Privacy Policy
Plain-language summary: Ministering is a private, single-ward tool used by one Latter-day Saint bishopric leader. It stores ward-member administrative data in a private database. It connects to that leader's own Google Calendar and Gmail draft folder, with their explicit consent, so it can create calendar events and prepare email drafts for human review. It never sells data, never advertises, never auto-sends a message, and is not affiliated with The Church of Jesus Christ of Latter-day Saints.
1. Who runs this app
Ministering is operated as a private project by an individual ward administrator. It is not multi-tenant SaaS. The app is used by one ward bishopric to reduce the manual paperwork of their callings. Questions about this policy can be sent to contact@ministering.to.
2. What data Ministering handles
2.1 Ward administrative records
The app stores information that a bishopric ordinarily needs to do their work:
- Member names and household groupings imported from Leader and Clerk Resources (LCR), the Church's official record system, using the leader's own LCR credentials.
- Calling assignments, ministering companionships, interview dates, and temple-recommend renewal dates — the same records the bishopric would otherwise track on paper.
- Birthday dates for upcoming-birthday reminders, if the leader chooses to enable that feature.
This information is stored in a private database on infrastructure controlled by the operator. It is not exported, sold, shared with advertisers, or made publicly browsable.
2.2 Google account data
Ministering uses Google OAuth in two stages so that no scope is requested until it is actually used. The leader sees a separate consent screen each time a new scope is added, and may revoke any of them at any time.
Stage 1 — Sign-in (identity only). When the leader chooses "Continue with Google" on the sign-in page, the app requests the three OpenID Connect identity scopes:
openid— the standard OpenID Connect identifier.https://www.googleapis.com/auth/userinfo.email— used solely to identify which ward leader is signing in. The email address is matched against the ward directory; if no match, sign-in is denied. The app stores the lowercase email address only; it is never shared with any third party.https://www.googleapis.com/auth/userinfo.profile— used solely to display the leader's name in the app's header after they sign in. The app stores the leader's name only; it does not store profile photos, locale, or any other profile metadata.
Sign-in does not request, store, or keep a Google "refresh token." It only confirms identity and ends.
Stage 2 — Feature consent (only when a feature needs it). If a leader later activates a feature that requires deeper Google access, the app shows a second Google consent screen for that specific scope. The leader may decline; the rest of the app continues to work without that feature. The two feature scopes the app may request are:
-
https://www.googleapis.com/auth/calendar— requested only when the leader chooses to sync ward-activity events with their personal Google Calendar. Events are written only when the leader takes an action that asks for one. The app does not read or modify calendars that belong to other users. -
https://www.googleapis.com/auth/gmail.compose— requested only when the leader chooses to have the app pre-fill outgoing messages as Gmail drafts. This scope cannot read or send mail; the leader presses "Send" themselves in Gmail. Ministering never sends a message on behalf of the user.
When a Stage 2 scope is granted, the corresponding OAuth refresh token is encrypted at rest (Fernet / AES-128-CBC with HMAC-SHA256) before being stored privately on the operator's server, and can be revoked at any time from the leader's Google Account → Connections page.
2.3 What the app does NOT collect
- It does not request readonly access to your Gmail inbox.
- It does not request access to Google Drive files, Contacts, Photos, YouTube, or any other Google service beyond the four scopes named in §2.2 above.
- It does not load third-party advertising trackers, analytics, or fingerprinting scripts on this site.
- It does not use your data to train any AI or machine-learning model.
- It does not sell, rent, or share data with marketing partners.
3. How data is used
The data above is used only for the following operational purposes:
- Showing the bishopric leader their own list of callings, ministering assignments, recommend renewals, and interview dates.
- Generating private reminder notifications to the leader (for example, a Discord message to the leader's own private channel saying "the youth activity starts in two hours").
- Composing draft emails and SMS deep-links for the leader to review and send.
- Producing internal printed reports (sacrament-meeting conducting sheets, weekly digests) used inside the bishopric.
4. How data is shared
Ministering does not sell or rent data. The app talks to a small number of services solely to perform the functions above:
- Google APIs (Calendar, Gmail) — subject to Google's Privacy Policy. Ministering's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Leader and Clerk Resources (LCR) — the Church's own system. Ministering reads from LCR on the leader's behalf using the leader's authenticated browser session. Ministering never writes to LCR.
- Discord webhooks — if the leader configures one, used to deliver private reminders to a channel the leader controls.
- Railway — the cloud platform that hosts the app's server and database.
5. Limited Use of Google data
Ministering's use of data obtained through Google OAuth scopes complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide or improve user-facing features prominent in our app (calendar events, email drafts).
- We do not transfer Google user data to others except as needed to provide those features, comply with applicable law, or as part of a merger or sale where this policy continues to apply.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have the user's explicit consent for specific messages, it's necessary for security or to comply with law, or the data is aggregated and used for internal operations in compliance with applicable rules.
6. Retention and deletion
Records stay only as long as needed for the bishopric to do their work. A leader can ask the operator to delete their Google connection, their reminder configuration, or all ward data the app holds, by emailing contact@ministering.to. Google scopes can also be revoked unilaterally by the leader at myaccount.google.com/permissions; the app will simply stop performing the Google-side functions if revoked.
7. Security
The app's server runs over HTTPS. The OAuth refresh token and ward database live on the operator's hosting account. Administrative pages of the app are protected by HTTP Basic authentication so casual visitors cannot browse them. No system is perfect — if you believe a security issue exists, please email contact@ministering.to.
8. Children
Ministering is not directed at children, and ward youth do not log in to it. When information about youth members appears in the app (for example, in a youth-activity reminder), that information is visible only to the adult bishopric leader using the tool and is handled under the same rules above.
9. Changes to this policy
If this policy changes meaningfully, the date at the top will be updated and the leader using the app will be notified by email. Continued use of the app after the effective date constitutes acceptance of the updated policy.
10. Contact
Questions, deletion requests, or security reports: contact@ministering.to.