
Privacy Policy

Last updated: March 20, 2026 · ChurchStacks Inc.

Plain-English Summary

  • We collect only what we need to run the platform.
  • We never sell your data to anyone.
  • We never share member data with other churches.
  • We never use your data to train AI models.
  • You can export or delete all your data at any time.
  • Payments go through Stripe — we never store card numbers.

1. Who we are

ChurchStacks Inc. ("ChurchStacks", "we", "us", "our") operates the church management platform available at churchstacks.com and app.churchstacks.com. We are the data controller for the information described in this policy.

Contact: privacy@churchstacks.com

2. What we collect

Account data: Name, email address, role, and church affiliation provided at sign-up.

Church data: Member records, giving history, event attendance, volunteer schedules, sermon notes, prayer requests, and any other content your church enters into ChurchStacks. This data belongs to your church — we are processors, not owners.

Usage data: Pages visited, features used, timestamps, and browser/device type. Used to improve the product.

Payment data: Billing name, last 4 card digits, and invoice history. Raw card numbers are never stored — all payment processing is handled by Stripe.

Communications: Emails or messages you send to our support team.

3. How we use it

  • To provide and operate the ChurchStacks platform.
  • To process subscription payments via Stripe.
  • To send transactional emails (receipts, password resets, account alerts).
  • To provide customer support.
  • To improve the platform through anonymised usage analytics.
  • To comply with legal obligations.

We do not use your data for advertising. We do not use church member data to train AI or machine learning models.

4. Who we share data with

We share data only with the following sub-processors, each bound by a Data Processing Agreement:

  • Stripe — payment processing. Bound by PCI DSS Level 1.
  • Supabase — database and file storage. Bound by SOC 2 and GDPR.
  • Clerk — authentication and session management. Bound by SOC 2 Type II.
  • Vercel — web hosting and CDN. Bound by SOC 2 Type II.

We do not sell data to third parties. We do not share member data with advertisers, data brokers, or other churches. We will share data with law enforcement only when required by valid legal process.

5. Data retention

We retain your data for as long as your account is active. If you cancel your account, all data is permanently deleted within 30 days. Backups containing your data are purged on a rolling 30-day cycle.

Payment records may be retained for up to 7 years to comply with tax and accounting obligations.

6. Your rights

You have the right to:

  • Access — request a full copy of all data we hold about you.
  • Correction — update or correct inaccurate data.
  • Deletion — request permanent deletion of your account and all associated data.
  • Portability — export all church data in CSV or JSON format at any time from Settings.
  • Objection — object to certain types of processing.
  • Restriction — request that we restrict processing in certain circumstances.

To exercise any of these rights, email privacy@churchstacks.com. We respond within 30 days.

7. Cookies

We use strictly necessary cookies for authentication and session management. We use analytics cookies (anonymised) to understand how the platform is used. We do not use advertising cookies.

You can disable non-essential cookies in your browser settings at any time.

8. GDPR & CCPA

For EU users (GDPR): ChurchStacks acts as a data processor for the church (data controller). A Data Processing Agreement is available on request at privacy@churchstacks.com. Our lawful basis for processing is contract performance and legitimate interests.

For California users (CCPA): We do not sell personal information. California residents have the right to know, delete, and opt out of the sale of personal information. Contact us at privacy@churchstacks.com to exercise these rights.

9. Security

We use AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, and row-level security to protect your data. For full details see our Security page.

10. Changes to this policy

We will notify you by email and in-app notification at least 14 days before making material changes to this policy. Continued use of ChurchStacks after that date constitutes acceptance of the updated policy.

11. Contact

For privacy questions, data requests, or to report a concern:

Email: privacy@churchstacks.com

Response time: Within 30 days for data requests, within 2 business days for general enquiries.
