Privacy Policy
Effective Date: April 14, 2026
1. Introduction
Climax Enterprises LLC (“we,” “us,” “our,” or “Company”) operates the SteepleOS church management platform (“SteepleOS,” “Platform,” or “Service”). This Privacy Policy describes how we collect, use, store, share, and protect personal information when you visit our website, create an account, or use any part of the SteepleOS platform.
This policy applies to all users of SteepleOS, including church administrators, staff members, volunteers, and any individual whose information is processed through the platform.
Our Role as a Data Processor. Churches and religious organizations that subscribe to SteepleOS (“Customers”) act as the data controllers for the personal information of their congregation members. We act as a data processor on behalf of these churches, processing member data only as directed by the Customer and in accordance with our Data Processing Agreement. If you are a church member whose data is managed through SteepleOS, your church is the primary party responsible for how your data is used, and you should direct any questions about that usage to your church first.
2. Information We Collect
We collect and process the following categories of information:
2.1 Account Information
When you create a SteepleOS account, we collect your name, email address, and a securely hashed version of your password. We also store your assigned role within your organization (such as administrator, staff, or volunteer) to manage access permissions.
2.2 Church Member Data
On behalf of your church (the data controller), we process congregation member information including names, email addresses, phone numbers, mailing addresses, demographic details (such as date of birth, gender, and marital status), family relationships, group memberships, attendance records, and any custom fields your church configures. This data is entered and managed by the church and is processed by us solely to provide the Service.
2.3 Financial Data
We process donation amounts, giving frequency, fund allocations, pledge records, and tax receipt information. We do not store credit card numbers, bank account numbers, or other direct payment credentials. All payment processing is handled by our payment partner, Stripe, which maintains PCI DSS Level 1 compliance. We receive only tokenized transaction references and confirmation details from Stripe.
2.4 Communications Data
When your church sends emails or SMS messages through SteepleOS, we process the content, recipients, timestamps, and delivery status of those communications. This data is retained to provide delivery reporting and to comply with anti-spam regulations.
2.5 Usage and Analytics Data
We automatically collect information about how you interact with the platform, including pages viewed, features used, click patterns, time spent on pages, IP addresses, and general geographic location derived from your IP address. This data helps us understand how SteepleOS is used and where we can improve.
2.6 Device and Log Data
We collect technical information such as your browser type and version, operating system, device type, screen resolution, referring URLs, access timestamps, and error logs. This data is used for troubleshooting, security monitoring, and ensuring compatibility across devices.
3. How We Use Information
We use the information we collect for the following purposes:
- Provide and Maintain the Service. We use your data to operate SteepleOS, authenticate users, manage permissions, and deliver the features your church relies on for day-to-day ministry operations.
- Process Donations and Generate Tax Receipts. We process financial transaction data to record giving history, allocate funds, generate year-end tax statements, and provide financial reporting to church administrators.
- Send System Notifications and Transactional Emails. We send emails and notifications related to account activity, security alerts, subscription changes, payment confirmations, and other service-related communications that are necessary for the operation of SteepleOS.
- Improve Platform Performance and Features. We analyze aggregated and anonymized usage data to identify trends, fix bugs, optimize performance, and develop new features that better serve churches.
- Detect Fraud and Enforce Terms. We monitor for suspicious activity, unauthorized access attempts, and violations of our Terms of Service to protect your church and the broader SteepleOS community.
- Comply with Legal Obligations. We may process data as required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information or your members' personal information to any third party for marketing or advertising purposes. We share information only in the following limited circumstances:
- Service Providers. We share data with trusted third-party service providers who assist us in operating SteepleOS, including Stripe (payment processing), Supabase and Amazon Web Services (cloud hosting and database infrastructure), Resend (transactional email delivery), and Twilio (SMS messaging). These providers are contractually obligated to use your data only to perform services on our behalf and to maintain appropriate security measures.
- Legal Requirements. We may disclose information when required to do so by law, regulation, subpoena, court order, or other governmental request. We will attempt to notify affected Customers of such requests where legally permitted.
- With Your Consent. We may share information with third parties when we have obtained explicit consent from the Customer or the individual whose data is being shared.
- Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction. We will provide notice to affected Customers before their information is transferred and becomes subject to a different privacy policy.
5. Data Security
We take the security of your data seriously and implement a comprehensive set of technical and organizational measures to protect it:
- Encryption at Rest. All stored data is encrypted using AES-256, the same encryption standard used by financial institutions and government agencies.
- Encryption in Transit. All data transmitted between your browser and our servers is protected using TLS 1.2 or higher, ensuring your information cannot be intercepted during transmission.
- Multi-Tenant Isolation. Each church's data is logically isolated within our infrastructure. One organization's data is never accessible to another organization using the platform.
- Role-Based Access Control. SteepleOS enforces granular permissions so that users can only access the data and features appropriate to their assigned role within their organization.
- Session Fingerprinting. We employ session fingerprinting techniques to detect and prevent unauthorized session hijacking and account takeover attempts.
- Two-Factor Authentication. We support two-factor authentication (2FA) for all accounts, adding an additional layer of security beyond passwords.
- Security Audits. We conduct regular security assessments, penetration testing, and code reviews to identify and address potential vulnerabilities.
- SOC 2 Alignment. Our security practices are designed to align with SOC 2 Type II compliance standards, and we are actively working toward formal certification.
While no system can guarantee absolute security, we are committed to maintaining industry-leading protections and responding promptly to any security incidents. If we become aware of a data breach that affects your information, we will notify affected parties in accordance with applicable law.
6. Data Retention
We retain personal information according to the following schedule:
- Active Subscription. We retain all Customer data for the duration of the active subscription to SteepleOS.
- Post-Termination Export Window. After a subscription is terminated or canceled, we provide a 30-day window during which Customers can export their data in standard formats.
- Permanent Deletion. All Customer data is permanently deleted from our primary systems within 90 days following subscription termination, unless a legal obligation requires longer retention.
- Backup Purge. Data contained in encrypted backups is purged within 180 days following subscription termination.
- Legal Holds. Where required by law, regulation, or legal proceedings, we may retain specific data beyond the standard retention periods described above. We will notify the Customer of any such legal hold where legally permitted.
7. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
7.1 General Rights
- Right to Access. You have the right to request a copy of the personal information we hold about you.
- Right to Correction. You have the right to request that we correct any inaccurate or incomplete personal information.
- Right to Deletion. You have the right to request the deletion of your personal information, subject to certain legal exceptions.
- Right to Data Portability. You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another service provider.
- Right to Opt Out. You have the right to opt out of certain types of data processing, including processing for analytics and non-essential communications.
- Right to Withdraw Consent. Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
- Right to Lodge a Complaint. You have the right to lodge a complaint with a data protection supervisory authority in your jurisdiction if you believe your rights have been violated.
7.2 For Church Members
If you are a member of a church that uses SteepleOS and you wish to exercise any of the rights described above, please contact your church directly first. Your church is the data controller for your personal information and is responsible for responding to your requests. If your church is unable to assist you, or if you believe your request has not been adequately addressed, you may contact us directly at privacy@steepleos.com, and we will work with your church to resolve the matter.
7.3 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know. You have the right to know what personal information we collect, use, disclose, and sell (if applicable) about you.
- No Sale of Personal Information. We do not sell your personal information as defined under the CCPA/CPRA. We do not and will not sell the personal information of any SteepleOS user or church member.
- Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Shine the Light. Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. As stated above, we do not disclose personal information to third parties for their direct marketing purposes.
To exercise any of these rights, please submit a request to privacy@steepleos.com with the subject line “California Privacy Request.” We will verify your identity before processing your request and respond within 45 days as required by law.
8. Children's Privacy
SteepleOS is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 through direct interaction with our platform. Account creation requires users to be at least 18 years of age.
However, we recognize that churches may store information about children in their congregations (such as names, dates of birth, and family relationships for children's ministry or nursery check-in purposes). In such cases, the church acts as the data controller and is responsible for obtaining appropriate parental or guardian consent as required by the Children's Online Privacy Protection Act (COPPA) and any other applicable laws before entering children's information into SteepleOS.
If you believe that we have inadvertently collected personal information from a child under 13 without proper consent, please contact us immediately at privacy@steepleos.com, and we will take prompt steps to delete such information.
9. International Data Transfers
SteepleOS is operated from, and data is processed in, the United States. If you access the platform from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.
By using SteepleOS, you consent to the transfer of your information to the United States. We implement appropriate safeguards for international data transfers, including standard contractual clauses where applicable, to ensure that your data receives an adequate level of protection regardless of where it is processed.
10. Cookies and Tracking Technologies
SteepleOS uses cookies and similar tracking technologies to operate and improve the platform. We use essential cookies that are strictly necessary for authentication, session management, security, and core platform functionality. We may also use optional analytics cookies to understand how users interact with SteepleOS and to improve our services.
For detailed information about the types of cookies we use, how to manage your cookie preferences, and your choices regarding tracking technologies, please review our Cookie Policy.
11. Third-Party Links
The SteepleOS platform may contain links to third-party websites, services, or resources that are not operated or controlled by us. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party site you visit. We are not responsible for the content, privacy practices, or security of any third-party websites or services.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes to this policy, we will provide at least 30 days' advance notice through email to the account administrators on file or through an in-app notification within the SteepleOS dashboard.
The “Effective Date” at the top of this policy indicates when it was last revised. Your continued use of SteepleOS after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with any changes, you should discontinue use of the platform and contact us to discuss your concerns.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Company: Climax Enterprises LLC
- Email: privacy@steepleos.com
- Data Requests: Send an email to privacy@steepleos.com with the subject line “Data Request”
We will acknowledge receipt of your request within 5 business days and endeavor to respond substantively within 30 days, or within the timeframe required by applicable law.