Skip to content

Privacy Policy

Effective: June 13, 2026Last updated: June 13, 2026Version: 1.0.0

Effective date: 13 June 2026 Last updated: 13 June 2026 Version: 1.0.0

Faith Is Fire is a Christian ministry operated by Norman Bermúdez and Rosselyn Ramírez, individuals resident in Italy (together, "we", "us"). This Privacy Policy explains what personal data we collect on faithisfire.com, how we use it, who we share it with, how long we keep it, and the rights you have under the European Union's General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Italian Legislative Decree 196/2003 ("Codice Privacy") as amended by Legislative Decree 101/2018.

We are not a registered company, association, or non-profit. We are private individuals offering free Christian content. This Policy is written in plain language as required by Article 12(1) GDPR.

1. Who is responsible for your data (data controllers)

The joint data controllers under Article 26 GDPR are:

  • Norman Bermúdez
  • Rosselyn Ramírez

Both resident in Italy. You can contact us about anything in this Policy at:

Email: fire@faithisfire.com

This is the only email channel we operate. There is no postal address for written contact at this time; if you need one, please request it by email and we will provide it directly.

Data Protection Officer (DPO): none designated. As individual controllers processing only newsletter contact data on a small scale and not engaging in systematic monitoring or large-scale processing of special-category data, we are not required to appoint a DPO under Article 37 GDPR.

As joint controllers under Article 26 GDPR, Norman and Rosselyn have agreed in writing on their respective responsibilities: Rosselyn is the primary point of contact for data-subject requests sent to fire@faithisfire.com; Norman is the technical custodian of the subscriber database. Both are jointly and severally responsible toward you for compliance with GDPR. A summary of this internal arrangement is available on request.

2. What data we collect and why

We collect only the minimum data needed to operate this site. Today, we collect:

2.1 Newsletter subscription data

When you subscribe to The Fire Circle newsletter, we collect:

| Data | Purpose | Legal basis | | -------------------------------------------------------------- | ---------------------------------------------------------------- | -------------------------------------------------------------------- | | Email address | Send you the newsletter and the double opt-in confirmation email | Consent — Art. 6(1)(a) GDPR | | Language preference (EN or ES) | Send the newsletter in your chosen language | Consent — Art. 6(1)(a) GDPR | | IP address at signup | Audit trail to demonstrate valid consent — Art. 7(1) GDPR | Legal obligation to demonstrate consent — Art. 6(1)(c) + Art. 7 GDPR | | Browser user-agent at signup | Same as above | Same as above | | Timestamp of consent | Same as above | Same as above | | Version of the consent text you accepted | Same as above | Same as above | | Confirmation timestamp (when you click the double opt-in link) | Confirm a valid subscription | Consent + Art. 7 GDPR | | Unsubscribe timestamp (if you unsubscribe) | Honor your withdrawal of consent | Consent + Art. 7(3) GDPR |

We do not collect your name, age, gender, location beyond what your IP address implies, payment data, or any other category. We do not process special categories of personal data (Article 9 GDPR).

Providing your email is voluntary. If you do not provide it, the only consequence is that you cannot receive The Fire Circle newsletter. There is no other service or content on this site that requires your data.

2.2 Server logs

Our hosting provider (Vercel) keeps standard server logs (IP address, request URL, response code, user-agent) for security, abuse prevention, and reliability. The legal basis is our legitimate interest under Article 6(1)(f) GDPR in operating a secure service. You have the right to object to this processing under Article 21 GDPR; in practice this would mean we can no longer serve you the site. Vercel retains these logs under its own retention policy (typically 30 days for access logs).

2.3 Video embeds

When you click play on a YouTube video embedded on this site, we use youtube-nocookie.com (YouTube's privacy-enhanced mode). No YouTube cookies are set on your device until you click play. After you click play, YouTube may set cookies and process data under its own privacy policy (https://policies.google.com/privacy).

2.4 No analytics, no advertising

We do not use Google Analytics, Plausible, PostHog, Vercel Analytics, Hotjar, Meta Pixel, Google Ads, or any other tracking or advertising tool. We do not sell, rent, or share your data with advertisers.

2.5 No cookies that require consent

We do not set first-party cookies for tracking, analytics, or advertising. The only cookies that may be present are strictly necessary cookies set by the platform (e.g., session cookies needed for the site to work), which are exempt from consent under Article 122 of the Codice Privacy and EDPB guidance.

3. How we obtain your consent

When you subscribe to the newsletter, you must:

  1. Enter your email address;
  2. Tick a checkbox confirming you have read this Privacy Policy and consent to receive the newsletter at the email you provided.

The checkbox is not pre-ticked. You can submit the form only after ticking it. We log the timestamp, IP address, user-agent, and the exact version of the consent text shown to you. This is our audit trail under Article 7(1) GDPR.

After you submit the form, we send a confirmation email with a single-use link ("double opt-in"). Your subscription is not active until you click that link. Until then, your email sits in a pending state and is automatically deleted if you do not confirm within 30 days.

4. Who we share your data with (processors and recipients)

To operate the site and the newsletter we use the following service providers ("data processors" under Article 28 GDPR), each of which is contractually bound to process your data only on our instructions:

| Processor | Role | Country | Transfer safeguard | | --------------------------- | -------------------------------------- | ------------- | ------------------------------------------------------------------------------- | | Vercel Inc. | Website hosting | United States | EU-US Data Privacy Framework (DPF) certification + Standard Contractual Clauses | | Supabase Inc. | Database (your subscription record) | United States | Standard Contractual Clauses (Art. 46 GDPR) | | Resend Inc. | Newsletter email delivery | United States | Standard Contractual Clauses (Art. 46 GDPR) | | GitHub Inc. (Microsoft) | Automated newsletter dispatch pipeline | United States | EU-US Data Privacy Framework (DPF) certification |

We do not share your data with any other party. We will never sell or rent it. We will only disclose data if compelled by a lawful order from an Italian or EU authority.

5. International transfers (data leaving the EU)

All four processors above store and process data in the United States. Transfers outside the European Economic Area are protected by either:

  • EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023), where the processor is DPF-certified; and/or
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), per Article 46(2)(c) GDPR.

You can request a copy of the safeguards by emailing fire@faithisfire.com.

6. How long we keep your data (retention)

| Data | Retention period | | ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Pending (unconfirmed) subscription record | 30 days, then deleted | | Active subscription record + consent audit trail | For as long as your subscription is active, plus 24 months after you unsubscribe (kept solely to demonstrate that valid consent existed at the time of subscription — Art. 7(1) GDPR). The 24-month window balances Art. 5(1)(c) GDPR data minimization against the ordinary 5-year civil-limitation period under Art. 2947 of the Italian Civil Code; we have chosen this conservative window rather than the full statutory limit. | | After the 24-month archive period | Anonymized (email hashed) or deleted | | Server logs (Vercel) | Per Vercel's retention policy | | YouTube playback data | Per YouTube's own policy |

You can request earlier deletion by emailing fire@faithisfire.com — see Section 7.

7. Your rights

Under Articles 15 to 22 GDPR and the Codice Privacy you have the right to:

  • Access (Article 15) — ask us what personal data we hold about you and receive a copy;
  • Rectification (Article 16) — ask us to correct inaccurate data;
  • Erasure / "right to be forgotten" (Article 17) — ask us to delete your data;
  • Restriction of processing (Article 18) — ask us to pause processing while a dispute is resolved;
  • Data portability (Article 20) — receive your data in a machine-readable format and have it transmitted to another controller;
  • Objection (Article 21) — object to processing based on legitimate interests (not currently applicable, since we rely on consent);
  • Withdraw consent at any time (Article 7(3)) — without affecting the lawfulness of processing before withdrawal.

How to exercise these rights

Send an email to fire@faithisfire.com with:

  • Your request (e.g., "I want a copy of my data," "Please delete my data");
  • The email address you used to subscribe (so we can locate your record);
  • If you write from a different email, a short statement confirming the subscription email is yours.

We respond within one month of receiving your request, as required by Article 12(3) GDPR. This may be extended by two further months for complex requests; we will tell you within the first month if that applies.

Exercising any of these rights is free of charge for the first request (Article 12(5)).

Unsubscribing from the newsletter

The fastest way to withdraw consent is the unsubscribe link at the bottom of every newsletter email. One click is enough — no login, no form. Withdrawal is effective immediately. We then keep only the audit-trail record described in Section 6 to prove your subscription was valid while it lasted.

8. Your right to complain to the supervisory authority

If you believe we have violated your data-protection rights, you have the right under Article 77 GDPR to lodge a complaint with the supervisory authority. For Italy, the competent authority is the:

Garante per la Protezione dei Dati Personali Piazza Venezia, 11 — 00187 Roma, Italia Web: https://www.garanteprivacy.it

You may also complain to the supervisory authority of the EU Member State where you live or work.

9. Children

Faith Is Fire is intended for adults. We do not knowingly collect data from children under the age of 14 — the digital-consent age set by Italy in Article 2-quinquies of Legislative Decree 196/2003 (introduced by Legislative Decree 101/2018), exercising the option Article 8(1) GDPR grants Member States to derogate from the default age of 16. If you believe a child has subscribed, please write to fire@faithisfire.com and we will delete the record.

10. Automated decision-making

We do not make any automated decisions that produce legal effects on you, and we do not profile you. Article 22 GDPR does not apply.

11. Security

Personal data is stored encrypted at rest (Supabase managed Postgres) and transmitted over TLS. Access to the database is restricted to the controllers. No system is perfectly secure; if a breach affecting your data occurs, we will notify the Garante within 72 hours as required by Article 33 GDPR and notify you directly if the breach poses a high risk to your rights (Article 34 GDPR).

12. Changes to this Policy

We will update this Policy if we add new processors, new processing purposes, or new categories of data. The Effective date, Last updated, and Version at the top will change. For substantive changes (new processor, new purpose, retention extension), we will notify active subscribers by email at least 15 days before the change takes effect, and you can withdraw consent if you do not accept the change.

Older versions of this Policy are kept in the public repository of this site at docs/legal/ so you can compare.

13. Contact

Questions, requests, complaints: fire@faithisfire.com.

This Privacy Policy is provided in good faith and in compliance with Articles 13 and 14 GDPR. It is not legal advice. We recommend that you also read the Terms of Service.