Flock

Privacy Policy

Effective date: February 15, 2025

1. Introduction

Covenant Labs LLC ("we," "us," or "our") operates the Flock application and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Flock is a church community group management platform. We understand that the data entrusted to us — prayer requests, attendance records, personal information — is sensitive and sacred. We treat it accordingly.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2a. Account Information

When you create an account, we collect information such as your name, email address, profile photo, and the authentication method you use (Google OAuth or email/password). If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

2b. Prayer Requests

When you submit a prayer request, we store the text of the request, the privacy level you select (public, private, or elevated), timestamps, and associated metadata such as encouragement messages and "prayed for" counts. Prayer requests marked as "private" are visible only to group leaders and pastoral staff. We use AI-based analysis to detect prayer sentiment and categorize prayer topics for pastoral intelligence features. This analysis is performed to help church leaders better care for their members.

2c. Attendance Data

When attendance is taken via our AI photo attendance feature, group photos are processed through facial recognition to identify members present at a gathering. Photos are sent to AWS Rekognition for face matching and are not stored permanently by AWS after processing. Attendance records (who was present, absent, or marked as a visitor) are stored in our database. Facial recognition data (face embeddings) are stored securely and used solely for attendance matching within your organization.

2d. Usage Analytics

We collect information about how you interact with the Service, including pages visited, features used, device type, operating system, and general usage patterns. This data helps us improve the Service and is not used to personally identify you outside the context of your account.

2e. Chat Messages

Messages sent through Flock's group chat feature are stored in our real-time database. These include text content, images, GIFs, Bible verse references, reactions, and read receipts. Chat data is scoped to the group or chat sub-group in which it was sent.

2f. Event and RSVP Data

When you create events or respond to RSVPs, we store event details, your RSVP status, and related email communications.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Enable prayer wall features, including privacy levels and pastoral intelligence
  • Provide AI-powered photo attendance and visitor detection
  • Generate group health scores and at-risk member alerts for church leaders
  • Deliver event reminders, RSVP confirmations, and other transactional emails
  • Analyze prayer sentiment and topics to support pastoral care workflows
  • Detect and prevent fraud, abuse, and security incidents
  • Respond to your requests, comments, and questions
  • Comply with legal obligations

4. Data Storage and Security

Your data is stored across multiple secure services, each chosen for its specific strengths:

  • PostgreSQL — Structured data (accounts, groups, attendance, prayer history) is stored in a PostgreSQL database with Row-Level Security (RLS) enforcing complete multi-tenant data isolation at the database level.
  • Google Firebase / Firestore — Real-time data (chat messages, prayer wall updates, notifications) is stored in Google Firestore with organization-scoped security rules.
  • AWS — Facial recognition processing is handled by AWS Rekognition. Face embeddings are stored in AWS collections scoped to your organization.

All data is transmitted over HTTPS (TLS encryption in transit). We follow industry-standard security practices including parameterized database queries, JWT-based authentication, and audit logging of sensitive operations.

5. Third-Party Services

We use the following third-party services to operate Flock:

  • Firebase Authentication (Google) — Manages user authentication via Google OAuth and email/password sign-in. Subject to Google's Privacy Policy.
  • AWS Rekognition (Amazon) — Processes group photos for facial recognition attendance. Subject to AWS's Privacy Notice.
  • SendGrid (Twilio) — Delivers transactional emails including event reminders, RSVP confirmations, and invitation emails. Subject to Twilio's Privacy Policy.
  • Railway — Hosts our backend infrastructure. Subject to Railway's Privacy Policy.

We do not share your data with these services beyond what is necessary to provide the functionality described above. None of these services receive your data for their own marketing or advertising purposes.

6. Data Sharing

We do not sell your personal information. We do not rent, trade, or otherwise share your data with third parties for their own commercial purposes.

We may share your information only in the following circumstances:

  • Within your organization — Your group leaders, ministry directors, campus pastors, and organization administrators can see information appropriate to their role, as governed by our role-based access control system.
  • Service providers — With third-party vendors who assist us in operating the Service (as described in Section 5), subject to confidentiality obligations.
  • Legal requirements — If required by law, regulation, legal process, or government request.
  • Safety — To protect the rights, property, or safety of Covenant Labs LLC, our users, or others.
  • Business transfers — In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.

7. Your Rights

You have the following rights regarding your personal information:

  • Access — You may request a copy of the personal information we hold about you.
  • Correction — You may request that we correct inaccurate or incomplete personal information.
  • Deletion — You may request that we delete your personal information. Upon receiving a verified deletion request, we will remove your account data, prayer requests, attendance records, and chat messages. Some data may be retained in anonymized form for aggregate analytics or as required by law.
  • Export — You may request a machine-readable export of your personal data.
  • Opt out of facial recognition — You may request that your face embeddings be deleted from our system. You can still use the Service with manual attendance options.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

8. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will take steps to delete such information.

9. Cookies and Local Storage

Flock uses cookies and browser local storage for essential functionality, including:

  • Authentication tokens to keep you signed in
  • User preferences and interface settings
  • Offline data caching for offline-first functionality

We do not use cookies for advertising or third-party tracking. We do not participate in ad networks or use tracking pixels.

10. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you request account deletion, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

Aggregate, anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "effective date" at the top. For significant changes, we will also notify you via email or an in-app notification.

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: