Privacy Policy and Data Protection

Transparency, security, and respect for your personal data.

Last updated: April 28, 2026

1. Introduction and Scope

Welcome to ChurchBox. Your privacy and the security of your personal data are fundamental to us. This Privacy Policy and Data Protection document clearly and transparently describes how we collect, use, process, store, share, and protect your personal information when you access and use our platform, mobile applications, and related services (collectively referred to as 'Services'). This document has been prepared in strict compliance with applicable data protection laws. By using our Services, you declare that you are aware of and agree to the terms established herein.

2. What Personal Data We Collect

To provide a personalized and secure experience, we collect different types of personal data, which may be provided directly by you or collected automatically during platform use:

  • Registration Data: Full name, username, valid email address, date of birth, and gender.
  • Profile Data: Profile picture, cover photo, biography, links to other social networks, and congregation/ministry information.
  • Authentication Data: Encrypted passwords, session tokens, and social login credentials (such as Google or Facebook ID).
  • Contact Data: Mobile phone number (optional, used primarily for notifications or two-step verification).
  • User-Generated Content: Posts, comments, reactions (amen), direct messages, media files (photos, videos, documents) submitted to the platform, and interactions in groups/brotherhoods.
  • Technical and Browsing Data: IP address, browser type, operating system, device identifiers, network information, pages visited, time spent, clicks, and crash logs.

3. How and Why We Use Your Data

The collected data is used exclusively for legitimate, explicit, and specific purposes, including, but not limited to:

  • Service Provision: Create, maintain, and manage your account; authenticate your identity; and ensure the correct functioning of platform features.
  • Social Experience: Enable the creation of connections (brotherhood), personalized feed display, content sharing, and interaction with other people and churches.
  • Communications: Send transactional emails (e.g., password reset, account confirmation), push notifications about interactions on your profile, event invitations, and important security updates.
  • Security and Fraud Prevention: Monitor suspicious activities, investigate Terms of Use violations, protect infrastructure against cyberattacks, and prevent abuse, harassment, or spam.
  • Continuous Improvement: Analyze anonymized usage metrics to identify performance issues, test new features (A/B testing), and improve the overall usability of ChurchBox.

4. Data Sharing with Third Parties

We do not sell, rent, or trade your personal data. Sharing occurs only when strictly necessary for the operation of the Services or by legal requirement, limited to:

  • Infrastructure Providers: Companies like Amazon Web Services (AWS) and cloud databases, which process or store data under strict confidentiality and security contracts.
  • Authentication Services (OAuth): When choosing to log in using Google or Facebook, basic profile information (name, email, photo, and unique ID) is exchanged with these platforms exclusively for identity verification purposes.
  • Churches and Administrators (Management Module): If you formally link to a Church using the ChurchBox management module, the administrators of that institution will have access to your registration data for secretarial purposes, event organization, and internal pastoral communication.
  • Legal Authorities: Compliance with court orders, requests from competent authorities, or legal defense in judicial or administrative proceedings.

5. Data Security and Storage

We adopt the best industry practices and standards in information security to protect your data against unauthorized access, accidental loss, destruction, alteration, or improper disclosure. Our security measures include:

  • Encryption of data in transit (TLS/SSL) and at rest (database and S3 encryption);
  • Use of robust hash algorithms (like bcrypt) for passwords, ensuring they are never stored in plain text;
  • Implementation of strict Role-Based Access Control (RBAC) and authentication via expiring JWT tokens;
  • Continuous vulnerability monitoring and regular penetration testing.

Although we make every effort to ensure the security of our infrastructure, it is important to note that no data transmission over the internet is 100% secure. Protecting your password and access device is also your responsibility.

6. Your Rights as a Data Subject

You, as the data subject, have absolute control over your information. In compliance with applicable privacy laws, you have the right to request at any time and free of charge:

  • Confirmation and Access: Confirm the existence of data processing and obtain a copy of the information we hold about you.
  • Correction: Update, rectify, or complete incomplete, inaccurate, or outdated data directly through your profile settings panel.
  • Anonymization, Blocking, or Deletion: Request the permanent deletion of your personal data and your account (right to be forgotten), except for data whose maintenance is required by legal or regulatory obligations.
  • Portability: Request that your data be transferred in a structured, commonly used, and machine-readable format (e.g., JSON or CSV).
  • Consent Revocation: Withdraw previously granted consent for specific data processing, without affecting the legality of the processing carried out previously.

7. Cookie Policy and Tracking Technologies

We use cookies (small text files stored in your browser) and similar technologies in a limited and strictly necessary manner.

  • Essential Cookies: Necessary to keep you logged in, authenticate secure API requests, and remember basic preferences (like language and light/dark mode).
  • Security Cookies: Help prevent fraud, such as repeated login attempts or Cross-Site Request Forgery (CSRF) attacks.

ChurchBox does not use invasive advertising trackers or sell behavioral data. You can manage or disable cookies directly in your browser settings, although this may compromise platform functionality.

8. Changes to this Privacy Policy

We reserve the right to modify, add, or remove portions of this Privacy Policy at any time to reflect technological, legal, or business changes. When substantial changes occur, we will publish the new version on the platform and proactively notify you (via email or in-app notification) with reasonable advance notice. Continued use of the Services after the new policy takes effect constitutes your acceptance of such changes.

9. Contact Us

ChurchBox has a dedicated Data Protection Officer (DPO) to oversee your privacy. If you have any questions, requests, or concerns regarding this Policy or the processing of your personal data, or if you wish to exercise your rights, please do not hesitate to contact us through our official privacy channel:

privacy@churchbox.com.br