Privacy Policy
Last updated: May 8, 2026
This policy explains what information Citizen Sites collects, how we use it, and the choices you have. We wrote it in plain English so you can actually read it. If anything here is unclear, reach out through our contact form and we’ll explain.
1. Overview
Citizen Sites (“Citizen Sites,” “we,” “us,” or “our”) is a software platform that helps churches build websites, manage members, accept giving, schedule serving teams, run check-in, and connect their day-to-day ministry tools. This Privacy Policy describes how we handle personal information across the Citizen Sites platform and our companion Citizen Send mobile experience.
When a church signs up with Citizen Sites, that church is the “Customer” or “Tenant.” The Customer controls the personal information of its members, donors, volunteers, and visitors (the “End Users”). For that information, Citizen Sites acts as a service provider / data processor on the Customer’s behalf. End Users with questions about their personal data should contact their church directly first.
2. Who this policy covers
This policy applies to information collected through:
- Our marketing websites at buildcitizensites.com and any beta marketing site we operate.
- The Citizen Sites authoring surfaces — the page editor, user portal, admin console, and renderer used to build and publish church sites.
- Tenant church websites we host on your behalf, including custom domains pointed at our infrastructure.
- The Citizen Send mobile app and its public web profile pages at buildcitizensites.com/citizensend/…
- Email and other direct communication you send us.
This policy does not cover third-party websites that we link to but do not operate.
3. Information we collect
Account & authentication
When a church staff member, volunteer, or member signs in, we collect a name, email address, password (stored only as a salted hash by Firebase Authentication), optional phone number, role, and any tenant-church identifiers required to scope access. We also collect a session cookie so signed-in pages know who you are.
Sensitive optional profile fields
The user model supports optional fields a church may choose to collect on a member or staff record — including birthdate and medical notes. These fields are sensitive; we store them only when the church configures them and only the staff with proper permissions can read them.
Member & family data
Tenant churches use Citizen Sites to maintain a directory of members, families, groups, prayer requests, and serving teams. The Customer determines which fields are collected and which staff members can see them. We store this data in Firestore, scoped under the tenant’s own document.
Giving & payment data
When an End User makes a gift, payment data (card number, bank routing, billing address) is collected directly by Stripe through their Stripe Connect platform. Citizen Sites does not see or store full card numbers or bank account numbers. We do store gift amount, date, fund allocation, donor name, donor email, an optional donor address (for receipts), and Stripe identifiers used to look up the gift.
Calendar, registrations & check-in
We store events, registrations (including paid registrations and the resulting Stripe fulfillment record), check-in records, family check-in pickup tags, and serving-team assignments. For child check-in we may store a child’s name, date of birth, guardians, allergies, and a one-time pickup code if your church configures these fields.
Content & uploaded media
Pages, blocks, images, fonts, recording metadata, and any other content your church creates in the editor. Uploaded media lives in Firebase Storage and the static-site export bucket on Google Cloud Storage.
Forms & submissions
Anything submitted through forms your church builds (contact forms, signup forms, custom registration forms, our own beta-application and contact forms).
Integrations
If your church links Google Workspace, Google Calendar, Planning Center, or YouTube, we exchange OAuth tokens and read the data each integration is granted to read. We store the integration tokens and any synced records (events, calendar links, channel metadata) but do not request access beyond the documented scopes.
Logs, telemetry & usage
Web servers and edge caches record IP addresses, user agents, timestamps, and request paths for security, rate limiting, and debugging. Our contact form additionally stores a one-way hashed IP address and the submitting browser’s user agent to deter abuse and spam — we cannot reverse the hash to recover the original IP.
We run Vercel Analytics and Vercel Speed Insights on our own platform surfaces only — the marketing site, signed-in user portal, page editor, and admin console. These tools collect aggregate performance and page-view metrics with no advertising identifiers. Tenant church sites do not run any third-party analytics by default. A tenant may add their own analytics or pixel in their site settings; if they do, those tools collect data under the tenant’s own privacy policy, not ours.
4. How we use information
- To operate the platform — sign-in, page rendering, scheduled jobs, email delivery, search, caching, and backups.
- To process gifts and registrations through Stripe and reconcile them in your church’s books.
- To send transactional email (sign-in links, password resets, registration confirmations, giving receipts, serving reminders).
- To investigate security incidents, prevent abuse, and rate-limit malicious traffic.
- To improve product reliability through aggregated, non-identifying usage measurement.
- To respond when you contact us.
We do not sell personal information. We do not use End User data to train AI models. We do not use End User data for advertising.
6. Service providers
We rely on a small number of carefully chosen sub-processors to deliver the platform:
- Google Cloud / Firebase — authentication, Firestore database, Cloud Storage, Cloud Tasks queues, hosting for the Citizen Send Firebase project.
- Vercel — hosting, edge caching, image optimization, domains API, and Vercel Blob storage for static-site exports.
- Stripe — subscription billing for the platform and Stripe Connect for tenant online giving.
- Resend and AWS Simple Email Service — transactional email delivery.
- Google Workspace, Google Calendar, Planning Center, and YouTube — only when a Customer chooses to connect their account.
Each sub-processor is bound by its own privacy commitments. We will publish material changes to this list in advance.
8. Children’s data & check-in
Citizen Sites is not directed to children under 13, and we do not knowingly collect personal information directly from children. Many churches use Citizen Sites for children’s ministry and Sunday-morning check-in. In those cases the church is the data controller; the church collects child information from parents and guardians under their own consent practices, and the church is solely responsible for obtaining any parental or guardian consent required by law (including COPPA in the United States).
Citizen Sites stores child check-in data only on the tenant church’s scoped Firestore records, accessible only to authorized church staff. Fields may include a child’s name, optional date of birth, allergies, family relationships, and a one-time pickup code used to claim the child at the end of service. We do not store photos of children unless the church explicitly enables a photo field. If you are a parent or guardian and would like a child’s record reviewed or removed, contact your church directly and they can act on the request inside the platform.
9. Giving & payments
All card and bank data is collected by Stripe and tokenized inside Stripe’s PCI-DSS certified environment. Citizen Sites never sees raw card numbers or bank account numbers. The Stripe identifiers we store let us reconcile gifts and produce receipts and statements but cannot, by themselves, be used to charge a card again outside of Stripe’s controls.
When tenant churches enable Stripe Connect to receive gifts, the church becomes the merchant of record and is bound by Stripe’s Connected Account Agreement.
10. Citizen Send (mobile)
Citizen Send is our free groups and prayer-vault mobile app. It runs on its own dedicated Firebase project (citizen-send) that is logically and architecturally separated from the Citizen Sites platform’s Firebase project. They do not share databases, authentication state, or service accounts.
In Citizen Send we collect a username, display name, optional photo, group memberships, messages, prayer-vault entries, and device push-notification tokens. The public web surface at /citizensend/u/[username] shows only the public profile card the user has chosen to share.
Linking a Citizen Send account to a Citizen Sites tenant is optional and only happens when a user explicitly authorizes it. Even when linked, the two databases stay separate; we move only the minimum data needed for the linked feature.
11. Data retention & deletion
We retain personal information for as long as a tenant church’s account is active. When a church cancels, we keep their data for a 30-day grace period in case they want to reactivate, then delete primary records on a rolling schedule. We keep up to 25 publish backups per church so a recent published version can be restored on request. Short-lived records self-expire via Firestore TTL: pending signup invitations within an hour, password-reset and email-change tokens within 10 minutes, email-job and static-site export dedupe records within 12 hours, and Stripe webhook events and pending deletion requests within 14 days.
Tenants can request a full export or deletion at any time through our contact form. Individual End Users should contact their church first; if the church will not act on a valid request, reach out to us and we’ll help.
12. Security
We use Firebase Authentication, Firestore security rules, per-tenant access checks at the API layer, signed session cookies, content security policy headers, HTTPS everywhere, IP-based rate limiting on every API endpoint, server-side HTML sanitization, and least-privilege service accounts. We log security events and monitor for abnormal access patterns.
No system is perfect. If you discover a security issue, please report it through our contact form. We will not pursue legal action against good-faith researchers who follow standard responsible-disclosure norms.
13. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, to object to processing, or to lodge a complaint with a supervisory authority. End Users should normally exercise these rights through the church that maintains their record. We will help any Customer fulfill a verified request that they need our help with.
14. International users
Citizen Sites is operated from the United States. By using the platform from outside the U.S., you understand that your information will be processed in the U.S. and other countries where our service providers operate.
15. Changes to this policy
We’ll update the “Last updated” date at the top whenever this policy changes. For material changes (new sub-processors, expanded data uses, new categories of collection) we’ll notify Customers by email at least 30 days before the change takes effect.
16. How to contact us
For privacy questions, deletion requests, or anything else covered by this policy, write to us. We read every email ourselves.