Skip to main content
ColliePrivacy

Privacy Policy

Effective May 6, 2026

This Privacy Policy explains what Collie collects when a church uses the assistant, how we use that information, who we share it with, and how long we keep it. Collie is operated by FlockConnect LLC ("we", "us", "our"). If you have questions, email michael@tribett.dev.

What we collect

We collect four categories of information:

  • Account information. Your name, email, and authentication tokens, via Clerk. We use Clerk Organizations to scope every record to your church.
  • Content you supply. Chat messages, voice memo transcripts, pending action drafts, reading-list entries, pastoral visit logs, and theological-guardrail settings — anything you type or upload into Collie.
  • Connected service data. When you opt in to integrate with Planning Center, we read only the People data needed to help you find and reference church contacts inside Collie. Any future integration will be listed here before launch.
  • Operational data. Usage events (usage_events), append-only audit log entries (audit_log), people and households metadata, IP address and request metadata, error reports, and billing status needed to operate, secure, debug, and bill the Service.

What we never collect or process

The following are platform-level guardrails enforced in code, not just policy. They cannot be turned off by a church admin or unlocked by a paid tier:

  • No counseling, confessional, or crisis content. If a chat message contains markers we recognize (counseling sessions, confidentiality language, suicide or self-harm references, abuse disclosure), we refuse at the input layer and the content never reaches our AI provider. We log only the matched phrase pattern, never the surrounding message.
  • No information about specific minors. Adults enter rosters; Collie does not summarize, classify, or generate text about individual children.
  • No automated external sends. Every email, calendar invite, social post, and message is queued for human approval before leaving Collie. There is no "auto-send" mode in v1.
  • No new sermon content. Sermon Repurposing transforms your existing audio into derivative formats (social posts, devotional emails, small-group questions). We do not generate new theological claims attributed to you.

How we use what we collect

  • To provide and operate the assistant.
  • To maintain Row-Level Security so your data is isolated from other churches.
  • To send transactional email (sign-in links, approval notifications) via Resend.
  • To process payments via Stripe (we never see or store your card numbers).
  • To track usage for billing and capacity planning, in our internal usage_events table.
  • To investigate bugs and security incidents, using append-only audit logs that record who did what and when (never the content of refused messages).

Your church's responsibilities

Your church is responsible for deciding what information it has authority to upload, connect, approve, send, publish, or rely on through Collie. That includes obtaining any required notices, permissions, parental consents, employment approvals, safeguarding reviews, or denominational approvals before using the Service with church records or connected Planning Center data.

To the fullest extent permitted by law, FlockConnect LLC is not responsible for your church's pastoral, legal, financial, employment, safeguarding, counseling, reporting, or compliance decisions, or for actions taken outside Collie or through third-party services your church chooses to connect.

Children's data

Collie is not directed to children under 13 and is not intended to collect personal information directly from children. Your church may store adult-entered roster or household records that include minors when it has authority to do so, but Collie does not summarize, classify, or generate text about individual children. If your use case would require COPPA consent or other child-privacy approvals, your church is responsible for obtaining those approvals before entering the data.

AI processing

Chat messages, voice memo transcripts, and skill inputs are sent to Google Vertex AI Gemini through our production Google Cloud project. Before model calls, Collie PII-redacts common personal identifiers such as names, email addresses, phone numbers, postal addresses, and Social Security numbers, then rehydrates placeholders only inside Collie when a draft is returned. Under Google Cloud's Vertex AI data-use commitments, customer content is not used to train models without permission. Read Google Cloud's privacy notice for the full terms.

Voice transcription, when enabled, runs through ElevenLabs Scribe. Audio files are sent to ElevenLabs for transcription and are not retained by Collie; the transcript is stored in our database until you delete it.

Where your data lives

  • Database: Supabase Postgres (US-East-1, AWS). Every tenant table has Row-Level Security enabled and policies that scope reads, writes, updates, and deletes to your church's Clerk organization id.
  • Application: Vercel (US regions). Stateless functions; no persistent disk writes other than the database.
  • Authentication: Clerk.
  • Email: Resend.
  • Payments: Stripe.
  • Background jobs: Inngest.
  • Error reporting: Sentry.
  • Product analytics: PostHog (when enabled). Tracks aggregated, non-PII events (which skills were invoked, how long until first approval, retention) so we can improve the product. The PostHog SDK is loaded only when the operator opts in by setting an analytics key; we do not auto-capture clicks, scroll, or input text.
  • AI: Google Vertex AI Gemini as the production path. Local development may use Google Gemini through Vercel AI Gateway, but production launch requires direct Vertex Gemini configuration and cache/data-use confirmation.

When you connect Planning Center, data flows between Collie and Planning Center over OAuth. We do not mirror connected-service records into long-term storage beyond the records you choose to use in Collie.

Sharing

We don't sell your data. We share data only with the sub-processors listed above (Google Vertex AI Gemini, Vercel, Supabase, Clerk, Resend, Stripe, Inngest, Sentry, ElevenLabs, PostHog when enabled, and Planning Center when you explicitly connect it).

We will disclose data when legally required (subpoena, court order, regulatory request) and will notify the affected church unless legally prohibited.

Retention

  • Account data: kept while your subscription is active, deleted within 30 days of cancellation request.
  • Chat messages and conversations: kept until the church admin deletes them.
  • Voice memo transcripts: kept until the church admin deletes them.
  • Audit log entries: append-only, kept for 7 years for compliance.
  • Backups: rolling 30-day window in Supabase.

Your rights

Email us to request an export or deletion outside the in-app flow: michael@tribett.dev and we'll respond within 30 days.

Security

Row-Level Security gates every read at the database layer, not just the UI — this is the cornerstone of our multi-tenant isolation. The Supabase service role key is never shipped to browser code. Stripe and Resend webhooks are signature-verified before any state changes.

We do not yet have SOC 2 Type I attestation; that work is planned for Q4 2026. We will notify customers when it lands.

Changes to this policy

When we materially change this policy, we'll update the "Effective" date at the top and email account owners. Older versions are available on request.

Contact

Questions, complaints, or deletion requests: michael@tribett.dev.

Mailing address: FlockConnect LLC, 4030 Wake Forest Road, Ste 349, Raleigh, NC 27609.