DRAFT - not legal advice. Review by a qualified lawyer is required before publishing.
Legal

Privacy Policy

Effective date: [TODO: insert date before publishing]  ·  Version 0.1 (DRAFT)  ·  Governing law: Netherlands / EU

1. Who We Are

SermonBridge is a real-time multilingual captioning and translation service for churches and other houses of worship. It is operated by [Legal entity name, e.g. SermonBridge B.V.], registered in the Netherlands ([Chamber of Commerce number / KVK]), hereinafter referred to as "SermonBridge", "we", "us", or "our".

Our infrastructure is hosted in the European Union (Germany, via Hetzner Online GmbH). For questions about this policy or your personal data, see Section 12.

2. Controller and Processor Roles

SermonBridge as controller

SermonBridge acts as the data controller for the account and user data it collects directly - name, email address, hashed password, and OAuth identifiers - for the purpose of providing and securing access to the platform.

Your church as controller; SermonBridge as processor

When a church creates and manages sessions, the church (the "operator") is the data controller for any personal data that flows through those sessions - including session transcripts, church membership records, and any personal information of congregation members. SermonBridge processes that data solely on the operator's documented instructions, acting as a data processor under Article 28 GDPR.

Churches using SermonBridge carry their own GDPR obligations as controllers. This includes obtaining any necessary consent from congregation members, maintaining records of processing activities, and ensuring their own privacy notices cover the use of SermonBridge.

A Data Processing Agreement (DPA) under Article 28 GDPR is available from SermonBridge on request. Contact privacy@sermonbridge.com.

3. Data We Collect

Account and identity data

  • Name and email address - collected at registration for account management and transactional email.
  • Password hash - passwords are never stored in plain text; we store a bcrypt hash only.
  • OAuth provider identifiers - if you sign in via Google or Microsoft, we store the unique identifier from that provider alongside your email address. We do not receive or store your OAuth password.
  • Profile avatar - optionally uploaded as a data URL; stored in the database. You may remove it at any time.

Church and organization data

  • When you join or create a church on the platform, a membership record linking your account to that church is created and stored in our database.
  • Church logo and display settings - church administrators may upload a church logo and configure church-specific display text. The logo and settings are stored in the database and are used solely to display the church's branding within the service.

Waitlist data

The SermonBridge marketing site collects email addresses from people requesting early access, to notify them when access opens. Legal basis: consent (by submitting the form). You can request removal from the waitlist at any time by contacting privacy@sermonbridge.com.

Special-category data (GDPR Article 9) - Religious affiliation. Church membership records may reveal a person's religious beliefs or affiliation, which is a special category of personal data under Article 9 GDPR. We process this data only on the basis of your explicit consent (granted when you create or join a church on the platform), and solely for the purpose of enabling the service. You may withdraw consent and request deletion of your membership records at any time (see Section 9).

Session and audio data

  • Live audio - the host's microphone audio is streamed in real time to our speech recognition and translation sub-processor (Soniox). SermonBridge does not persist audio - it is streamed in real time and never saved. Soniox processes audio and resulting transcript text in transit under the data-processing terms referenced in Section 6 (including the SCCs TODO noted there). Once a session ends, no audio data is retained by SermonBridge.
  • Session transcripts (captions) - the text output of transcription and translation is stored in our database. See Section 7 for retention periods.
  • Session metadata - session identifiers, start/end timestamps, selected languages, and host/participant connection events are logged for operational purposes.

Technical and log data

  • Standard server access logs (IP address, browser user-agent, request path, response code, timestamp) are generated automatically for security and operational purposes.
  • We do not use third-party web analytics. No tracking pixels, no fingerprinting.

5. Minors

SermonBridge is a platform for churches; congregations regularly include children and young people. The service account (host/admin) must be held by an adult aged 18 or over.

Viewers who join a session as audience members do not create accounts; they access a session via a code. However, session transcripts may incidentally capture speech from minors present in the service. As data controller for those sessions, the church (operator) is responsible for ensuring its use of SermonBridge complies with applicable obligations regarding the processing of children's data, including informing parents or guardians as appropriate.

If we become aware that we have inadvertently collected personal data from a child via an account registration without appropriate consent, we will delete it promptly. Please contact privacy@sermonbridge.com if you believe this has occurred.

6. Sub-processors and International Transfers

We engage the following sub-processors. All sub-processors are bound by data processing agreements that require them to protect personal data to at least the standard required by GDPR.

Sub-processor Purpose Location Transfer safeguard
Soniox Inc. soniox.com Real-time speech transcription and translation. Live audio and resulting transcript text are transmitted to Soniox's API during active sessions. United States EU Standard Contractual Clauses (SCCs, 2021) [TODO: confirm SCCs are in place with Soniox before publishing]
Hetzner Online GmbH hetzner.com Cloud hosting and infrastructure. All application servers and the PostgreSQL database run on Hetzner infrastructure in Germany. EU (Germany) Within EU/EEA - no transfer safeguard required
Resend resend.com Transactional email delivery (account verification, password reset, invitations). Data transmitted: recipient's email address and first name. [TODO: confirm Resend's primary processing location] [TODO: confirm safeguard - SCCs or adequacy decision]
Google LLC google.com OAuth sign-in (optional). Used only when you choose to sign in with your Google account. United States EU Standard Contractual Clauses (SCCs, 2021) / Google's Data Processing Terms
Microsoft Corporation microsoft.com OAuth sign-in (optional). Used only when you choose to sign in with your Microsoft account. United States EU Standard Contractual Clauses (SCCs, 2021) / Microsoft's Data Protection Addendum
Cloudflare Inc. cloudflare.com DNS and content delivery network (CDN). Handles DNS resolution and may cache static assets. United States (global PoPs) EU Standard Contractual Clauses (SCCs, 2021) / Cloudflare's Data Processing Addendum

International transfer to Soniox (US). Live audio and transcript text are transmitted to Soniox, a US-based company, during every active session. This constitutes a transfer of personal data to a third country under GDPR Chapter V. The transfer is covered by Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR. [TODO: confirm and attach Soniox DPA / SCCs before publishing]

We do not sell or share personal data with any third party for advertising, marketing, or profiling purposes.

7. Data Retention

Audio

SermonBridge does not persist audio. Audio is streamed in real time to Soniox for transcription and translation, and is discarded immediately - it is never saved to disk or stored in the database. Soniox processes the audio in transit under contractual data-protection terms (see Section 6). Once a session ends, no audio data remains with SermonBridge.

Session transcripts

Transcripts (captions in all enabled languages) are retained for up to 12 months (configurable via TRANSCRIPT_RETENTION_DAYS) and then automatically deleted by a daily background purge. A church administrator can delete a session sooner via the dashboard. Deletion is immediate and permanent.

Account data

Account data (name, email, password hash, OAuth identifiers, avatar) is retained for as long as your account is active. Account deletion is available in the app and erases your account and associated data immediately (an in-app button is being added; until then, deletion can also be requested at privacy@sermonbridge.com). Financial records required by law may be retained for the legally required period.

Church membership records

Church membership records are retained until you leave the church on the platform or delete your account.

Server and access logs

Server access logs are retained for a maximum of 90 days for security and operational purposes, then deleted.

8. Cookies and Local Storage

SermonBridge uses a minimal cookie footprint. We do not use any advertising, analytics, or tracking cookies. Fonts are self-hosted and do not trigger any third-party requests.

Authentication cookie (auth_token)

A single HttpOnly, Secure cookie named auth_token is set when you sign in. It contains a signed JWT that identifies your session. This cookie is strictly necessary for the service to function and does not require your consent under the ePrivacy Directive. It expires after 7 days or when you sign out, whichever is earlier.

OAuth state cookie (oauth_state)

When you initiate a sign-in via Google or Microsoft, a short-lived (typically a few minutes) oauth_state cookie is set to protect the OAuth flow against cross-site request forgery (CSRF). This cookie is strictly necessary and is deleted as soon as the OAuth flow completes.

OAuth PKCE cookie (oauth_pkce_verifier)

A short-lived oauth_pkce_verifier cookie carries the PKCE code verifier used to harden the OAuth authorization code exchange against interception attacks. It is strictly necessary for OAuth security and is deleted immediately after the OAuth callback completes.

OAuth invite cookie (sb_oauth_invite)

If you follow an invitation link and then choose to sign in via Google or Microsoft, a short-lived sb_oauth_invite cookie (maximum 10 minutes) carries the pending invitation code through the OAuth redirect round-trip so it is not lost. It is strictly necessary for the invitation flow and is deleted as soon as the callback has been processed.

No analytics or third-party cookies

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking or analytics service. No consent banner is required for the cookies we use, as they are all strictly necessary. We have chosen to document them here for full transparency.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at privacy@sermonbridge.com. We will respond within one month (extendable by two further months for complex requests).

  • Right of access (Art. 15) - You may request a copy of the personal data we hold about you and information about how it is used.
  • Right to rectification (Art. 16) - You may ask us to correct inaccurate or incomplete personal data. You can also update your name and email directly in your profile.
  • Right to erasure / "right to be forgotten" (Art. 17) - You may request deletion of your personal data. Account deletion is available in the app and erases your account and associated data immediately (an in-app button is being added; until then, deletion can also be requested at privacy@sermonbridge.com). Session transcripts can be deleted by the church administrator at any time.
  • Right to data portability (Art. 15/20) - You can download a copy of your personal data as a JSON file via the app (GET /api/auth/export-data). You may also contact us at privacy@sermonbridge.com to request a data export.
  • Right to restriction of processing (Art. 18) - Under certain circumstances, you may ask us to restrict how we process your data while a dispute is resolved.
  • Right to object (Art. 21) - You may object to processing carried out on the basis of legitimate interests. We will cease that processing unless we have compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3)) - Where processing is based on consent (in particular, the storage of church membership records that reveal religious affiliation), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Congregation members who are not account holders (e.g. viewers who join a session without creating an account) should direct rights requests to the church that operates the session. The church is the data controller for those individuals.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Passwords are hashed using bcrypt with an appropriate work factor; plaintext passwords are never stored or logged.
  • Authentication tokens are signed JWTs set as HttpOnly, Secure cookies.
  • Database access is restricted to application servers within the private network; it is not exposed to the public internet.
  • Infrastructure is hosted on ISO 27001-certified Hetzner facilities in Germany.

No system is perfectly secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, affected individuals without undue delay.

11. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the "effective date" at the top of this page. Continued use of the service after the effective date of an updated policy constitutes acceptance of the changes.

Previous versions of this policy will be made available on request.

12. Contact and Complaints

For all privacy-related questions, data subject requests, or concerns, please contact our privacy point of contact:

SermonBridge - Privacy

[Legal entity name]

[Street address, postal code, city, Netherlands]

Email: privacy@sermonbridge.com

Response time: within one calendar month

Supervisory authority

You have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (AP):

Autoriteit Persoonsgegevens

Hoge Nieuwstraat 8, 2514 EL Den Haag, Netherlands

Website: autoriteitpersoonsgegevens.nl

Phone: +31 88 1805 250

We always prefer to resolve concerns directly. We encourage you to contact us first before filing a complaint with the supervisory authority.