Privacy Policy

Last updated: May 12, 2026 Operator: CityGate Church Inc ("CityGate", "we", "us", "our") Contact: support@citygatechurch.com Application: CityGate Mobile and CityGate Admin (together, the "App") Governing law: State of North Carolina, USA

1. Why we wrote this

CityGate built the App so members of our church can engage with services, take sermon notes, sign in their kids, share prayer needs, and stay in the loop on what's happening at CityGate. That work involves handling some personal information about you and, in some cases, your family. This Policy is our plain-language explanation of which pieces of information we hold, why we hold them, who else gets to see them, and what you can ask us to do with them. Using the App means you've read this and are comfortable with how it works.

2. The short version

• We only collect what's needed to make the App's features work for our congregation.
• We don't sell your information, run ads against it, or use it for behavioural advertising.
• A small number of trusted vendors help us run things (auth, push, email, our church management system, public Bible and video metadata, and the live-stream player). They're listed by name in section 5.
• Children under 13 never sign up themselves — only a parent or guardian can check a child in. We follow the U.S. Children's Online Privacy Protection Act (COPPA) and the family-policy programmes of the app stores we publish to. See section 6 for details on what's collected and parents' rights.
• You can email support@citygatechurch.com any time to ask a question, opt out of something, or request that we delete information about you or your family.

3. What we hold about you

This section walks through every category of information the App actually stores. We've grouped it by what part of the App produces it, so you can see why each piece is there.

3.1 Your CityGate account

When you sign in, our authentication partner Clerk gives us a stable identifier for your account along with the basic profile fields you provided to it: your email address, your first and last name (and the combined display name), the date you joined, and metadata about your most recent sign-in. We also store internal flags that indicate whether your account has any administrative or super-user privileges inside CityGate.

3.2 Your link to Planning Center

Most of the church-side data CityGate uses (people records, kids check-ins, serving teams) lives in Planning Center Online. When your account is matched to a Planning Center person, the App stores a small set of fields so the two systems stay in sync: the Planning Center person ID, your first and last name as Planning Center has them, your member status, your household ID, and the timestamp of the last successful sync.

3.3 Kids check-in

Each time a parent or guardian uses the App to check a child into a service, we record:

• The Clerk user ID and Planning Center person ID of the adult performing the check-in
• The child's Planning Center person ID and name
• The check-in location, the security code printed for pickup, and the timestamp of the check-in
• The scheduled start time of the service the child is attending
• The check-in ID that Planning Center returns to us once the row is created on its side

We rely on Planning Center as the underlying record of attendance. The fields above are the ones we need to keep our copy consistent with theirs.

3.4 Prayer requests

When you submit a prayer request — either through the always-on intake form or from a live event — we store:

• The name, email, and phone number you chose to share (any of these may be left blank)
• The body of the request and one or more categories you tagged it with
• Whether the request originated from the general intake form or from a live event
• Whether you asked for the request to be treated as anonymous to other participants
• Internal handling state: which staff member marked the request as handled and when, which staff member sent a written response and when, the text of any response that was sent back to you, and an unread flag used by the admin dashboard

3.5 Connect Cards

A Connect Card is the form you fill out when you want CityGate to follow up with you. We collect:

• Your first and last name
• Your email address and phone number
• The follow-up topics you ticked (for example, "I'd like to learn more about baptism")
• The free-text message you wrote
• Your answer to "How did you hear about us?", including any free-text "other" detail you typed
• Once the card has been pushed to Planning Center, the Planning Center person ID it was matched to and a flag indicating the card has been synced

3.6 Live events: chat, raised hands, and live prayer

The video feed for our live services is delivered through the Church Online Platform (ChOP) embed. Everything else that happens during a live event — chat messages, raised hands, and prayer requests submitted from the live screen — is processed and stored by CityGate, not by ChOP. For each interaction we keep:

• The Clerk user ID of the signed-in participant who sent the message or raised their hand, so staff and moderators can attribute it, reply to it, or moderate it
• The live session ID and the display name shown next to the message
• The text and timestamp of each chat message
• Each raised-hand event
• Any moderation flags that other participants or moderators have raised against the message

3.7 Sermon notes and live note annotations

When you take notes against a sermon or against a block inside a live note set, we store the Clerk user ID the note belongs to, the identifier of the sermon or live-note block you're annotating, and the note text itself. Notes are private to your account.

3.8 Push notifications

If you opt in to push notifications, we keep:

• The Expo push token your device hands us
• Whether the device is iOS or Android
• The last time we saw the device check in
• Your notification preferences — whether non-essential alerts are muted, your quiet-hours window, and the timezone we should respect when applying it

3.9 Profile photo

You can set a profile photo from inside the App. When you tap the avatar on your Account screen, the App asks whether you want to use your camera to take a new photo or pick an existing one from your photo library. The first time you choose either option, iOS or Android will show its own permission prompt — you can decline, and the rest of the App will keep working normally; you just won't be able to set a photo until you grant the permission later from your device settings.

Once you confirm a photo:

• The image is resized and compressed on your device before it leaves the phone, so we never receive your full-resolution camera roll original
• The resized image is uploaded to Clerk (the same authentication partner described in section 3.1), which stores it as your account avatar and serves it back to the App over HTTPS
• CityGate does not keep a separate copy of the image file on our own servers; we only reference the URL Clerk gives us so the avatar can render in the mobile App and admin dashboard
• You can replace the photo at any time, or tap Remove photo to delete it from Clerk — once removed, the App falls back to your initials

We do not access your camera or photo library for any other reason. There is no background scanning, no automatic upload of other photos, and no facial recognition performed on the image.

3.10 Operational and security records

To keep the App safe, accountable, and improvable we also keep:

• Engagement timestamps such as when a sermon was opened, or when a staff member edited a record
• An audit trail of every state-changing administrative action: which staff member did what, against which record, when, and — strictly for incident response and abuse investigation — the IP address and browser user-agent string the request came from
• Limited diagnostic logs of request metadata that don't contain personal content, used for debugging and incident response

3.11 Things we deliberately do not collect

For clarity: the App does not collect precise device location, biometric data, your browsing history outside the App, advertising identifiers, or any payment-card or bank-account numbers.

4. What we do with it

We use the information above to:

• Sign you in and keep unauthorised people out of your account
• Run the actual features you came here for: kids check-in, prayer requests, Connect Cards, sermon notes, live participation, push notifications, and the rest
• Let CityGate staff moderate content, respond to prayer needs, follow up on Connect Cards, and run our weekend services
• Send you transactional email related to something you started (for example, confirming we received your Connect Card)
• Look at engagement at the aggregate level so we can decide what to improve next
• Detect, investigate, and respond to abuse, security incidents, and breaches of our Terms

Two things we will never do: sell your personal information, or use it to target you with cross-context behavioural advertising.

5. Who else sees your information

CityGate runs lean and relies on a small slate of vendors to deliver the App. Each of them has its own privacy policy and is bound to us by a written agreement. The list below covers what each one receives and why.

• Clerk — Handles sign-in and account management. Receives your email, your name, and authentication events.
• Planning Center Online (PCO) — Our church management system; the source of truth for people, households, kids check-ins, and serving teams. Receives whatever is needed to look up or create person, household, and check-in records on your behalf.
• Resend — Sends transactional email from us (for example, the email confirmation for a prayer request or Connect Card). Receives the recipient address and the body of that single email.
• Expo — Delivers push notifications to your phone. Receives the device push token and the notification payload itself; we keep personal content out of those payloads beyond what's needed for the alert text.
• YouTube Data API v3 — Read-only mirror of public sermon video metadata. No personal information is shared.
• YouVersion API — Read-only mirror of public Bible reference, version, and verse-text metadata. No personal information is shared.
• Church Online Platform (ChOP) — Hosts and serves the live video stream that the App embeds during live events. CityGate does not hand ChOP your account, your display name, your chat messages, your raised hands, or your prayer requests; those stay inside CityGate's own systems. Your interaction with the embedded video player itself is governed by ChOP's terms.

In addition to the vendors above, the App runs on standard cloud hosting infrastructure. Those hosting providers process data in transit and at rest under contractual confidentiality and security obligations, but they do not access the contents of your records for their own purposes.

6. Children and families

CityGate is built for the whole congregation, including families with kids — but the App is designed so that no child under 13 ever creates or uses their own CityGate account. This section explains how that works, what limited information about a child can end up in the App, and what a parent or guardian can do about it.

6.1 Age cutoff and account creation

You must be at least 13 years old (in the United States) — or the equivalent "age of digital consent" in your country — to create a CityGate account. Sign-up is gated through our authentication partner Clerk and our Terms & Conditions are explicit about this minimum age. We do not knowingly create or maintain accounts for children under the applicable age. If we ever discover that an account belongs to an under-age child, we will close it and delete the associated data.

6.2 How a child's information can enter the App

The only way a child appears in the App is when a parent or guardian — signed in to their own adult account — acts on the child's behalf. In practice that's the kids check-in flow described in section 3.3: the parent taps "Check in," picks the child from their existing household in Planning Center, and the App records the check-in against that child's existing Planning Center person record.

When that happens, the only information about the child that CityGate stores is:

• The child's first and last name as it already exists in Planning Center
• The child's Planning Center person ID (an internal identifier — not a public username)
• The check-in location, the security code printed for pickup, the timestamp of the check-in, and the scheduled service time
• The check-in ID Planning Center returns once the row is created on its side

We do not collect from or about children: email addresses, phone numbers, photos, geolocation, biometric data, contact information for the child's friends, or any free-text content authored by the child. The App has no chat, comment, messaging, or content-creation surface available to children, because children do not have accounts.

6.3 What we do — and don't do — with a child's information

A child's information is used only to complete the check-in and to keep our records consistent with Planning Center. It is never used to:

• Show the child advertisements of any kind (CityGate runs no advertising at all, to anyone)
• Build a profile of the child, or perform any form of personalisation, profiling, or behavioural targeting
• Sell or rent to anyone
• Train machine-learning or AI models

The only third party that receives a child's check-in data is Planning Center Online, the church's own management system, which already holds the child's record independently of the App.

6.4 Parents' rights (COPPA and similar laws)

If you are the parent or legal guardian of a child whose information is in the App, you have the right at any time to:

• Review the information we hold about your child
• Delete that information from CityGate's systems
• Refuse to permit further collection of information about your child — for example, by asking us to stop using kids check-in for that child through the App

To exercise any of these, email support@citygatechurch.com from the email address on the parent account, telling us the child's name and what you'd like us to do. We'll act on the request within 30 days of verifying your identity. (Note: deleting the child from CityGate does not by itself remove the child's record from Planning Center, which the church uses independently of the App. If you want the Planning Center record removed too, please say so in your email so we can pass that to the church office.)

6.5 App-store family-policy commitment

Because the App is available to families and its target age range includes children, we comply with the family-policy programmes of the app stores we publish to, in addition to COPPA. That includes the data-minimisation rules, the prohibition on advertising and behavioural targeting to children, and the parental access and deletion rights described above.

7. How long we keep things

We hang on to information only for as long as it's actually useful for the purpose we collected it for.

• Account and identity data — kept for the lifetime of your account, plus a short archival window afterwards for security and audit purposes.
• Live chat, raised hands, and live-event prayer submissions — currently kept on an ongoing basis so that staff can review moderation decisions, investigate abuse, and follow up pastorally. We will introduce a defined retention and purge schedule for this category once one is set by CityGate.
• Prayer requests, Connect Cards, and kids check-in records — kept according to CityGate's operational policies and the matching retention rules in Planning Center.
• Diagnostic and infrastructure logs — kept on a short rolling window driven by the underlying hosting provider and used only to operate and secure the App.

8. How we keep it safe

We use customary administrative, technical, and physical safeguards to protect your information. In practice that means traffic is encrypted in transit with HTTPS/TLS, data is encrypted at rest where our hosting provider supports it, access to internal tooling is gated by role-based permissions, and every state-changing administrative action is recorded in an audit log. No system is ever perfectly secure; if a breach affecting personal information does happen, we'll notify the people affected and the relevant authorities as the law requires.

9. Where the data lives

The App is operated from the United States, and several of our vendors process data in the United States and other countries. By using the App you understand that information about you may travel to and be processed in countries other than the one you live in. Where the law requires it, we use appropriate transfer mechanisms (for example, standard contractual clauses) with the vendors involved.

10. Your choices

Depending on where you live, the law may give you the right to:

• Ask for a copy of the personal information we hold about you
• Ask us to correct anything that's wrong
• Ask us to delete your information, subject to the retention obligations described above
• Withdraw consent for, or object to, certain processing
• Turn off push notifications at any time from inside the App

To exercise any of these, email us at support@citygatechurch.com. We'll respond within the timeframe required by the law that applies to you.

For a step-by-step walkthrough of how to ask us to delete your account, what we delete, and what we're required to keep, see Delete your CityGate account.

11. Changes to this Policy

We may update this Policy as the App evolves or as the law changes. When something material changes, we'll bump the "Last updated" date at the top of this document and, where the law calls for it, give additional notice — for example, an in-app banner or an email.

12. Getting in touch

Questions about this Policy or about how a specific piece of information is being handled? Please write to us:

CityGate Church Inc 2761 Longpine Rd, Burlington, NC 27215 support@citygatechurch.com