Privacy Policy

Effective Date: January 1, 2025  ·  Last Updated: January 1, 2025

Steeple Security ("we," "us," or "our") operates steeplesec.com and the Steeple Security platform. This policy explains what data we collect, how we use it, and the choices you have.

1. Information We Collect

Account data. When you create an account, we collect your name, email address, church name, and billing information.

Assessment data. Answers you provide in security assessments are stored to generate your report and track progress over time.

Connected service data. If you connect Google Workspace, Planning Center, or Microsoft 365, we request read-only access to run security checks. We store OAuth tokens to enable repeated scanning. We do not store or retain the content of your emails, files, or ministry records — only security configuration metadata used to evaluate your posture.

Usage data. We collect standard server logs including IP addresses, browser type, and pages visited. We use this to maintain and improve the service.

Payment data. Billing is handled by Stripe. We do not store card numbers. We receive confirmation of successful payments and your subscription status.

2. How We Use Your Data

We do not sell your data. We do not use your data for advertising.

3. Connected Services and Third-Party Access

Google Workspace. We use ScubaGoggles, a CISA-published open-source tool, to evaluate your GWS configuration. Access is read-only via a service account you create and control. You can revoke access at any time from your Google Admin console.

Planning Center. We use read-only OAuth scopes (people, giving, check-ins, services) to run 8 security checks. We do not read, store, or transmit your congregation's personal data. You can revoke access at any time from your Planning Center settings.

Microsoft 365. We use read-only Microsoft Graph API permissions to evaluate your M365 security configuration. We do not access email content, files, or personal data. You can revoke access at any time from Azure Enterprise Applications.

4. Data Sharing

We share data with the following service providers, solely to operate the platform:

We do not share your data with any other third parties.

5. Data Retention

We retain your account and assessment data for as long as your account is active. If you cancel, we retain data for 90 days to allow account recovery, then delete it. You can request immediate deletion by emailing privacy@steeplesec.com.

OAuth tokens for connected services are deleted immediately upon disconnection from the dashboard.

6. Security

All data is encrypted in transit (TLS 1.2+) and at rest. OAuth tokens are stored in an encrypted Cloudflare D1 database. We perform regular security reviews of our own infrastructure.

7. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@steeplesec.com. We will respond within 30 days.

If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to data portability and the right to lodge a complaint with your supervisory authority.

8. Cookies

We use a single session cookie to keep you logged in. We do not use tracking cookies or third-party advertising cookies.

9. Children

The Steeple Security platform is intended for use by church administrators and staff. We do not knowingly collect personal data from anyone under 18.

10. Changes to This Policy

We will notify account holders of material changes to this policy by email at least 14 days before they take effect. The current version is always available at steeplesec.com/privacy.

11. Contact

Questions about this policy or your data: privacy@steeplesec.com

Steeple Security · steeplesec.com