYOK_MASTER_KEY) that lives in our deployment platform, not in the database.

Each encryption uses a fresh 12-byte initialization vector and authenticated additional data bound to your user ID and the provider name, preventing row-swap attacks. We never display the raw key after you save it. Only a fingerprint (sk-ant-...F0Ji) shows in the UI.

When a key fails, we soft-revoke it immediately and surface a friendly error. We never silently fall back to charging our platform AI budget for your call. That would be both a cost leak and a trust violation.

Supabase Postgres encrypts every byte at rest in AWS US-East. Voice audio files in Supabase Storage use the same infrastructure encryption. Backups are encrypted.

BYOK keys carry a second layer of encryption on top of the database default, because they are a higher-value target than ordinary content.

AnchoredTime never uses your prayers, journal entries, or any personal content to train AI models. We pass content to Anthropic or OpenAI only for the specific feature you invoked, then discard it.

Per the public API policies of those providers, content sent via their APIs is not used to train their models. Their Terms differ from consumer ChatGPT or Claude.ai apps, where free-tier use can be used for training. AnchoredTime uses API-only.

Errors and breadcrumbs are reported to Sentry for debugging. Before any payload reaches Sentry, our scrubber strips Anthropic, OpenAI, and OpenAI legacy key shapes plus Bearer tokens and master-key fragments.

Authorization, x-api-key, anthropic-api-key, and x-byok-key headers are deleted from request payloads before transmission. The scrubber runs on both beforeSend and beforeBreadcrumb so failed-fetch breadcrumbs cannot leak keys either.

Settings includes a one-click data export. We package every prayer, journal, scripture interaction, and voice transcript as JSON, drop it into Storage, and email you a 24-hour signed download link.

Account deletion runs the same instant. We hard-delete BYOK keys, anonymize usage ledger rows (so financial records stay accurate but contain no personal identifier), and remove your auth row. Done within seconds.