HIJBLR Care Privacy Policy

Last updated: March 2026

Effective date: March 2026

1. Data Controller Identity

HIJBLR Care is developed and operated by White Clouds Media (“we”, “us”, “our”), based in Bangalore, India. We are the data controller responsible for your personal data.

• Company: White Clouds Media
• Location: Bangalore, Karnataka, India
• Email: info@whitecloudsmedia.com
• Grievance Officer: info@whitecloudsmedia.com

Your ministry administrator acts as a joint data controller for data processed within their ministry context.

2. Information We Collect

We collect the following categories of personal data:

Account Information

• Name, email address, password (hashed)
• Google account identifier (if using Google Sign-In)
• Account role within each ministry

Profile Information

• Phone number, address (street, city, zip code)
• Date of birth, gender, marital status
• Occupation, education level (optional)
• Family member details (spouse name, children names and ages)

Sensitive Personal Data

With your explicit consent, we process the following sensitive personal data:

• Religious beliefs and church membership status (e.g., baptism date, type of visit, first church visit)
• Prayer requests, which may reveal information about health, family circumstances, or personal struggles
• Pastoral care notes, which may include mood assessments, mental health observations, and spiritual well-being data
• House visit notes and follow-up care information

Usage & Technical Data

• Device push notification tokens
• Event attendance records (including QR code and location-based check-ins)
• App crash reports and technical error data (via Sentry — no personal data included)

3. Purpose & Legal Basis for Processing

We process your data for the following purposes:

• Consent: For account creation, general data processing, and sensitive personal data (religious beliefs, prayer requests, pastoral care notes). Consent is obtained during signup/activation via consent checkboxes and recorded with timestamps.
• Contractual Necessity: To provide the pastoral care platform services you have requested.
• Legitimate Interests: For platform security, fraud prevention, and service improvements, balanced against your privacy rights.

You may withdraw consent at any time. You can withdraw pastoral data consent (removing prayer requests, care notes, and visit records while keeping your basic profile) via Profile Settings, or delete your entire account. Withdrawal does not affect the lawfulness of prior processing.

4. How We Use Your Information

Your information is used to:

• Provide and maintain the HIJBLR Care platform
• Enable pastoral care coordination within your ministry
• Facilitate prayer request management and follow-up
• Schedule and track house visits and care activities
• Send push notifications about ministry events, prayer updates, and care activities
• Generate ministry reports and analytics (aggregated)
• Enable event management and QR-based attendance tracking
• Manage member directories within ministry boundaries
• Provide milestone reminders (birthdays, anniversaries)

5. Data Sharing & Third-Party Processors

We do not sell, rent, or trade your personal data. Your data is shared only with:

Ministry Leaders

Authorized ministry leaders (administrators, prayer managers, event managers, house visit managers) can access relevant member data within their ministry based on their assigned role. Prayer requests marked as confidential are restricted to prayer managers and administrators only.

Third-Party Service Providers

We use the following processors to deliver our services:

• Supabase, Inc. (USA) — Database hosting, authentication, and real-time data services. Data stored with row-level security. Privacy policy: supabase.com/privacy
• Expo / EAS (USA) — Mobile app build services and push notification delivery. Privacy policy: expo.dev/privacy
• Google LLC (USA) — Google Sign-In authentication (OAuth 2.0). Only your email and name are shared. Privacy policy: policies.google.com/privacy
• Vercel Inc. (USA) — Web application hosting. Privacy policy: vercel.com/legal/privacy-policy
• Sentry (USA) — Crash reporting and error monitoring. No personal data is sent; only technical error data. Privacy policy: sentry.io/privacy
• Resend (USA) — Transactional email delivery (invitation emails only). Privacy policy: resend.com/legal/privacy-policy

Legal Requirements

We may disclose your data if required by law, court order, or government regulation, or to protect the rights, property, or safety of our users or the public.

6. Data Storage & International Transfers

HIJBLR Care is operated from India. Your data is stored on servers operated by our third-party processors, primarily located in the United States.

By using HIJBLR Care, you consent to the transfer and storage of your data in the United States and other jurisdictions where our processors operate. Our processors maintain appropriate security safeguards as described in their respective privacy policies.

For users outside India: if you are located in the EU/UK, we rely on Standard Contractual Clauses (SCCs) for data transfers. For users in other jurisdictions, we comply with applicable local transfer requirements.

7. Children's Data

HIJBLR Care requires users to be at least 18 years of age to create an account. Age verification is collected during signup.

Minors under 18 may have limited profile information (name and age) stored in the family profile system, managed entirely by their parent or legal guardian who holds the primary account. We do not knowingly collect data directly from minors under 18.

If you believe a minor under 18 has created an account without parental consent, please contact us immediately at info@whitecloudsmedia.com and we will delete the account.

8. Data Security

We implement industry-standard security measures to protect your data:

• All data transmitted over HTTPS/TLS encryption
• Passwords are hashed using bcrypt (never stored in plaintext)
• Row-Level Security (RLS) policies on all database tables ensure strict data isolation between ministries
• Role-based access control (RBAC) with 5 distinct roles limiting data visibility
• Ministry-scoped data isolation — users in one ministry cannot access another ministry's data
• Authentication tokens with secure session management
• No service role keys exposed in client applications

While we strive to protect your personal data, no method of transmission or storage is 100% secure. We encourage you to use strong passwords and protect your account credentials.

9. Your Rights

Regardless of your location, you have the following rights:

• Access: Request a copy of all personal data we hold about you
• Correction: Correct inaccurate or incomplete data via your profile settings
• Deletion: Delete your account and all associated data at any time via Profile Settings
• Withdraw Consent: Withdraw consent for sensitive data processing (pastoral data) without deleting your account
• Data Portability: Export your data in a structured format (JSON/CSV) via the app
• Objection: Object to processing of your data

India (DPDPA 2023)

Indian residents have rights under the Digital Personal Data Protection Act, 2023, including the right to access, correct, and erase personal data, and to nominate a representative. You may file a complaint with the Data Protection Board of India.

EU/UK (GDPR)

EU/UK residents have additional rights under GDPR Articles 15-21, including the right to restriction of processing and the right to lodge a complaint with your local data protection authority (UK: ico.org.uk, EU: your national authority).

Other Jurisdictions

Users in California (CCPA), Australia (Privacy Act 1988), and Canada (PIPEDA) have additional rights under their respective laws. Contact us to exercise any rights.

To exercise your rights, use the “Export My Data” and “Delete Account” features in the app, or contact us at info@whitecloudsmedia.com. We will respond within 30 days.

10. Data Retention & Deletion

We retain your personal data for as long as your account is active or as needed to provide our services. Specifically:

• Active accounts: Data retained for the duration of your account
• Account deletion: All personal data is permanently deleted immediately upon request, including profiles, prayer requests, care notes, house visits, tasks, attendance records, feed activities, notification preferences, and family member data. A minimal deletion log (user ID, timestamp, tables affected) is retained for compliance.
• Ministry data: If you are a ministry administrator, your ministry data is retained for other members. Your personal data is removed.
• Anonymized analytics: Aggregated, non-identifiable usage statistics may be retained for service improvement

11. Cookies & Local Storage

HIJBLR Care uses local storage mechanisms to provide a seamless experience:

• Authentication tokens: Stored in device-secure storage (AsyncStorage on mobile, localStorage on web) to maintain your login session
• User preferences: Welcome screen status, notification settings, and ministry selection stored locally
• No third-party tracking cookies: We do not use advertising cookies or third-party analytics trackers
• PWA service worker: On web, a service worker caches app assets for offline performance (no personal data is cached)

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we commit to:

• Notifying affected individuals without undue delay
• Notifying the relevant authority as required by applicable law (e.g., Data Protection Board of India under DPDPA, supervisory authority under GDPR within 72 hours)
• Documenting all breaches, including their effects and remedial actions taken
• Providing clear information about what happened, what data was affected, and what steps you should take

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes via in-app notification or email. Continued use of the app after changes constitutes acceptance of the updated policy.

14. Contact & Grievance Officer

For questions about this privacy policy, your data, or to exercise your rights:

• General inquiries: info@whitecloudsmedia.com
• Grievance Officer: info@whitecloudsmedia.com
• Ministry-specific questions: Contact your ministry administrator through the app

If you are not satisfied with our response, you have the right to lodge a complaint with the applicable authority:

• India: Data Protection Board of India (once constituted under DPDPA 2023)
• UK: Information Commissioner's Office (ico.org.uk)
• EU: Your national data protection authority
• Australia: Office of the Australian Information Commissioner (oaic.gov.au)
• Canada: Office of the Privacy Commissioner (priv.gc.ca)
• US/California: California Attorney General (oag.ca.gov)