Privacy Policy

The website is hosted by Vercel Inc. When you visit the website, technical access data may be processed automatically, such as IP address, date and time of access, requested URL, browser type, operating system, and referrer URL. This processing is necessary to deliver the website securely and reliably.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating a secure, stable and efficient website.

The domain and DNS services are managed through Cloudflare. Cloudflare may process technical data required to resolve the domain and protect the availability and security of the website. Emails sent to the contact address may be routed through Cloudflare Email Routing and forwarded to the configured destination mailbox.

The IGCLife app provides:

• a welcome / About surface with church info,
• a donation surface routed through Apple Pay and Stripe,
• an Events surface that can add selected church events to your iOS Calendar with your explicit permission,
• the MultiSphere community surface: text chat, voice rooms, prayer requests, announcements, and pastor-managed structures (groups).

The data we collect from app users is described in the sections below. The machine-readable data declarations are also embedded in the app binary's privacy manifest and match the answers in Apple App Store Connect → App Privacy.

To create an IGCLife account we collect:

• Name — your display name in the church community.
• Email address — used to deliver login codes (via the email delivery provider Resend) and to send receipts where applicable.
• User identifier — a random unique identifier we generate for your account row. We never use IMEI, IDFA, or any other device-wide identifier as a primary key.
• Church-member role — Member, Leader, Pastor, or Admin, approved by a pastor. Roles control which surfaces you can access.

We do not ask for or store phone numbers, postal addresses of members, government IDs, health or fitness data, location, contacts list, or biometric data beyond the Apple Pay flow handled by Apple itself.

Legal basis: Art. 6(1)(b) GDPR — performance of the church-membership relationship; Art. 6(1)(f) — our legitimate interest in safe, verified community communication.

When you make a voluntary donation in the app, the payment is processed by:

• Apple Pay — Apple handles the payment authentication on your device. Apple gives the church a tokenised payment credential that does not include your raw card number.
• Stripe — our payment processor. Stripe receives the tokenised credential, authorises and settles the transaction, and returns to the church a PaymentIntent record linked to your account (user identifier + amount + currency + status).

The church does not see your raw card number, full card expiry, CVC, or billing address. Stripe and Apple act as processors / joint controllers for the payment data they handle. The donation backend runs on Render and never stores raw card data.

Donations are voluntary. No app feature, content, or community role is unlocked by donating.

Legal basis: Art. 6(1)(b) GDPR — performance of the donation transaction; Art. 6(1)(f) — our legitimate interest in administering church finances.

When you grant push-notification permission in the IGCLife app, iOS issues:

• a standard APNs device token (for announcements, prayer requests, chat messages, donation receipts);
• a VoIP PushKit token (for incoming MultiSphere voice calls, routed through Apple's CallKit).

We store these tokens on the backend so we can deliver pushes addressed to your account. Tokens are operational identifiers and are not used for any marketing, advertising, or profiling purpose. Apple's APNs gateway acts as a processor for push-message transport.

You can revoke push permission at any time in iOS Settings → Notifications → IGCLife. Tokens are removed on sign-out, device change, or account deletion.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating the church-community communication service.

When you use MultiSphere chat, prayer requests, or other community surfaces, we collect:

• chat messages (text, optional media attachments, optional voice messages);
• avatar / profile images and chat media you upload via the iOS Photo Picker;
• reports you submit against another user or message (reason categories: harassment, hate, sexual content, violence, spam, misinformation, other) — visible only to pastors and admins;
• blocks you create against another user — stored as a blocker / blocked pair so the block is applied consistently;
• moderation actions (report resolution, dismissal, user disable / restore) recorded by pastors and admins;
• EULA / Code of Conduct acceptance receipts (account ID, EULA version, timestamp).

We use this data to deliver the community feature, to investigate reports and apply moderation decisions, and to comply with our safety obligations under the App Store Review Guidelines (Guideline 1.2 — user-generated content safety).

Legal basis: Art. 6(1)(b) GDPR — performance of the community service; Art. 6(1)(f) — our legitimate interest in user safety and content moderation.

If you join a MultiSphere voice room or place / receive a call, real-time audio is routed through Agora using encrypted real-time transport. The current app version does not record voice-room or call audio server-side. If recording is ever enabled, we will update this policy and the App Privacy questionnaire before shipping the feature.

Incoming calls appear in the standard iOS call UI through Apple's CallKit framework. VoIP push tokens are used to wake the device for incoming calls. Microphone access is requested only when you actively enter a voice room or accept a call.

Legal basis: Art. 6(1)(b) GDPR — performance of the community service.

You can delete your account directly from the app: About → Delete Account → Confirm.

When you confirm:

• your user row is soft-disabled on the backend and a deletion-request timestamp is recorded;
• all active sessions for your account are purged — any future login attempt is rejected;
• your push tokens are removed;
• your visibility in the community is removed.

Historical chat messages, reports, donation records, and EULA acceptance receipts are retained for the periods described in the next section. Hard-deletion of personally identifiable fields is performed after the retention period elapses.

You can also request deletion by email at hello@multiring.app.

• Account row — retained while active; soft-disabled on deletion request; personally identifiable fields hard-deleted after a reasonable additional period to satisfy church-administration, audit, and tax obligations.
• Sessions — time-to-live bound; purged on expiry or on deletion.
• Chat messages, prayer requests, announcements — retained as long as the conversation thread exists; removed on user deletion subject to safety / moderation needs.
• Reports and moderation events — retained for an audit window so pastors and admins can review historical decisions; sensitive fields can be redacted on user request.
• Blocks— retained while the blocker's account is active.
• Donation records — subject to Stripe and church accounting retention requirements. The church does not store raw card data; Stripe does, per its own retention rules.
• Push tokens — removed on sign-out, device change, or account deletion.
• EULA acceptance receipts — retained while the account exists for legal-compliance purposes.
• Website email inquiries — kept only as long as necessary to respond and for reasonable business or legal retention purposes.

We do not use the App Tracking Transparency framework. The app does not request ATT permission. We do not embed third-party advertising or measurement SDKs. We do not sell or rent personal data. We do not profile users for marketing purposes across other apps or sites.

The only third parties involved are operational processors: Apple (App Store, App Privacy, Apple Pay, APNs, CallKit), Stripe (donation processing), Agora (voice-room audio transport), Resend (email delivery), and Render and Vercel (hosting). Each is contracted as a processor on our behalf.

The website currently uses no analytics tools and no marketing or tracking cookies.

You have the right to access (Art. 15), rectify (Art. 16), erase (Art. 17, subject to retention requirements above), restrict processing (Art. 18), portability (Art. 20), and to object to processing based on legitimate interest (Art. 21). Where processing is based on consent, you may withdraw consent at any time (Art. 7(3)). You may also lodge a complaint with a supervisory authority (Art. 77). The competent supervisory authority in Berlin, Germany is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

To exercise any of these rights, contact us at hello@multiring.app.

For privacy questions, account-deletion confirmations, or general support: hello@multiring.app.

For matters that Apple's App Store reviewer needs to verify, the same contact applies. The IGCLife app ships a machine-readable privacy manifest inside the binary; the human-readable answers in App Store Connect → App Privacy are consistent with this policy.

Privacy contact email: hello@multiring.app.

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. Material changes that affect how we process your personal data will be announced inside the app or by email before they take effect.