
# MURPHIE API — Privacy Policy

 

**Effective Date:** May 4, 2026

**Last Revised:** May 4, 2026

**Version:** 1.0

 

> **Legal Notice:** This Privacy Policy is a template drafted for compliance guidance. It should be reviewed and adapted by qualified legal counsel before being published as a binding policy. The Operator must supplement this policy with information specific to their organization, jurisdiction, and applicable regulatory requirements.

 

---

 

## 1. Introduction and Who This Policy Covers

 

The MURPHIE API ("API") is a church and ministry management platform operated by the church or ministry organization that has deployed this software ("Operator", "we", "us", or "our").

 

This Privacy Policy describes how we collect, use, store, share, and protect information when:

- Congregants, visitors, or members of the public interact with digital experiences powered by the MURPHIE API (such as the Live Ministry Rooms lobby page, ministry moment carousels, event calendars, or prayer boards).

- Ministry leaders and staff use authenticated API features to manage church content.

- Our systems interact with third-party platforms including Zoom, Google, and Wix.

 

**This policy applies to:**

- **End Members** — congregants, website visitors, and prayer request submitters.

- **Authorized Users** — church staff, ministry leaders, and approved volunteers who use the API's administrative features.

- **API Consumers** — Wix site pages, embedded components, and backend modules that interact with the API on behalf of the above individuals.

 

**This policy does not apply to:**

- Third-party websites or services linked from API-powered pages. Each third party's own privacy policy governs their data practices.

- Offline data collected by the Operator outside of API-powered systems.

 

---

 

## 2. Data Controller Identity

 

For the purposes of applicable data protection law (including GDPR and CCPA), the **Operator** is the data controller for all personal data processed through the MURPHIE API. The Operator's identity, contact details, and Data Protection Officer (if designated) are:

 

> **[Operator Name]**

> [Address]

> [City, State, ZIP]

> [Privacy contact email]

> [DPO name and contact, if applicable]

 

*The Operator must complete the above fields before publishing this policy.*

 

The developers and contributors to the MURPHIE API codebase act as **data processors** — they process personal data only as directed by the Operator through the configured software, and do not independently access, use, or monetize Operator data.

 

---

 

## 3. Information We Collect

 

### 3.1 Information You Provide Directly

 

| Data Type | How Collected | Who Provides It |
|-----------|--------------|-----------------|
| **Prayer requests** | Submitted through the public prayer board form | End Members |
| **Name** | Optionally provided with prayer requests or chat messages | End Members |
| **Contact information** | Optionally provided with prayer requests | End Members |
| **Ministry chat messages** | Sent through the AI-assisted chat interface | Authorized Users |
| **Photos and images** | Uploaded as Ministry Moments or weekly flyer images | Authorized Users |
| **Ministry content** | Announcements, scripture posts, calendar events, savings goals | Authorized Users |
| **Member email and display name** | Forwarded from Wix Members upon login | Authorized Users |

 

### 3.2 Information Collected Automatically

 

When the MURPHIE API serves responses or receives requests, the following data may be collected automatically by our infrastructure:

 

| Data Type | Source | Purpose |
|-----------|--------|---------|
| IP address | HTTP request | Security logging, rate limiting, abuse prevention |
| HTTP request metadata | Google Cloud Run logs | Debugging and performance monitoring |
| Timestamps | All API interactions | Audit trail, data freshness |
| User agent strings | HTTP request headers | Compatibility and security analysis |
| Zoom webhook event data | Zoom Event Subscriptions | Meeting lifecycle management (start/end events) |

 

We do not use cookies, tracking pixels, or persistent browser identifiers directly from the API layer. Any such tracking by Wix or other embedded platforms is governed by their own privacy policies.

 

### 3.3 Information from Third Parties

 

| Source | Data Received | Purpose |
|--------|--------------|---------|
| **Wix Members API** | Member ID, login email, display name, role | Verifying identity and role for RBAC |
| **Wix Data CMS** | Ministry assignments, approved leader status, existing CMS records | Permissioning and content management |
| **Zoom** | Meeting ID, meeting status, host identity (for webhook events) | Updating live lobby display when meetings end |
| **Google Calendar** | Event titles, descriptions, dates, locations | Ministry and church-wide calendar feeds |

 

---

 

## 4. How We Use Your Information

 

We use the information we collect for the following purposes:

 

### 4.1 Service Delivery

- To post, update, and delete ministry announcements, scripture, calendar events, and weekly flyers on behalf of Authorized Users.

- To display active Zoom meetings in the Live Ministry Rooms lobby for congregants to join.

- To manage and display the Ministry Moments photo carousel.

- To track and display church savings and fundraising goals.

 

### 4.2 Prayer Board Operations

- To receive, store, and display prayer requests submitted by End Members.

- To allow pastoral staff to mark prayers as answered, pray for requests, or remove them.

- Prayer request data is accessible only to Authorized Users with appropriate roles and is not used for advertising, marketing, or profiling.

 

### 4.3 AI-Assisted Chat Features

- Ministry leaders may submit natural-language chat messages to create or update church content. These messages are processed by **Google Vertex AI (Gemini)** to classify intent and extract structured data.

- We do not use End Member personal data as input to AI features. Only Authorized User chat messages and non-personal church content metadata are submitted to the AI.

- Responses are generated to assist with content creation only and are not published without review by an Authorized User.

 

### 4.4 Security and Access Control

- To authenticate API requests using shared secrets and Wix member identity.

- To enforce role-based permissions (church admin, approved leader, assigned member).

- To verify Zoom webhook authenticity using HMAC-SHA256 signatures.

- To rate-limit public endpoints against abuse.

 

### 4.5 Legal and Compliance

- To maintain audit logs of significant API operations.

- To respond to lawful requests from regulatory authorities.

- To detect, prevent, and respond to security incidents.

 

---

 

## 5. Legal Basis for Processing (GDPR / UK GDPR)

 

If the Operator serves individuals in the European Economic Area (EEA), United Kingdom, or other jurisdictions requiring a legal basis for processing, the following bases apply:

 

| Processing Activity | Legal Basis |
|---------------------|-------------|
| Prayer request handling | **Consent** (Article 6(1)(a)) — the End Member voluntarily submits their request. |
| Ministry content management by staff | **Legitimate interests** (Article 6(1)(f)) — administration of church ministry operations. |
| Zoom meeting lifecycle events | **Legitimate interests** — maintaining accurate and up-to-date live meeting information. |
| Security logging and fraud prevention | **Legitimate interests** — protecting the security of the platform and its users. |
| RBAC and identity verification | **Legitimate interests** — ensuring only authorized individuals can administer church data. |
| Responding to legal requests | **Legal obligation** (Article 6(1)(c)). |

 

For processing of **special category data** (e.g., health information shared in prayer requests), the legal basis is **explicit consent** (Article 9(2)(a)) or, where applicable, processing by a religious organization relating to its members (Article 9(2)(d)).

 

---

 

## 6. Special Category Data — Prayer Requests

 

Prayer requests may contain sensitive personal information, including details about health conditions, family situations, grief, mental health, financial hardship, or other matters that may qualify as **special category data** under GDPR or equivalent protections under other laws.

 

We treat prayer request data with heightened care:

- Access is restricted to pastors and authorized pastoral staff only.

- Prayer request data is **never** used for marketing, analytics, fundraising solicitation, or shared with third parties outside of pastoral ministry.

- End Members submitting prayer requests should be informed (via the Operator's website) that their request will be stored digitally and accessed by pastoral staff.

- The Operator is responsible for obtaining appropriate consent and displaying a clear notice at the point of submission.

- The Operator should establish a retention period for prayer requests and delete records in accordance with their data retention policy.

 

---

 

## 7. Data Sharing and Disclosure

 

We do not sell personal data. We do not share personal data with advertisers or data brokers.

 

We may share data in the following limited circumstances:

 

### 7.1 Third-Party Processors

 

| Processor | Data Shared | Purpose | Privacy Link |
|-----------|-------------|---------|--------------|
| **Google Cloud (Run, Storage, Firestore)** | All API data in transit and at rest | Hosting, compute, storage | [Google Privacy Policy](https://policies.google.com/privacy) |
| **Google Vertex AI** | Authorized User chat messages, church content context | AI intent classification | [Google Cloud Privacy](https://cloud.google.com/terms/cloud-privacy-notice) |
| **Wix.com** | Member identity, CMS content | Member authentication, content storage | [Wix Privacy Policy](https://www.wix.com/about/privacy) |
| **Zoom Video Communications** | Zoom meeting IDs, join URLs | Live meeting management | [Zoom Privacy Policy](https://explore.zoom.us/en/privacy/) |

 

The Operator is responsible for ensuring that appropriate data processing agreements (DPAs) are in place with each of the above processors to the extent required by applicable law.

 

### 7.2 Authorized Users and Staff

 

Ministry leaders and church administrators with appropriate roles can access:

- Announcements, moments, and calendar events they are authorized to manage.

- Prayer requests submitted to the prayer board (pastoral access only).

- Ministry assignment data for members within their assigned ministry.

 

Authorized Users may not access data beyond their assigned permission level, as enforced by the API's RBAC system.

 

### 7.3 Legal Requirements

 

We may disclose personal data if we have a good-faith belief that disclosure is required:

- By a valid court order, subpoena, or other legal process.

- By applicable law or regulation.

- To protect the legal rights, safety, or property of the Operator or its congregation.

 

We will attempt to notify affected individuals of such disclosures to the extent permitted by law.

 

### 7.4 Organizational Transfers

 

In the event of a merger, acquisition, reorganization, or change in church leadership structure, personal data may be transferred to the successor organization. The Operator will provide reasonable notice to End Members in advance of such a transfer.

 

---

 

## 8. International Data Transfers

 

The MURPHIE API is deployed on Google Cloud Run in the **us-central1** region (United States) by default. If the Operator serves individuals in the EEA, UK, or other jurisdictions with cross-border transfer restrictions:

 

- Transfers to Google Cloud are governed by Google's [Data Processing Addendum](https://cloud.google.com/terms/data-processing-addendum) which incorporates Standard Contractual Clauses (SCCs) under GDPR.

- Transfers to Zoom are governed by Zoom's [Data Processing Addendum](https://explore.zoom.us/en/gdpr/DPA/).

- The Operator must ensure that appropriate transfer mechanisms are in place before deploying the API for users in transfer-restricted jurisdictions.

 

---

 

## 9. Data Retention

 

| Data Category | Default Retention | Responsibility |
|---------------|------------------|----------------|
| Announcements and content | Until deleted by Authorized User | Operator |
| Prayer requests | Until marked answered/deleted, or as per Operator policy | Operator |
| Ministry Moments photos | Until removed by Authorized User | Operator |
| Zoom meeting records | Until meeting ends (auto-deactivated by webhook) | Operator |
| GCS media files (images) | Until manually deleted from GCS bucket | Operator |
| Firestore draft records | Until confirmed, cancelled, or expired (TTL configurable) | Operator |
| Cloud Run access logs | Per Google Cloud logging retention policy (default 30 days) | Google / Operator |

 

The Operator is responsible for establishing and documenting a formal data retention schedule and ensuring data is deleted when no longer necessary for the purposes collected.

 

---

 

## 10. Data Security

 

We implement the following technical and organizational security measures:

 

**In Transit:**

- All API traffic is encrypted using TLS 1.2 or higher, enforced by Google Cloud Run.

- Zoom webhook payloads are verified using HMAC-SHA256 message authentication.

 

**At Rest:**

- GCS media files are stored in Google Cloud Storage with access controls managed by the Operator's GCP project IAM policies.

- Firestore data is encrypted at rest by Google by default.

- Wix CMS data is protected by Wix's platform-level security.

 

**Access Controls:**

- Server-side RBAC prevents unauthorized access to privileged operations.

- Shared secrets are stored in Wix Secrets Manager (encrypted at rest) and Cloud Run environment variables (not committed to source control).

- Zoom `start_url` (host-only meeting link) is never returned by public-facing API endpoints.

 

**No system is completely secure.** The Operator must maintain their own security program covering credential management, access reviews, incident response planning, and staff security training.

 

---

 

## 11. Your Privacy Rights

 

Depending on your location, you may have the following rights regarding your personal data:

 

| Right | Description |
|-------|-------------|
| **Access** | Request a copy of the personal data we hold about you. |
| **Rectification** | Request correction of inaccurate personal data. |
| **Erasure** | Request deletion of your personal data ("right to be forgotten"). |
| **Restriction** | Request that we limit the processing of your personal data. |
| **Portability** | Request a machine-readable copy of your personal data. |
| **Objection** | Object to processing based on legitimate interests. |
| **Withdraw Consent** | Where processing is based on consent, withdraw it at any time. |
| **Non-Discrimination** | California residents have the right not to be discriminated against for exercising CCPA rights. |

 

**To exercise any of these rights**, contact the Operator using the contact information in Section 2. The Operator will respond within the timeframe required by applicable law (generally 30 days under GDPR; 45 days under CCPA).

 

Note that some rights may be limited where data retention is required for legal or legitimate ministry purposes (e.g., financial records, pastoral accountability).

 

---

 

## 12. Children's Privacy

 

The MURPHIE API is not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children without verifiable parental consent.

 

If you believe a child has submitted personal data through an API-powered form (e.g., a prayer request) without appropriate consent, please contact the Operator immediately. We will take steps to delete such data promptly.

 

The Operator must ensure that any publicly accessible forms powered by the API include appropriate age verification or parental consent mechanisms where required by COPPA or applicable local law.

 

---

 

## 13. AI-Generated Content and Automated Decision-Making

 

### 13.1 AI Processing

The API uses Google Vertex AI (Gemini models) to classify the intent of ministry leader chat messages and extract structured data for content operations. This is a processing step — AI output is not automatically published; it is presented as a draft for review and explicit confirmation by an Authorized User.

 

### 13.2 No Automated Decisions About End Members

The API does not use automated decision-making or profiling that produces legal or similarly significant effects on End Members. AI features are used exclusively to assist Authorized Users with content creation tasks.

 

### 13.3 GDPR Article 22

The API does not engage in automated individual decision-making as defined under GDPR Article 22. End Members are not subject to decisions made solely by automated means.

 

---

 

## 14. Cookies and Tracking

 

The MURPHIE API itself does not set cookies or use tracking technologies. However:

 

- The Operator's **Wix website** may use Wix's own cookie and analytics infrastructure. End Members should refer to the Operator's Wix site cookie policy for details.

- **Embedded components** (e.g., lobby iframe, moments carousel) served from the API host do not set first-party cookies.

- Third-party services (e.g., Zoom join links) may set cookies subject to their own privacy policies.

 

---

 

## 15. Changes to This Privacy Policy

 

We reserve the right to update this Privacy Policy at any time. When we make material changes, we will:

- Update the "Last Revised" date at the top of this document.

- Note the change in the project repository changelog.

- Where required by law, provide direct notice to affected End Members or Authorized Users through the Operator's communication channels.

 

Continued use of API-powered features after a policy update constitutes acceptance of the revised policy.

 

---

 

## 16. Contact Us

 

For questions, concerns, or requests related to this Privacy Policy or the handling of your personal data, please contact:

 

> **[Operator Name] — Privacy Contact**

> Email: [privacy@yourchurch.org]

> Mailing Address: [Church Address]

 

If you are located in the EEA or UK and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority:

- **EU:** Your national Data Protection Authority ([edpb.europa.eu](https://www.edpb.europa.eu/about-edpb/about-edpb/members_en))

- **UK:** Information Commissioner's Office ([ico.org.uk](https://ico.org.uk/make-a-complaint/))

 

---

 

*This Privacy Policy was prepared using a general compliance framework and has not been reviewed by licensed legal counsel. The Operator is strongly encouraged to engage a qualified privacy attorney or data protection officer before publishing this policy, particularly if serving individuals in jurisdictions with specific data protection requirements (EU, UK, California, etc.).*
