1 Who We Are
AI Church is a free, open-source church management platform developed and maintained by Boreon Industries LLC ("Boreon," "we," "us," or "our"), a company incorporated under the laws of the United States of America. Our platform is also a KWAM.CH product, built in collaboration with KWAM engineers and operated with data sovereignty in Switzerland.
Our contact for privacy matters is: admin@sermonassistant.ch
AI Church is published under the AI Church Community License v1.0 and is provided entirely free of charge to churches, ministries, faith-based nonprofits, and missionary organizations worldwide. We believe faith-based software should never carry a price tag.
2 The Self-Hosted Difference
AI Church is fundamentally different from cloud-based church management software. When you self-host AI Church on your own server (your web host, your VPS, your Infomaniak account, etc.):
In this deployment model, you are the data controller under applicable privacy law (including GDPR, CCPA, and applicable Swiss data protection law). Boreon is not a data processor for your church's data because we never receive it.
The only scenario in which Boreon may have any visibility into usage is the hosted demo instance at aichurch.boreon.com, which is governed by Section 3 below.
3 Data We Collect
3.1 Self-Hosted Deployments
When you run AI Church on your own server, Boreon collects no data whatsoever. We do not embed analytics, telemetry, beacons, or tracking of any kind into AI Church. The software operates entirely within your infrastructure.
3.2 Hosted Demo Instance (aichurch.boreon.com)
When you use our publicly accessible demo at aichurch.boreon.com, Infomaniak (our Swiss hosting provider) generates standard web server access logs. These logs may include:
| Data Type | Purpose | Retention |
|---|---|---|
| IP address (truncated where possible) | Security monitoring, abuse prevention, rate limiting | 30 days |
| Request path, HTTP method, status code | Error diagnosis, uptime monitoring | 30 days |
| User-Agent string | Browser compatibility analysis | 30 days |
| Referrer URL | Detecting referral traffic | 30 days |
| Session cookie (encrypted) | Authentication; expires when browser is closed | Session only |
We do not use cookies for advertising, tracking, or analytics on the demo instance. There are no third-party analytics scripts, ad pixels, or fingerprinting techniques on any AI Church page.
3.3 Knowledge Base (kb/)
The AI Church Knowledge Base is a fully client-side application. No data is transmitted to Boreon when you browse, search, or download PDFs from the Knowledge Base.
4 How We Use Data
The minimal server log data described in §3.2 is used solely for:
- Security and fraud prevention — identifying and blocking abusive IP addresses, brute-force login attempts, and automated scanning
- Infrastructure monitoring — ensuring the demo instance is available and performing correctly
- Legal compliance — responding to lawful requests from law enforcement or regulatory authorities
We do not use your data for advertising, profiling, sale to third parties, or any purpose other than those listed above. We never sell data. We are a mission-driven organization, not an ad-supported business.
5 Third-Party Services
AI Church integrates with a range of third-party services. These integrations are configured by you, using your own credentials. When you enable an integration, data flows between your server and that third party — it does not flow through Boreon.
You should review the privacy policies of any third-party services you connect:
| Service | Purpose | Data Sent By Your Server |
|---|---|---|
| Anthropic (Claude API) | AI assistant, AI Studio content generation | Your prompts and church context data; governed by Anthropic's Privacy Policy |
| Twilio | SMS sending | Phone numbers and message content; governed by Twilio's Privacy Policy |
| Planning Center | Member data import | API credentials only; data pulled into your server |
| Breeze ChMS | Member data import | API credentials only; data pulled into your server |
| Bible API (bible-api.com) | Scripture lookups in Tools page | Book/chapter/verse reference strings only — no personal data |
| Pushpay / Tithe.ly / Stripe / Givebutter | Giving platform integration | API credentials; giving data pulled into your server |
6 Cookies & Sessions
AI Church uses exactly one cookie: a PHP session cookie named PHPSESSID. This cookie:
- Is created only when you log in to the application
- Is HttpOnly (not accessible to JavaScript)
- Is SameSite=Lax (CSRF protection)
- Is marked Secure when the application is served over HTTPS
- Expires when you close your browser, or after 8 hours of inactivity, or after 30 days absolute — whichever comes first
- Contains only a randomly generated session identifier — no personal data is stored in the cookie itself
There are no advertising cookies, analytics cookies, or third-party tracking cookies anywhere on AI Church or the Knowledge Base. We do not use Google Analytics, Facebook Pixel, or any similar service.
7 Data Transfers & Sovereignty
The AI Church demo instance is hosted on Infomaniak infrastructure in Geneva, Switzerland. Switzerland is recognized by the European Commission as providing an adequate level of data protection (EU–Switzerland adequacy decision). Infomaniak is a Swiss company subject to the Swiss Federal Act on Data Protection (nFADP) and, where applicable, the GDPR.
When you self-host AI Church, data sovereignty is entirely under your control. You choose your hosting provider, jurisdiction, and data center. We recommend Switzerland or EU-based hosting for churches serving European congregants.
Boreon Industries LLC is a United States company. In our capacity as operator of the demo instance, we are subject to applicable U.S. privacy law including the California Consumer Privacy Act (CCPA) for California residents.
8 Data Retention
For the hosted demo instance, server log data is retained for 30 days, after which it is automatically purged.
Demo church data (the "Holy Cross Church" dataset) is pre-seeded synthetic data. It can be cleared by the super-administrator at any time and does not contain real member information.
For self-hosted deployments, you control all retention. AI Church provides admin tools to delete members, giving records, and all other data. You may also drop the aichurch.db SQLite file to completely erase all data.
9 Your Rights
Depending on your jurisdiction, you may have the following rights with respect to personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of personal data we hold about you | Contact admin@sermonassistant.ch |
| Rectification | Correct inaccurate data | Contact admin@sermonassistant.ch |
| Erasure | Request deletion of your data | Contact admin@sermonassistant.ch |
| Restriction | Limit how we process your data | Contact admin@sermonassistant.ch |
| Portability | Receive your data in a machine-readable format | Contact admin@sermonassistant.ch |
| Object | Object to processing based on legitimate interests | Contact admin@sermonassistant.ch |
For self-hosted deployments, exercise your rights directly with the church or organization that operates the AI Church instance — they are the data controller, not Boreon.
If you are an EU or Swiss resident and believe we have violated applicable data protection law, you have the right to lodge a complaint with your national supervisory authority (for Switzerland: the Federal Data Protection and Information Commissioner, FDPIC).
10 Children
AI Church is designed for use by adult church administrators, staff, clergy, and ministry leaders. The platform is not directed to children under the age of 13 (or 16 in jurisdictions where that threshold applies).
We do not knowingly collect personal information from children. If you are a parent or guardian and believe a child has submitted personal information through our demo instance, contact us at admin@sermonassistant.ch and we will delete it promptly.
11 Security
We implement appropriate technical and organizational measures to protect the minimal data we process. These include:
- TLS encryption for all data in transit to the demo instance
- Infomaniak's ISO 27001-compliant infrastructure and Swiss data center physical security
- Application-level security headers (CSP, HSTS, COOP, CORP) to prevent interception or hijacking
- Database access controls restricting direct access to the SQLite file
- Rate limiting to prevent automated abuse
For a full technical description of security measures built into AI Church, see our Security page.
12 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will post a notice on the AI Church homepage and, where feasible, notify administrators of the demo instance.
Your continued use of AI Church or the demo instance after changes become effective constitutes acceptance of the revised policy. If you disagree with any change, please cease using the demo instance and consider self-hosting AI Church instead, where you remain the sole data controller.
13 Contact
For any privacy-related questions, requests, or complaints, please contact:
Email: admin@sermonassistant.ch
Subject line: PRIVACY: followed by your request
Response time: we aim to respond within 5 business days.
For in-app help with data management (deleting members, exporting data, managing records), use the Office Helper chatbot or visit the AI Church Knowledge Base.