Privacy Policy

1. Introduction

Welcome to Ekkle (“we,” “us,” or “our”). Ekkle operates the church community platform available at ekkle.app, its associated subdomains (e.g., yourchurch.ekkle.app), the Ekkle web application and mobile application for iOS, and any white-label iOS applications published on behalf of individual churches using the Ekkle platform (collectively, the “Service”).

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding that data. This policy applies to all users of the Service, whether accessed through the main Ekkle app, a church-branded white-label app, or the web platform.

2. Information We Collect

2.1 Information You Provide

Account information: Name, email address, and password when you register.
Profile information: Profile details such as first name, last name, and optional profile photo.
Church membership: The church(es) you join and your role within them (e.g., member, admin).
Messages: Content of messages you send through the in-app messaging feature. Messages are encrypted (see Section 5).
Donation information: When you make a donation, our payment processor (Stripe) collects your payment card details. We receive a transaction record (amount, date, donation category) but never store your full card number.
Content uploads: Sermons, images, videos, or other media uploaded by church administrators.
AI feature inputs: Content you submit to AI-powered features, such as onboarding chat, sermon transcription/metadata generation, moderation checks, and AI assistant prompts.

2.2 Information Collected Automatically

Device information: Device type, operating system version, app version, and unique device identifiers for push notification delivery.
Usage data: Pages visited, features used, timestamps, and general interaction patterns to improve the Service.
Log data: IP addresses, browser type, and referring URLs recorded in server logs.

2.3 Information from Third Parties

We receive limited information from third-party services that are connected to the Service, such as payment status/details from Stripe and account/channel metadata from connected livestream platforms (e.g., YouTube or Facebook) when church administrators enable those integrations. See Sections 12 and 13 for the specific Google/YouTube and Facebook/Meta disclosures.

3. How We Use Your Information

Provide the Service: Authenticate your account, display your church content, deliver messages, process donations, and send push notifications.
Improve the Service: Analyze usage patterns, diagnose technical issues, and develop new features.
Communicate with you: Send transactional emails (e.g., donation receipts, password resets), notification emails based on your preferences, and service-related messages.
Safety and compliance: Enforce our Terms of Service, comply with legal obligations, and protect against fraud or abuse.

4. SMS / Text Messaging

Ekkle uses Twilio, a third-party communications platform, to deliver SMS (text) messages on behalf of Ekkle and the churches that use the Service. This section describes our SMS practices. See our SMS Terms for the program description, message frequency, HELP/STOP instructions, and additional details.

4.1 Categories of SMS We Send

Account verification and two-factor authentication: One-time verification codes sent when you add a phone number to your account, sign in with two-factor authentication enabled, or perform other security-sensitive actions.
Platform and billing alerts: Service-related notices to church administrators (for example, a failed subscription payment).
Church broadcasts: Announcements, prayer requests, event reminders, and similar messages composed by your church and sent to lists you have joined.

4.2 How We Collect Your Phone Number and Consent

In the Ekkle app: You can add a phone number from your profile and enable two-factor authentication. By adding your number you consent to receive verification and security-related SMS from Ekkle.
Church-managed lists: Your church may add you to one of its SMS lists after you have given written or verbal consent (for example, a sign-up form, connection card, or church website opt-in). Your church is responsible for collecting and maintaining proof of that consent.
Keyword opt-in: You can join a church's SMS list by texting a published keyword (for example, JOIN) to that church's SMS number. Sending the keyword constitutes your consent to receive recurring messages from that church.

4.3 No Sharing of Mobile Information for Marketing

Mobile information (phone numbers and SMS opt-in data) will not be shared with third parties or affiliates for marketing or promotional purposes. Phone numbers and consent records are used only to deliver the SMS categories described in Section 4.1. We share the minimum information necessary with our SMS delivery provider (Twilio) and underlying mobile carriers solely to transmit the messages you have opted in to receive. The “no third-party sharing for marketing” restriction applies specifically to mobile information collected for SMS, regardless of any broader sharing described elsewhere in this policy.

4.4 Message Frequency, Rates, and Help

Frequency: Message frequency varies depending on the lists you have joined and your church's communication patterns.
Cost: Message and data rates may apply. Check with your mobile carrier for details.
Help: Reply HELP to any Ekkle SMS to receive support information, or email support@ekkle.app.

4.5 Opt-Out

You can opt out of any church's SMS list at any time by replying STOP (or UNSUBSCRIBE, CANCEL, or QUIT) to a message from that church's SMS number. We will record your opt-out and stop sending broadcast messages to that number from that church. To re-subscribe, reply START (or YES/ UNSTOP) to the same number. Opting out of a church's broadcast list does not stop transactional account-security SMS such as two-factor authentication codes; to stop those, remove your phone number or disable two-factor authentication in your profile.

5. How We Share Your Information

We do not sell your personal data. We share data only in these circumstances:

With your church: Church administrators can see member account and membership data for their church, and donation records for giving features. They cannot read private message content unless they are a participant in that conversation.
Payment processor: Stripe processes your donations. Stripe's use of your data is governed by Stripe's Privacy Policy.
Infrastructure providers: We use cloud hosting and CDN providers to deliver the Service. These providers process data on our behalf and are contractually bound to protect it.
Service providers: We use service providers for email delivery (Postmark), push notification delivery (including Apple APNs for iOS), and AI processing (OpenAI) to power specific product features.
Legal requirements: We may disclose data if required by law, subpoena, or court order, or to protect the rights, safety, or property of Ekkle or others.

6. Data Security & Encryption

We take the security of your data seriously:

Message encryption (AES-256-GCM): All private messages are encrypted before being written to the database. The plaintext content is never stored. Even with direct database access, messages appear as unreadable ciphertext.
Encryption in transit (TLS): All communication between your device and our servers is protected by TLS, preventing interception during transmission.
Password hashing: Passwords are hashed using industry-standard algorithms and are never stored in plain text.
Access controls: Internal access to production systems and data is restricted and logged.
Short-lived tokens: Authentication uses JWT access tokens that expire after 15 minutes, paired with secure refresh tokens.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

Account data: Retained until you delete your account.
Messages: Encrypted message data is retained while the related conversation exists and according to church/community controls.
Donation records: Retained as needed for accounting, tax, fraud prevention, and legal compliance.
Server logs: Retained for operational and security monitoring, then deleted or anonymized based on operational needs.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate personal data.
Delete your account and associated account/profile data, subject to legal retention requirements.
Manage email and push notification preferences in the app.
Request assistance with privacy inquiries by contacting us.

To exercise any of these rights, contact us at privacy@ekkle.app.

9. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal data, please contact us at privacy@ekkle.app.

10. White-Label & Tenant Apps

Churches using Ekkle may have a branded iOS application published under their own name on the Apple App Store. These white-label apps are powered by the Ekkle platform and are governed by this same Privacy Policy. The church's administrators manage their community within the app, but all data processing, storage, and security is handled by Ekkle as described in this policy.

If a specific church has additional privacy practices, they may supplement this policy. However, the Ekkle platform privacy policy serves as the baseline for all tenant apps.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal data.

12. Google / YouTube API Services

When a church administrator connects their YouTube channel to Ekkle's livestream forwarding feature, Ekkle accesses YouTube data through the YouTube Data API v3 on that administrator's behalf. This section is provided in addition to, and for the purposes of, our compliance with the Google API Services User Data Policy.

12.1 Compliance with Google API Services User Data Policy

Ekkle's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. By connecting your Google account, you also agree to YouTube's Terms of Service and to Google's Privacy Policy.

12.2 Scopes Requested

When a church administrator connects YouTube, Ekkle requests the following Google OAuth scope:

https://www.googleapis.com/auth/youtube — required to create and manage live broadcasts and reusable live streams on the connected channel, and to read the channel's id and title for display in the Ekkle admin interface.

12.3 How We Use Google User Data

Read the connecting account's YouTube channel id and title to display “Connected as <channel>” in the church admin panel.
Create one reusable liveStream resource on the connected channel so that Ekkle can forward the church's RTMP feed to YouTube without re-encoding.
Create a new liveBroadcast each time the church goes live and bind it to that reusable stream.
Refresh the OAuth access token in the background using the long-lived refresh token, solely to keep the integration working between services.

12.4 What We Do Not Do With Google User Data

We do not transfer Google user data to third parties except as necessary to provide or improve the integration, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
We do not use Google user data to train, develop, or improve generalized or non-personalized AI/ML models.
We do not allow humans to read Google user data unless we have the user's affirmative agreement for specific communications, it is necessary for security purposes (e.g., investigating abuse), to comply with applicable law, or the data is aggregated and anonymized for internal operations.

12.5 Storage and Security of Google Tokens

OAuth access tokens and refresh tokens issued by Google are encrypted at rest using AES-256 with a key held only by Ekkle's backend, and transmitted only over TLS. Tokens are scoped to a single church and are never exposed to other churches, end users, or third parties.

12.6 Revoking Access and Token/Data Deletion

A church administrator may revoke Ekkle's access at any time by either:

Clicking Disconnect YouTube in the church's Live Stream settings in the Ekkle admin panel, which deletes the stored Google tokens and the associated forwarding destination from Ekkle's database; or
Visiting myaccount.google.com/permissions and removing the “Ekkle” application.

When a church or user account is deleted, all associated Google tokens and channel metadata are deleted from Ekkle's systems.

13. Facebook Login and Meta Platform Data

When a church administrator connects a Facebook Page to Ekkle's livestream forwarding feature, Ekkle accesses Meta platform data on that administrator's behalf using the Facebook Graph API. This section describes that integration.

13.1 Permissions Requested

Ekkle requests the following Facebook permissions during login:

pages_show_list — list the Pages the connecting user manages so the administrator can choose which Page to broadcast to.
pages_read_engagement — read basic Page metadata (id and name) for the selected Page to display in the admin panel and to obtain a Page Access Token.
pages_manage_posts — required by Meta to publish Live Video objects on the selected Page.
publish_video — create a Live Video on the selected Page each time the church goes live and supply Ekkle with the RTMPS ingest URL used to forward the broadcast.

13.2 How We Use Meta Platform Data

Display the connected Page's name in the Ekkle admin panel.
Create a Live Video object on the selected Page when the church goes live, and use the returned ingest URL to forward the church's existing RTMP feed to Facebook.
Store the Page Access Token to keep the integration working between services.

13.3 What We Do Not Do With Meta Platform Data

We do not post anything other than the church's own Live Video to the connected Page.
We never post to a user's personal Facebook timeline, groups, profile, or any other Page than the one explicitly selected by the administrator.
We do not read followers, comments, messages, insights, or advertising data from the connected Page.
We do not sell, rent, or share Meta platform data with third parties, and we do not use it to train AI/ML models or for advertising.

13.4 Storage and Security of Page Access Tokens

Page Access Tokens issued by Meta are encrypted at rest using AES-256 with a key held only by Ekkle's backend, and transmitted only over TLS. Each token is scoped to a single Page selected by the connecting administrator and is never exposed to other churches, end users, or third parties.

13.5 Revoking Access and Data Deletion

A church administrator may revoke Ekkle's access at any time by either:

Clicking Disconnect Facebook in the church's Live Stream settings in the Ekkle admin panel, which deletes the stored Page Access Token and the associated forwarding destination from Ekkle's database; or
Visiting Facebook Settings → Business Integrations and removing the “Ekkle” integration.

For full instructions on deleting your Ekkle account and any connected platform tokens, see our Account Deletion page. This URL is also registered as the “Data Deletion Instructions URL” for the Ekkle Facebook application.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we may also send a notification through the app.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Email: privacy@ekkle.app
Website: meet.ekkle.app