Privacy Policy

Effective Date: April 1, 2026

1. Introduction

Tend (“we,” “our,” or “us”) is a pastoral care management application designed for churches and ministry teams. We take the privacy of your personal information and the sensitive pastoral data you entrust to our platform seriously. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding that data.

By creating an account or using Tend, you agree to the practices described in this policy.

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

• Email address — used for authentication and account recovery.
• Password — hashed by our authentication provider; we never store or see your plaintext password.
• Display name and title — shown to other team members in your church.

2.2 Pastoral & Congregation Data

Tend stores data you enter about your congregation, including member profiles, prayer requests, care logs, tasks, events, households, discipleship pathways, tags, and custom fields. This data is encrypted on your device before it ever leaves your browser (see Section 5). We cannot read this data on our servers.

2.3 Church Management System (ChMS) Credentials

If you choose to connect a church management system (Breeze or Planning Center Online), we store the API credentials needed to sync data. These credentials are encrypted server-side by our integration service and are never stored in plaintext in our database.

2.4 Usage & Technical Data

We do not use any third-party analytics, tracking pixels, or advertising services. We do not track your behavior within the app. Standard server logs (IP address, request timestamps) are generated by our infrastructure providers as part of normal operations.

3. How We Use Your Data

We use your data solely to:

• Provide and operate the Tend application.
• Authenticate your identity and manage your session.
• Sync your encrypted data across your devices.
• Sync data with your connected church management system (if enabled).
• Send transactional emails (account verification, password reset).

We do not sell, rent, or share your data with advertisers or data brokers. We do not use your data for marketing purposes.

4. Data Sharing & Third-Party Services

We rely on the following third-party services to operate Tend. Each service only receives the minimum data necessary for its function:

4.1 Supabase (Authentication & Database)

Supabase provides our authentication system and hosts our database. Your email and hashed password are managed by Supabase Auth. All pastoral data stored in Supabase is encrypted before transmission — Supabase holds only encrypted blobs it cannot read.

4.2 Cloudflare (Integration Proxy & Hosting)

Our application is hosted on Cloudflare Pages. Our church management system integration service runs on Cloudflare Workers. This service securely handles ChMS credential encryption and data synchronization.

4.3 Planning Center Online & Breeze ChMS (Optional)

If you choose to connect one of these church management systems, data is synced between Tend and your ChMS. Only member directory data is exchanged. Your ChMS provider’s own privacy policy governs their handling of data on their platform.

4.4 Google Fonts

We load fonts from Google Fonts. When your browser requests these fonts, Google may receive your IP address and browser information. We cache these fonts locally to minimize subsequent requests. See Google’s privacy policy for details.

4.5 On-Device AI (Optional)

Tend offers optional natural language command processing. When available, this runs entirely on your device using your browser’s built-in AI capabilities. No data is sent to external AI services for this feature.

5. Encryption & Security

Tend uses a zero-knowledge encryption architecture for all pastoral and congregation data:

• Client-side encryption: All pastoral data (members, prayers, care logs, tasks, events, households, pathways, tags, and custom fields) is encrypted on your device using AES-256-GCM before being sent to our servers.
• Church Master Key (CMK): Each church has a unique encryption key. This key is wrapped (encrypted) with your password and stored securely. We never have access to your plaintext encryption key.
• ChMS credential encryption: Church management system API credentials are encrypted server-side by our integration service using a separate encryption key. They are never stored in plaintext in our database.
• Church isolation: Database-level security policies ensure users can only access data belonging to their own church.
• Transport encryption: All data in transit is protected by TLS (HTTPS).

Because we use zero-knowledge encryption, we cannot read, access, or recover your pastoral data. If all users in a church lose their passwords, the encrypted data cannot be recovered.

6. Data Storage & Retention

6.1 On Your Device

Tend stores data locally using your browser’s IndexedDB for offline access. This data persists until you sign out or clear your browser data. As a Progressive Web App (PWA), Tend also caches application assets via a service worker for offline use.

6.2 On Our Servers

Encrypted pastoral data is retained on our servers as long as your church account is active. Deleted records are soft-deleted (recoverable for 30 days) and then permanently removed.

6.3 Backups

Automated database backups are maintained by our infrastructure provider for disaster recovery purposes. Backups contain only encrypted data and follow the same retention schedule.

7. Multi-User & Team Access

Church owners can invite team members to share access to pastoral data. All team members share the same encryption key and can read data marked as “team” visibility. Tend provides visibility controls for sensitive records:

• Team: Visible to all users in your church (default).
• Shared: Visible only to specific team members you select.
• Personal: Visible only to you.

An audit trail records who created or last modified each record. Church owners can remove team members, which revokes their access.

8. Cookies & Local Storage

Tend does not use cookies for tracking or advertising. We use browser storage (IndexedDB and localStorage) to store your encrypted data cache, session information, and theme preferences. Our authentication provider may use session cookies to maintain your login state.

9. Children’s Privacy

Tend is designed for use by adult church leaders and pastoral care teams. We do not knowingly collect personal information directly from children under 13. Member records for minors are entered and managed by authorized adult users of the application.

10. Your Rights

You have the right to:

• Access your data at any time through the application.
• Export your data from the application.
• Delete your data, including your account and all associated records.
• Disconnect any church management system integration at any time.

To exercise these rights or request account deletion, contact us at the address below.

11. Data Breach Notification

In the unlikely event of a data breach, we will notify affected users via email within 72 hours of discovery. Because pastoral data is encrypted with keys we do not hold, a breach of our database would not expose the contents of your pastoral records.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the application and updating the effective date above. Continued use of Tend after changes constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Email: support@tendpastoralcare.app