Privacy & security
Private by design.
Pastoral care involves the most sensitive conversations in people's lives. Verge is built with that weight in mind. Your congregation's data belongs to you — not us.
Core principles
Per-pastor isolation
Your account runs on its own infrastructure — a dedicated database, not a shared pool. No other pastor can see your data, and we cannot accidentally serve your congregation's information to another user.
Encrypted at rest
Your care notes, voice memos, and OAuth tokens are encrypted at rest. Confidential pastoral notes receive field-level encryption with a key unique to your account — so even a stolen backup yields ciphertext, not plaintext.
You approve every action
No message is sent, no task is created, no calendar event is added without your explicit approval. Verge drafts. You decide. The approval queue is always in your hands.
We cannot read your notes
Atrium staff (super_admins) can view configuration and metrics. They cannot read your notes, messages, conversations, or care history. This is enforced in code, not just policy.
Your data is yours
Export everything at any time — notes, conversations, people, care history — as open JSON. Cancel and request immediate deletion; after 90 days we delete automatically. No lock-in.
No training on your data
We do not use your congregation's data to train AI models. Not now, not ever without your explicit opt-in. Your ministry context stays private.
Security practices
How we protect your account in practice.
Authentication & access
You authenticate through a secure identity provider. Access tokens are short-lived (15 minutes); stored in your device's hardware-secured keychain. Multi-factor authentication is available and encouraged.
Encryption in transit
All connections use TLS 1.2 or 1.3. The path from your phone to your account, from your account to AI providers, and from your account to Planning Center or Gmail — all encrypted.
Connector permissions
When you connect Planning Center, Gmail, or Calendar, Verge requests only the permissions it actually needs — read-only for people data, compose and send for drafts (with approval), read for calendar. No delete access. No broad admin scopes.
AI provider data handling
Your conversation content is sent to AI providers to generate responses. We use providers with enterprise data agreements where possible (Anthropic: zero data retention). Your data is not used for provider model training.
Support access
If you request hands-on support, we ask your explicit consent first. You select the scope, confirm with Face ID, and see a persistent notification while access is active. You can revoke it at any time. Every action taken during a support session is logged and visible to you.
Incident response
If a security incident affects your data, we notify you within 24 hours with specifics. Post-incident review published within 72 hours for significant events.
Your rights
What you can always do with your data.
Subprocessors
A complete list of third-party services that process your data is available in our Privacy Policy. This includes hosting providers, AI inference providers, identity and payment services.
We disclose every subprocessor. Nothing is hidden.
Private by design
Your congregation's stories are safe here.
Request access and we'll walk you through how Verge protects your account before you commit to anything.