Privacy Policy
AssemblyFlow ("we", "our", or "us") is a meeting-management platform built for Bahá'í Local Spiritual Assemblies. This policy explains what information we collect, how we use it, how we protect it, and what rights you have. If you have questions, contact us at admin@assemblyflow.org.
1. Information we collect
Information you provide
- Account information — your name and email address when you sign in or submit a contact form.
- Assembly information — the name of the Local Spiritual Assembly you serve on or belong to, your country or region, and your role on the Assembly.
- Content you create — meeting agendas, minutes, action items, correspondence, and other content you enter into the platform.
Information from Google (when you connect your Google account)
When you sign in with Google or grant AssemblyFlow access to Google services, we receive and store:
- Profile information — your name, email address, and profile picture, via the
openid,email, andprofileOAuth scopes. - Google Calendar access — we create and manage calendar events on your primary Google Calendar (
https://www.googleapis.com/auth/calendar.events) to sync Assembly meeting schedules. We do not read or modify existing events that we did not create. - Google OAuth tokens — we store your access and refresh tokens (encrypted) so that the calendar connection can be maintained on your behalf. Tokens are never shared.
Information collected automatically
- Usage data — pages visited, actions taken, and timestamps, used to operate the service. We do not use behavioral analytics that identify individuals.
- Log data — IP addresses, browser type, and error logs, retained for security and debugging purposes. Logs are kept for no longer than necessary and are not used to build user profiles.
2. How we use Google user data
AssemblyFlow's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Data obtained through Google APIs is used only to:
- Authenticate you and display your name and profile picture within the platform.
- Create, update, and delete Google Calendar events for Assembly meetings you manage.
We do not:
- Use Google user data to serve advertising.
- Sell, rent, or share Google user data with third parties for their independent use.
- Use Google user data for any purpose unrelated to providing AssemblyFlow's features.
- Allow humans to read your Google data unless you explicitly request support, you give us written permission, or we are required to do so by law.
3. How we share information
We do not sell your personal information. We share data only in these limited circumstances:
- Within your Assembly — members of the same Local Spiritual Assembly can see content relevant to their role (for example, meeting agendas and approved minutes). Items marked sensitive are restricted to authorized roles.
- Service providers — we use a small number of third-party vendors at the database, transactional-email, and infrastructure layers. Each provider processes your data only on our instructions and under a contractual data-processing agreement; none of them uses your data for their own purposes. A current list of our sub-processors is available on request to admin@assemblyflow.org.
- Legal requirements — if required by law, or to protect the rights, property, or safety of users, the public, or AssemblyFlow itself.
4. Data security
Data in transit between your browser and AssemblyFlow is protected by industry-standard transport encryption. Sensitive fields (including OAuth tokens and the contents of an Assembly's records) are encrypted at rest. Each Assembly's data is kept entirely isolated from every other Assembly's data.
5. Data retention
We retain your data for as long as your account is active. If you wish to delete your account and associated data, contact us at admin@assemblyflow.org and we will process the request within 30 days. Approved minutes that form part of your Assembly's Local Archives are exported to you on deletion so the Archives remain available to your institution after the account is closed.
6. Your rights
You may request to access, correct, or delete your personal data at any time by contacting admin@assemblyflow.org. You may also revoke Google permissions at any time through your Google Account settings; doing so will disable Calendar sync.
Where applicable, you may have additional rights under your local data-protection laws (for example, the GDPR in the European Economic Area, or the CCPA in California). To exercise any such right, write to the address above.
7. Children's privacy
AssemblyFlow is intended for adult members of Local Spiritual Assemblies (the minimum age to serve on an Assembly is 21). The Service is not directed to children, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided personal information through AssemblyFlow, contact us and we will delete it.
8. International transfers
AssemblyFlow operates from the United States and processes data there. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws different from those of your country.
9. Changes to this policy
We may update this policy from time to time. We will post the revised policy on this page with an updated effective date. Continued use of the service after changes constitutes acceptance of the revised policy.
10. Contact
Questions or concerns about this policy? Email us at admin@assemblyflow.org.