Privacy Policy

We respect the dignity of the ministers and churches/ministries we serve. This Policy explains what GospelNote collects, why, and what you can do about it.

Last updated: May 1, 2026

1. Who we are

GospelNote is operated from Atlanta, Georgia, USA. Contact: support@gospelnote.com.

2. What we collect

We collect only what we need to operate the service well.

2.1 Account information

• Name (legal first/last and an optional preferred name)
• Email address (used for sign-in and transactional email)
• Password hash (we never see your plaintext password)
• Phone number, if you provide one
• City, state, country (for time zone and regional pricing)
• Sign-in metadata (last sign-in timestamp, sign-in method, IP address at sign-in for fraud prevention)

2.2 Ministry / organisation profile

• For ministers: bio, focus areas, settings served, ministry positions, education, photos, and any external profile links (website, social media) you choose to add
• For churches/ministries and organisations: name, type, location, description, logo, denomination, and any external profile links you choose to add

2.3 Engagement data

• Booking requests, requirements (honorarium, travel, lodging, hospitality, stage), logistics details, and message threads between speaker and inviter
• Engagement state transitions (pending, approved, confirmed, completed)

2.4 Payment data

• When you pay, Stripe handles your card information directly. We receive only what Stripe sends back: a customer ID, a subscription / payment intent ID, the amount and currency, the payment status, and metadata we attached (which engagement, which side, which tier).
• We never see or store full payment card numbers (PAN, CVV). Card data is stored by Stripe, a PCI-DSS Level 1 processor.

2.5 Approximate location

We read the x-vercel-ip-country header that Vercel attaches to incoming requests in order to (a) display prices in your local currency where supported and (b) apply Africa-free access. We do not store the IP address or country alongside your account; we simply read the header on each request.

2.6 Cookies

We use only essential cookies — those required to keep you signed in (Supabase auth) and to remember your theme preference. We do not use cookies for advertising, retargeting, or analytics-as-a- product.

3. What we do NOT collect

• Card numbers, CVVs, or other PCI data
• Honorarium amounts processed by us (honorarium money does not flow through GospelNote — it is paid directly between speaker and church/ministry)
• Biometric or facial-recognition data
• Health, religious-belief detail, political affiliation, or other “special category” data unless you choose to put it in your profile
• Behavioural tracking outside the GospelNote site
• Device fingerprints for cross-site identification

4. How we use what we collect

• To operate the service (let you sign in, render your dashboard, route invitations, enforce role-based access)
• To send transactional email (engagement state changes, magic links, password resets, receipts)
• To process payments via Stripe
• To detect and prevent fraud, abuse, and security incidents
• To respond to legal obligations (warrants, court orders)
• To improve the service (debugging, performance investigation, aggregated usage patterns — never linked to individual identity in a way that could be re-personalised)

We do not sell your personal information. We do not share your personal information with advertisers. We do not use your data to train third-party AI models.

5. Service providers

We rely on a small set of vendors to operate the platform. Each receives only the data necessary for its role:

• Stripe, Inc. — payments. Receives card data directly; we receive only payment metadata. See stripe.com/privacy.
• Supabase, Inc. — database, authentication, file storage. Hosts our data on AWS in the United States. See supabase.com/privacy.
• Vercel Inc. — web hosting, CDN, edge functions. See vercel.com/privacy.
• Resend — transactional email delivery. See resend.com/privacy.
• Cloudflare, Inc. — DNS only (the Cloudflare proxy is not enabled). See cloudflare.com/privacy.

6. Where your data is processed

Your data is stored on servers in the United States. If you are accessing GospelNote from outside the US (including the European Economic Area, the United Kingdom, or Africa), your information will be transferred to and processed in the US. By using GospelNote you consent to that transfer.

7. How long we keep it

• Active account — for as long as your account exists.
• Soft-deleted account — 30 days from the date you delete the account, during which period the data is hidden but recoverable on request to support@gospelnote.com.
• Engagement records — retained in aggregate, de-identified form for legal, tax, and audit purposes for up to seven (7) years after account deletion.
• Payment audit ledger — retained for the period required by tax and accounting law (currently seven years).
• Server logs — typically 30–90 days, longer where required for security incident investigation.

8. Your rights

Depending on where you live, you may have the right to:

• Access — request a copy of the personal information we hold about you
• Correct — ask us to fix inaccurate information
• Delete — ask us to remove your personal information (subject to retention obligations described above)
• Export — receive a portable copy of your data in a structured, commonly used format
• Restrict or object — limit how we use your information
• Withdraw consent — where we rely on consent (e.g. for non-essential email communications)

To exercise any of these rights, email support@gospelnote.com. We will respond within 30 days. If you are in the European Economic Area or the UK and you believe we have not handled your request properly, you may complain to your local data-protection authority.

California residents also have the right to opt out of the “sale” or “sharing” of personal information under the CPRA. We do not sell or share personal information for cross-context behavioural advertising.

9. Children

GospelNote is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Security

We protect your data with industry-standard practices: TLS in transit, encryption at rest, role-based access controls, row-level security on the database, and regular security review. No system is perfectly secure; if we become aware of a security incident affecting your data we will notify you and the relevant authorities as required by law.

11. Changes to this Policy

If we make material changes to this Policy we will notify registered users by email at least fourteen (14) days before the change takes effect. The “Last updated” date at the top reflects the most recent revision.

12. Contact

Questions, requests, or concerns? Email support@gospelnote.com.