Skip to main content

Privacy policy

Last updated: May 20, 2026

Our promise, in one sentence

Your church’s data is not our product. You pay for the platform. We protect your data so you keep paying for the platform. That’s the whole arrangement.

What we do with your data

  • Run the app for you.Store your people, attendance, messages, and notes so they’re there when you sign in tomorrow.
  • Send the emails and texts you ask us to send. Connect-card alerts, weekly summaries, broadcast messages.
  • Bill you.Stripe handles the card; we keep a record of which plan you’re on.
  • Generate your weekly summaryby sending a small set of metrics (attendance counts, visitor first names, follow-up counts) to Anthropic’s Claude API. No emails, phones, addresses, notes, or prayer requests are sent. If you’d rather not use AI at all, we’ll fall back to a non-AI template — let us know.
  • Learn what’s working in the product, in-house, by looking at anonymized event counts (e.g., “how many churches added their first person in week one”). The events we track are restricted by code to event names and counts — we cannot log a name, email, phone, message body, or prayer request as an event property even if we wanted to.

What we don’t do

  • We don’t sell your data. Not to advertisers, not to data brokers, not to anyone. There is no scenario in which a third party pays us for access to your data.
  • We don’t show you ads, and we don’t put ads on top of your data.
  • We don’t profile your members for any purpose other than helping you serve them. No psychographic scoring, no likelihood-to-give models sold to anyone, no list rentals.
  • We don’t train AI models on your data. When we send a metrics payload to Claude to write your weekly summary, Anthropic’s API terms say that input is not used for training, and the payload deliberately excludes content like notes and prayer requests.

Who actually has access

  • Your team.Whoever you’ve invited as a member, admin, or owner of your church. Our database enforces this with row-level security — even if someone bypassed the app, the database would refuse to hand them another church’s data.
  • Mosaic Ridge.As the platform operator, we can access any church’s data via our admin tools — for support, billing investigations, and product debugging. We log when this happens. We’re working toward customer-controlled audit logs (post-launch).
  • The vendors below, each acting under their own privacy policy and security commitments.

The vendors we use

Supabase (database, hosted on AWS)
Everything you enter into the app. Primary data store.
Vercel
The HTTP requests your team makes to the app. App hosting.
Stripe
Your billing email and your card (collected directly by Stripe’s checkout — we never see card numbers). Subscriptions.
Resend
The “to” address, subject, and HTML body of any email we send on your behalf. Email delivery.
Twilio
The phone number and message body for any SMS we send on your behalf. SMS delivery.
Anthropic
A small structured metrics payload (attendance counts, visitor first names, follow-up counts) once a week per church. No notes, no prayer requests, no emails, no phones. Weekly summary generation.
Sentry
Crash reports and error stack traces when something breaks in the app. Our configuration drops personally identifying information (PII) from error context before events are sent. Knowing when the app is broken.

We do not use Google Analytics, PostHog, Mixpanel, Segment, Hotjar, Fullstory, or any other third-party analytics tool. Product analytics live in our own database and never leave it.

How long we keep your data

  • While your church is active:indefinitely, so it’s there when you sign in.
  • When you delete a church:every people record, attendance check-in, message, note, group, follow-up, and connect-card submission is cascade-deleted from our database. We keep a small audit record showing that a deletion happened (the church name, who deleted it, and when), so we can answer questions later if someone asks “was my church really deleted?”
  • Backups:our database provider keeps point-in-time backups for a short window (typically 7–30 days depending on plan). After that window expires, the deleted data is gone from backups too.
  • Stripe records: even after you delete your church, Stripe retains invoice records as required for tax and chargeback purposes. We do not delete those.
  • Vendor copies:Resend, Twilio, and Sentry each retain their own copies under their own policies (typically 30 days to 13 months). We can’t reach into their systems to purge those for you, but the underlying data they hold is limited to what we sent them (e.g., a sent email’s “to” address).

Deleting your data

Two paths, both in the app under Settings → Account → Danger zone:

  • Delete church.Owner-only. Requires your password and typing the church’s name. Cancels your subscription and erases the entire church.
  • Delete account.Removes you personally. If you’re the sole owner of any church, you’ll need to delete that church first (or hand off ownership) — we don’t want to silently destroy a 200-person ministry because you closed your laptop.

We process deletions immediately. There is no 30-day grace period. If you want the grace period, don’t click the button.

Children

Churches may enter information about minors as part of their member directory. That information is managed by the church and governed by their own policies. We don’t knowingly collect data directly from children under 13 outside of what their church enters about them.

Your rights

  • See your data:the entire app is your data — sign in and look at it. CSV export is available for the people list.
  • Correct your data: edit it directly in the app.
  • Delete your data: the danger-zone actions above.
  • Ask us a question: support@ministrymanager.io.

Security posture

  • All data in transit is encrypted with TLS.
  • All data at rest is encrypted by our database provider.
  • We use row-level security at the database layer so the app couldn’t accidentally hand church A’s data to church B even if it tried.
  • We never store card numbers — Stripe handles those.
  • We never store SMS or email content in the customer’s browser; it’s server-rendered and ephemeral on the wire.

Changes

If we change anything material in this policy, we’ll email everyone with an active account. The latest version always lives here.

Contact

Questions, deletion requests, or anything else: support@ministrymanager.io.

Terms of service