DRAFT: This policy has not yet been reviewed by legal counsel and must not be shown to end users in its current form. Regional addenda for Anguilla, Nigeria, United Kingdom, UAE, and Canada are required before production activation.

The Sonship Place (T.S.P.) Church

Privacy Policy

Last updated April 2026. Questions? Email contact@tsp.church.

Overview

This privacy policy applies to The Sonship Place (T.S.P.) Church (referred to as "T.S.P.", "we", "us", or "our") and describes how we collect, use, store, and protect your personal data. T.S.P. is operated through two registered legal entities:

Sonship Place Inc. (EIN 92-3495575). Registered 501(c)(3) nonprofit, United States.
The Sonship Place Church Nigeria (CAC 7970735). Registered with the Corporate Affairs Commission, Nigeria.

Our website is tsp.church. Our primary contact email is contact@tsp.church.

Data We Collect

We collect personal data in four protection categories. We collect only what is necessary for you to engage with our church family and formation resources. We do not sell, rent, or trade your personal information.

We classify all personal data into four protection tiers.

Tier 1: Sacred Private

Bible annotations (your personal notes on scripture) and Bible plan progress. These records are yours alone. No member of the T.S.P. staff, pastoral team, or technical team can read your Tier 1 data. This is enforced at the database level by row-level security policies that permit access only to your own authenticated session.

Tier 2: Personal

Your profile (name, email address, phone number, date of birth, profile photo), journal entries, prayer requests, giving transactions, and formation progress records. You own this data. Staff access is permitted only within their pastoral or administrative role and is logged to a tamper-evident audit trail.

Tier 3: Sensitive Pastoral

Crisis alert records, care requests, care intake forms, welfare cases, pastoral meeting notes, pulse checks, altar-call responses, and safeguarding reports. Access is restricted to the pastoral team only, every access is logged, and all records in this tier are retained for seven years for safeguarding and continuity-of-care purposes.

Tier 4: Operational

Sermon content, declarations, app configuration, gathering schedules, and other operational data. This data is either public or accessible to all authenticated users and carries no elevated protection requirement.

Giving data is processed by Zeffy (USD) and Providus Bank or Mono (Nigerian naira). No payment card data is stored by T.S.P.

Why We Process Your Data

We process personal data only when we have a lawful basis to do so.

Consent

We process your Bible annotations, journal entries, prayer requests, and care intake submissions on the basis of your explicit consent. You can withdraw consent at any time using the deletion and export tools in the T.S.P. app or by contacting us. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.

Contract

We process your profile, formation progress, and attendance records on the basis that processing is necessary to provide the membership service you have registered for.

Legal Obligation

We process safeguarding records, welfare disbursement records, and giving statements on the basis of our legal obligations under child-protection law, charity-regulation law, and tax law in each jurisdiction where T.S.P. operates.

Vital Interests

When our crisis-detection system identifies a risk to life in text you submit, we process that information on the basis of vital interests. Every crisis alert is reviewed by a human pastor before any action is taken.

Legitimate Interests

We process attendance records, role transition logs, gathering feedback, and anonymised analytics on the basis of our legitimate interest in running a safe and well-organised church. We have assessed that these interests are not overridden by your rights and freedoms.

Some data we process is special-category data under data-protection law because it relates to your religious beliefs, health, or pastoral disclosures. We rely on your explicit consent (GDPR Article 9(2)(a)) and on our status as a not-for-profit religious body (GDPR Article 9(2)(d)) as the additional legal basis for processing this data.

How We Use Your Data

We use your data to:

Respond to your messages and prayer requests.
Route care requests to the appropriate pastoral team member.
Track your formation progress within the T.S.P. Church App so you can resume where you left off.
Send announcements, teaching content, and gathering updates, where you have opted in.
Comply with our legal obligations, including safeguarding duties under Nigerian, UK, and US law.

We do not use your data for automated pastoral decision-making. No AI system generates pastoral responses or care messages that are sent directly to you without human review.

Service Providers We Use

We share personal data only with service providers who process data on our behalf under a written Data Processing Agreement. We do not sell, rent, or share your personal data with any third party for their own purposes.

The following 18 service providers process data on our behalf:

Supabase (supabase.com): database, authentication, and file storage. Holds all personal data across all four tiers. United States.
Google Cloud Platform (cloud.google.com): web application hosting and build infrastructure. United States.
Cloudflare (cloudflare.com): content delivery network, DNS, WAF, and object storage (huddle recordings, media assets). United States (primary bucket); global edge.
Sentry (sentry.io): application error monitoring. Holds error stack traces and pseudonymous user identifiers. EU region (Germany). No personally identifiable information in error payloads.
Resend (resend.com): transactional and broadcast email delivery. Holds recipient email addresses and message content. United States. Tier 3 pastoral data is never transmitted through Resend.
LiveKit Cloud (livekit.io): audio room (huddle) infrastructure. Holds session metadata and ephemeral media. United States.
Expo / EAS (expo.dev): mobile app build, over-the-air update delivery, and push notification tokens. United States.
Sanity CMS (sanity.io): content management for sermons, events, and formation resources. Holds editorial content only, not member data. United States.
Anthropic (anthropic.com): AI crisis-detection service. Receives only a hashed representation of submitted text. No raw text is transmitted and no data is retained by Anthropic beyond the duration of the API call. United States.
OpenAI (openai.com): audio transcription for huddle recordings. Processes raw audio ephemerally; audio is deleted after processing. United States.
Zeffy (zeffy.com): USD donation processing. Holds giving transaction data. United States and Canada. No payment card data is stored by T.S.P.
Providus Bank (providusbank.com): Nigerian naira bank statement reconciliation for donation accounting. Nigeria.
Mono (mono.co): fallback NGN open-banking aggregator. Used only if Providus Bank is unreachable. Nigeria.
API.Bible (scripture.api.bible): scripture text retrieval. Receives only a scripture reference; no personal data is transmitted.
Bible Brain / DBT v4 (4.dbt.io): narrated scripture audio. Receives only a scripture reference; no personal data is transmitted.
Giphy (giphy.com): GIF and sticker search in the app. Receives only search query strings; no personal data is transmitted.
PostHog (eu.posthog.com): cookieless product analytics. Receives only anonymised event names and feature-usage counts. No personal identifiers are included. EU region (Frankfurt).
Have I Been Pwned / Pwned Passwords (haveibeenpwned.com): password-breach check at sign-up using a k-anonymity model. Only the first five characters of a one-way hash of your candidate password are transmitted. No password, full hash, or identity leaves your device.

We do not sell, rent, or share your personal data with any third party for their own purposes.

Tracking and Analytics

At launch, we do not use tracking cookies or advertising pixels on tsp.church.

We use PostHog in cookieless mode for aggregate product analytics. Events contain only anonymous usage counts. No personal identifiers are included. PostHog processes this data in the EU (Frankfurt). You may opt out of analytics at any time in your account settings.

We do not serve advertising on tsp.church or in the T.S.P. Church App. Third-party video embeds (YouTube) may set their own cookies when you interact with embedded video content.

How Long We Keep Your Data

Retention periods depend on the tier of data and the legal basis for processing.

Tier 1 data (Bible annotations, Bible plan progress) is kept until you delete it. No automatic deletion applies.
Tier 2 data (profile, journal, prayer requests, giving records, formation progress) is kept for the lifetime of your account and for 30 days after account deletion during which backups are purged. Giving transaction records are retained for seven years to satisfy tax-reporting obligations.
Tier 3 data (pastoral care records, crisis alerts, welfare cases, safeguarding reports, pastoral notes) is retained for seven years from the date of the record. This aligns with safeguarding standards for religious organisations in the UK and applicable law in each jurisdiction where T.S.P. operates. After seven years, records are deleted automatically unless a legal hold is in place.
Tier 4 data (operational and public content) is retained for the operational lifetime of the relevant record.

Database backups include your personal data for up to 30 days (point-in-time recovery window). After 30 days, backup data is purged automatically. Deletion requests are fulfilled on the live database within 24 hours; backup purge follows within 30 days.

Anonymised analytics events are retained for 12 months in PostHog. Raw event data on our side expires after 30 days.

Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data.

Access. You may request a copy of all personal data we hold about you.
Rectification. You may ask us to correct any inaccurate data.
Erasure. You may ask us to delete your data, subject to any legal retention obligations (for example, seven-year retention on safeguarding and giving records).
Objection and restriction. You may object to or ask us to restrict certain processing activities.
Withdraw consent. Where we process your data on the basis of consent, you may withdraw that consent at any time.
Portability. You may request your Tier 1 and Tier 2 data in a structured, machine-readable JSON format.

These rights apply under GDPR (European residents), UK-GDPR (UK residents), NDPR and the Nigeria Data Protection Act 2023 (Nigerian residents), CCPA (California residents), and related frameworks. To exercise any of them, email contact@tsp.church with the subject line "Data Request". We will respond within 30 days.

You can request:

A full export of your Tier 1 and Tier 2 data in JSON format, via the "Download my data" option in the Me tab of the T.S.P. app or by emailing us.
Correction of any inaccurate profile or account data.
Deletion of your account and all associated data, via the "Delete my account" option in the Me tab or by emailing us.

To verify your identity, send your request from the email address associated with your T.S.P. account. If you do not have an account, include enough identifying information for us to locate your data (such as the name you used when submitting a care request). We will never release data to a third party claiming to act on your behalf without written authorisation from you.

We do not make solely automated decisions that have a legal or similarly significant effect on you. The T.S.P. crisis-detection system is a decision-support tool; every crisis alert is reviewed by a human pastor before any action is taken.

Children and Minors

T.S.P. requires all users to be 18 years of age or older to register independently. Users under 18 must have a parent or legal guardian register on their behalf. The parent or guardian is the account holder and their contact details are used for all communication.

Under the US Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501), we do not knowingly collect personal information from children under 13 without verifiable parental consent. If a user is identified as under 13 during sign-up, parental or guardian consent is required before the account is activated. If you believe a child under 13 has submitted data without parental consent, please contact us immediately and we will delete it within 48 hours.

This policy complies with COPPA (US), GDPR Article 8 and UK-GDPR (EU and UK), the Nigeria Data Protection Act 2023 and NDPR, and equivalent legislation in all jurisdictions where T.S.P. operates.

Children registered through a household account (the kids check-in feature) are represented by a kids profile linked to the guardian's account. Kids profiles carry no authentication credentials. All activity is logged against the guardian account. Photo consent for minors is collected separately from the guardian and is automatically invalidated when the minor turns 18.

For users under 18 accessing formation pathways (particularly trauma-informed content), additional parental or guardian informed consent is required. See our Safeguarding Policy for details.

Data Storage and Security

All personal data is stored in Supabase, a PostgreSQL-based cloud database. Production databases are encrypted at rest and in transit using TLS 1.3. Row-level security is enforced on all 159 tables, with policies specific to each data tier.
Email sending is handled by Resend. Tier 3 pastoral data is never included in email payloads. Registration information is held in your browser's session storage (cleared when you close the tab) during the welcome process.
We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, subject to the retention periods described in this policy.

Technical measures include: database encryption at rest and in transit, row-level security on all tables, TLS 1.3 for all client traffic, HTTP Strict Transport Security with preload, Content Security Policy, rate limiting on all API routes, structured audit logging of all access to Tier 2 and Tier 3 data, and automated weekly enforcement of retention periods.

International Data Transfers

T.S.P. operates across multiple regions. Your data may be processed in countries outside your own.

Primary data processing occurs in the United States (Supabase, GCP, Cloudflare, Resend, LiveKit, Expo, Anthropic, OpenAI, Zeffy). Analytics and error-monitoring processing occurs in the EU (PostHog Frankfurt, Sentry Germany).

For transfers of EU or UK resident data to US-based processors, we rely on Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor) under GDPR Article 46(2)(c). We do not rely solely on the EU-US Data Privacy Framework. All US processors have written Data Processing Agreements in place.

Nigerian resident data processed by Providus Bank and Mono remains in Nigeria. For Nigerian residents whose data transits US-based processors, we apply the requirements of the Nigeria Data Protection Act 2023.

Regional addenda for UK, UAE, and Canada are in preparation and will be published at tsp.church/privacy before T.S.P. activates services in those regions.

Updates to This Policy

We may update this policy as we add new features, services, or as applicable law changes. The date at the top of this page reflects the most recent revision. Material changes will be communicated to registered users by email at least 14 days before they take effect.

Contact and Data Rights Requests

For privacy questions, data requests, or safeguarding concerns, contact us at contact@tsp.church. We aim to respond within 5 business days.

Phone: +1 206 730 6292.

Data controller: contact@tsp.church. For formal data protection enquiries, use the subject line "Data Protection" to ensure your message is routed correctly.

A Data Protection Officer appointment is pending before public launch. Until then, all data-protection enquiries are handled at contact@tsp.church.