Privacy Policy
Last updated · May 25, 2026
1. Definitions
For the purposes of this Privacy Policy, the following capitalized terms have the meanings set out below:
- “Flint,” “we,” “us,” or “our” refers to hypetheory LLC, a Texas limited liability company that operates the Service.
- “Service” refers to the Flint text-based companion product, accessed via walkwithflint.com and via SMS, iMessage, and RCS messaging.
- “You” or “your” refers to the individual using the Service, or the entity on whose behalf they are using it.
- “Personal Information” means information that identifies, relates to, describes, or is reasonably capable of being associated with you.
- “Conversation Content” means the text content of inbound and outbound messages, your replies to check-ins, prayer requests, journal entries, and any personal facts the Service infers from your messages.
- “Processor” means a third-party service provider that processes Personal Information on our behalf to operate the Service.
2. Introduction
Flint is a product of hypetheory LLC. This Privacy Policy explains how we collect, use, disclose, and protect Personal Information when you use the Service.
By creating an account or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, do not use the Service.
3. The information we collect
We collect the following categories of information so we can provide and improve the Service:
3.1 Account and identity information
- Email address (collected via our authentication provider)
- Mobile phone number (required — this is the channel we text you on)
- Your name (if you provide it)
- Your timezone
- Your faith tradition (e.g., Protestant, Catholic, Orthodox, Exploring)
- Your preferred Bible translation
3.2 Payment information
We use Stripe to process payments. Stripe collects and stores your payment-card information directly — Flint does not receive, store, or have access to your full card number, security code, or banking details. We retain Stripe customer identifiers and subscription metadata (status, plan, billing period, locked-in price) for billing administration.
3.3 Conversation and content data
The Service is built around conversation. As a result, we collect and store:
- The full text content of every message you send to and receive from Flint (inbound and outbound)
- Message metadata (timestamps, delivery status, message protocol)
- Vector embeddings (numerical representations) of your messages used for search and memory features
- Your replies to weekly faith goals and daily check-ins, including classifications of those replies (hit, miss, partial, skipped, no response) and any LLM-extracted notes derived from them
- Prayer requests you share with the Service, including title, content, and status
- Journal entries (if the feature is enabled for your account)
- Personal facts about you that the Service's language model may infer from your conversations (for example, family, work, or spiritual context) and store for personalization
3.4 Goal and engagement data
- Your weekly faith goals (kind, title, cadence, schedule)
- Check-in history and outcomes
- An audit log of state changes (e.g., when goals are created, swapped, paused, or resumed)
3.5 Technical and analytics data
- IP address and approximate location (city/region) from server logs
- Browser type, device type, and operating system
- Pages viewed on our website and basic interaction events (sign-up funnel, subscription state changes, feature usage)
- Anonymous session recordings of your interactions with our website (mouse movement, clicks, scrolling, and page navigation), used to diagnose usability issues and improve the funnel. All form inputs (including phone numbers, verification codes, and payment fields) are automatically masked at the browser before any data leaves your device, so we never see what you type
- Phone-number routing and delivery metadata from our SMS provider
- Advertising click-through identifiers and UTM parameters captured from the URL on first visit (for example, ttclid, utm_source), used to measure the effectiveness of our marketing
4. Special-category and sensitive data
The Service is built around faith and spirituality. As a result, the information you share with us may include data that is considered sensitive or special-category under laws including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), including but not limited to:
- Religious or philosophical beliefs
- Mental or emotional health information you choose to share
- Information that the Service's safety classifier may flag as relating to self-harm, abuse, or acute mental-health crisis
By using the Service, you explicitly consent to our processing of this information for the purposes described in this Policy. You may withdraw consent at any time by deleting your account (see Section 9).
5. How we use your information
We use your information to:
- Operate, maintain, and provide the Service
- Send you text messages including daily check-ins, weekly reflections, and responses to your messages
- Generate personalized responses using AI language models (see Section 7)
- Process payments and manage your subscription
- Detect and respond to safety concerns (see Section 8)
- Communicate with you about your account, billing, and service updates
- Analyze usage patterns to improve the Service
- Measure the performance of our marketing and advertising
- Detect, prevent, and address technical issues, fraud, or abuse
- Comply with legal obligations and enforce our Terms of Service
6. Third-party processors
We rely on the following third-party service providers (“Processors”) to operate the Service. Each Processor handles data only as needed to perform its specific function, and each maintains its own privacy practices.
- Clerk — authentication and account management. Clerk Privacy Policy
- Stripe — payment processing. Stripe Privacy Policy
- Linq — SMS, iMessage, and RCS message delivery. Your message content passes through Linq's infrastructure for transmission to and from your phone. Linq Privacy Policy
- OpenRouter — request routing to AI language models. Your message content is transmitted through OpenRouter to AI providers. OpenRouter Privacy Policy
- Anthropic — AI language model provider (Claude). Your message content is sent to Anthropic to generate responses, in accordance with their standard API terms. Anthropic Privacy Policy
- Voyage AI — text embedding generation. Your message text is sent to Voyage AI to produce vector embeddings for memory and search features. Voyage AI Privacy Policy
- PostHog (United States instance) — product analytics. PostHog Privacy Policy
- TikTok — advertising pixel and Events API used to measure the performance of our advertising campaigns. We send TikTok hashed identifiers (phone number, our internal user ID, optionally email), conversion event metadata (subscription events, page views), and the click-through identifier (ttclid) from your original ad click. We do not send your Conversation Content to TikTok. TikTok Privacy Policy
- Convex — backend database and serverless infrastructure. Convex Privacy Policy
- Vercel — web application hosting. Vercel Privacy Policy
We do not sell your Personal Information. We do not share your Conversation Content with advertisers. We do not authorize Processors to use your content for any purpose other than providing their contracted service to us.
We will update this list within a reasonable time after engaging a new Processor that materially affects how we handle your data.
7. AI-generated content
The Service uses artificial intelligence (large language models) to generate responses to your messages, classify your replies, write weekly reflections, and otherwise personalize the experience. You should understand the following:
- AI-generated responses are not authored or reviewed by a human in real time
- AI-generated content may contain errors, including factual inaccuracies, misquoted or misattributed scripture, or theological framing you do not agree with
- Flint is not a substitute for a pastor, priest, counselor, therapist, spiritual director, doctor, attorney, or any other professional advisor
- Your conversations are sent to third-party AI providers (see Section 6) for processing under each provider's standard terms
8. Safety classification and crisis content
To help keep users safe, every inbound message you send is passed through an automated safety classifier. This classifier is designed to detect language suggesting self-harm, abuse, or an acute mental-health crisis. When the classifier flags a message in one of these categories, the Service responds with a hardcoded handoff message directing you to professional crisis resources, such as the 988 Suicide & Crisis Lifeline (call or text 988 in the U.S.) or the Crisis Text Line (text HOME to 741741).
We retain crisis-classified messages along with the rest of your conversation history. We do not proactively report individual crisis content to law enforcement or third parties, except where required by law.
The Service is not a crisis-response service. If you are in immediate danger, please call 911 or your local emergency number. Do not rely on Flint for emergency assistance.
9. Your rights and choices
You have the following rights with respect to your information:
- Access. You may request a copy of the Personal Information we hold about you. Access requests are fulfilled manually by our team.
- Correction. You may request that we correct inaccurate information.
- Deletion. You may request that we delete your account and associated data, including conversation history and derived embeddings. Deletion requests are handled manually by our team upon request. We will fulfill verified deletion requests within 30 days of receipt, subject to any legal retention obligations.
- Export. You may request a portable copy of your conversation history. Export requests are fulfilled manually by our team.
- Opt-out of messaging. Reply STOP at any time to any Flint message to halt all outbound texts. Reply HELP for assistance.
- Withdraw consent. You may withdraw consent to our processing of your information by deleting your account.
To exercise any of these rights, email [email protected]. We may need to verify your identity before completing certain requests.
10. California residents
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have additional rights including the right to know what categories of Personal Information we collect, to delete that information, to correct it, to limit the use of sensitive Personal Information, and to opt out of sale or sharing of Personal Information.
We do not sell your Personal Information. We do not engage in cross-context behavioral advertising. We share limited conversion event metadata (hashed identifiers, click-through tokens) with TikTok solely to measure the performance of our own advertising. We do not enable TikTok or any other advertising partner to retarget you with behavioral ads on the basis of your Service activity, and we do not share your Conversation Content for advertising purposes.
We honor Global Privacy Control (GPC) signals as a valid opt-out request with respect to any sharing of Personal Information for which the right to opt out applies.
To exercise any CCPA rights, email [email protected]. You may also designate an authorized agent to act on your behalf.
11. EEA, UK, and other international users
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other jurisdictions where our Processors operate.
Users in the European Economic Area, United Kingdom, and Switzerland have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws, including the right to access, rectify, erase, restrict processing of, and port their Personal Information, and the right to lodge a complaint with a supervisory authority.
11.1 Legal bases for processing
Where GDPR or equivalent law applies, we rely on the following legal bases to process your Personal Information:
- Consent. Your explicit consent to process special-category data, including religious beliefs and any mental-health-related content you choose to share (see Section 4). You may withdraw consent at any time by deleting your account.
- Performance of a contract. Processing necessary to provide you with the Service you have subscribed to (delivering messages, generating AI responses, managing your subscription).
- Legitimate interests. Improving the reliability, safety, and quality of the Service; measuring the performance of our marketing; preventing fraud and abuse. We balance these interests against your privacy rights and apply this basis only where your rights do not override our interests.
- Legal obligation. Retaining records (e.g., payment data) as required by applicable tax, accounting, or other law.
12. Data retention
We retain your information for as long as your account is active and as needed to provide the Service. After you delete your account, we delete Personal Information within 30 days, except where retention is required by law (for example, payment records may be retained for tax and accounting purposes for up to seven years). Backups containing your data are retained on a rolling basis and overwritten in the ordinary course. Server logs containing IP addresses are retained for up to 30 days for security and debugging purposes.
13. Security
We use industry-standard safeguards to protect your information, including encryption in transit (HTTPS/TLS) and access controls. Your data is hosted in cloud infrastructure with baseline security controls. However:
- We do not provide end-to-end encryption on your messages. Messages can be read by our systems and by the third-party AI providers that process them
- Access to user conversations is restricted to a small operations team and is only exercised for the purpose of investigating reported issues, debugging, or complying with legal obligations
- No system is perfectly secure. We cannot guarantee that unauthorized access will never occur
14. Security incidents
In the event of a Personal-Information breach — that is, an unauthorized access, disclosure, alteration, or loss of your Personal Information — that is reasonably likely to result in a risk to your rights and freedoms, we will:
- Notify affected users without undue delay, and where required by applicable law (such as GDPR Article 33-34) within 72 hours of becoming aware of the breach
- Notify the relevant supervisory authorities where required by law
- Provide affected users with the information needed to evaluate the impact and take protective steps, including the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it
- Investigate and document the incident in line with our internal security procedures
You can report a suspected security issue at any time by emailing [email protected].
15. Children
The Service is intended for adults aged 18 and older. We do not knowingly collect Personal Information from anyone under the age of 18. If we learn that we have collected information from a person under 18, we will delete it promptly. If you are a parent or guardian and believe your child has provided us information, please contact [email protected].
16. Cookies and similar technologies
Our website uses cookies and similar technologies for essential functionality (authentication, session management), preferences (timezone, display options), and analytics. You can control cookies through your browser settings. Disabling cookies may affect your ability to use the Service.
The following categories of cookies and similar technologies are set by or on behalf of the Service:
- Authentication and session — set by Clerk to keep you signed in
- Product analytics — PostHog session and identifying cookies (e.g., ph_*) used to measure funnel performance and feature usage
- Advertising measurement — TikTok Pixel cookies (e.g., _ttp) used solely to attribute paid-ad conversions to our campaigns; not used by us for behavioral retargeting
- Attribution — first-party browser storage of advertising click-through identifiers and UTM parameters captured from the URL on landing, used to attribute eventual signups to the originating campaign
17. Changes to this Policy
We may revise this Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If we make material changes, we will provide additional notice (for example, by email or in-app notification). Your continued use of the Service after a revised Policy is posted constitutes acceptance of the revised Policy.
18. Contact
For privacy-related questions, requests, or complaints, contact us at [email protected].