Privacy Policy

Effective date: May 1, 2026
Last updated: May 1, 2026

Quick Summary

Vestry helps churches plan worship services. To do that, we collect some information about you and your church, store it securely, and share only what's necessary with the third parties who help us run the service (like our payment processor and our hosting provider). We do not sell your personal information. You have the right to access, correct, and delete your data at any time, either yourself in your account settings or by emailing us at privacy@getvestry.com.

The full details are below.


1. Who We Are

This Privacy Policy describes how Vestry LLC ("Vestry," "we," "us," or "our"), a Virginia limited liability company, collects, uses, and shares your personal information when you use the Vestry service at getvestry.com (the "Service").

Mailing address: Vestry LLC, 8401 Mayland Dr Ste A, Richmond, VA 23294-4648, United States

Privacy contact: privacy@getvestry.com

Person responsible for the protection of personal information (Quebec Law 25 § 3.1): Lawrence Chen, reachable at privacy@getvestry.com.


2. Information We Collect

2.1 Information you give us directly

When you sign up for and use Vestry, we collect:

  • Account information: your email address, full name, and (optionally) your profile photo, all provided through our authentication provider Clerk.
  • Workspace information: the name of your church or ministry, the names and roles of team members you invite, and any organization-level configuration you provide.
  • Worship content: services you create, song selections, prayer notes, custom song entries you add to the song bank, journey assignments, and any text you contribute to community posts.
  • Billing information: your billing address and payment method, collected and stored by our payment processor Stripe (Vestry's servers do not see or store your full credit card number).
  • Communications you send us: the contents of any email you send to privacy@getvestry.com, legal@getvestry.com, hello@getvestry.com, or other Vestry-operated addresses.

2.2 Information collected automatically

When you use the Service, we automatically collect:

  • Usage data: pages you visit, features you use, time spent in the application, and click and scroll behavior on the Service.
  • Device and connection data: IP address, browser type and version, operating system, device type, language preference, and time zone.
  • Cookies and similar technologies: see Section 13 below for details.

2.3 Information from third parties

  • Authentication providers: if you sign in using a third-party identity provider (such as Google), we receive the basic profile information that provider supplies (typically email, name, and profile image) — only what you authorize the provider to share with us.
  • Payment processor: we receive transaction status, subscription state, and (in limited cases) email and name from Stripe in order to manage your subscription.

3. How We Use Your Information

We use your personal information for the following purposes:

  1. To provide and operate the Service — including hosting your workspace, displaying services and song selections, syncing edits across devices, and authenticating you on each visit.
  2. To process payments and manage subscriptions — including handling trials, charging your card on the renewal date, issuing receipts, and processing refunds when applicable.
  3. To communicate with you about your account — including transactional notifications (trial reminders, billing receipts, security alerts), responses to your support questions, and notices required by law.
  4. To send you product updates and announcements — you may unsubscribe from these at any time using the link in any such email or by contacting privacy@getvestry.com.
  5. To improve the Service — including analyzing how features are used, identifying and fixing bugs, and developing new features.
  6. To suggest songs and generate worship-planning recommendations — using algorithmic and embedding-based features that compare song metadata, theology profiles, and your past selections.
  7. To prevent fraud and abuse — including detecting unauthorized access, blocking malicious automated traffic, and enforcing our Terms of Service.
  8. To comply with applicable law — including responding to lawful requests from law enforcement, preserving records required by tax and accounting laws, and meeting our regulatory obligations.
  9. To protect Vestry, our users, and the public — including responding to actual or imminent threats to security, life, or property.
  10. To support our business operations — including financial accounting, legal matters, audits, and corporate transactions.
  11. To use Customer Content in de-identified form to improve the Service — see Section 6 (Aggregated and De-identified Data) below.

4. Legal Bases for Processing (UK and EU Users)

If you are in the United Kingdom or European Economic Area, we process your personal information on the following lawful bases under the UK GDPR / GDPR:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service you have signed up for, manage your subscription, and respond to your requests.
  • Legitimate interests (Art. 6(1)(f)) — to improve and secure the Service, prevent fraud, communicate product announcements, and operate our business. We balance these interests against your privacy rights and process only what is reasonably necessary.
  • Compliance with legal obligations (Art. 6(1)(c)) — to comply with applicable laws, regulations, court orders, and lawful requests from public authorities.
  • Consent (Art. 6(1)(a)) — where we ask for your specific consent (such as for non-essential cookies in jurisdictions where consent is required).
  • Vital interests (Art. 6(1)(d)) and public interest (Art. 6(1)(e)) — only in extreme cases such as preventing imminent harm.

5. How We Share Your Information

We share your personal information only with the third parties below, each of which has agreed by contract to protect your data and use it only for the purposes we authorize. We do not sell your personal information — see Section 12 for the formal CCPA, VCDPA, and equivalent disclosures.

5.1 Service providers ("sub-processors")

Vestry uses the following sub-processors. We will update this section within 30 days of any material change to these relationships. Customers with a signed Data Processing Agreement will receive notifications as specified in that agreement.

| Sub-Processor | Purpose | Data Categories | Region | DPA |
|---|---|---|---|---|
| Clerk | Authentication, identity, OAuth | Email, name, profile image, OAuth IDs, session tokens, IP address | United States (AWS us-east) | Clerk DPA |
| Microsoft Clarity | Session-replay analytics | DOM snapshots, click paths, IP, user agent, page URLs | US/global | Microsoft DPA |
| OpenAI | Embedding generation for song-similarity and theology features | Free-text inputs (e.g., custom song titles), worship-content metadata | United States | OpenAI DPA |
| Sentry | Error tracking and performance monitoring | Internal user identifier (opaque), IP address, browser metadata, error context | United States | Sentry DPA |
| Stripe | Payment processing, subscriptions, customer portal | Email, name, billing address, payment method, transaction history | United States | Stripe DPA |
| Supabase (App database) | Primary database for user content, workspace data, audit logs | All user-generated content, account data, audit events | United States (AWS us-east-1, Northern Virginia) | Supabase DPA |
| Vercel | Application hosting, edge content delivery | All HTTP request and response data, server logs | United States (primary), global edge | Vercel DPA |
| Google Workspace | Email infrastructure (@getvestry.com) | Contents of email correspondence with Vestry | Global | Google Workspace DPA |

5.2 Other recipients

We may also share your personal information:

  • With your consent — when you direct us to share specific information with a third party.
  • With your authorized users — your workspace's services, song selections, prayer notes, and other Customer Content are visible to other authorized users of your workspace, in accordance with the role-based permissions set by your workspace owner.
  • In public community channels — when you post in a public community channel, your post (including the username, handle, or "Anonymous" attribution you choose) is visible to anyone, including non-members of Vestry, search engines, AI search and answer engines, and third-party archives. See Section 5.3 below.
  • For legal reasons — when we believe in good faith that disclosure is required to comply with applicable law, a court order, or a lawful government request, or to protect Vestry's rights, property, or safety, or those of our users or the public.
  • In a corporate transaction — in connection with a merger, acquisition, financing, or sale of substantially all of Vestry's assets, in which case we will require the recipient to honor this Privacy Policy with respect to your personal information.
  • In aggregated or de-identified form — see Section 6.

5.3 Public Community Channels

Vestry's community feature is organized into channels with two visibility levels:

Members-only channels are visible only to authenticated Authorized Users. Posts in members-only channels are stored and processed under the operational license described in our Terms of Service Section 5.2. Sensitive content — including prayer requests, pastoral case discussions, member-roster information, and internal church matters — should be posted in members-only channels.

Public channels are publicly accessible on Vestry's website. Posts in public channels are intended to be visible to anyone, including non-members of Vestry, search engines, AI search and answer engines (subject to the conditions described in our Terms of Service Section 4.4), and third-party archives.

When you post in a public channel:

(a) Your post — together with the username, handle, or pseudonym you choose for that post — is visible to anyone in the world.

(b) Search engines, AI search engines, and third-party archives may index, cache, or copy your post.

(c) Once content is published in a public channel, residual copies may persist in third-party caches, archives, and AI training datasets created in violation of our Terms even after you delete the original. Vestry's ability to remove content from third-party surfaces is limited.

(d) You may choose to post under a pseudonym or "Anonymous" attribution. When you do, Vestry will not link the pseudonym to your real name or church identity in any publicly visible surface, but Vestry retains the underlying linkage internally for compliance, fraud prevention, DMCA processes, and lawful disclosure.

Default visibility for new community posts is members-only unless you explicitly select a public channel.


6. Aggregated and De-identified Data

We may use, disclose, or sell aggregated or de-identified data — such as aggregate song-selection statistics or anonymized usage patterns — for purposes including reporting to music publishers, songwriters, and industry partners. Aggregated and de-identified data does not identify you and is not "personal information" under applicable privacy laws.

When we de-identify data, we apply a process designed to ensure the data cannot reasonably be linked, alone or in combination with other available information, to any individual user, workspace, church, or member.


7. How Long We Keep Your Information

We retain your personal information for as long as your account is active, plus a limited period afterward as described below.

  • While your account is active — we retain your data so you can continue to use the Service. There is no time limit while your subscription remains active or in a paused/frozen state.
  • If your subscription is cancelled but your account or workspace is not deleted — we retain your data indefinitely so you can resume the Service at any time. To request deletion, see Section 8 below.
  • When you delete your account or workspace — we delete the personal information associated with it within 90 days of your deletion request. In practice, live data is removed at the end of a 7-day soft-delete recovery window (during which you may contact us to undo the deletion), and residual data in our automated database backups expires within an additional 7 days. Total residual lifetime is typically 14 days, never exceeding the 90-day commitment.
  • Backups — we keep daily backups of our primary database for 7 days. Residual personal information in those backups expires when the backup containing it rotates out.
  • Audit and security records — we retain certain audit logs (records of administrative and security-relevant actions) beyond the standard retention period where required for security, fraud prevention, or legal compliance. These logs reference internal user identifiers; we redact or remove personal information that is no longer needed.
  • Payment and tax records — Stripe and our financial systems retain transaction records as required by applicable tax, accounting, and anti-fraud laws (typically 7 years under IRS recordkeeping rules, longer where applicable). We cannot delete these records during the retention period.

8. Your Privacy Rights

Wherever you are located, you have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Delete your personal information, subject to limited exceptions (such as records we must keep for legal or financial reasons).
  • Receive a copy of your personal information in a structured, commonly-used, machine-readable format (commonly called "data portability").
  • Object to our use of your personal information for direct marketing.
  • Withdraw consent at any time where we are processing on the basis of your consent.

8.1 How to exercise your rights

  • Access, correction, deletion of your account: in most cases, you can do these yourself directly in your account settings.
  • Data portability / export: email privacy@getvestry.com to request a copy of your data. We will provide it within 30 days in a structured, machine-readable format (CSV or JSON).
  • All other requests: email privacy@getvestry.com.

We will respond to verifiable requests within the timeframe required by your applicable law (typically 30 to 45 days), and we will not discriminate against you for exercising your rights.

8.2 California (CCPA / CPRA)

If you are a California resident, in addition to the rights above, you have the right to:

  • Know what categories of personal information we collect, use, disclose, and sell or share, and the purposes for each.
  • Opt out of "sale" or "sharing" of your personal information for cross-context behavioral advertising. We do not sell or share personal information for cross-context behavioral advertising — see Section 12 — but you may submit a "Do Not Sell or Share My Personal Information" request at privacy@getvestry.com.
  • Limit the use of sensitive personal information to certain authorized purposes.
  • Non-discrimination for exercising these rights.

Sensitive personal information disclosure. Because Vestry serves churches, your use of the Service may reveal your religious or philosophical beliefs (an enumerated category of sensitive personal information under Cal. Civ. Code § 1798.140(ae)(1)(C)) — including through your church name, denominational affiliation, prayer notes, theology profiles, and song selections. We use this information solely to provide the Service you have signed up for and do not use or disclose it for any purpose that would require us to offer a "Limit the Use of My Sensitive Personal Information" option under Cal. Civ. Code § 1798.121, consistent with the exemption at 11 C.C.R. § 7027(m). We do not collect other categories of sensitive personal information (such as Social Security numbers, biometric data, precise geolocation, or health-care information) other than what is described above and incidentally through Stripe payment processing.

To exercise these rights, email privacy@getvestry.com. We may need to verify your identity by asking for information that matches what we already have on file.

You may also designate an authorized agent to make a request on your behalf. We will require written proof of the agent's authorization.

We do not use your personal information to train large language models or generative artificial intelligence models. Our use of OpenAI's embedding APIs is described in Section 3 above.

8.3 Virginia (VCDPA)

If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 to 59.1-585), including the rights listed above and the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Vestry does not engage in such profiling.

If we deny your request, you have the right to appeal within a reasonable period after our denial. To appeal, email privacy@getvestry.com with the subject line "VCDPA Appeal." We will respond within 60 days. If we deny the appeal, you may contact the Virginia Attorney General at oag.state.va.us.

8.4 Other US States

Residents of the following US states with comprehensive consumer privacy laws have rights similar to those described in Section 8.3 (access, correct, delete, port, opt out of sale/targeted advertising/profiling, and where applicable appeal denied requests). To exercise any of these rights, email privacy@getvestry.com. Where your state's law gives you an appeal right, we will respond within 60 days (or your state's specified period); if we deny the appeal, you may submit a complaint to your state Attorney General.

States with comprehensive consumer privacy laws as of the Effective Date include: Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and others as enacted from time to time.

State-specific call-outs:

8.4(a) Colorado

Colorado residents may opt out of sale and targeted advertising via the Universal Opt-Out Mechanism (UOOM). When we detect a Global Privacy Control or other recognized UOOM signal, we apply it as an opt-out for that browser session and, where you are signed in, persist that preference to your account. Colorado residents have the right to appeal a denied request; we will respond to appeals within 60 days.

8.4(b) Connecticut

Connecticut residents have the rights described above plus the right to opt out of profiling that produces legal or similarly significant effects. Connecticut residents under 18 receive heightened protections regarding targeted advertising, profiling, and sale of personal data. Vestry does not engage in any of those practices. We do not use your personal information to train large language models or generative artificial intelligence models (Conn. Gen. Stat. § 42-518 disclosure, effective July 1, 2026).

8.4(c) Maryland

Maryland residents are protected by the Maryland Online Data Privacy Act (MODPA), one of the strictest US state privacy laws. Vestry does not sell sensitive personal data; processes sensitive personal data only as strictly necessary to provide the Service; and does not target advertising to or sell the personal data of users under 18 regardless of consent.

8.4(d) New Jersey

New Jersey residents are protected by the New Jersey Data Privacy Act (NJDPA). Vestry treats financial-account credentials as sensitive personal data and does not process or share them beyond what Stripe handles directly during payment. New Jersey residents have the right to appeal a denied request; we will respond within 60 days.

8.4(e) Oregon

Oregon residents have the right to obtain a list of specific third parties to whom we have disclosed their personal data (not just categories). To request this list, email privacy@getvestry.com.

8.4(f) Texas

Vestry does not sell sensitive personal data as defined under the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code § 541.102), and the statutory notice requirement at § 541.102(c) therefore does not apply. Texas residents have the rights described above and may exercise them at privacy@getvestry.com.

8.5 United Kingdom and European Economic Area (UK GDPR / GDPR)

If you are in the UK or EEA, you have additional rights under the UK GDPR / GDPR, including the right to lodge a complaint with your supervisory authority (such as the UK Information Commissioner's Office at ico.org.uk or your national data protection authority).

Vestry does not engage in solely automated decision-making that produces legal or similarly significant effects on you within the meaning of UK GDPR / GDPR Article 22.

8.6 Canada (PIPEDA / Quebec Law 25 / provincial laws)

If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), and if you are in Quebec, you have additional rights under An Act to modernize legislative provisions as regards the protection of personal information ("Quebec Law 25"). Residents of Alberta and British Columbia are also protected under their respective Personal Information Protection Acts. To exercise these rights, email privacy@getvestry.com.

8.7 Australia (Privacy Act / APPs)

If you are in Australia, you have rights under the Privacy Act 1988 and Australian Privacy Principles ("APPs"), including the right to lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

Australian users may also bring a statutory claim for serious invasions of privacy under Part IIIA of the Privacy Act 1988 (effective June 10, 2025).

Vestry does not use automated decision-making to make decisions that significantly affect Australian users' rights or interests within the meaning of APP 1.4.


9. International Data Transfers

Vestry is based in the United States and stores personal data in the United States (AWS us-east-1, Northern Virginia). If you are located outside the United States, your personal information will be transferred to and processed in the United States.

Some sub-processors listed in Section 5 may process data in additional regions. Where personal information of EU, UK, or Swiss residents is transferred to a country that does not have an adequacy decision, we rely on the following lawful transfer mechanisms:

  • EU-U.S. Data Privacy Framework (and UK Extension and Swiss-U.S. DPF) — for sub-processors that are self-certified under the framework. The framework was adopted by Commission Implementing Decision (EU) 2023/1795 and upheld by the EU General Court on September 3, 2025 (Latombe challenge dismissed).
  • EU Standard Contractual Clauses (SCCs) — Module Two (Controller to Processor), as adopted by Commission Implementing Decision (EU) 2021/914.
  • UK International Data Transfer Addendum (UK IDTA) — for transfers from the United Kingdom.
  • Swiss SCC modifications recognized by the Swiss Federal Data Protection Authority — for transfers from Switzerland.

10. Vestry Is a US-Based Service

The Service is operated from the United States and primarily intended for users in the United States. If you access the Service from outside the United States, you do so at your own initiative and are responsible for compliance with your local laws.


11. Children's Privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. By signing up for or using the Service, you represent that you are at least 16 years old.

If you become aware that a child under 16 has provided us with personal information, please contact privacy@getvestry.com. If we learn that we have collected personal information from a child under 16, we will delete that information promptly and terminate the associated account.

We do not knowingly collect any of the categories of personal information defined as "personal information" under the COPPA Rule (16 C.F.R. § 312.2) — including persistent identifiers, biometric data, geolocation data, and behavioral or inferred data — from any user under 16. If we obtain actual knowledge that a user is under 16, including through age-verification technologies if we deploy them, we will delete the account and the information collected from it promptly, consistent with the FTC's Policy Statement of February 25, 2026.

For users in jurisdictions with elevated minor protections (Delaware, Maryland, Connecticut, and certain other states), we do not process personal data of users under 18 for targeted advertising, profiling, or sale, regardless of consent.


12. Sale or Sharing of Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

If we ever change this practice, we will update this Privacy Policy, provide a clear notice on the Service, and provide a "Do Not Sell or Share My Personal Information" mechanism in compliance with applicable law before any such change takes effect.

(For the carve-out covering aggregated and de-identified data — which is not "personal information" under applicable law — see Section 6 above.)


13. Cookies and Tracking Technologies

13.1 What we use

Vestry uses the following cookies and similar technologies:

  • Essential cookies — required to provide the Service, including authentication cookies set by Clerk, session cookies, and CSRF protection cookies.
  • Analytics cookies — set by Microsoft Clarity to record interactions with the Service, including session replays, click patterns, and scroll behavior, for the purpose of improving usability.

13.2 Microsoft Clarity disclosure

Vestry uses Microsoft Clarity to record interactions with the Service for the purpose of improving usability. You can opt out by disabling cookies in your browser, by enabling "Do Not Track" or "Global Privacy Control" signals in your browser, or by contacting privacy@getvestry.com. Microsoft Clarity acts as our service provider under California law and is contractually prohibited from using session data for its own purposes.

13.3 Browser controls

Most browsers allow you to control cookies through their settings. Disabling essential cookies will prevent the Service from functioning correctly.

We honor the Global Privacy Control (GPC) browser signal as a request to opt out of the "sale" or "sharing" of personal information under applicable US state privacy laws. When we detect a GPC signal, we apply it as an opt-out for that browser session and, where you are signed in, persist that preference to your account. You will see a visible confirmation on your account settings page that your opt-out has been processed, in compliance with California Privacy Protection Agency regulations effective January 1, 2026 and equivalent state requirements.

For Colorado, Montana, New Hampshire, New Jersey, Delaware, Minnesota, and other states that recognize a Universal Opt-Out Mechanism (UOOM), we treat GPC as a recognized UOOM signal.


14. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption in transit (HTTPS/TLS) for all data exchanged with the Service.
  • Encryption at rest in our primary database.
  • Access controls including role-based access, multi-factor authentication for administrative access, and the principle of least privilege.
  • Continuous monitoring for security incidents using error tracking and audit logging.
  • Regular review of our security posture and dependencies.

No system is perfectly secure, however, and we cannot guarantee absolute security of any data transmitted to or stored on the Service.


15. Security Incident Notification

In the event of a security incident that materially affects the personal information of users, Vestry will notify affected users without undue delay and in any event within 72 hours after confirming the incident, where feasible. The notice will describe:

(a) the nature of the incident, (b) the categories of personal data affected, (c) the steps Vestry has taken to mitigate the impact, and (d) recommended actions users should take, including monitoring for suspicious activity.

Where required by law, we will also notify the relevant supervisory authority within applicable deadlines.


16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or through a prominent notice on the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent revision.


17. How to Contact Us

For privacy questions, complaints, or to exercise your rights:

  • Email: privacy@getvestry.com
  • Mail: Vestry LLC, 8401 Mayland Dr Ste A, Richmond, VA 23294-4648, United States

For copyright concerns (DMCA notices), please instead contact our designated agent at legal@getvestry.com. See our Terms of Service for the DMCA process.