Privacy Policy

1. Introduction

MKDSCPLS ("we," "our," or "us") operates the website mkdscpls.com (including go.mkdscpls.com) and provides a Christian discipleship platform with related services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services.

By creating an account or using our Services, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our Services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Password (stored as a cryptographic hash -- we never store your actual password)

2.2 Profile Information

You may optionally provide:

• Profile photo (uploaded and stored on our CDN)
• Phone number (for contact preferences you control)
• Organization or church affiliation

2.3 Platform Activity Data

As you use our Services, we collect data related to your participation:

• Course progress, workbook answers, and assessment responses
• Reading plan progress and completion status
• HEAR journal entries and personal reflections
• Group memberships and participation
• Badges and achievements earned
• Feedback submissions and support tickets

2.4 Sensitive Personal Information

2.5 Payment Information

When you subscribe or make a payment, your payment card details are collected and processed directly by Stripe. We do not receive, store, or have access to your full credit card number. We receive only transaction confirmations, subscription status, and limited billing details (such as the last four digits of your card) from Stripe.

2.6 Information Collected Automatically

When you use our Services, we may automatically collect:

• Log Data: IP address, browser type, pages visited, timestamps
• Device Information: Device type and operating system
• Usage Data: Features used, courses accessed, login frequency
• UTM Parameters: If you arrive at our site via a marketing link, we may store campaign tracking parameters (such as utm_source, utm_medium, and utm_campaign) in your user preferences to understand how you found us

2.7 Information from Third Parties

• Stripe: Transaction confirmations and subscription status
• Organization Administrators: Your church or organization may provide your information when inviting you to groups or courses

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and Operate Services: Deliver courses, manage groups, track progress, process subscriptions and payments, and coordinate mission trips
• Communicate With You: Send reading plan reminders, course notifications, subscription confirmations, and important service announcements via email
• Improve Our Services: Analyze usage patterns, diagnose technical issues, and develop new features
• Ensure Security: Protect against fraud, unauthorized access, and abuse; monitor for errors and service disruptions
• Support Leaders and Administrators: Enable group leaders and organization administrators to view participant progress and provide guidance within their assigned scope
• Process Payments: Handle subscription billing, donations, and mission trip payments through Stripe
• Understand Marketing Effectiveness: Use UTM tracking data to understand which channels bring users to our platform

4. Third-Party Services

We rely on a limited number of third-party service providers to operate our platform. These providers only receive the minimum information necessary to perform their functions:

4.1 Stripe (Payment Processing)

We use Stripe to process subscriptions and payments. When you make a payment, your card information is sent directly to Stripe and is subject to Stripe's Privacy Policy. We do not store your full payment card details on our servers.

4.2 DigitalOcean (Hosting and File Storage)

Our application servers and database are hosted on DigitalOcean infrastructure in the United States. User-uploaded files (such as profile photos and content library resources) are stored on DigitalOcean Spaces, a cloud object storage service with CDN delivery.

4.3 Resend (Transactional Email)

We use Resend to send transactional emails including account notifications, reading plan reminders, subscription confirmations, and leader-to-member messages. Resend processes your email address and message content on our behalf.

4.4 Sentry (Error Monitoring)

We use Sentry for application error tracking and performance monitoring. Sentry may receive technical data such as error messages, stack traces, browser information, and IP addresses to help us diagnose and fix issues. Sentry does not receive your personal profile content or journal entries.

4.5 No Data Sales

5. Information Sharing and Disclosure

Beyond the third-party services described above, we may share your information in these circumstances:

5.1 Within the Platform

• Group Leaders: Can view participant progress, course responses, and contact information (if you have enabled sharing) for their assigned groups
• Organization Administrators: Have access to member data within their organization
• Trip Leaders: Can access participant information necessary for mission trip coordination
• Fellow Participants: Limited profile information (name, profile photo) may be visible to others in your groups. You can control phone and email sharing through your contact preferences

5.2 Legal Requirements

We may disclose your information if required to do so by law, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

If MKDSCPLS is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. Cookies and Tracking Technologies

We use a minimal set of cookies to operate our Services:

• Session Cookie (JWT): A JSON Web Token stored as a cookie to maintain your authenticated login session. This is essential for the platform to function and cannot be disabled while using the Services.
• Session Storage: We use browser session storage to temporarily hold UTM campaign parameters during your visit so that marketing attribution is preserved when you register.

We do not use third-party tracking cookies, advertising pixels, or social media tracking widgets. We do not participate in cross-site tracking or behavioral advertising.

You can clear cookies through your browser settings at any time, though doing so will log you out of your account.

7. Data Security

We take the security of your information seriously and implement the following measures:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS enforced via HSTS)
• Password Security: Passwords are hashed using industry-standard cryptographic algorithms and are never stored in plain text
• Content Security Policy: We deploy CSP headers to protect against cross-site scripting and injection attacks
• Input Sanitization: User-submitted content is sanitized to prevent malicious code injection
• Access Controls: Role-based access ensures users only see information they are authorized to view
• Security Headers: We employ security headers including X-Content-Type-Options, Referrer-Policy, and Permissions-Policy
• Subresource Integrity: Third-party scripts loaded from CDNs are verified using SRI hashes

8. Data Retention

We retain your information for as long as necessary to provide our Services and fulfill the purposes described in this policy:

• Account Data: Retained while your account is active. After a deletion request, we will remove your data within 30 days, except where retention is required by law.
• Course Progress and Journal Entries: Retained for the duration of your account
• Subscription and Payment Records: Retained for 7 years for financial and tax compliance
• Mission Trip Records: Retained for 7 years for legal and financial compliance
• Error Logs (Sentry): Automatically expire per Sentry's retention policies (typically 90 days)
• Uploaded Files: Profile photos and content are deleted when you delete your account or remove the file, though CDN-cached copies may persist briefly

9. Your Rights and Choices

You have the following rights regarding your personal information:

9.1 Access and Portability

You can access most of your personal information through your account dashboard, including your profile, course progress, journal entries, and assessment results. You may request a complete copy of all data we hold about you by contacting us.

9.2 Correction

You can update your profile information, contact preferences, and notification settings at any time through your account. For other corrections, contact us.

9.3 Deletion

You may request deletion of your account and personal data by contacting us. Please note:

• Some data may be retained for legal, financial, or legitimate business purposes (such as payment records)
• Anonymized or aggregated data that cannot be linked back to you may be retained
• Content you shared within groups may persist in other participants' records

9.4 Communication Preferences

You can manage your email notification preferences (such as reading plan reminders) in your account settings. You can also control whether your phone number and email are visible to group members through your contact preferences.

9.5 Additional Rights for California Residents (CCPA)

• Right to know what personal information we collect, use, and disclose
• Right to request deletion of your personal information
• Right to non-discrimination for exercising your privacy rights
• We do not sell personal information, so the right to opt out of sale does not apply

9.6 Additional Rights for EEA/UK Residents (GDPR)

• Right to restrict or object to processing
• Right to data portability
• Right to withdraw consent at any time
• Right to lodge a complaint with your local data protection authority

10. Children's Privacy (COPPA Compliance)

MKDSCPLS is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, you may not create an account or use our Services.

For users between the ages of 13 and 17:

• We recommend parental or guardian awareness and consent before using our Services
• For mission trip participation, we require parental or guardian consent and a guardian account
• Guardians can access, review, and request deletion of their minor's information

If you believe we have inadvertently collected information from a child under 13, please contact us immediately at [email protected] and we will promptly delete the information.

11. International Data Transfers

Our servers and third-party service providers are located in the United States. If you access our Services from outside the United States, your information will be transferred to and processed in the United States. By using our Services, you consent to this transfer. We take reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

• Update the "Effective Date" at the top of this page
• Post the revised policy on our website
• For material changes, send an email notification to registered users

Your continued use of the Services after any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact Us