Skip to main content
CollieTrust Center

What Collie will never do

These are platform-level guardrails. They cannot be turned off by a church admin or unlocked by a paid tier. They are enforced in code, not in policy.

Reviewed by FlockConnect · Updated June 2, 2026

Direct answer

Is Collie safe for church data?

Collie is designed for churches that need AI help without giving up pastoral control. It refuses sermon generation, counseling or confessional content, AI summaries about specific children, writable financial actions, and automatic external sends. Church data is scoped to the authenticated organization, external actions wait in Pending for human approval, and the Trust Center explains the data flow pastors and church boards should review before adopting the product.

Never write a sermon.

Sermon Repurposing is transformation only — your existing audio becomes social posts, devotional emails, or small-group questions. Collie will not generate new sermon content, new exegesis, or new theological claims attributed to you.

Never process counseling or confessional content.

If you mention counseling sessions, confessions, confidential disclosures, or crisis content (suicide, self-harm, abuse), Collie refuses at the input layer. Nothing about that message reaches the AI model. The audit log records the refusal but never the content that triggered it. For crisis situations, please connect the person to professional help directly.

Never derive information about specific children.

Adults enter rosters; Collie does not summarize, classify, or generate from children's personal information. You can ask logistical questions (room assignments, sign-up counts) but not interpretive ones about individual minors.

Never auto-send to the outside world.

Every external action — email, calendar invite, social post, message — queues in your /pending inbox for explicit approval. There is no "let Collie handle it from here" mode in v1. You see the draft, you press Approve, and only then does the action go out.

Never treat financial data as writable.

Collie can read giving summaries and attendance trends to inform planning. It cannot create giving entries, generate tax receipts as new content, or modify any financial record. Tax documents are deterministic templates filled from your data, not AI- generated text.

How your data flows

  1. Your messages are stored in a Postgres database scoped to your church via Row-Level Security. Even with a bug in our code, another church cannot see your rows.
  2. AI calls run through Google Vertex AI Gemini in production. Model-visible inputs are PII-redacted before they leave Collie, then rehydrated only inside Collie when a draft returns. Your content is not used to train models without permission, and production launch requires the Google Cloud project cache setting and data-use posture to be confirmed.
  3. Voice memos are transcribed through ElevenLabs. The transcript is stored in your church's database records — encrypted at the application layer with AES-256-GCM before it touches the disk — until you delete it. The source audio is not retained by Collie.
  4. Every approval, every external action, every refusal is logged in an append-only audit trail. To request an export, email us and we will respond within 30 days.
Data flow diagram
Your browser (mobile or desktop)
You sign in via Clerk magic link or social OAuth. Browser → TLS 1.3 → our app.
Collie on Vercel (US regions, Fluid Compute)
Stateless serverless functions. No persistent disk writes other than to the database. All sub-processor calls leave from here.
Postgres (Supabase, US-East-1)
Row-Level Security forces every read/write to your church's organization id. Sensitive fields (OAuth tokens, voice transcripts) layered with AES-256-GCM application-level encryption on top of the disk-level AES-256.
Google Vertex AI Gemini (production AI)
Commercial Google Cloud path, not a consumer chatbot. Inputs are PII-redacted before the model sees them, then rehydrated only in Collie after the response returns. No training on your data without permission.
ElevenLabs (voice transcription only)
Audio file sent for transcription. Audio not retained by Collie. Transcript returns encrypted at our app layer before storage.
Resend (transactional email)
Sends only approved drafts. No marketing. From a sender domain verified to your church when you connect one.
Stripe (billing only)
Subscription billing for the church. We never store your card. Webhook signatures verified; replayed events deduped via an append-only event log.
Inngest (durable workflows)
Cron schedules (Monday brief, Sunday visitor scan, monthly board prep, etc.) and pause-on-approval pauses. Signed callbacks; carries identifiers and metadata, never content.
Clerk (authentication only)
Holds your account record, organization membership, and session tokens. Never sees the body of any message, draft, or pastoral note.
Sentry (error reporting)
Stack traces and request metadata. A scrubber strips PII patterns (emails, phone numbers, names) from breadcrumbs before they leave our runtime.
Planning Center, Google Workspace, Microsoft 365, Slack, Mailchimp — when you connect one, OAuth tokens travel on the same flow. Your church's data inside those tools is read by Collie only when you ask for it (reading a calendar, drafting an email). We never mirror connected-service data into long-term storage beyond the records you choose to use here. FlockConnect import is coming soon and will stay listed as unavailable until there is a supported API.

Roles and access

Your pilot workspace uses Clerk Organizations to keep one church separate from every other church. Row-Level Security scopes rows to the active organization at the database layer, not just the UI. Team invitations and finer-grained staff roles are being added as the pilot expands; until then, only invite people you trust inside your church's workspace.

Responsibility stays with the church

Your church remains responsible for pastoral, safeguarding, employment, legal, financial, counseling, reporting, and compliance decisions. Collie drafts, summarizes, retrieves, and queues work for review; FlockConnect LLC does not make ministry decisions for your church and does not provide legal, financial, medical, mental health, or professional pastoral counseling advice.

Questions?

We're a small team. If something here is unclear or you want to dig deeper before you trust us with your church's data, email michael@tribett.dev. Real human, fast reply.