Privacy Policy

We collect three categories of information:

• Account information. Your name, email, and authentication tokens, via Clerk. We use Clerk Organizations to scope every record to your church.
• Content you supply. Chat messages, voice memo transcripts, pending action drafts, reading-list entries, pastoral visit logs, and theological-guardrail settings — anything you type or upload into Collie.
• Connected service data. When you opt in to integrate with Planning Center, Google Workspace, Microsoft 365, Slack, or Mailchimp, we read only the scopes you grant — never restricted scopes (we use gmail.compose, calendar.events, drive.file, and documents instead of the broader read-everything alternatives).

The following are platform-level guardrails enforced in code, not just policy. They cannot be turned off by a church admin or unlocked by a paid tier:

• No counseling, confessional, or crisis content. If a chat message contains markers we recognize (counseling sessions, confidentiality language, suicide or self-harm references, abuse disclosure), we refuse at the input layer and the content never reaches our AI provider. We log only the matched phrase pattern, never the surrounding message.
• No information about specific minors. Adults enter rosters; Collie does not summarize, classify, or generate text about individual children.
• No automated external sends. Every email, calendar invite, social post, and message is queued for human approval before leaving Collie. There is no "auto-send" mode in v1.
• No new sermon content. Sermon Repurposing transforms your existing audio into derivative formats (social posts, devotional emails, small-group questions). We do not generate new theological claims attributed to you.

• To provide and operate the assistant.
• To maintain Row-Level Security so your data is isolated from other churches.
• To send transactional email (sign-in links, approval notifications) via Resend.
• To process payments via Stripe (we never see or store your card numbers).
• To track usage for billing and capacity planning, in our internal usage_events table.
• To investigate bugs and security incidents, using append-only audit logs that record who did what and when (never the content of refused messages).

Chat messages, voice memo transcripts, and skill inputs are sent to Anthropic's Claude API via Vercel AI Gateway. Anthropic's Commercial API is contracted with Zero Data Retention — your content is not used to train models, and Anthropic deletes inference inputs and outputs after processing per their retention policy. Read Anthropic's privacy policy for the full terms.

Voice transcription, when enabled, runs through Deepgram. Audio files are sent for transcription and discarded by Deepgram per their policy; we keep both the audio file (in your church's Supabase Storage) and the transcript (in our database) until you delete them.

• Database: Supabase Postgres (US-East-1, AWS). Every tenant table has Row-Level Security enabled and policies that scope reads, writes, updates, and deletes to your church's Clerk organization id.
• Application: Vercel (US regions). Stateless functions; no persistent disk writes other than the database.
• Authentication: Clerk.
• Email: Resend.
• Payments: Stripe.
• Background jobs: Inngest.
• AI: Anthropic via Vercel AI Gateway.

When you connect a third-party service (Planning Center, Google, Microsoft, Slack, Mailchimp), data flows directly between Collie and that service over OAuth — we do not mirror it into long-term storage beyond what you've used in a draft.

We don't sell your data. We share data only with the sub-processors listed above (Anthropic, Vercel, Supabase, Clerk, Resend, Stripe, Inngest, Deepgram, and the third-party services you explicitly connect).

We will disclose data when legally required (subpoena, court order, regulatory request) and will notify the affected church unless legally prohibited.

• Account data: kept while your subscription is active, deleted within 30 days of cancellation request.
• Chat messages and conversations: kept until the church admin deletes them.
• Voice memos and transcripts: kept until the church admin deletes them.
• Audit log entries: append-only, kept for 7 years for compliance.
• Backups: rolling 30-day window in Supabase.

Church admins can export their data at any time from /settings. To request deletion outside the in-app flow, email michael@tribett.dev and we'll honor the request within 30 days.

Row-Level Security gates every read at the database layer, not just the UI — this is the cornerstone of our multi-tenant isolation. The Supabase service role key is never shipped to browser code. Stripe and Resend webhooks are signature-verified before any state changes.

We do not yet have SOC 2 Type I attestation; that work is planned for Q4 2026. We will notify customers when it lands.

When we materially change this policy, we'll update the "Effective" date at the top and email account owners. Older versions are available on request.

Questions, complaints, or deletion requests: michael@tribett.dev.