
Privacy Policy

Effective date: May 2026

Overview

Bnei Israel is a scholarly timeline of the Children of Israel. We collect minimal data, use it only to provide the service, and never sell it to third parties. This policy explains what we collect, why, and how you can control it.

Authentication — Supabase

We use Supabase to manage user accounts and sessions. When you sign in via email magic-link or Google OAuth, Supabase stores:

  • Your email address
  • An encrypted session token (stored in a secure, HttpOnly cookie)
  • Your OAuth provider identifier (if you use Google sign-in)

We create a profile record linked to your account that stores your patron status and subscription date. We do not store passwords — authentication is passwordless.

Supabase stores data on servers located in the EU (Frankfurt) by default. Their privacy policy is available at supabase.com/privacy.

Patron Payments — Ko-fi

Patron memberships and one-time tips are processed through Ko-fi (ko-fi.com). When you support us, Ko-fi sends a webhook to our server containing:

  • A unique message ID (for idempotency)
  • Your email address (so we can link your contribution to your account)
  • Your display name as entered on Ko-fi
  • The transaction type (Tip, Subscription, Commission, Shop Order), amount, currency, and tier name if applicable

We log every webhook payload in our Supabase events table for audit purposes. We also store a patron_events record that links your transaction to your account when a match is found. Each payload is processed exactly once — duplicates from Ko-fi retries become no-ops.

We do not store payment card details — Ko-fi handles all payment processing. Ko-fi's privacy policy is at ko-fi.com/legal/privacy.

Webhook calls are authenticated via a static verification token sent inside the JSON payload, compared in constant time to a secret only our server knows. Ko-fi does not currently offer HMAC signatures; payloads without a valid token are rejected.
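The webhook checks described above (constant-time token comparison, then once-only processing keyed on the message ID), as an added example that is not this site's code. The field names `verification_token` and `message_id`, the in-memory set standing in for the events table, and all sample values are assumptions.

```python
import hmac
import json

# Constructed sample secret; a real deployment loads it from server-side config.
EXPECTED_TOKEN = "constructed-secret-token-0001"

# Constructed sample delivery. Field names are assumed, not taken from the policy.
SAMPLE_DELIVERY = json.dumps({
    "verification_token": EXPECTED_TOKEN,
    "message_id": "constructed-msg-0001",
    "type": "Tip",
    "email": "patron@example.org",
}).encode("utf-8")

# Stand-in for a unique constraint on the message ID in the events table.
_seen_message_ids = set()


def handle_kofi_webhook(raw_body: bytes, expected_token: str = EXPECTED_TOKEN) -> str:
    """Classify one delivery as 'rejected', 'duplicate' or 'processed'."""
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and invalid UTF-8
        return "rejected"
    if not isinstance(payload, dict):
        return "rejected"

    token = payload.get("verification_token")
    message_id = payload.get("message_id")
    if not isinstance(token, str) or not isinstance(message_id, str) or not message_id:
        return "rejected"

    # compare_digest does not stop at the first differing byte, so response
    # timing does not reveal how much of a guessed token was correct.
    # Encoding to bytes avoids its ASCII-only restriction on str arguments.
    if not hmac.compare_digest(token.encode("utf-8"), expected_token.encode("utf-8")):
        return "rejected"

    # Deduplicate only after authentication, so an unauthenticated request
    # cannot reserve a message ID and block the genuine delivery.
    if message_id in _seen_message_ids:
        return "duplicate"
    _seen_message_ids.add(message_id)
    return "processed"
```

Because the token travels inside the payload rather than as a signature over it, this check authenticates the sender but does not detect a body altered in transit; TLS on the webhook endpoint covers that.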

Cookies & Local Storage

We use the following cookies:

Name              Purpose                                          Duration
sb-access-token   Supabase session — authenticates API requests    Session
sb-refresh-token  Supabase session refresh — keeps you signed in   1 week

No advertising, analytics, or third-party tracking cookies are set. The site works fully if you block all optional cookies.

Data You Provide

We collect data only when you actively provide it:

  • Sign-in: email address used to create your account.
  • Patron support: your email as forwarded by Ko-fi in a webhook.

We do not run analytics scripts, ad trackers, or social-media pixels. Server logs (request IP, timestamp, path) are retained for up to 30 days for security purposes.

Data Retention & Deletion

Your account data is retained until you request deletion. To delete your account and all associated data, email us at privacy@bneiisrael.com. We will process deletion requests within 30 days.

Patron event audit logs are retained for 12 months for fraud-prevention purposes, then purged.

Your Rights

You have the right to:

  • Access — request a copy of all data we hold on you.
  • Rectification — correct inaccurate personal data.
  • Erasure — request deletion of your account and data.
  • Portability — receive your data in a machine-readable format.

To exercise any of these rights, contact privacy@bneiisrael.com.

Contact

Questions about this policy? Email privacy@bneiisrael.com.