Plain English Summary: We collect only what we need to run your church management platform. We never sell your data. Church member data belongs to the church. You can request deletion at any time.
1 Overview
REACH ChurchConnect ("REACH," "we," "our," or "us") is a church management software-as-a-service platform operated by Reach Church MS, LLC. This Privacy Policy applies to our mobile applications (iOS and Android), web application, and website at reachchurchms.com (collectively, the "Services").
This Privacy Policy describes how we collect, use, disclose, and safeguard information about:
- Church Administrators & Staff — Organizations that subscribe to our platform ("Church Customers").
- Church Members & Visitors — Individuals whose information is managed within the platform by Church Customers ("End Users").
- Website Visitors — Anyone who visits our marketing website.
By using REACH ChurchConnect, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Services.
2 Information We Collect
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed), phone number, church name, job title | Account creation, authentication, support |
| Church Profile | Church name, address, logo, denomination, campus locations, service times | Directory, public profile, QR code generation |
| Member Records | Names, email, phone, address, birthdate, gender, family relationships, notes, groups, attendance, giving history | Member management, communications, reporting |
| Financial Data | Donation amounts, fund designations, payment method tokens (not raw card numbers), giving statements | Donation processing, receipts, financial reporting |
| Communication Content | SMS messages, emails, prayer requests, testimonies, event RSVPs | Platform functionality, delivery |
| Support Requests | Messages, attachments, feedback you send us | Customer support, product improvement |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device Information | Device type, OS version, app version, unique device identifiers | Troubleshooting, compatibility |
| Usage Data | Features accessed, pages visited, session duration, button taps, error logs | Product analytics, bug fixing |
| Log Data | IP address, browser type, access timestamps, referring URLs | Security, fraud prevention |
| Location Data | General location derived from IP address (not GPS unless you explicitly grant permission) | Analytics, compliance |
| Cookies & Tracking | Session cookies, preference cookies, analytics identifiers | Authentication, analytics — see Section 9 |
2.3 Information from Third Parties
- Stripe — Payment processor. We receive tokenized payment method confirmations and subscription status. We never store raw card numbers.
- Twilio / SignalHouse — SMS delivery providers. We receive message delivery status reports.
- Daily.co — Video meeting provider. We receive session identifiers for meeting management.
- OpenAI — AI features. We send anonymized prompts; responses are returned to you and not stored by OpenAI beyond their standard retention policies.
3 How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing and Improving the Services
- Creating and managing your account
- Processing donations and subscription payments via Stripe
- Sending SMS messages, emails, and push notifications on behalf of churches
- Generating QR codes, giving pages, event registrations, and member check-in flows
- Powering AI-driven follow-up suggestions, giving insights, and attendance analytics
- Hosting video meetings and live streaming sessions
- Providing multi-campus management and RBAC (role-based access control)
3.2 Platform Security & Compliance
- Detecting and preventing fraud, abuse, and unauthorized access
- Meeting our legal obligations under GDPR, CCPA, HIPAA-style data handling requirements, and telecommunications regulations (CTIA, 10DLC/A2P)
- Responding to lawful requests from law enforcement
3.3 Communications
- Sending transactional emails (receipts, password resets, account alerts)
- Sending product announcements, feature updates, and tips — you can opt out at any time
- Responding to your support requests
3.4 Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process personal data under these legal bases:
- Contract: Processing necessary to provide the Services you've subscribed to.
- Legitimate Interest: Security, fraud prevention, product analytics, and support.
- Consent: Marketing emails and optional analytics — withdrawable at any time.
- Legal Obligation: Compliance with applicable laws.
4 Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties for advertising purposes. Ever.
We share information only in these limited circumstances:
4.1 Service Providers (Sub-processors)
We share data with vendors who help us operate the platform under strict data processing agreements (DPAs):
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing, Connect payouts | Name, email, payment tokens, church bank account info |
| Twilio / SignalHouse | SMS delivery | Phone numbers, message content |
| Amazon Web Services (AWS) | Cloud hosting, object storage | All platform data (encrypted at rest) |
| Resend / SendGrid | Email delivery | Email addresses, message content |
| Daily.co | Video meetings | Session tokens, participant identifiers |
| OpenAI | AI-powered features | Anonymized prompts (no member PII sent) |
| Google Analytics | Website analytics | Anonymized usage data, IP (truncated) |
| Sentry | Error monitoring | Error logs, device info (no personal data) |
4.2 Church Customers as Data Controllers
REACH acts as a data processor on behalf of Church Customers, who act as data controllers for their members' information. Church Customers control what data is entered, how it is used within the platform, and who within their organization has access. We process member data only as directed by the Church Customer and as described in this policy.
4.3 Legal Requirements
We may disclose information if required by law, court order, or government authority, or where we believe disclosure is necessary to protect the rights, property, or safety of REACH, our customers, or the public.
4.4 Business Transfers
If REACH is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify affected users and provide choices before any personal information becomes subject to a different privacy policy.
5 Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, or as required by law.
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of active subscription + 90 days after cancellation |
| Financial / donation records | 7 years (IRS compliance) |
| SMS message logs | 90 days |
| Email logs | 90 days |
| Application error logs | 30 days |
| Deleted account data | Purged within 30 days of deletion request |
| Backup data | Purged within 90 days of account deletion |
Church Customers may request earlier deletion at any time. Financial records required for tax compliance may be retained longer as required by applicable law.
6 Security
We implement industry-standard technical and organizational measures to protect your information:
- Encryption in Transit: All data transmitted using TLS 1.2+
- Encryption at Rest: All stored data encrypted using AES-256
- Access Controls: Role-based access control (RBAC) limits data access to authorized personnel
- Password Security: Passwords hashed using bcrypt with appropriate cost factor; plaintext passwords never stored
- Payment Security: PCI-DSS compliant via Stripe; raw card data never passes through our servers
- Vulnerability Management: Regular dependency audits, SAST scanning, and penetration testing
- Incident Response: Breach notification within 72 hours as required by GDPR Article 33
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
7 Your Rights
Depending on your location, you may have the following rights regarding your personal data:
| Right | Description | Applies To |
|---|---|---|
| Access | Request a copy of your personal data we hold | All users |
| Correction | Request correction of inaccurate data | All users |
| Deletion | Request deletion of your personal data | All users |
| Portability | Receive your data in a structured, machine-readable format | EEA, UK users |
| Restriction | Request restriction of processing | EEA, UK users |
| Objection | Object to processing based on legitimate interests | EEA, UK users |
| Withdraw Consent | Withdraw consent where processing is based on consent | All users |
| Non-Discrimination | Not be discriminated against for exercising your rights | California residents |
To exercise any of these rights, email us at privacy@reachchurchms.com or write to us at our address below. We will respond within 30 days (or within any shorter period required by applicable law).
Note for Church Members: If you are a member of a church using REACH, the church is the data controller for your member information. You should direct data requests to your church administrator in the first instance. We will assist Church Customers in fulfilling their obligations to respond to such requests.
8 Children's Privacy
REACH ChurchConnect is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under 13 without verifiable parental consent.
Our Kids Check-In feature allows churches to record children's attendance and guardian information. This data is:
- Entered and controlled by the Church Customer (the data controller)
- Accessible only to authorized church staff
- Not used for advertising or shared with third parties
- Subject to deletion upon church request
If you believe we have inadvertently collected information from a child under 13 without consent, please contact us immediately at privacy@reachchurchms.com.
9 Cookies & Tracking Technologies
We use the following types of cookies and similar technologies on our website and web application:
| Type | Purpose | Essential? |
|---|---|---|
| Session Cookies | Maintain your logged-in session; expire when browser closes | Yes |
| Preference Cookies | Remember your settings (theme, language) | No |
| Analytics Cookies | Understand how users interact with our platform (Google Analytics) | No |
| Security Cookies | CSRF protection, fraud detection | Yes |
You can control non-essential cookies through your browser settings. Disabling cookies may affect platform functionality. Our mobile applications do not use browser cookies; they use device-local storage and secure token storage for authentication.
10 SMS & Communications Compliance
REACH ChurchConnect provides SMS messaging capabilities to church administrators. All SMS functionality is subject to our SMS Compliance Policy and applicable regulations:
- Consent Required: Churches must obtain prior written consent from members before sending SMS messages
- Opt-Out: All SMS messages include opt-out instructions (reply STOP to unsubscribe)
- Message Frequency: Disclosed to members at the time of opt-in
- No Data Selling: Phone numbers are never sold or shared for marketing purposes
- 10DLC / A2P Compliance: All messaging campaigns are registered in accordance with CTIA guidelines and carrier requirements
- Data Rates: Standard message and data rates may apply; members should check with their carrier
To opt out of SMS messages from a church using REACH, reply STOP to any message. To opt back in, reply START. For help, reply HELP or contact the church directly.
11 Third-Party Services & Links
Our Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third-party services. We encourage you to review their privacy policies before providing any information.
Third-party services integrated into REACH include:
- Stripe — stripe.com/privacy
- Google Analytics — policies.google.com/privacy
- OpenAI — openai.com/policies/privacy-policy
- Daily.co — daily.co/privacy
12 International Data Transfers
REACH is headquartered in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we use the following safeguards for international transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Technical measures including encryption in transit and at rest
13 California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: What personal information we collect, use, disclose, and sell (we don't sell)
- Right to Delete: Request deletion of personal information we've collected
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell data)
- Right to Limit Use: Limit use and disclosure of sensitive personal information
- Right to Non-Discrimination: Not be discriminated against for exercising your rights
To submit a request, email privacy@reachchurchms.com with the subject line "California Privacy Request." We will verify your identity before processing.
Shine the Light: California Civil Code §1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing. We do not disclose personal information for direct marketing purposes.
14 Apple App Store & Google Play Compliance
Our mobile applications are available on both the Apple App Store and Google Play Store. The following disclosures are made in accordance with their respective requirements:
14.1 Apple App Store — Privacy Nutrition Labels
REACH ChurchConnect collects the following data types as disclosed in our App Store listing:
- Data Used to Track You: None. We do not track users across third-party apps or websites for advertising.
- Data Linked to You: Contact info, financial info (giving records), identifiers, usage data
- Data Not Linked to You: Crash logs, performance data, diagnostics
We do not use your data for targeted advertising. We do not share your data with data brokers. We comply with Apple's App Tracking Transparency framework.
14.2 Google Play — Data Safety Section
In accordance with Google Play's data safety requirements:
- Data collected: Account info, financial info, app activity, identifiers, personal info
- Data shared: With service providers only (Stripe, SMS providers) as described in Section 4
- Security practices: Data encrypted in transit; you can request data deletion
- No data sold: We do not sell personal data
14.3 Push Notifications
Our app may request permission to send push notifications for:
- New messages from your church
- Event reminders
- Giving receipts and confirmations
- Prayer request updates
You can disable push notifications at any time in your device's Settings app. Disabling notifications will not affect your ability to use the core app.
14.4 Camera & Microphone Access
Our app may request access to your device camera and microphone for:
- QR code scanning (Kids Check-In, visitor connect)
- Video meetings (Daily.co integration)
- Profile photo upload
Camera and microphone are accessed only when you actively use these features. We do not access these sensors in the background.
15 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
| Method | Details |
|---|---|
| Email | privacy@reachchurchms.com |
| General Inquiries | sales@reachchurchms.com |
| Website | reachchurchms.com |
| Mailing Address | Reach Church MS, LLC — Privacy Officer, United States |
For GDPR-related inquiries, our EU Representative can be contacted at gdpr@reachchurchms.com.
We will respond to all privacy inquiries within 30 days. For complex requests, we may take up to 90 days and will notify you of the extension.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. For material changes, we will notify you via email (if we have your address) or via a prominent notice in our app at least 30 days before the change takes effect. Your continued use of the Services after changes become effective constitutes your acceptance of the revised policy.