Last updated: June 2026
ServantFlow ("we", "us") provides volunteer scheduling software to churches and ministries. This policy explains, in plain language, what data we handle, why, and your choices. We've tried to keep it honest and specific to how the product actually works.
When your church uses ServantFlow, your church is the data controller of the volunteer information it enters, and we are the processor that stores and serves it on your behalf. Your church decides what to collect and is responsible for telling its volunteers how their information is used.
| Data | Why |
|---|---|
| Church admin name & email | To create your account, send login details, and contact you about your service. |
| Volunteer details your church enters (names, emails, ministry roles, availability, blackout dates, qualifications/credentials) | To build and manage the schedule. This is entered and controlled by your church. |
| Login credentials | Passwords are stored only as salted hashes — we never see or store them in plain text. Optional email two-factor is available. |
| Payment information | Handled entirely by Stripe. We never receive or store your card number — only a Stripe customer ID and your subscription status. |
| Basic technical logs | Server logs (timestamps, error messages) for reliability and security. We do not run third-party advertising or analytics trackers. |

Churches may schedule volunteers who are minors, or store safeguarding-related qualifications. ServantFlow does not knowingly collect information directly from children — any such data is entered by your church's administrators, who are responsible for obtaining appropriate consent. We treat all volunteer data as sensitive and isolate it per church (see Security below).
Your church's data is logically separated and tagged to your church; access is enforced by database-level security rules and an application gateway, so your information is never exposed to another church. Data is hosted on Oracle Cloud Infrastructure. Backups are encrypted at rest (AES-256), transferred over an encrypted private network, and stored on our own private off-site server. Connections are encrypted in transit (TLS), and administrative access is over a private encrypted network.
We do not sell your data, ever. We share data only with the service providers required to run ServantFlow:
| Provider | Purpose |
|---|---|
| Stripe | Payment processing & subscription billing |
| Resend | Sending email (login details, reminders, notifications) |
| Cloudflare | DNS, TLS, and secure traffic routing |
| Oracle Cloud | Application & database hosting |

We email you operational messages: your login details, password resets, volunteer reminders, and substitute requests your church sends. Reminder timing and templates are controlled by your church. We don't send marketing email to your volunteers.
Admins can export a full copy of their church's data (people, schedules, settings) as a JSON file at any time, from the Admin area. If you cancel, you can export before your data is removed.
We keep your data for as long as your church has an active account. If you cancel, your live data is removed after your access ends; encrypted backups age out of rotation within 30 days. You can request immediate deletion by emailing us.
Our safeguards are per-church data isolation enforced by database-level rules and an application gateway, hashed passwords, optional email two-factor authentication, encrypted off-site backups, and encrypted transport. No system is perfectly secure, but we design so one church's users cannot access another's data.
You may ask us to access, correct, export, or delete your data. Volunteers should direct such requests to their church administrator first (the church controls the data); we will assist the church in fulfilling them.
If we make material changes to this policy, we'll update the date above and notify church admins by email.
Questions or requests: [email protected]