Privacy Policy

Effective Date: February 13, 2026
Last Updated: February 13, 2026

1. Introduction

Ekkleios, Inc. ("we," "us," "our," or "Ekkleios") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our church management platform ("Service" or "Platform").

This Privacy Policy applies to:

Organizations (churches, ministries, nonprofits) subscribing to our Service
Users (staff, volunteers, administrators) accessing the Platform
Donors making donations through the Platform
Members whose information is stored in the Platform
Visitors to our website and public pages

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

Account Information

When you create an account, we collect:

Full name
Email address
Password (encrypted)
Phone number (optional)
Organization name and details
Job title/role

Organization Data

Organizations using our Service may input:

People Data: Names, contact information, addresses, phone numbers, email addresses, birthdays, family relationships, tags, notes
Donation Data: Donor names, donation amounts, payment methods (tokenized), donation dates, fund allocations
Discipleship Data: Spiritual growth stages, pathway progress, milestone completions
Community Data: Posts, comments, prayer requests, testimonies
Event Data: Event attendance, registrations, participation records
Communication Data: Email content, SMS messages, interaction logs

Payment Information

When you subscribe or make donations:

Credit/debit card information (processed and stored by Stripe, not by us)
Billing address
Transaction history

Communications

When you contact us:

Support tickets and correspondence
Feedback and survey responses
Email communications

2.2 Information Collected Automatically

Usage Data

We automatically collect:

IP address
Browser type and version
Device information (type, operating system)
Pages visited and features used
Time and date of visits
Time spent on pages
Referring website addresses
Click patterns and navigation paths

Cookies and Tracking Technologies

We use:

Essential Cookies: Required for platform functionality (authentication, session management)
Analytics Cookies: Google Analytics to understand usage patterns
Preference Cookies: Remember your settings and preferences
Security Cookies: Detect fraudulent activity and enhance security

See our Cookie Policy for more details.

Firebase Analytics

We use Firebase Analytics to collect:

App usage statistics
Feature engagement metrics
Error and crash reports
Performance data

2.3 Information from Third Parties

Stripe

We receive limited payment information from Stripe:

Payment success/failure status
Transaction IDs
Last 4 digits of card numbers
Cardholder names

Authentication Providers

If you sign in with Google or other providers:

Name and email address from your provider account
Profile picture (if you choose to share)

3. How We Use Your Information

3.1 To Provide and Maintain the Service

Create and manage your account
Process subscriptions and payments
Enable donation processing
Provide customer support
Send service-related notifications
Maintain platform security

3.2 To Improve the Service

Analyze usage patterns and trends
Develop new features and functionality
Conduct research and analytics
Test and optimize performance
Fix bugs and technical issues

3.3 To Communicate with You

Send account updates and notifications
Respond to inquiries and support requests
Send marketing communications (with your consent)
Provide training and educational content
Announce new features and updates

3.4 For Legal and Security Purposes

Comply with legal obligations
Enforce our Terms of Service
Protect against fraud and abuse
Resolve disputes
Protect our rights and property

3.5 With Your Consent

Any other purpose disclosed to you at the time of collection
As otherwise permitted or required by law

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data based on:

Contract Performance: Processing necessary to provide the Service you've subscribed to
Legitimate Interests: Improving our Service, preventing fraud, ensuring security
Legal Obligation: Complying with applicable laws and regulations
Consent: Where you have given explicit consent (e.g., marketing communications)

5. How We Share Your Information

5.1 We DO NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.2 Service Providers

We share data with trusted third-party service providers who assist us:

Firebase/Google Cloud: Hosting, database, authentication, analytics
Stripe: Payment processing and donation management
SendGrid: Email delivery and communications
Twilio: SMS notifications (if enabled)
Intercom: Customer support and live chat (if enabled)

All service providers are contractually obligated to protect your data and use it only for specified purposes.

5.3 Within Your Organization

Data you input is accessible to authorized users within your organization based on role-based permissions.

5.4 Legal Requirements

We may disclose information if required by law or in response to:

Court orders or subpoenas
Legal processes or government requests
Protection of our rights, property, or safety
Investigation of fraud or security issues

5.5 Business Transfers

If Ekkleios is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

5.6 Aggregated Data

We may share aggregated, anonymized data that cannot identify you individually for research, marketing, or analytics purposes.

6. Data Retention

6.1 Active Accounts

We retain your data for as long as your account is active or as needed to provide the Service.

6.2 Closed Accounts

After account closure:

You have 30 days to export your data
After 30 days, data may be permanently deleted
Some data may be retained for legal or compliance purposes

6.3 Legal Requirements

We may retain certain data longer if required by law, for tax purposes, or to resolve disputes.

6.4 Backups

Deleted data may persist in backups for up to 90 days before permanent deletion.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to:

Access your personal data
Export your data in standard formats (CSV, JSON, PDF)
Request a copy of your data

7.2 Correction and Update

You can:

Update your account information at any time
Correct inaccurate data through your account settings
Request corrections by contacting support

7.3 Deletion (Right to be Forgotten)

You can:

Delete your account at any time
Request deletion of specific data
Request complete data erasure (subject to legal retention requirements)

7.4 Opt-Out Rights

You can opt out of:

Marketing emails (via unsubscribe link)
Non-essential cookies (via cookie settings)
Analytics tracking (via browser settings)
SMS notifications (via account settings)

7.5 Data Portability (GDPR)

EU users can request their data in a structured, machine-readable format.

7.6 Object to Processing (GDPR)

EU users can object to processing based on legitimate interests.

7.7 Restrict Processing (GDPR)

EU users can request restriction of processing in certain circumstances.

7.8 Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

7.9 Lodge a Complaint

EU users can lodge a complaint with their local data protection authority.

8. Data Security

8.1 Security Measures

We implement industry-standard security measures:

Encryption: 256-bit SSL/TLS encryption for data in transit
Authentication: Firebase Authentication with secure password hashing
Access Control: Role-based permissions and multi-factor authentication (optional)
Firestore Security Rules: Database-level access controls
Regular Audits: Security assessments and vulnerability scanning
Backups: Automated daily backups with encryption
Monitoring: Real-time security monitoring and alerts

8.2 Payment Security

PCI DSS compliant payment processing via Stripe
We never store complete credit card numbers
Tokenized payment methods only

8.3 Data Isolation

Multi-tenant architecture with organization-level data isolation
Each organization's data is logically separated
No cross-organization data access

8.4 Employee Access

Limited employee access on a need-to-know basis
All employees sign confidentiality agreements
Access logs maintained for audit purposes

8.5 No Guarantee

While we implement strong security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

9.1 Data Location

Your data is stored on Firebase/Google Cloud servers, which may be located in various countries including the United States.

9.2 EU-US Data Transfers

For transfers from the EEA to the US, we rely on:

Standard Contractual Clauses (SCCs)
Google Cloud's GDPR compliance certifications
Appropriate safeguards as required by GDPR

9.3 Your Consent

By using our Service, you consent to the transfer of your data to countries outside your country of residence.

10. Children's Privacy

10.1 Age Restriction

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

10.2 Parental Consent

If you are under 18, you must have parental consent to use the Service.

10.3 Discovery of Child Data

If we discover we have collected data from a child under 13 without parental consent, we will delete it immediately.

10.4 Church Member Data

Organizations may store information about children as part of their membership records. Organizations are responsible for obtaining appropriate parental consent.

11. California Privacy Rights (CCPA)

11.1 California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to Know

You can request:

Categories of personal information collected
Sources of personal information
Business purpose for collection
Categories of third parties with whom we share data
Specific pieces of personal information we hold

Right to Delete

You can request deletion of your personal information (subject to exceptions).

Right to Opt-Out

You can opt out of the "sale" of personal information (Note: We do not sell personal information).

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

11.2 How to Exercise Rights

Email us at privacy@ekkleios.com with your request. We will verify your identity and respond within 45 days.

11.3 Authorized Agents

You may designate an authorized agent to make requests on your behalf.

12. Donor Privacy

12.1 Donor Information

When you make a donation through the Platform:

Your donation is processed by the receiving organization, not Ekkleios
The organization controls and owns your donor data
Ekkleios acts as a data processor on behalf of the organization

12.2 Donor Rights

You can request your donation history from the organization
You can request removal from the organization's donor list
You can opt out of donation-related communications

12.3 Tax Receipts

Organizations are responsible for providing tax receipts and maintaining donation records for tax purposes.

12.4 Anonymity

You may request anonymous donations, but this may affect your ability to receive tax receipts.

13. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

14.2 Material Changes

For material changes, we will:

Send email notification to registered users
Display a prominent notice on our website
Provide 30 days' notice before changes take effect

14.3 Continued Use

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

15. Contact Us

15.1 Privacy Questions

For questions about this Privacy Policy or our privacy practices:

Email: privacy@ekkleios.com Support: support@ekkleios.com Website: https://ekkleios.web.app

15.2 Data Protection Officer

For GDPR-related inquiries:

Email: dpo@ekkleios.com

15.3 Exercising Your Rights

To exercise your privacy rights (access, deletion, correction, etc.):

Email: privacy@ekkleios.com Subject Line: "Privacy Rights Request" Include: Your name, email, organization name, and specific request

We will respond within 30 days (45 days for CCPA requests).

16. Specific Data Processing Activities

16.1 Email Communications

Purpose: Service notifications, support, marketing (with consent)
Legal Basis: Contract performance, legitimate interest, consent
Retention: Until you unsubscribe or close your account
Third Parties: SendGrid (email delivery)

16.2 Analytics

Purpose: Improve Service, understand usage patterns
Legal Basis: Legitimate interest
Retention: 26 months (Google Analytics default)
Third Parties: Google Analytics, Firebase Analytics
Opt-Out: Browser settings, Google Analytics Opt-out Browser Add-on

16.3 Payment Processing

Purpose: Process subscriptions and donations
Legal Basis: Contract performance
Retention: As required by tax and financial regulations (typically 7 years)
Third Parties: Stripe

16.4 Customer Support

Purpose: Respond to inquiries and resolve issues
Legal Basis: Contract performance, legitimate interest
Retention: 3 years after last interaction
Third Parties: Intercom (if enabled)

17. Acknowledgment

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO ITS TERMS.

Version: 1.0 Effective Date: February 13, 2026 Last Updated: February 13, 2026