We protect what your church entrusts to you.

• Your subscription record: email, plan tier, MCP token, billing customer ID
• Planning Center OAuth tokens (encrypted at rest in Cloudflare KV)
• No member data, donor data, attendance, or giving records

MinistryPulse is a thin pass-through. When you ask Claude a question, Claude calls our tools, our tools query Planning Center on your behalf, and the response goes directly back to Claude. We never persist member records, giving data, or church operational data on our servers.

When you connect Planning Center, we request:

• people:read — search and view people records
• services:read — view service plans and volunteer schedules
• groups:read — view group rosters and attendance
• giving:read — view aggregate giving reports
• check_ins:read — view check-in headcount

v2 introduces opt-in write scopes (schedule_volunteer, send_team_message, update_person) which require explicit confirmation in chat before each mutation.

• Donor names and amounts are never combined in any output
• Member PII is filtered out of summaries and briefings by default
• Sensitive comms drafts are flagged for pastoral review before sending
• You control which Google account, if any, the Workspace connector uses

You can revoke connector access at any time from Claude. To delete your MinistryPulse account and all associated tokens, email privacy@ministrypulse.ai — we honor deletion requests within 30 days.