Privacy and data safety: how FlockConnect treats your church's data

Who can see your people's data?

Access starts with three roles: the account owner, admins, and care partners. Owners see everything in their church. Admins see what their permission toggles allow, and the toggles are granular, covering things like giving signals, Collie, and user management, so giving someone forms access does not also hand them pastoral notes. Care partners see only the people assigned to them through a direct, household, group, or ministry care assignment, and that boundary is enforced in the database, not just hidden in the interface.

Your members never hold accounts at all. They interact with FlockConnect through secure links scoped to one purpose and built to expire, so there is no member password to lose. And every church's data is church-scoped: the separation is enforced in the database with row-level security and re-checked on the server with every request.

• Your church owns its data. FlockConnect processes it on your instructions, never sells it, and never uses it for advertising.
• Three roles with scoped access: owners, admins with granular permission toggles, and care partners who see only their assigned people.
• Every pastoral note carries a plain-language visibility setting, shown alongside a separate record-by-record Collie setting that is off by default for pastoral notes.
• Owners and admins must use MFA, re-confirmed every 30 days, and sensitive actions like exporting data require it again.
• Giving shows cadence only, never amounts, and only to staff you specifically permit.
• Collie drafts, a person approves. The account owner can export everything as a ZIP, and deletion opens a reversible 90-day window.

How does note visibility work?

Pastoral notes and care records carry a visibility setting written in plain language, from visible only to the owner, to a set of selected admins, to the care team around a person. When you pick a level, FlockConnect shows you in words exactly who can see the note and who cannot.

Collie is governed by a separate control. Visibility decides which people can see a record; a separate record-by-record Collie setting, off by default for pastoral notes, decides whether Collie may use it as context. You decide both, record by record.

Is multi-factor authentication required?

Yes, for the roles that can see the most. Account owners and admins must enroll in MFA, and FlockConnect re-confirms it every 30 days; an owner or admin without a recent verification is redirected to the MFA step before they can keep using the app. This is enforced by the product, not a policy suggestion.

Sensitive actions go further. Exporting data, managing billing or integrations, changing a record's visibility, approving a Collie action, and managing users are each sensitive actions that require MFA. Care partner MFA is optional, and your church can require it with a single setting.

What does FlockConnect know about giving?

Cadence, never amounts. FlockConnect records the rhythm of a household's giving, whether a regular pattern has paused or changed, because a change in rhythm is often a quiet sign that a family is drifting. It does not record amounts, funds, or donor totals. There is nowhere for an amount to live: amounts are dropped at the import boundary, and the giving signal itself has no field for them.

Seeing giving signals at all is its own permission, separate from general access to people, so cadence is visible only to staff you specifically permit. The connection-health thresholds that use it are your church's to adjust in Settings.

What is Collie allowed to see and do?

Collie, FlockConnect's AI assistant, works behind two boundaries. The first is redaction: before any text leaves the server for an AI provider, member names are replaced with stable placeholder labels, and a fail-closed check rejects the request outright if raw emails, phone numbers, or unexpected fields appear in the context. Real names are restored only when the draft comes back, so your reviewer sees them and the model did not. Per our privacy policy, AI processing runs through providers under zero-data-retention terms, and redaction and data minimization apply where possible; we do not pretend that no sensitive detail can ever reach a model, which is exactly why the second boundary exists.

The second boundary is a person. Collie only drafts: every external write and every member-facing message requires human review and approval first, and that requirement is enforced on the server, not just in the interface. Collie never sends anything on its own, and approving a Collie action is itself a sensitive, MFA-gated step. Collie is assistive and can be wrong; it is not a substitute for pastoral judgment.

Can I get my data out?

Yes, at any time. The account owner can request a full workspace export from Settings; it is an owner-only action and requires MFA. The export arrives as a ZIP: tabular data as CSV files, nested records like forms and approved Collie artifacts as JSONL, plus a manifest listing every file, the record counts, and the snapshot window. People, households, groups, ministries, care records, forms and submissions, calendar write-backs, and integration metadata are all included.

The export is built from explicit allow-lists of fields, never a raw database dump, so connection credentials, security tokens, and other secrets are never included. Download links last 15 minutes, MFA is re-checked when you download, every download is logged before the file is served, and the export file deletes itself 7 days after it is generated.

What happens if we delete our account?

Deletion is deliberate and reversible at first. When the account owner requests it (MFA required), FlockConnect opens a 90-day window: during the window you can still export your data, and you can cancel the request entirely if you change your mind.

After the 90 days, deletion proceeds in stages with safety checks along the way, including confirming there is no active subscription, legal hold, or open billing dispute, and revoking the Planning Center, Google, and Microsoft credentials FlockConnect held for your church. Two honest caveats: third-party providers keep their own records under their own policies, and backups, logs, and audit records may persist for a period after the primary records are deleted, with security and audit logs kept longer where the law or an active investigation requires it. We will not tell you deletion is instant, because it is not designed to be.

Where is all of this written down?

The privacy policy and terms of service published on this site (in English) are the governing documents, and the promises above restate them: your church owns its data, FlockConnect processes it on your church's instructions, and member and pastoral data is never sold and never used for advertising. The policy names every category of provider we rely on, and if we confirm a breach affecting your data, we notify your church without undue delay.

Because members do not hold accounts, requests to access, correct, or delete a member's information route through your church, with FlockConnect assisting. Members can manage their own communication preferences through a secure link, though that page handles consent, not data access. We do not claim certifications we do not hold; what we publish on the trust and security page is what we can show. Questions are welcome at support@flockconnect.com.