Privacy Policy

Effective Date: February 20, 2026

This Privacy Policy (“Policy”) describes how MyEdah LLC (“MyEdah,” “Company,” “we,” “us,” or “our”) collects, processes, stores, discloses, transfers, retains, and protects information in connection with the MyEdah software-as-a-service platform and related websites, applications, APIs, communications, and services (collectively, the “Service”).

This Policy is intended to comply with applicable United States federal and state privacy laws, including (where applicable) the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), the Utah Consumer Privacy Act (UCPA), and other state privacy frameworks, as well as the Children’s Online Privacy Protection Act (COPPA), and industry security practices (including PCI DSS where applicable).

This Policy does not create contractual promises beyond those required by applicable law and does not expand or create statutory privacy rights. Nothing herein shall be construed as creating a fiduciary obligation, joint controllership, partnership, or agency relationship beyond what applicable law expressly requires.

We may update this Policy at any time. Changes are effective upon posting with an updated effective date, unless applicable law requires additional notice. Your continued use of the Service after changes are posted constitutes your acknowledgment of the updated Policy, to the extent permitted by law.

1. Definitions

• “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular individual or household, as defined by applicable law. Where “personal data” or “personal information” is defined differently in a specific statute, that statute’s definition applies for purposes of requests under that statute.
• “Customer” means the church, ministry, or organization that subscribes to the Service.
• “Customer Data” means Personal Information or other data a Customer (or its authorized users) submits, uploads, stores, sends, or makes available through the Service.
• “Company Data” means information collected by MyEdah as a controller, such as website visitor data, account administrator contact information, billing contacts, and support communications.
• “Sensitive Personal Information / Sensitive Data” includes information treated as sensitive under applicable law (which may include religious affiliation, religious participation, and related data processed through the Service).

2. Scope and Applicability

This Policy applies to Personal Information processed through the Service and MyEdah-controlled properties (including our marketing site and support channels), subject to the “Controller vs. Processor” role distinctions below.

This Policy does not apply to third-party websites, applications, or services linked from the Service (including app stores, payment processors, or third-party integrations). Their practices are governed by their own policies, and you should review them carefully.

3. Role of MyEdah: Controller vs. Service Provider / Processor

3.1 Customer Data (Processor / Service Provider Role)

When Customers use the Service to manage member directories, donor records, volunteer rosters, attendance, event registration, communications, nursery/youth check-in/out data, prayer submissions, pastoral notes, incident/safety logs, and similar ministry operations, MyEdah generally acts as a service provider / processor processing Customer Data on the Customer’s behalf.

In that context, the Customer is generally the controller (or “business” under CCPA/CPRA) and is solely responsible for:

• Providing legally required notices to its members, donors, volunteers, and other data subjects;
• Obtaining valid consents where required (including parental consent where applicable);
• Ensuring lawful collection and processing of Customer Data;
• Responding to requests relating to Customer Data (access, deletion, correction, etc.).

MyEdah processes Customer Data only as necessary to provide, secure, maintain, and improve the Service; to comply with law; and as otherwise permitted by contract and applicable law.

3.2 Company Data (Controller Role)

MyEdah acts as a controller for Company Data, such as marketing site interactions, administrator and billing contact information, and support communications.

4. Categories of Personal Information We Collect

Depending on how you interact with the Service, we may collect the following categories:

We do not knowingly collect Personal Information from children under thirteen (13) for our marketing site. However, Customers may use the Service for ministry operations that involve minors (e.g., nursery/youth attendance). Customers are responsible for any required parental notices and consents, unless applicable law requires otherwise.

5. Sensitive Personal Information

Some data processed through the Service may constitute “Sensitive Personal Information” or “Sensitive Data” under applicable laws. This may include religious affiliation, religious participation, and other faith-based ministry data processed at Customer direction.

MyEdah processes Sensitive Data:

• Solely for purposes of providing, securing, maintaining, and improving the Service;
• At the direction of the Customer (for Customer Data);
• Not for selling Personal Information;
• Not for cross-context behavioral advertising;
• Not for profiling in furtherance of decisions that produce legal or similarly significant effects.

6. Sources of Information

• Directly from you (forms, uploads, account setup, support).
• Automatically (logs, cookies, device signals).
• From Customers (when you are included in a Customer’s data set).
• From service providers (payment processors, hosting vendors, security providers).
• From public sources where permitted by law (limited and context-dependent).

7. Purposes of Processing

We process Personal Information for legitimate business purposes, including:

• Providing, operating, maintaining, and supporting the Service;
• Account administration, authentication, and access control;
• Processing subscription payments and billing management;
• Security monitoring, abuse prevention, fraud detection, and risk management;
• Debugging, service improvement, performance analytics, and reliability engineering;
• Legal compliance, audits, and responding to lawful requests;
• Protecting rights, safety, and property of MyEdah, Customers, and users.

We do not sell Personal Information as defined under CCPA/CPRA. We do not “share” Personal Information for cross-context behavioral advertising.

8. Disclosure of Personal Information

We may disclose Personal Information to the following categories of recipients, strictly as needed:

• Service Providers / Processors (hosting, storage, monitoring, payment processing, email delivery) bound by contractual obligations to protect data;
• Professional Advisors (legal, accounting, security consultants) subject to confidentiality duties;
• Authorities and Regulators when required by law, legal process, subpoena, or court order;
• Corporate Transaction Parties in connection with a merger, acquisition, financing, reorganization, or sale of assets (subject to appropriate safeguards);
• Other parties with your direction or consent (for example, integrations you enable).

We require service providers to use Personal Information only for the specified purpose, implement reasonable safeguards, and restrict onward disclosure where applicable.

9. Cookies and Tracking Technologies

We may use cookies, local storage, pixels, and similar technologies for: (a) essential Service functionality, (b) security, (c) preferences, (d) analytics and performance.

You can control cookies through your browser settings. Disabling certain cookies may limit functionality. We honor “Do Not Track” signals only to the extent required by applicable law, because the Service may not uniformly recognize such signals across environments.

10. Data Retention

We retain Personal Information only as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law. Retention may also be extended for legitimate needs such as dispute resolution, enforcement of agreements, audits, and compliance obligations.

11. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect Personal Information from unauthorized access, use, alteration, or disclosure. Measures may include (as appropriate): encryption in transit (TLS 1.2+), encryption at rest where applicable, access controls, least-privilege practices, audit logging, monitoring, vulnerability management, and disaster recovery planning.

No method of transmission or storage is 100% secure. Accordingly, we do not guarantee absolute security. Users are responsible for maintaining the confidentiality of credentials, using strong passwords, and promptly reporting suspected compromise.

12. Security Incidents and Notifications

If we confirm a security incident involving Customer Data, we will notify the affected Customer without unreasonable delay and as required by applicable law. Customers are generally responsible for assessing and fulfilling any obligations to notify individuals, regulators, or other parties, unless applicable law requires otherwise.

13. U.S. State Privacy Rights

Depending on your state of residence and applicable law, you may have rights such as:

• Right to Access / Know categories and specific pieces of Personal Information processed;
• Right to Delete Personal Information, subject to exceptions;
• Right to Correct inaccurate Personal Information;
• Right to Opt-Out of certain processing (e.g., sale/sharing or targeted advertising) where applicable;
• Right to Limit certain uses of Sensitive Personal Information where applicable;
• Right to Non-Discrimination for exercising rights.

Submitting a request: email privacy@myedah.com. We may request additional information to verify your identity and authority. We will respond within legally required timeframes, subject to statutory extensions and exceptions.

Customer Data requests: If your request relates to Customer Data processed on behalf of a church or organization, we may direct you to that Customer. In many cases, the Customer must handle the request as the controller/business, and MyEdah will assist as required by contract or law.

14. Children’s Privacy

The marketing site is not directed to children under 13. The Service may be used by Customers to manage ministry operations involving minors. Customers are solely responsible for providing any required notices and obtaining any required parental consents for minors’ data in Customer Data, unless applicable law provides otherwise.

15. Automated Decision-Making

MyEdah does not engage in automated decision-making or profiling that produces legal or similarly significant effects as contemplated by certain state privacy laws.

16. International Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States, where privacy laws may differ. By using the Service, you acknowledge and consent to such processing to the extent permitted by law.

17. Third-Party Links, Integrations, and Services

The Service may allow Customers to enable third-party integrations or link to third-party sites. MyEdah is not responsible for third-party privacy practices or content. You should review third-party policies before using third-party services.

18. Law Enforcement and Legal Process

We may disclose Personal Information to comply with applicable law, legal process, governmental requests, subpoenas, or court orders, or to protect the rights, property, and safety of MyEdah, our Customers, users, or others. Where permitted and appropriate, we may attempt to notify the relevant Customer or user before disclosure.

19. No Expansion of Rights; Reservation of Defenses

This Policy does not create additional rights beyond those provided by applicable law and does not waive or limit any legal defenses available to MyEdah. Any inconsistencies between this Policy and applicable law shall be interpreted in a manner consistent with applicable law, and the remainder shall remain in effect.

20. Contact Information

For questions about this Policy or to submit a privacy request, contact: privacy@myedah.com