Privacy Policy
Last updated: 2026-05-21
1. Who we are
A Pastor App is operated by 153 Comeback Inc. (Arizona, USA), doing business as Operating.Church ("we," "our," "us"). Our mailing address is 4539 North 22nd Street, STE R, Phoenix, AZ 85016. You can reach our privacy team at privacy@operating.church for privacy and data-rights inquiries, or support@operating.church for general support, at any time.
A Pastor App and the Operating.Church platform (collectively, "the Service") are tools for pastors and church staff. The Service helps a pastor track member engagement, generate sermon-based devotional content, process giving, and coordinate church operations through an AI-assisted chat interface.
This Privacy Policy explains what personal information we collect from the pastors and staff who use the Service and from the church members whose information pastors enter into the Service, how that information is used, who it is shared with, how it is protected, and what rights you have over it.
If you are a church member and you want to exercise your rights over your data, the fastest path is to contact your pastor — they control the church account that holds your information. You can also write to us directly at support@operating.church and we will route the request to your pastor and respond to you.
2. Two kinds of users, two roles under data-protection law
Throughout this policy, we distinguish two groups of people:
- Pastor users (account holders). Pastors, church staff, and authorized administrators who create an account, log in, and operate the Service. We are the data controller for pastor-user data.
- Church members (your congregation). People whose names, contact details, attendance, giving, and pastoral notes are entered into the Service by a pastor user. We act as a data processor on behalf of the pastor's church for member data. The pastor's church is the data controller for member data.
Under GDPR terminology this means: if you are a pastor, we are your controller; if you are a member of a church that uses A Pastor App, your church is your controller and we are their processor. We have a Data Processing Agreement with every paying church automatically by virtue of our Terms of Service.
3. Information we collect
3.1 Account information (pastor users)
When you sign up as a pastor, we collect:
- Name and email address
- Password (stored only as a salted hash; we never see your plaintext password)
- Church name, mailing address, and time zone
- Phone number (optional, used for two-factor authentication and support)
- Billing information processed through Stripe (we store a customer ID; full card data is held by Stripe and is never stored on our servers)
3.2 Church member data (entered by pastor users)
Pastors enter information about their congregation into the Service. This typically includes:
- Member names, email addresses, phone numbers, mailing addresses
- Household relationships (spouse, children, guardians)
- Date of birth (used to compute age and identify minors so we can apply additional protections)
- Engagement-stage classification on the 8-stage soul pipeline (Stage 0 First Contact through Stage 7 Sending)
- Attendance history (services, events, small groups)
- Drift scores — a numeric value we compute from attendance and engagement signals to surface members who may need pastoral follow-up
- Pastoral notes written by the pastor or staff
- Visit history and follow-up tasks
- Giving history (donations, dates, amounts, designated funds) where the church uses our Stripe-powered giving feature
3.3 Sermon and content data (entered or generated)
- Sermon recordings, transcripts, and YouTube URLs you upload
- AI-generated devotionals derived from those sermons, before and after pastor review
- Announcements, prayer requests, and other content created in the Service
3.4 Chat and conversation data
When you use the chat-as-OS interface (asking the Assistant Pastor AI questions, drafting messages, reviewing devotionals), we record:
- The text of each message you send and each AI reply
- The chat thread it belongs to
- Pastoral chat history is private to your church account; no other church or pastor can read your threads
3.5 Automatically collected information
When you use the Service, our servers and mobile apps automatically collect:
- IP address, approximate location derived from IP, device type and operating system, app version
- Crash reports and performance metrics (via Apple's standard frameworks and our Railway infrastructure logs)
- Usage analytics — which screens you visit, which AI agents you invoke, response latency
- Push notification tokens (Apple Push Notification service and Firebase Cloud Messaging) when you enable notifications
We do not use third-party advertising trackers or ad networks. The Service contains no ads.
3.6 Information from third parties
If you sign in with Google or Apple, we receive your name and email address from that identity provider. We do not pull your contacts, calendar, or any other data from those accounts without a separate explicit consent prompt.
4. How we use information
4.1 To run the Service
- Authenticate your account, render the interfaces you ask for, compute drift scores, send the push notifications you have enabled, process the giving transactions you initiate, deliver the devotionals you publish.
4.2 To power the Assistant Pastor AI features
When you chat with the Assistant Pastor, generate a devotional from a sermon, draft a message to a member, or trigger any other AI feature, the relevant data is sent to our AI partners (see Section 5). Specifically:
- Your chat prompt, the Assistant Pastor system prompt, your church's member roster (top members by drift risk plus any explicitly referenced names), the last twenty messages of conversation history, and the most recent five sermons are sent to Anthropic (Claude) to generate the response.
- Sermon audio and voice notes are sent to OpenAI Whisper for transcription, and the resulting transcript is sent to Anthropic for devotional or summary generation.
- Outreach planning may query Regrid (parcel and property data) and render maps via Mapbox; in both cases we send only the geographic coordinates required for the requested operation.
- Some AI workloads are routed through Gloo (AI infrastructure) under enterprise terms identical to our direct-vendor terms.
- YouTube video URLs are processed via the public YouTube oEmbed API to fetch metadata; we do not access private YouTube account data.
Anthropic, OpenAI, Gloo, Regrid, and Mapbox are data processors acting on our instructions under their respective enterprise terms. None of them use your data to train general-purpose AI models. Anthropic's policy explicitly excludes API traffic from model training. OpenAI's API terms similarly exclude API traffic from model training, and OpenAI does not retain audio inputs for Whisper beyond the processing window required to return a transcript.
We never sell your data or your members' data to any party.
4.3 To improve the Service
- Aggregate, de-identified usage analytics inform product decisions (which capabilities are used most, where the AI is rejected by pastors, latency hot-spots). Individual pastor or member data is never aggregated outside the church it belongs to.
4.4 To communicate with you
- Transactional emails about your account, billing, and security
- Product update emails about new features (you can opt out of marketing emails at any time; you cannot opt out of transactional emails as long as your account is active)
4.5 To comply with law
- We will disclose information when required by a valid subpoena, court order, or to protect the safety of any person.
5. Third-party processors
The Service operates on infrastructure provided by, and uses features from, the following processors. We have signed Data Processing Agreements with each of them where applicable.
| Processor | Role | Data shared | Location |
|---|---|---|---|
| Anthropic | AI text generation (Claude) | Chat prompts, member roster excerpts, sermon transcripts | United States |
| OpenAI | Audio transcription (Whisper) | Sermon audio and pastoral voice notes | United States |
| Gloo | AI infrastructure routing for select workloads | Same payloads as the underlying model call | United States |
| Regrid | Parcel and property data for outreach planning | Geographic coordinates and bounding boxes | United States |
| Mapbox | Map rendering and geocoding | Geographic coordinates | United States |
| Supabase (AWS) | Primary application database (PostgreSQL) | All structured data | United States |
| Railway | Application server hosting | All API traffic | United States |
| Vercel | Marketing site and dashboard hosting | Marketing-site traffic | United States |
| Stripe | Payment processing for subscriptions and giving | Cardholder and donation data | United States |
| Resend | Transactional email delivery | Email addresses and email content | United States |
| Twilio | SMS delivery for pastoral messaging | Member phone numbers and message content | United States |
| Sentry | Crash and error monitoring | Stack traces, anonymized request metadata | United States |
| Apple (APNs) | iOS push notifications | Device push tokens | Worldwide |
| Firebase Cloud Messaging | Push notifications fallback | Device push tokens | United States |
We will update this table when processors change. Continuing to use the Service after an update constitutes acceptance of the revised list.
6. Where data is stored
All primary storage is in the United States (Supabase on AWS, Railway, Vercel). Backups are encrypted at rest and retained for thirty days.
If your church is located in the European Economic Area, the United Kingdom, Switzerland, or any country with cross-border transfer restrictions, your data is transferred to the United States under the Standard Contractual Clauses approved by the European Commission. We will execute additional SCCs on request from any data controller that requires them.
7. How long we keep data
- Active accounts: As long as you have an active subscription, we keep all data you have entered into the Service.
- Cancelled accounts: Thirty days after you cancel, we permanently delete your church's data from primary storage. Backups age out over the following thirty days. Total retention after cancellation is up to sixty days.
- Chat history: Pastor chat threads can be deleted from inside the app at any time. Soft-deleted threads are hard-deleted by an automated process thirty days after deletion.
- Pastoral notes flagged as confidential: Visible only to the pastor who wrote them and the senior pastor of the church, never to our staff. We have technical controls in place to prevent our engineering team from reading confidential notes outside of an explicit incident-response situation.
- Billing records: Retained for seven years to comply with US and EU tax and accounting regulations.
- Anonymized analytics: Retained indefinitely in de-identified form.
You may request earlier deletion at any time by emailing support@operating.church.
8. Pastoral confidentiality
Member data in A Pastor App includes some of the most sensitive information a person can entrust to a church: spiritual struggles, confession, family conflict, and crises of faith. We treat this data with proportional seriousness.
- Member data is encrypted in transit (TLS 1.2+) and at rest (AES-256 at the database layer).
- Our employees have no access to member data or pastoral notes unless responding to a specific incident reported by the pastor account holder, and any such access is logged.
- We do not use member data for any purpose other than running the Service for the pastor's church. We never use it for marketing, profiling, or advertising.
- The Assistant Pastor AI is explicitly instructed (and contractually constrained by our agreement with Anthropic) never to use a member's data for any output other than to serve the pastor who controls that church.
If your church handles legally privileged pastor-penitent communications under your state's clergy-privilege statute, the same protections you apply in pastoral counseling apply to data in A Pastor App. We will resist subpoenas of pastoral notes to the extent the law permits, and we will notify you immediately if a subpoena is received that names your church.
9. Children and minors
Churches frequently keep records about children — youth-group attendance, Sunday-school rosters, family relationships. We acknowledge and accommodate this reality with the following safeguards.
- Member records that include a date of birth resulting in an age under 13 are flagged "minor" in our database and are subject to additional access controls.
- Children's data is never sent to AI partners for processing unless the pastor explicitly opts in to a youth-ministry feature that requires it (no such feature exists in the current Service).
- We do not market the Service directly to anyone under 18. The pastor users who hold accounts must be at least 18 years old.
- If a parent or guardian believes their child's data is being held in the Service and wishes to have it removed, they should contact their pastor first; we will assist on request at support@operating.church.
The Children's Online Privacy Protection Act (COPPA) limits collection of personal information directly from children under 13. Because children do not interact with the Service themselves — only their pastor enters information about them, with the explicit knowledge of the parents who chose to bring their children to that church — COPPA's direct-collection prohibitions are not triggered. We comply nonetheless with COPPA's spirit by minimizing data collection about minors and applying the minor flag described above.
10. Your rights
10.1 Rights for pastor users (controller relationship) — GDPR Articles 13–22
Where GDPR applies, the legal bases on which we process your data are: contract (Article 6(1)(b)) for operating the Service you signed up for; legitimate interests (Article 6(1)(f)) for fraud prevention, security monitoring, and product analytics; consent (Article 6(1)(a)) for any optional features that ask for it; and legal obligation (Article 6(1)(c)) for billing-record retention and tax compliance.
Under GDPR Articles 13–22, the CCPA, and most state privacy laws, you have the following rights:
- Right of access (GDPR Art. 15) — request a copy of the personal information we hold about you. Email privacy@operating.church.
- Right to rectification (GDPR Art. 16) — correct inaccurate or incomplete information. Most fields are editable in-app; contact us for anything you can't change yourself.
- Right to erasure / "right to be forgotten" (GDPR Art. 17) — delete your account and all associated data. In-app cancellation triggers the thirty-day deletion process; you can also email us to expedite.
- Right to restrict processing (GDPR Art. 18) — limit how we use your data while a dispute or correction is pending.
- Right to data portability (GDPR Art. 20) — export your data in a structured, commonly used, machine-readable format. We provide a JSON export within fourteen days of request.
- Right to object (GDPR Art. 21) — object to processing based on legitimate interests, including direct marketing (we honor objections to marketing immediately).
- Rights related to automated decision-making (GDPR Art. 22) — drift scores and engagement classifications are decision-support tools surfaced to pastors, not automated decisions made about you; a human pastor reviews every action. You can request human review of any score that affects a decision about you.
- Right to withdraw consent — for any feature where the legal basis is consent, you can withdraw at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint (GDPR Art. 77) — EU residents can contact their national supervisory authority. California residents can contact the California Privacy Protection Agency.
We respond to verifiable requests within thirty days, extendable by an additional sixty days where the request is complex (GDPR Art. 12(3)). We do not charge a fee for the first request in any twelve-month period.
10.2 Rights for church members (processor relationship)
If you are a member of a church that uses A Pastor App, your rights run primarily against your church (the controller). The fastest way to exercise them is to contact your pastor. If your pastor is unable or unwilling to help, you can write to us at support@operating.church and we will:
- Forward your request to the pastor account holder.
- Assist them in fulfilling the request within fourteen days of receipt.
- Confirm to you in writing when the request is complete.
10.3 California residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know what categories of personal information we collect, the sources, the business purposes for collection, and the categories of third parties with whom we share it (Sections 3 and 5 of this policy describe this in detail).
- Right to access the specific pieces of personal information we hold about you.
- Right to delete the personal information we collected from you, subject to the exceptions in Cal. Civ. Code §1798.105(d).
- Right to correct inaccurate personal information we maintain.
- Right to limit use of sensitive personal information — we collect sensitive personal information (account login credentials, and, for paying pastors, financial details processed via Stripe) only as necessary to provide the Service.
- Right to opt out of "sales" and "sharing" — we do not sell personal information and we do not "share" personal information for cross-context behavioral advertising as those terms are defined in the CCPA/CPRA. There is therefore nothing to opt out of, but we honor any Global Privacy Control signal we receive as confirmation of this preference.
- Right to non-discrimination — we will not deny, charge different prices for, or provide a different level of quality of the Service because you exercised your CCPA rights.
- Authorized agents — you may designate an authorized agent to make a request on your behalf. We will require written proof of authorization and verification of your identity before fulfilling such a request.
To exercise any of these rights, email privacy@operating.church with "CCPA Request" in the subject line, or write to us at the postal address in Section 14. We will verify your identity using information already on file (such as your account email) and respond within forty-five days, extendable once by an additional forty-five days where reasonably necessary.
Categories collected in the last twelve months: identifiers (name, email, phone, IP), customer records (mailing address, billing info), commercial information (subscription history), internet activity (usage logs), geolocation (approximate, from IP), audio (sermon recordings, voice notes), professional information (church role), inferences (drift scores). Sources: directly from you, automatically from your devices, and (for member data) from pastor users entering data about their congregation. Business purposes: providing the Service, security, billing, and product analytics.
11. Security
We follow industry-standard practices to protect data, including:
- TLS 1.2 or higher for all network traffic
- AES-256 encryption at rest for all primary and backup data
- Row-level security policies in our database enforcing the rule that no church can read another church's data
- Multi-factor authentication available to all pastor accounts; required for accounts with admin privileges
- Regular dependency-update reviews and quarterly penetration tests
- Sentry-based error monitoring with personally identifiable information stripped before transmission
- Hard role separation: backend engineers have access only to anonymized aggregates in production; named DBAs handle any individual-record access under audit logging
No system is perfectly secure. If a breach affects your data, we will notify you within seventy-two hours of confirmation, as required by GDPR Article 33 and equivalent US state laws.
12. Cookies and tracking
The marketing site (operating.church) uses a small number of first-party cookies for session management and to remember whether you have dismissed the cookie banner. The authenticated dashboard uses session cookies issued by our authentication layer (Supabase Auth). We do not use third-party advertising cookies or pixel trackers. We do not use Google Analytics; we use Vercel's first-party traffic analytics, which are anonymized and do not set cookies.
13. Changes to this policy
We will post material changes to this policy on this page and update the "Last updated" date at the top. For changes that materially expand the categories of data we collect or change the legal basis for processing, we will email all active pastor accounts at least thirty days before the change takes effect.
14. Contact
We maintain two dedicated channels so privacy work is never bottlenecked behind general support:
- Privacy inquiries, data-subject requests, and complaints: privacy@operating.church
- General product support: support@operating.church
- Mailing address: 153 Comeback Inc., 4539 North 22nd Street STE R, Phoenix, AZ 85016, United States
- EU representative: On request — write to privacy@operating.church and we will appoint a representative under GDPR Article 27 for European inquiries.
We respond to every privacy request within fourteen days. Most are resolved within forty-eight hours.