Privacy Policy

This Privacy Policy explains how RCOTS Inc. ("Atlaza", "we", "us", or "our"), operating as the Atlaza platform, collects, uses, and protects personal information in connection with the Atlaza church directory service.

Atlaza is incorporated in Ontario, Canada. For the purposes of the General Data Protection Regulation (GDPR), Atlaza acts as the data controller for personal data collected through the Platform. Organizational Tenants (such as church denominations) act as data controllers for the parish and member data they submit and manage through their tenant accounts.

Contact: privacy@rcots.com

2.1 Account Information

When you create an account, we collect:

• Email address
• Full name (optional, provided by you)
• Authentication credentials (password, stored as a secure hash by Supabase Auth)
• Two-factor authentication factor metadata (if 2FA is enabled)
• Account creation date and last sign-in date

2.2 Parish and Branch Data

Tenants submit organizational data including:

• Parish names, addresses, cities, countries, and geographic coordinates
• Senior pastor and leadership names and titles
• Contact information (phone numbers, email addresses, website URLs)
• Service schedules and congregation size
• Parish photographs, descriptions, and branding materials
• Organizational hierarchy data (region, province, zone, area)

This data relates to organizations and their representatives, not to private individuals. To the extent it includes personal names (e.g., pastor names), it is processed under legitimate interest as publicly available directory information.

2.3 Usage Data

We automatically collect limited technical data when you use the Platform:

• IP address (used for rate limiting and abuse prevention; stored as a one-way hash for reports)
• Browser type and version
• Pages visited and time spent
• Actions taken within the admin panel (edit history, import logs)
• Error logs

2.4 Geolocation Data

The "Find nearest parish" feature requests your device's geolocation (latitude and longitude) to identify nearby locations. This data is transmitted to our servers only for the purpose of calculating nearest branches and is not stored persistently.

2.5 Payment Information

We do not store payment card details. All payment processing is handled by Stripe, Inc. We receive confirmation of payment status and a Stripe customer ID, but no raw card data.

2.6 AI Query Data

If you use the AI-powered query feature, your natural language query text is transmitted to Anthropic, Inc. for processing. Query text and responses are stored in our database to provide query history. Do not include sensitive personal information in AI queries.

2.7 Claim Submissions

When a user submits a claim to verify ownership of a parish listing, we collect their name, email, title, and a message. This data is used solely for verification purposes.

Under GDPR, we process personal data on the following legal bases:

• Contract: Processing necessary to deliver the Platform services you have subscribed to, including account management, billing, and technical support.
• Legitimate interests: Processing publicly available directory information (church names, addresses, leadership names) for the purpose of operating a religious organization directory; maintaining platform security; preventing fraud and abuse.
• Consent: Device geolocation access (prompted by the browser); analytics cookies (where applicable). You may withdraw consent at any time.
• Legal obligation: Retaining records as required by applicable law.

• Provide, maintain, and improve the Platform
• Authenticate users and enforce account security
• Process subscription payments and manage billing
• Send transactional emails (account activation, claim notifications, password reset)
• Monitor Platform performance and diagnose technical issues
• Enforce our Terms of Service and prevent abuse
• Comply with legal obligations

We do not use your personal data for targeted advertising. We do not sell your personal data to third parties.

We share data with the following service providers as necessary to operate the Platform:

We may also disclose personal data where required by law, regulation, or court order, or to protect the rights, property, or safety of Atlaza, our users, or the public.

We retain personal data for as long as necessary to fulfil the purposes described in this policy:

• Account data: retained while your account is active and for 90 days after deletion
• Parish/branch data: retained while the Tenant subscription is active and for 90 days after termination
• Payment records: retained for 7 years for tax and accounting compliance
• Claim submissions: retained for 3 years after resolution
• Usage logs and error logs: retained for 90 days
• AI query history: retained for 12 months
• Recovery codes: deleted when a new set is generated or when the account is deleted

You may request early deletion of your personal data subject to our legal retention obligations (see "Your Rights" below).

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure ("right to be forgotten"): Request deletion of your personal data, subject to our legal retention requirements.
• Portability: Request a copy of your data in a structured, machine-readable format.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Objection: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@rcots.com. We will respond within 30 days. If you are in the European Economic Area and believe we have not adequately addressed your request, you have the right to lodge a complaint with your national data protection supervisory authority.

We use the following types of cookies:

• Essential cookies: Required for authentication, session management, and core Platform functionality. These cannot be disabled without breaking the service.
• Analytics cookies: Used to understand how users interact with the Platform (page views, feature usage). Only placed with your consent.

We do not use advertising or tracking cookies. You can manage your cookie preferences through the consent banner that appears on first visit, or by clearing your browser's local storage.

Atlaza is incorporated in Canada. Our service providers (Supabase, Vercel, Stripe, Mapbox, Anthropic, Resend) operate primarily in the United States. By using the Platform, you acknowledge that your data may be transferred to and processed in the United States, which may not have the same data protection laws as your country of residence.

For transfers of personal data from the European Economic Area (EEA) or United Kingdom to the United States, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as mandated by applicable law. Where our service providers are certified under the EU-U.S. Data Privacy Framework or equivalent, we rely on that certification.

For users in Canada, transfers are made in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest by our hosting provider
• Row-level security on all database tables
• Mandatory two-factor authentication for administrative accounts
• Rate limiting on authentication and API endpoints
• Regular security reviews and access control audits

No security system is impenetrable. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

The Platform is not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such information, please contact us at privacy@rcots.com and we will promptly delete it.

The Platform is primarily intended for church administrators, pastors, and adult members of religious organizations.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting a notice on the Platform or by email to your registered address at least 14 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

For privacy-related questions, requests, or concerns, please contact our Privacy Officer: