Summary: Vespera is a Catholic spiritual app published by OakDev & AI AB, a company registered in Sweden. We take your privacy very seriously and comply fully with the EU General Data Protection Regulation (GDPR), the Swedish Data Protection Act (2018:218), and applicable international privacy laws. This policy explains in full detail what personal data we collect, why, how it is used, how long it is kept, and what rights you have. Please read it carefully.
01 Data Controller & Contact Information
The data controller responsible for the processing of your personal data in connection with the Vespera application and website is:
As data controller, OakDev & AI AB determines the purposes and means of processing your personal data. All questions, requests, and complaints relating to the processing of your personal data should be directed to the contact above. We will respond to all verified requests within the timeframes required by applicable law, and in any event within thirty (30) calendar days.
02 Scope of This Policy & Definitions
This Privacy Policy applies to:
- The Vespera mobile application for iOS and Android (the "App");
- The Vespera website located at https://vespera.oakdev.app (the "Website");
- Any related services, features, content, or applications offered by OakDev & AI AB in connection with Vespera (collectively, the "Services").
This Policy does not apply to third-party websites or services that may be linked to from the Services. We encourage you to read the privacy policies of any third-party services you access.
Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person (the "data subject") as defined under GDPR Article 4(1).
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and erasure.
- "Reflections" means the in-app currency unit used within the Vespera App, representing the number of spiritual category visits a user may make.
- "Blessed" means the paid subscription tier available within the Vespera App, providing enhanced access to reflections and content.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "EEA" means the European Economic Area.
- "We," "Us," "Our" refers to OakDev & AI AB.
- "You," "Your" refers to any individual using our Services.
03 Personal Data We Collect
We collect personal data in several ways: directly from you when you use the App or Website, automatically through your device, and from third-party platforms through which you access or purchase the App.
3.1 Data You Provide Directly
- Account registration data: If you create an account, we collect your email address and any display name or username you choose to provide. Passwords, if applicable, are stored in hashed form and never in plain text.
- Support communications: When you contact us at hello@oakdev.app, we process the content of your messages, your email address, and any information you voluntarily include.
- Feedback and survey responses: If you choose to participate in user research or submit feedback, we process the content of those communications.
3.2 Data We Collect Automatically
- Device identifiers: Device model, operating system version, unique device identifiers (such as IDFA on iOS or Android Advertising ID), and App instance identifiers.
- Usage data: Which categories within the App you visit, frequency and timing of App sessions, screens viewed, features used, and the number of reflections consumed and remaining.
- Technical data: IP address, network type (Wi-Fi or cellular), time zone, language settings, App version, and crash reports.
- Log data: Server-side logs including request timestamps, referral URLs, and error logs for debugging and security purposes.
- Performance data: App load times, crash diagnostics, and ANR (Application Not Responding) data to improve App stability.
3.3 Data From Third-Party Platforms
- App Store (Apple): When you download or purchase the App through the Apple App Store, Apple processes the transaction. We may receive aggregate or anonymized purchase confirmation data from Apple, but we do not receive your Apple ID, payment card details, or billing address.
- Google Play Store: When you download or purchase the App through Google Play, Google processes the transaction. We may receive aggregate or anonymized purchase confirmation data from Google, but we do not receive your Google Account details, payment card details, or billing address.
- In-App Purchase APIs: We receive purchase receipt validation confirmations (not payment details) to confirm and activate Blessed tier status.
04 Special Category Data (Sensitive Personal Data)
Important: Under GDPR Article 9, data revealing religious beliefs constitutes a "special category" of personal data and attracts heightened protection. Because Vespera is an application explicitly providing Catholic spiritual content, your use of the App may reveal, or allow inferences about, your religious beliefs or practices. We take this responsibility with the utmost seriousness.
Specifically, the following aspects of your App usage may fall within or be inferred to relate to religious belief data:
- The categories of spiritual content you access (e.g., Morning Prayer, Rosary Reflections, Eucharistic Devotion);
- The frequency and pattern of your spiritual engagement within the App;
- Your use of the Vespera App itself as an indicator of Catholic religious practice.
We process such data only on the basis of your explicit consent (GDPR Article 9(2)(a)), which you provide by voluntarily downloading and using the App after reading this Privacy Policy. You may withdraw this consent at any time by deleting your account and ceasing use of the App (see Section 12 — Your GDPR Rights).
We do not sell, rent, share, or otherwise disclose any data that reveals, or could be used to infer, your religious beliefs to any third parties for advertising, profiling, or commercial targeting purposes. Such data is used solely to deliver and improve the spiritual content features of the App.
We do not require you to identify yourself as Catholic or confirm any religious affiliation to use the App. The App is available to anyone who finds value in its content.
05 Legal Basis for Processing
We only process your personal data where we have a valid legal basis under GDPR Article 6 (and Article 9 for special category data, where applicable). The following table sets out our legal bases for each category of processing:
| Processing Activity | Legal Basis | GDPR Reference |
|---|---|---|
| Providing the App and its features | Performance of a contract (Terms of Service) | Art. 6(1)(b) |
| Account creation and management | Performance of a contract | Art. 6(1)(b) |
| Processing in-app purchases (Blessed tier) | Performance of a contract | Art. 6(1)(b) |
| Managing your reflection balance | Performance of a contract | Art. 6(1)(b) |
| Responding to customer support requests | Legitimate interests (customer service) | Art. 6(1)(f) |
| App analytics and usage statistics | Legitimate interests (improving our Services) | Art. 6(1)(f) |
| Security monitoring and fraud prevention | Legitimate interests (protecting our Services) | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Processing religious belief data (App usage patterns) | Explicit consent | Art. 9(2)(a) |
| Marketing communications (if applicable, opt-in only) | Consent | Art. 6(1)(a) |
Where we rely on legitimate interests as a legal basis, we have conducted a balancing test to confirm that our interests are not overridden by your fundamental rights and freedoms. You may request further information about these balancing tests by contacting us.
Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.
06 How We Use Your Personal Data
We use your personal data for the following purposes:
Service Delivery
- To create, maintain, and manage your account;
- To deliver the spiritual content categories you access;
- To track and deduct your reflection balance, and to credit Reflections upon valid purchases;
- To activate and maintain your Blessed tier subscription status;
- To send you transactional notifications (e.g., purchase confirmations, low reflection balance alerts, where you have opted in to notifications).
Security and Integrity
- To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activity;
- To verify the validity of in-app purchase receipts;
- To monitor for unauthorized access to our systems;
- To enforce our Terms of Service.
App Improvement and Analytics
- To understand how users interact with the App in order to improve features, content, and performance;
- To diagnose technical problems, crashes, and errors;
- To measure aggregate usage patterns (we use anonymized or aggregated data wherever possible for analytics).
Legal and Regulatory Compliance
- To comply with applicable Swedish and EU law, including VAT and accounting obligations (Swedish Bookkeeping Act, Bokföringslagen);
- To respond to lawful requests from public authorities, courts, or law enforcement agencies;
- To establish, exercise, or defend legal claims.
Customer Support
- To respond to your inquiries and resolve technical issues;
- To process account deletion requests submitted through our designated channels.
We will never use your personal data to display advertisements within the App. Vespera contains no advertising whatsoever.
We will never use your personal data for automated individual decision-making that produces significant effects on you, without appropriate safeguards as required by GDPR Article 22.
07 Reflections System & In-App Purchases
"Reflections" are the in-app unit within Vespera that represent a user's available spiritual category visits. One (1) reflection is consumed each time you access a content category. This is a core functional feature of the App, not a monetary transaction on our platform — reflections are not a crypto-asset, token, or financial instrument of any kind.
Your reflection balance is personal data in the sense that it is associated with your account and reflects your usage of the App. We process this data on the basis of contract performance (to deliver the agreed service).
Blessed Tier (Paid Subscription)
The Blessed subscription tier is offered through the native in-app purchase mechanism of the Apple App Store or Google Play Store. All payment processing is handled exclusively by Apple or Google. OakDev & AI AB does not at any time receive, store, or process your payment card details, bank account information, or billing address.
We receive from Apple or Google only a purchase receipt token and a confirmation of the purchase status (active, expired, refunded). This information is used solely to activate, maintain, and deactivate your Blessed tier access within the App.
For subscription billing disputes, refunds, or billing inquiries, please contact Apple Support or Google Play Support directly, as these transactions are governed by their respective terms and privacy policies.
08 Disclosure and Sharing of Personal Data
We do not sell, rent, trade, or otherwise commercially disclose your personal data to third parties for their own marketing or commercial purposes. We may share your personal data in the following limited circumstances:
8.1 Service Providers (Data Processors)
We engage certain trusted third-party service providers who process personal data on our behalf and under our documented instructions. These are "data processors" under GDPR. All processors are bound by written data processing agreements that comply with GDPR Article 28. Current categories of processors include:
- Cloud infrastructure and hosting providers for storing App data and serving content;
- Analytics providers for aggregated, anonymized App usage analysis;
- Crash reporting services for diagnosing technical errors;
- Customer support tools for managing email correspondence.
8.2 Platform Providers
Apple (App Store) and Google (Google Play) act as independent data controllers when you transact with them. Their processing of your data is governed by their own privacy policies.
8.3 Legal Requirements
We may disclose your personal data if required to do so by law, court order, or binding request from a competent governmental or regulatory authority. Where legally permissible, we will notify you of such a request before disclosing your data.
8.4 Business Transfers
In the event of a merger, acquisition, sale of assets, or other corporate restructuring, your personal data may be transferred to a successor entity, subject to the same protections as described in this Policy. We will notify you of any such transfer and provide you the opportunity to delete your data if the new entity's privacy practices are materially different from this Policy.
8.5 Protection of Rights
We may disclose personal data to enforce our Terms of Service, to protect the rights, safety, and property of OakDev & AI AB, our users, or others, or to detect and prevent fraud or illegal activity.
In all cases, we share only the minimum amount of personal data necessary for the stated purpose (the principle of data minimisation under GDPR Article 5(1)(c)).
09 Third-Party Services & Integrations
The App and Website may use or interact with the following categories of third-party services. Each third party operates under its own privacy policy, and we encourage you to review them:
| Service Category | Purpose | Data Shared | Location |
|---|---|---|---|
| Apple App Store | App distribution and in-app purchases (iOS) | Purchase receipts, device identifiers | USA (SCCs apply) |
| Google Play Store | App distribution and in-app purchases (Android) | Purchase receipts, device identifiers | USA (SCCs apply) |
| Cloud hosting | Backend infrastructure | Account data, usage logs | EU/EEA (preferred) |
| Crash analytics | App stability diagnostics | Device info, stack traces (no PII required) | EEA or USA (SCCs) |
| Email service | Customer support correspondence | Email address, message content | EEA or USA (SCCs) |
"SCCs" refers to the Standard Contractual Clauses adopted by the European Commission for international data transfers, as described in Section 10.
We do not integrate advertising networks, cross-app tracking frameworks, or third-party data brokers of any kind into Vespera.
10 International Transfers of Personal Data
OakDev & AI AB is incorporated in Sweden and your personal data is primarily processed within the European Economic Area (EEA). However, some of our third-party service providers (such as Apple and Google) are located in, or may transfer data to, countries outside the EEA, including the United States.
When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place, as required by GDPR Chapter V. These safeguards include:
- Standard Contractual Clauses (SCCs): The European Commission-approved contractual clauses for international data transfers (Commission Implementing Decision (EU) 2021/914), incorporated into our data processing agreements with processors located outside the EEA;
- Adequacy decisions: Where the European Commission has determined that a third country ensures an adequate level of data protection;
- Other appropriate safeguards as recognised under GDPR Article 46.
You may request a copy of the relevant transfer mechanisms by contacting us at hello@oakdev.app.
11 Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, username) | Duration of account + 30 days after deletion request | Contract performance |
| Reflection balance and usage history | Duration of account + 30 days after deletion | Contract performance |
| Purchase/subscription records | 7 years from transaction date | Swedish Bookkeeping Act (Bokföringslagen) Ch. 7, § 2 |
| Customer support communications | 3 years from resolution | Legitimate interests (legal claims) |
| Crash and error logs | 90 days | Legitimate interests (stability) |
| Aggregated analytics data | Indefinitely (anonymized — not personal data) | N/A (not personal data) |
| Server access logs | 12 months | Legitimate interests (security) |
| Data subject rights correspondence | 5 years | Legal obligation (demonstrating compliance) |
At the end of the applicable retention period, personal data is securely deleted or anonymized in a manner that ensures it cannot be reconstructed. Where we are unable to delete data due to legal or regulatory obligations, we will inform you of this when responding to a deletion request.
12 Your Rights Under GDPR
As a data subject under GDPR, you have the following rights with respect to your personal data. You may exercise any of these rights by contacting us at hello@oakdev.app. We will respond within one (1) calendar month of receiving your request. This period may be extended by a further two months where necessary, considering the complexity and number of requests, in which case we will notify you within the first month.
We will not charge a fee for responding to your rights requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act, in accordance with GDPR Article 12(5).
We may require verification of your identity before acting on a rights request to prevent unauthorized disclosure or deletion of another person's data.
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process personal data concerning you, and if so, to receive a copy of that data along with supplementary information about how it is processed.
Right to Rectification (Art. 16)
You have the right to request the correction of inaccurate personal data and to have incomplete data completed, including by providing a supplementary statement.
Right to Erasure — "Right to be Forgotten" (Art. 17)
You have the right to request the erasure of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required by law. You may also submit a deletion request through our dedicated page at /delete-account.
Please note that we may retain certain data after erasure where required by legal obligation (e.g., financial records required under the Swedish Bookkeeping Act).
Right to Restriction of Processing (Art. 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, including while the accuracy of the data is contested, or while we assess an objection you have raised.
Right to Data Portability (Art. 20)
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit that data to another controller.
Right to Object (Art. 21)
You have the right to object at any time to processing of your personal data based on our legitimate interests (GDPR Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims. You may also object at any time to processing for direct marketing purposes (if applicable).
Rights Related to Automated Decision-Making (Art. 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. We do not currently engage in such automated decision-making with respect to our users.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.
How to exercise your rights: Email hello@oakdev.app with the subject line "Data Subject Rights Request" and specify which right(s) you wish to exercise. We will acknowledge receipt within 72 hours and fulfil your request within one calendar month.
13 California Privacy Rights (CCPA / CPRA)
If you are a resident of the State of California, United States, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section supplements the GDPR rights described above.
Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers (e.g., email address, device ID);
- Internet or other electronic network activity information (e.g., App usage data, interaction records);
- Inferences drawn from personal information (e.g., user preferences derived from category usage patterns).
Your California Rights
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. You do not need to opt out, as this activity does not occur.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Services.
To exercise any California right, please contact us at hello@oakdev.app. We will respond within 45 days. If necessary, we may extend this by a further 45 days with notice.
14 Children's Privacy
The Vespera App is not directed at, and we do not knowingly collect personal data from, children under the age of thirteen (13) in the United States or under the age of sixteen (16) in the European Union (as applicable under Member State law, including Sweden where the age is thirteen (13) pursuant to GDPR recital 38 and the Swedish Data Protection Act).
If you are a parent or guardian and believe that a child under the applicable minimum age has provided personal data to us without your consent, please contact us immediately at hello@oakdev.app. We will take prompt steps to delete such information from our systems.
If we become aware that we have collected personal data from a child below the applicable minimum age without verifiable parental consent, we will delete that information without undue delay.
Users aged thirteen (13) through seventeen (17) may use the App only with the knowledge and supervision of a parent or guardian. The parent or guardian assumes responsibility for ensuring such use complies with this Policy.
15 Security Measures
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with GDPR Article 32 and the principle of security by design and by default.
Technical Measures
- All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher;
- Data at rest is encrypted using industry-standard encryption algorithms;
- Passwords are never stored in plain text; they are hashed using strong, salted algorithms;
- Access to production systems and personal data is restricted on a need-to-know basis and protected by multi-factor authentication;
- Regular security updates and vulnerability patching are applied to all systems;
- API endpoints are protected against common attack vectors including SQL injection, cross-site scripting (XSS), and brute-force attacks.
Organisational Measures
- Internal data protection policies governing how personal data is handled by our team;
- Confidentiality obligations for all personnel who have access to personal data;
- Vendor due diligence for all third-party processors;
- Periodic review of our security practices and data flows;
- An incident response procedure for handling data breaches (see Section 17).
Notwithstanding the above, no method of transmission over the internet or electronic storage is entirely secure. While we take our security obligations seriously, we cannot guarantee absolute security. If you have reason to believe that your account has been compromised, please contact us immediately at hello@oakdev.app.
16 Cookies & Tracking Technologies
Website
The Vespera website at https://vespera.oakdev.app may use strictly necessary cookies and similar technologies required for the Website to function correctly (e.g., session management). We do not currently use analytics cookies, advertising cookies, or third-party tracking cookies on our Website without your prior consent. Where consent is required under Directive 2002/58/EC (the ePrivacy Directive) and applicable Swedish law (Lagen om elektronisk kommunikation), we will obtain it before placing non-essential cookies.
Mobile App
The Vespera App does not use web cookies. The App may use:
- App instance identifiers (e.g., Firebase Installation ID) for backend communication and crash reporting;
- Platform advertising identifiers (IDFA on iOS, Android Advertising ID on Android) — we access these only where permitted by the platform and only for analytics, never for advertising. On iOS, we comply with Apple's App Tracking Transparency (ATT) framework and only access the IDFA with your explicit permission.
You may opt out of device advertising identifier use at any time via your device settings: iOS: Settings → Privacy & Security → Tracking; Android: Settings → Google → Ads → Opt out of Ads Personalization.
17 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of the breach, in accordance with GDPR Article 33.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with GDPR Article 34. Such notification will include, at minimum:
- A description of the nature of the breach;
- The name and contact details of our Data Protection contact;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and, where applicable, to mitigate its possible adverse effects.
If you become aware of or suspect a security incident involving our Services, please notify us immediately at hello@oakdev.app.
18 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. All updates will be posted on this page with an updated "Last updated" date.
For material changes — defined as changes that expand the scope of personal data collected, change the purposes for which it is used, or reduce your rights — we will provide prominent notice through the App and/or via email (if you have provided one) at least thirty (30) days before the change takes effect.
Your continued use of the Services after the effective date of any revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree to the updated terms, you should cease using the Services and may request deletion of your account.
We maintain an archive of previous versions of this Policy, which is available upon request.
19 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
As we are a Swedish company, the competent supervisory authority is:
We would, however, always appreciate the opportunity to address your concerns before you approach the supervisory authority. Please contact us first at hello@oakdev.app so we may endeavour to resolve the matter to your satisfaction.
20 Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
This Privacy Policy was drafted in the English language. In the event of any conflict between an English version and a translation, the English version shall prevail.
© 2026 OakDev & AI AB. VAT SE559431678701. All rights reserved. This Privacy Policy constitutes a legally binding document governed by the laws of Sweden and the applicable law of the European Union.