Privacy Policy

Last updated: February 23, 2026

1. Information We Collect

Account information: name, email address, and organization details when you sign up.

Content you provide: sermons, documents, event data, and other materials you upload to power your chatbot.

Usage data: pages visited, features used, and interactions with your chatbot to improve the Service.

2. How We Use Your Information

We use your information to provide, maintain, and improve the Service. Specifically: to power your AI chatbot with your uploaded content, to generate engagement analytics, to communicate with you about your account, and to ensure the security of the platform.

We do not use your information for advertising. We do not build profiles on your congregation. We do not monetize your data in any way beyond providing the Service you signed up for.

3. AI and Your Data

We understand that churches entrust us with sensitive material — sermons, pastoral communications, member information. We treat that responsibility with the gravity it deserves. Here is exactly what happens with your data when AI is involved:

Your data is never used to train AI models. We access AI models exclusively through API agreements that explicitly prohibit using customer data for model training. This is not a setting we toggle on — it is a contractual guarantee from each provider:

  • Anthropic (Claude): Under Anthropic's Commercial Terms of Service, customer API data is never used for model training. This is a hard contractual prohibition — not an opt-out, not a setting. It cannot be overridden. Anthropic is SOC 2 Type II certified, ISO 27001 certified, and offers HIPAA Business Associate Agreements.
  • OpenAI (GPT): OpenAI's API terms state that data sent through the API is not used to train or improve their models unless you explicitly opt in. FaithBase does not opt in. OpenAI is SOC 2 Type 2 certified, ISO 27001/27017/27018/27701 certified, and CSA STAR certified.
  • OpenRouter (routing layer): OpenRouter does not store prompt or response content by default — only request metadata (token counts, latency). We do not enable prompt logging. OpenRouter is SOC 2 compliant and GDPR compatible.

When your sermon text is sent to an AI model to generate a chatbot response or a newsletter draft, that data is processed and discarded. It does not enter any training dataset. It does not improve their models.

Zero-data-retention models are available. For organizations that require the highest level of data protection, we offer zero-data-retention (ZDR) configurations upon request. With ZDR enabled, AI providers do not store any input or output data — not even temporarily for abuse monitoring. All three of our upstream providers support ZDR: OpenRouter supports it per-request, Anthropic offers it through enterprise arrangements, and OpenAI offers it through an approval process. Contact us to enable ZDR for your account.

Your data is isolated to your organization. Each church's data is stored in its own isolated environment. No other FaithBase customer, no FaithBase employee outside of authorized support staff, and no third party can access your sermons, documents, or member data. There is no shared data pool between organizations.

AI responses are grounded in your content only. Your chatbot answers questions using only the content you have uploaded — your sermons, your statement of faith, your event calendar. It does not pull from other churches' data, general internet sources, or any shared knowledge base.

4. Data Sharing

We do not sell your data. Period. Not to advertisers, not to data brokers, not to anyone.

We work with a limited number of infrastructure providers to operate the Service. Each provider is contractually bound to strict data protection obligations:

  • Database (Convex): SOC 2 Type II certified, HIPAA compliant, and GDPR compliant. Your data is stored with full encryption at rest and in transit.
  • Cloud infrastructure (AWS): SOC 2 Type II certified, ISO 9001 certified, HIPAA compliant, and GDPR compliant, among dozens of additional compliance programs.
  • AI providers (Anthropic, OpenAI, via OpenRouter): Bound by API agreements prohibiting data retention and training, as described in detail in Section 3. Anthropic holds SOC 2 Type II and ISO 27001. OpenAI holds SOC 2 Type 2, ISO 27001/27017/27018/27701, and CSA STAR.
  • Payment processing (Stripe): PCI DSS Level 1 certified — the highest level of payment security certification. We never see or store your full card number.
  • Authentication (WorkOS): SOC 2 Type II certified identity provider handling all login and session management.

No provider listed above has access to your sermon content, member data, or chatbot conversations unless strictly necessary to perform their function. AI providers process text to generate responses, then discard it. Your database provider stores your data but cannot read its contents. Your payment processor never touches your church data at all.

5. Security

We protect your data with multiple layers of security:

  • Encryption everywhere: All data is encrypted in transit (TLS 1.3) and at rest (AES-256). This applies to your uploaded content, your chatbot conversations, and your account information.
  • Access controls: Role-based access ensures only authorized team members within your organization can view or manage your data. FaithBase employees access customer data only with explicit permission for support purposes.
  • Infrastructure security: Our infrastructure providers maintain SOC 2 Type II compliance, undergo regular third-party penetration testing, and operate within data centers with physical security controls.
  • Monitoring: We run continuous monitoring for unauthorized access attempts and anomalous activity across all systems.

6. Data Retention and Deletion

We retain your data for as long as your account is active. When you delete your account:

  • All uploaded content (sermons, documents, event data) is permanently deleted within 30 days.
  • All chatbot conversation logs are permanently deleted within 30 days.
  • All vector embeddings generated from your content are permanently deleted within 30 days.
  • Account information may be retained only where required by law (e.g., billing records for tax compliance).

You may also request deletion of specific content at any time without deleting your entire account.

7. Cookies

We use essential cookies for authentication and session management. We may use analytics cookies to understand how the Service is used. You can control cookie preferences through your browser settings. We do not use tracking cookies for advertising.

8. Your Rights

Regardless of where you are located, you have the right to:

  • Access all personal data we hold about your organization
  • Export your data in a standard format
  • Request correction of inaccurate data
  • Request deletion of your data

If you are in the EU, UK, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us to exercise any of these rights — we respond within 30 days.

9. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email at least 30 days before they take effect. The previous version of this policy will remain available upon request.

11. Contact

Questions about this policy? We welcome them. Contact us at privacy@usefaithbase.com.