Privacy
This page is the truthful map of what MercyChain holds about you, why we hold it, and what we have decided not to hold. It applies to Pearl Shell, R2E, Anvil, the SONO Card service, and the People directory — together, the MercyChain apps. We have written it to be read, not skimmed.
Our shape, before the details
We do not run advertising. We do not sell or rent your information. We do not measure you for the benefit of strangers. We do not run third-party analytics, session recorders, or behavioural trackers. We do not run on a public blockchain, so the things you carry inside MercyChain do not become public the moment you carry them. Most of what follows is a careful description of how we live up to those choices.
What we collect when you create a shell
Your name, your email, and — if you choose to add it — your phone number in international format. A unique identifier for your shell (the shell address) and a short shell user code, generated for you. The choices you have made inside Pearl Shell: PIN status (we store a hash, not the PIN itself), whether you have turned on biometric unlock (we store the toggle; the biometric template never leaves your device), and the language and accessibility preferences you have set.
What we collect when you use R2E
The sacred and knowledge books you have selected. The page you were assigned today, and the pages you have completed. The verse you chose to keep, in the form of a pearl: its denomination, its serial number, the book and chapter and verse it came from, the date you kept it. Your reading streak and totals. We do not record what time you started reading, how long you paused, or what you scrolled past. The reading is yours; only the pearl is kept.
What we collect when pearls move
Every transfer of a pearl between two shells leaves a record: the sending shell, the receiving shell, the denomination, the serial number, the date and time, and the small note you may have attached. The record is visible to the two shells involved and to us — it is not visible to anyone else. We keep it for the lifetime of the shell, because the integrity of pearls depends on a continuous chain of custody. If you close your shell, the records on your side are removed; the records on the other side remain, because they belong to the other person.
What we collect when you use Anvil
The photographs you upload, stored on Cloudinary — our chosen storage provider — under a private path keyed to your shell. The notes you write on each photograph. The lists you build, the items inside them, the prices you estimate, and the dates you set. The opinions your friends mark — yes, no, neutral — on photographs you have asked them about, and any comment they chose to leave. None of this is used to train an artificial-intelligence model. None of this is shown to anyone you have not chosen to show it to.
What we collect when you use the SONO Card
The unique identifier of each card you register, the name you have given it, the daily limit you have set, and the status you have chosen for it (active, frozen, lost, pending replacement). When a card is tapped, we record only what is needed to route the tap: the card identifier, the time of the tap, and the device that received it. We do not record where, in the world, the tap happened.
What we collect — and what we do not — when you use People
When you import your contacts, the phone numbers and email addresses are turned into one-way fingerprints — cryptographic hashes — on your device, before any of them leave it. Only the fingerprints are sent to us. The plain phone number and email of someone you have not yet contacted stay on your device. The plain version is used only when you choose to send an invitation through WhatsApp — and that message goes through WhatsApp, not through us. We do not keep a copy of your address book on our side.
What we collect when shells find each other nearby
When you turn on Connect Nearby, your phone broadcasts a small Bluetooth beacon containing the address of your shell — and only that — for a window you control (default two minutes). We do not record where you were, who else was in the room, or how long you stayed. The beacon ends when you stop it, or when the timer expires.
Where your data lives
Your shell, your pearls, your transactions, your contracts, your loans, and your reading progress live on Supabase, our database provider. Your photographs and the assets they reference live on Cloudinary. Authentication — the act of proving you are you, when you sign in — happens through Supabase Auth and, if you choose, through Google Sign-In. We may add or change providers in the future; if and when that happens, we will update this page and tell you what has moved and why.
Permissions your phone grants the app
Camera, for the QR scanner and for taking photographs in Anvil. Photo Library, for picking existing photographs in Anvil. NFC, for tapping SONO Cards. Bluetooth, for finding nearby shells through Connect Nearby. Contacts, for matching your address book against the existing shells (read locally; only fingerprints leave the device). Location, required by the Android Bluetooth API as a side effect of Bluetooth scanning; we do not use your location for any other purpose. Biometrics, for unlocking your shell and authorising transactions, with the biometric template kept by your phone — never by us. Notifications, for telling you when a pearl has arrived, a request has been made, or an invitation has been opened.
How long things are kept
Shell account, pearls, and transaction records: as long as your shell is open. When you close the shell, we remove what is removable on our side and tell you, plainly, what is not (transfers leave a trace on the other side, in another person’s shell). Anvil photographs: until you delete them, or until you close Anvil within your shell, whichever comes first. Pending gift treasury: 24 hours from the moment a knowledge pearl is sent to a person who does not yet have a shell; if no one claims it within that window, the pearl returns to the treasury, not to you. The Spiral cache: one day; refreshed at midnight, every day, by your shell.
Children
MercyChain is not designed for, or directed at, children under thirteen. We do not knowingly collect personal data from children. If you believe we have, please write to us and we will remove it.
Your rights
You can ask for a complete copy of what we hold about you. You can ask us to correct anything that is wrong. You can ask us to close your shell, and we will. You can revoke any permission from your phone’s settings and the corresponding feature will simply stop working — no protest, no nag screen, no penalty. To exercise any of these rights, write to us at mercychain@snoxfedc.com. We aim to answer within seven days.
When law asks
If a court of competent jurisdiction asks us for information about a shell, we will respond as the law requires — and we will, where the law permits, tell the person whose shell it is. We will not volunteer information to anyone, public or private, without a clear legal obligation. We have not, to date, received any such request. If that ever changes, we will say so on this page.
Security
All traffic between your shell and our servers is encrypted in transit. Our database access is limited to a small number of named engineers, and changes are logged. We do not store your PIN; we store a hash that allows us to confirm the PIN you typed is the one you set, without ever holding the original. If we ever suffer a breach that may have exposed your information, we will tell you, in plain language, what happened and what we are doing about it — within the timelines the law requires, and sooner where we can.
Changes to this page
When we change anything that affects what we collect, why, or what we do with it, we will update the date at the top of this page and notify you inside the app. Continuing to use MercyChain after a change means you accept the new version; if you do not, you can close your shell at any time.