Privacy Policy

Effective date: July 16, 2026

1. Introduction

Covenant Labs LLC ("we," "us," or "our") operates the Flock application and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Flock is a church community group management platform. We understand that the data entrusted to us — prayer requests, attendance records, group communications, biometric information, and personal information — is sensitive and sacred. We treat it accordingly.

AI processing is integral to the Service. Flock automatically analyzes and embeds member-submitted content to provide its prayer, pastoral-intelligence, search, communication, attendance, and support functions. Flock is not offered without this AI processing. After sign-in and before entering the app, every member receives one disclosure identifying the third-party AI providers, the data sent, and the purposes described below, and must provide explicit, non-preselected permission. Declining or withdrawing AI consent means the member cannot use the Service and will be signed out.

Facial-recognition consent is separate from the required AI consent. Facial recognition remains an optional attendance method governed by the additional choices described in Sections 2c, 6a, and 7.

2. Information We Collect

2a. Account Information

When you create an account, we collect information such as your name, email address, profile photo, and the authentication method you use (Google OAuth or email/password). If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

2b. Prayer Requests

When you submit a prayer request, we store the text of the request, the privacy level you select (public, private, or elevated), timestamps, and associated metadata such as encouragement messages and "prayed for" counts. Prayer requests marked as "private" are visible only to group leaders and pastoral staff authorized for that request. Prayer content can reveal religious or philosophical beliefs, health information, relationships, or other sensitive circumstances.

Every prayer submitted by a signed-in member is automatically sent to Fireworks.ai for sentiment, topic, subject, and pastoral-care classification and is automatically sent to Voyage AI to create a search embedding. The data can include prayer text, type, category, submitter name, dates, status, encouragement context, and answer testimony. AI-generated analysis and embeddings are stored with organization-scoped access controls to support pastoral intelligence and prayer search.

2c. Photos, Facial Recognition, Attendance Sheets, and Biometric Data

Flock's optional Photo Attendance feature may collect profile photos or selfies from members who expressly opt in, group attendance photos submitted by authorized leaders, and derived face data including face crops, face templates or embeddings, AWS Rekognition FaceIds, bounding boxes, image-quality values, pose, detection confidence, match-confidence values, and the applicable consent version and timestamp.

On iOS, Apple Vision is used only on the device to guide selfie framing. That live camera-frame analysis is transient and is not sent to Flock or another service. Flock does not receive or store Apple Face ID or Touch ID biometric data. Face ID and Touch ID are used only by the device operating system for local app authentication when enabled by the member.

Before Flock enrolls a member's profile photo or creates a reusable member face template, that member must provide separate explicit facial-recognition permission. Authorized leaders may submit group attendance photos to Amazon Web Services, including AWS Rekognition, to detect visible faces, compare them only with enrolled members in the same church organization, prepare attendance suggestions for leader review, and temporarily group unmatched faces within one attendance session. Unmatched faces are not enrolled as member identities or reused between events. Facial recognition is optional, separate from the required AI consent, and manual attendance remains available to members who do not enroll in facial recognition.

When a leader chooses Sheet Attendance, an image of the attendance sheet is stored temporarily in private AWS S3 and sent to AWS Textract to extract names, rows, and attendance marks. The extracted attendance suggestions are reviewed by the leader before they are saved.

Attendance records — including who was present, absent, or recorded as a visitor — are stored in our PostgreSQL database separately from the temporary photos and face crops used to prepare the attendance suggestions.

2d. Usage Analytics

We collect information about how you interact with the Service, including pages visited, features used, device type, operating system, and general usage patterns. This data helps us improve the Service and is not used to personally identify you outside the context of your account.

2e. Chat Messages and AI Search

Messages sent through Flock's group chat feature are stored in our real-time database. These include text content, images, GIFs, Bible verse references, reactions, and read receipts. Chat data is scoped to the group or chat sub-group in which it was sent.

Every eligible member-authored, non-system chat message is automatically sent to Voyage AI to generate a search embedding. The data can include message text or captions, sender name, date, content type, reply preview, attachment filename, and link domain. When a member uses AI-powered chat search, the search query, relevant group-member names, and matching message text, sender names, dates, and chat-group names may also be sent to Fireworks.ai to interpret the query and generate a response grounded in the authorized search results.

2f. Event and RSVP Data

When you create events or respond to RSVPs, we store event details, your RSVP status, and related email communications.

2g. Ask Flock, Support, and Feedback

Ask Flock is Flock's AI support assistant powered by Fireworks.ai. After the required account-level AI consent has been accepted, Fireworks.ai receives the current question, up to 20 recent messages in that Ask Flock conversation, and limited account context consisting of the member's name, church role, church name, and subscription plan. Flock stores the user and assistant messages in PostgreSQL so the member can view the conversation history and our support team can assist when a case is created.

Flock uses the OpenAI software package only as a protocol-compatible client for Fireworks.ai; we do not send this data to OpenAI. Support questions, the related assistant response, feedback text, role, platform, and app version may be sent to Fireworks.ai for case detection and feedback categorization.

2h. Other AI-Assisted Features

When a member expressly uses an applicable feature, Fireworks.ai may receive a scripture reference or description and translation choice for scripture lookup; a church-search query and candidate church names and addresses for church discovery; or limited first-name and organization context for member or church matching. We send only the data reasonably necessary for the requested function.

2i. Consent and Preference Records

We store whether the required account-level AI consent was accepted, declined, or revoked, the applicable consent version and timestamps, and the member's separate facial-recognition preference. These records help us honor member choices, prevent access after withdrawal, and demonstrate compliance. A member who previously declined or revoked AI consent may consent again on a later sign-in.

2j. Email Communications and Engagement Data

When we send optional product updates and similar account communications, we may use SendGrid, a Twilio service, to deliver and measure those emails. SendGrid may record whether an email was delivered, opened, or clicked. Open measurement may use a small transparent image, and click measurement may route links through SendGrid before directing you to the intended Flock page.

These events may include your email address, message and campaign identifiers, timestamps, IP address, device or browser information, and the link selected. We use this information to understand delivery and engagement, troubleshoot problems, protect our sending reputation, and improve our communications. We do not sell this information or use it for third-party advertising.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Enable prayer wall features, including privacy levels and pastoral intelligence
  • Provide optional photo attendance, face matching, and visitor review
  • Extract attendance suggestions from a photographed paper attendance sheet
  • Generate group health scores and at-risk member alerts for church leaders
  • Deliver event reminders, RSVP confirmations, and other transactional emails
  • Deliver and measure optional product updates and similar account communications, including delivery, open, and click activity.
  • Analyze prayer sentiment and topics to support pastoral care workflows
  • Create prayer and chat embeddings and provide authorized AI-powered search
  • Answer user-initiated support questions and categorize feedback or support cases
  • Support requested scripture lookup, church discovery, and limited member matching
  • Detect and prevent fraud, abuse, and security incidents
  • Respond to your requests, comments, and questions
  • Comply with legal obligations

4. Data Storage and Security

Your data is stored across multiple secure services, each chosen for its specific strengths:

  • PostgreSQL — Structured data (accounts, groups, attendance, prayer history, consent records, Ask Flock conversations, AI-analysis results, search text, and embeddings) is stored in PostgreSQL with Row-Level Security (RLS) enforcing multi-tenant data isolation at the database level.
  • Google Firebase / Firestore — Real-time data (chat messages, prayer wall updates, notifications) is stored in Google Firestore with organization-scoped security rules.
  • AWS S3 — Member profile photos are stored in a private profile-photo bucket. Group attendance photos, face crops, and photographed attendance sheets are stored in a separate private temporary-processing bucket.
  • AWS Rekognition — Facial-recognition templates are stored as encrypted face vectors in collections scoped to a single church organization. Flock stores the corresponding FaceId and indexing timestamp in PostgreSQL.
  • AI service providers — Fireworks.ai and Voyage AI process the limited inputs described in Sections 2 and 5. Flock stores the resulting support history, analysis, search text, and embeddings only where needed to provide those features.

All data is transmitted over HTTPS (TLS encryption in transit). We follow industry-standard security practices including parameterized database queries, JWT-based authentication, and audit logging of sensitive operations.

5. Third-Party Services

We use the following third-party services to operate Flock. We provide only the data reasonably necessary for each described purpose:

  • Firebase Authentication (Google) — Manages user authentication via Google OAuth and email/password sign-in. Subject to Google's Privacy Policy.
  • AWS Rekognition (Amazon) — Receives profile and group-attendance images and derived face crops to detect faces, create organization-scoped face templates, compare faces, and return match confidence and related metadata. Subject to AWS's Privacy Notice.
  • AWS Textract (Amazon) — Receives a photographed attendance sheet selected by a leader to extract names, rows, and attendance marks. Subject to AWS's Privacy Notice.
  • Fireworks.ai — Handles Flock's core AI generation and receives the limited prayer, chat-search, support, feedback, scripture, church-discovery, and matching inputs described in Section 2, including Ask Flock questions, up to 20 recent messages, and limited name, church role, church name, and subscription-plan context, to generate analysis, categorization, or requested results. Flock uses Fireworks' chat-completions API, which Fireworks documents as not persistently logging prompt or generation content by default; service metadata such as token counts may be retained. Subject to Fireworks' Privacy Notice.
  • Voyage AI — Receives the limited prayer, chat, and search-query context described in Section 2 to create numerical embeddings used for authorized semantic search. API data is processed under Voyage AI's commercial/API terms and Privacy Policy.
  • SendGrid (Twilio) — Delivers transactional emails and optional product or account communications and processes related delivery and engagement events, such as opens, clicks, bounces, and unsubscribes. Subject to Twilio's Privacy Policy.
  • Railway — Hosts our backend infrastructure. Subject to Railway's Privacy Policy.

We do not share your data with these services beyond what is necessary to provide the functionality described above. We require service providers that receive personal data to provide the same or equal protection described in this Privacy Policy, including purpose limitation, appropriate security, and deletion or retention controls. We do not authorize these services to use Flock data for their own advertising or marketing, and we do not sell data to them.

Provider-side retention can differ by service and may include limited safety, abuse-prevention, billing, diagnostic, contractual, or legal records. Where a provider supports customer content controls or deletion requests, we use those controls or submit a request as appropriate. The provider privacy notices linked above describe those provider-side practices in greater detail.

6. Data Sharing

We do not sell your personal information. We do not rent, trade, or otherwise share your data with third parties for their own commercial purposes.

We may share your information only in the following circumstances:

  • Within your organization — Your group leaders, ministry directors, campus pastors, and organization administrators can see information appropriate to their role, as governed by our role-based access control system.
  • Service providers — With third-party vendors who assist us in operating the Service (as described in Section 5), subject to confidentiality, purpose-limitation, security, and data-protection obligations.
  • Legal requirements — If required by law, regulation, legal process, or government request.
  • Safety — To protect the rights, property, or safety of Covenant Labs LLC, our users, or others.
  • Business transfers — In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.

6a. Required AI Consent and Separate Facial-Recognition Consent

After sign-in and before a member can enter Flock, the app presents one account-level AI disclosure that identifies Voyage AI, Fireworks.ai, and AWS Textract, explains the data sent and its purpose, and requests explicit, non-preselected permission. This permission is required to use the Service because the core prayer, pastoral-intelligence, search, communication, attendance, and support functions depend on the processing described in this policy. We record the decision, consent version, and timestamp.

Declining or withdrawing AI consent prevents access to Flock and will sign you out. You may consent again on a later sign-in. Withdrawal stops new member-initiated processing after the withdrawal but does not affect processing already initiated or completed, and provider-side copies may remain for the limited retention periods described in Section 5. Account deletion remains separately available.

Facial recognition uses the existing separate BIPA consent. A member may decline or disable facial recognition while continuing to use Flock after accepting the required AI consent; manual attendance remains available.

7. Your Rights

You have the following rights regarding your personal information:

  • Access — You may request a copy of the personal information we hold about you.
  • Correction — You may request that we correct inaccurate or incomplete personal information.
  • Deletion — You may request that we delete your personal information. Upon receiving a verified deletion request, we will remove your account data, prayer requests, attendance records, and chat messages. Some data may be retained in anonymized form for aggregate analytics or as required by law.
  • Export — You may request a machine-readable export of your personal data.
  • Email communication choices: You may unsubscribe from optional product updates at any time using the preferences or unsubscribe links included in those emails. Opting out of optional updates does not prevent Flock from sending necessary account, security, or transactional messages.
  • Opt out of facial recognition — You may request that your face templates or embeddings and associated FaceIds be deleted. You can still use the Service with manual attendance options.
  • Withdraw required AI consent — You may withdraw AI consent through Settings or by contacting us. Withdrawal signs you out and prevents further use of Flock unless you consent again. You may also request deletion of your account and personal data.
  • Object or restrict — Where applicable law provides this right, you may ask us to object to or restrict particular processing of your personal information.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

8. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will take steps to delete such information.

9. Cookies and Local Storage

Flock uses cookies and browser local storage for essential functionality, including:

  • Authentication tokens to keep you signed in
  • User preferences and interface settings
  • Offline data caching for offline-first functionality

We do not use cookies, pixels, or similar technologies for third-party advertising, and we do not participate in advertising networks. We may use the limited email-engagement technologies described above to measure delivery, opens, and clicks for optional communications.

10. Data Retention

We retain personal information only for as long as reasonably necessary to provide the Service, honor member and church-organization choices, meet legal obligations, resolve disputes, and enforce our agreements. The following more specific periods apply:

  • On-device selfie guidance — Apple Vision face-position data is transient, remains on the device, and is discarded when the camera session ends.
  • Temporary photo-attendance images — Group attendance photos and generated face crops are stored in a private temporary-processing bucket and automatically expire no later than 48 hours after collection. Flock may delete them earlier when they are no longer needed for the attendance workflow.
  • Temporary unmatched-face templates — Session-scoped templates are queued for deletion when the session is completed, canceled, reset, or expires. If AWS cannot confirm every deletion, Flock retains the associated FaceIds solely so deletion can be retried until AWS confirms that the templates are gone. Those templates are not enrolled as member identities or reused across events.
  • Photo-attendance session records — After temporary photos, face crops, and unmatched-face templates are deleted, the photo-attendance session record and resulting non-biometric attendance history may remain under the organization's general attendance-retention practices.
  • Attendance-sheet images — Images submitted for AWS Textract processing are deleted from Flock's temporary-processing storage no later than 48 hours after collection.
  • Profile photos and enrolled face data — A consenting member's profile photo and organization-scoped face template are retained while the account is active and facial recognition remains enabled. Replacing a profile photo deletes the prior profile photo and enrolled face templates. Deleting the profile photo or account deletes the associated profile photo, face templates, and FaceIds. Disabling facial recognition deletes the face templates and FaceIds but does not delete the profile photo used elsewhere in the member profile. Profile-photo object deletion is durably queued and retried if private AWS S3 storage cannot confirm it immediately.
  • Attendance records — The resulting non-biometric attendance record may be retained as part of the church organization's attendance history after temporary photos, crops, and face-session data are deleted.
  • Attendance-sheet extraction results — Names, attendance marks, confidence values, and reviewed extraction results may be retained with the sheet-attendance session and resulting attendance history while the organization's records remain active or as otherwise required for support, security, or legal obligations. The source sheet image remains subject to the 48-hour deletion period above.
  • Prayers, chat, AI analysis, and embeddings — Source content and Flock-stored AI analysis, search text, and embeddings are retained while the content or account remains active and as needed to provide the feature. When source content or an account is deleted, we delete the corresponding Flock-stored analysis and embeddings unless retention is legally required.
  • Ask Flock and support records — Ask Flock conversations and support-case records are retained while the account is active and as needed to provide support, preserve a requested case history, resolve disputes, or satisfy legal obligations.
  • Consent records — AI and facial-recognition consent versions, timestamps, grants, declines, and revocations may be retained as needed to honor member choices and demonstrate compliance, even after access or processing is disabled.
  • Third-party processing — Fireworks.ai documents no persistent prompt or generation storage by default for the APIs used by Flock. AWS and Voyage AI process and retain data according to their linked service terms, privacy notices, account settings, and applicable legal requirements.

If you submit a verified deletion request, we will complete deletion from Flock-controlled systems within 30 days, except where retention is required by law or for a documented legitimate business purpose. We will also use available provider controls or deletion-request processes as appropriate for data held by a service provider.

Aggregate, anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "effective date" at the top. For significant changes, we will also notify you via email or an in-app notification.

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: