Security & Privacy Basics
How we keep the site and your optional account data protected—in plain language.
Transport & infrastructure
We use Cloudflare for HTTPS encryption on the vast majority of traffic, DDoS protection, and safe delivery of pages. No personal data is collected unless you choose to sign in—then it is handled through Supabase with encryption in transit and at rest. Sign-in is optional; core reading and local tools work without an account, including offline use where the browser allows it.
XSS & script protection
We enforce a Content-Security-Policy (CSP) and Trusted Types so untrusted scripts and markup cannot take over the page. User-facing strings are sanitized (for example with DOMPurify) before they reach the DOM. Inline scripts use nonces where required by policy. We do not treat raw HTML from users or third-party APIs as safe by default.
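The header-level part of this, as an added illustration (not this site's actual configuration or code): a small JavaScript check that parses a Content-Security-Policy value and flags settings that would undercut the nonce and Trusted Types protections described above. Both sample policies, the nonce value and the `app-sanitizer` policy name are constructed for the example.

```javascript
// Constructed sample policies (not taken from any real site).
const WEAK = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const HARDENED = [
  "default-src 'self'",
  "script-src 'nonce-R4nd0mPerResponse' 'strict-dynamic'", // nonce must be fresh per response
  "object-src 'none'",
  "base-uri 'none'",
  "require-trusted-types-for 'script'",
  "trusted-types app-sanitizer", // hypothetical Trusted Types policy name
].join('; ');

// Parse a CSP header value into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [rawName, ...values] = part.trim().split(/\s+/);
    const name = rawName.toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !(name in policy)) policy[name] = values;
  }
  return policy;
}

// Return a list of findings; an empty list means every check below passed.
function auditCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const directive = p['script-src'] || p['default-src']; // script-src falls back to default-src
  if (!directive) {
    findings.push('no script-src or default-src: script loading is unrestricted');
  } else {
    const scripts = directive.map((s) => s.toLowerCase());
    const hasNonceOrHash = scripts.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    // Browsers ignore 'unsafe-inline' when a nonce or hash is present.
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("'unsafe-inline' without a nonce or hash: injected inline scripts run");
    }
    if (scripts.includes("'unsafe-eval'")) findings.push("'unsafe-eval' permits eval-style sinks");
    if (scripts.includes('*')) findings.push('wildcard script source');
  }
  const tt = (p['require-trusted-types-for'] || []).map((s) => s.toLowerCase());
  if (!tt.includes("'script'")) findings.push('Trusted Types are not enforced for DOM script sinks');
  // base-uri does not fall back to default-src, so it must be set explicitly.
  if (!('base-uri' in p)) findings.push('base-uri not set: an injected <base> can retarget relative URLs');
  return findings;
}
```

`auditCsp(WEAK)` returns four findings and `auditCsp(HARDENED)` returns none; the check covers the response header only and says nothing about whether strings are sanitized before they reach the DOM.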
Privacy quick answers
No. Prayer lines you type in the quiet room are stored with care; we do not monetize them. Newsletter emails go only to the rhythm you pick. See Privacy for the full picture.
We use privacy-minded counts to see which pages help people—never to profile individuals. Search topics are not logged as raw text in our analytics pipeline.
Core verse, plans, and local tools work without an account. Data that belongs on your device generally stays there until you choose sync.
Questions
For details on what we collect, analytics, and your choices, see Privacy. Technical questions or reports: support@todaysdailybattle.com.