Trust and security
Built for sensitive pastoral data.
FlockConnect is designed around church-scoped access, role-based visibility, human approval, privacy-aware AI, and careful service integrations, so pastors can act on relationship needs without exposing more data than necessary.
Church-scoped data
Every church's data is scoped to that church. The boundary is enforced in the database with row-level security and checked again on the server with every request, so each church's records stay within that church.
Roles and visibility
Account owners, admins, and care partners have different levels of access. A care partner only sees the people assigned to them, not the whole congregation. Members never log in at all, so the people a church serves are not asked to manage an account.
Human approval before anything leaves
Collie can draft a note, suggest a next step, or surface who looks isolated. It never sends a message, writes to a connected system, or acts on its own. A person reviews and approves every external write and every member-facing message.
Privacy-aware AI
AI context is permission-aware, redacted where required, and source-tracked. Member names are replaced with neutral labels before context goes to the AI, and the provider, model, and provenance of each result are recorded, so a pastor can see where a suggestion came from.
Encrypted integration credentials
Connections to services like Planning Center use OAuth. The tokens are encrypted at rest and are never exposed to browser JavaScript. Disconnecting a service revokes the stored credential.
Telemetry with PII controls
Error monitoring and product analytics are scrubbed. Names, emails, church names, pastoral notes, and AI prompts are kept out of error reports. Analytics use explicit events and surrogate IDs rather than raw member data, and sensitive screens are masked.
Safer communication and calendar defaults
Member assessments are sent by email first. SMS is only a limited fallback after an assessment goes uncompleted, with consent and opt-out respected, and it never carries sensitive care content. Calendar events use generic text and secure links, so pastoral details do not travel in a calendar invite.
Evidence before claims
Every claim on this page is held to an evidence bar before it ships: automated tests, browser checks for each role, and provider configuration review. Where something cannot yet be proven, it stays a design intention rather than a public promise.
What leaves FlockConnect, and what does not
FlockConnect uses a small set of trusted providers to do its job. Here is what each one receives, at a high level. A church on Planning Center connects through the official two-way Planning Center integration.
- Supabase
- Stores FlockConnect's app data in church-scoped records protected by row-level security and server authorization.
- Stripe
- Receives billing and subscription data. It does not receive pastoral notes or care content.
- Planning Center
- Receives reviewed writebacks only after a person approves them. Pastoral notes and AI summaries are not written back by default.
- Resend
- Sends transactional email and secure assessment links using safe template variables.
- Twilio
- Sends limited SMS assessment reminders, only after an email goes uncompleted, with consent and opt-out checks.
- Google and Microsoft Calendar
- Receive generic event details and secure links, not sensitive pastoral details.
- Google Maps and Mapbox
- Used through server-side adapters for routing and proximity, under approved storage rules.
- AI providers (Gemini and the AI gateway)
- Receive only approved, redacted context, with the provider, model, and provenance tracked.
- Sentry
- Receives scrubbed technical error context and release metadata.
- PostHog
- Receives explicit, privacy-reviewed product events and surrogate IDs.
- Linear
- Receives opt-in feedback and scrubbed screenshots only where allowed.
Shared responsibility
We do our best to protect the data churches trust us with, using the measures described above. At the same time, we will be honest: security is never absolute, and no tool can remove every risk. FlockConnect is provided as is, under our Terms of Service.
You have a part too. You decide who to invite, what access to grant them, and what to record. Keeping your own login credentials safe, and using FlockConnect responsibly with the people in your care, is up to you. If anything here raises a question about how your church's data is handled, please reach out and ask.
For the binding details, read our Privacy Policy and Terms of Service. Questions about how your church's data is handled? Email support@flockconnect.com.
Care for your people without overexposing their data.
FlockConnect adds the relational layer on top of the church management system your church already runs. Priced by church size, with a free trial.