Data Retention & Your Rights | Fellowship Compass

Fellowship Compass keeps personal data only for as long as it is needed for the purpose it was collected, and only as long as the law requires. This page explains how long we keep different kinds of data, how to get a copy of yours, and how to delete it. It is written to satisfy the EU/UK GDPR, the California CCPA/CPRA, and Canada's PIPEDA.

1. Retention windows

The table below summarises what we keep, why, and for how long.

Data	Retention	Why
Account profile (name, email, ZIP, bio)	Until you delete your account	Operate the service
Saved listings, RSVPs, reminders, notifications	Until you delete your account; reminders & notifications also auto-delete after 12 months	Operate the service
Page views & event engagements (analytics)	User ID and session ID anonymised after 90 days; rows deleted after 24 months	Aggregate trend reporting only
Listing reports you submit	Reporter identity (clerk id, email, free-text details) redacted 12 months after the report is resolved or dismissed	Moderation evidence + appeal window
Listing audit log entries you authored	Author identity replaced with `deleted-user` on account deletion; the structural change record is kept	Editorial integrity
Claims, submissions, planning messages, uploaded files	Identifying fields tombstoned on account deletion; surrounding content kept (or wiped, where appropriate)	Other users' work and event records remain intact
Server logs	Up to 30 days on the hosting platform; auth and session headers are redacted at write time	Operations & abuse prevention

"Anonymised" means the link between the row and a person is permanently broken — the row remains for aggregate trend analysis but can no longer identify you.

2. How we protect your data

Strong technical safeguards are required by GDPR Art. 32, CCPA §1798.150 and PIPEDA Principle 4.7. Here is what we do:

Encryption in transit. All traffic between your browser and Fellowship Compass uses HTTPS with modern TLS (1.2 / 1.3). Connections from our application servers to the database also run over TLS.
Encryption at rest. Files you upload (event images, planning attachments, budget receipts) are stored in Google Cloud Storage and encrypted at rest with AES-256. Sensitive credentials we hold on your behalf — specifically the OAuth tokens that let us read your Planning Center calendar — are individually encrypted with AES-256-GCM before they ever touch the database, using a key kept outside the database.
Hashed bearer tokens. One-time tokens such as invitation links are stored only as a SHA-256 hash. The raw token exists only inside the email we send to you; if our database were ever leaked, those links could not be replayed.
Password security. We do not store passwords ourselves. Sign-in is handled by Clerk, an SOC 2 Type II certified identity provider that uses modern memory-hard password hashing.
Secrets management. API keys, signing secrets and the encryption key itself live in Replit's secrets store, not in source code or the database.
Access controls. Production data is reachable only by our hosting platform and a small number of staff with audited access. Authentication, session cookies and CSRF protections are managed by Clerk.
Logging. Authorization headers, cookies and other obvious credential fields are redacted at write time so they never reach our log files.

No system is perfectly secure. If you discover a vulnerability, please email security@fellowshipcompass.example so we can investigate and fix it.

3. Download a copy of your data

You have the right to receive a copy of all personal data we hold about you (GDPR Art. 15, CCPA "right to know", PIPEDA Principle 4.9). Sign in and request a JSON export at any time:

Download my data (JSON)

The download includes your profile, role, saved listings, RSVPs, reminders, notifications, claims, submissions, planning messages, listing permissions, descriptor tags, and reports you've filed. You must be signed in.

4. Delete your account

You have the right to be forgotten (GDPR Art. 17, CCPA §1798.105, PIPEDA Principle 4.5). Account deletion is immediate and runs in a single transaction:

Your profile, role, saved listings, RSVPs, volunteer signups, reminders, notifications, descriptor tags, and listing permissions are hard-deleted.
Listings you manage have their ownership released.
Content you authored that other people rely on — claims, submissions, planning messages, audit log entries, file uploads, budget items, tasks, co-host invitations — has your identity replaced with deleted-user. Free-text bodies are wiped and any uploaded files are removed from object storage.
Reports you've filed have your identity and free-text details wiped.
Your Clerk authentication record is also deleted so you cannot sign back in.

You can start account deletion from the Settings page or by signing in and calling DELETE /api/users/me.

5. Other rights & how to reach us

You also have the right to correct inaccurate data, restrict or object to certain processing, and lodge a complaint with your local data-protection authority. To exercise any of these rights — or if you believe a listing about you should be removed — please see our DMCA & Takedown Policy or email privacy@fellowshipcompass.example. We respond within 30 days.

6. Changes to this policy

If we change retention windows we'll update the date at the top of this page and, for material changes, notify signed-in users.

1. Retention windows

The table below summarises what we keep, why, and for how long.

Data	Retention	Why
Account profile (name, email, ZIP, bio)	Until you delete your account	Operate the service
Saved listings, RSVPs, reminders, notifications	Until you delete your account; reminders & notifications also auto-delete after 12 months	Operate the service
Page views & event engagements (analytics)	User ID and session ID anonymised after 90 days; rows deleted after 24 months	Aggregate trend reporting only
Listing reports you submit	Reporter identity (clerk id, email, free-text details) redacted 12 months after the report is resolved or dismissed	Moderation evidence + appeal window
Listing audit log entries you authored	Author identity replaced with `deleted-user` on account deletion; the structural change record is kept	Editorial integrity
Claims, submissions, planning messages, uploaded files	Identifying fields tombstoned on account deletion; surrounding content kept (or wiped, where appropriate)	Other users' work and event records remain intact
Server logs	Up to 30 days on the hosting platform; auth and session headers are redacted at write time	Operations & abuse prevention

"Anonymised" means the link between the row and a person is permanently broken — the row remains for aggregate trend analysis but can no longer identify you.

2. How we protect your data

Strong technical safeguards are required by GDPR Art. 32, CCPA §1798.150 and PIPEDA Principle 4.7. Here is what we do:

Encryption in transit. All traffic between your browser and Fellowship Compass uses HTTPS with modern TLS (1.2 / 1.3). Connections from our application servers to the database also run over TLS.

Encryption at rest. Files you upload (event images, planning attachments, budget receipts) are stored in Google Cloud Storage and encrypted at rest with AES-256. Sensitive credentials we hold on your behalf — specifically the OAuth tokens that let us read your Planning Center calendar — are individually encrypted with AES-256-GCM before they ever touch the database, using a key kept outside the database.

Hashed bearer tokens. One-time tokens such as invitation links are stored only as a SHA-256 hash. The raw token exists only inside the email we send to you; if our database were ever leaked, those links could not be replayed.

Password security. We do not store passwords ourselves. Sign-in is handled by Clerk, an SOC 2 Type II certified identity provider that uses modern memory-hard password hashing.

Secrets management. API keys, signing secrets and the encryption key itself live in Replit's secrets store, not in source code or the database.

Access controls. Production data is reachable only by our hosting platform and a small number of staff with audited access. Authentication, session cookies and CSRF protections are managed by Clerk.

Logging. Authorization headers, cookies and other obvious credential fields are redacted at write time so they never reach our log files.

No system is perfectly secure. If you discover a vulnerability, please email security@fellowshipcompass.example so we can investigate and fix it.

3. Download a copy of your data

You have the right to receive a copy of all personal data we hold about you (GDPR Art. 15, CCPA "right to know", PIPEDA Principle 4.9). Sign in and request a JSON export at any time:

4. Delete your account

You have the right to be forgotten (GDPR Art. 17, CCPA §1798.105, PIPEDA Principle 4.5). Account deletion is immediate and runs in a single transaction:

Your profile, role, saved listings, RSVPs, volunteer signups, reminders, notifications, descriptor tags, and listing permissions are hard-deleted.

Listings you manage have their ownership released.

Content you authored that other people rely on — claims, submissions, planning messages, audit log entries, file uploads, budget items, tasks, co-host invitations — has your identity replaced with deleted-user. Free-text bodies are wiped and any uploaded files are removed from object storage.

Reports you've filed have your identity and free-text details wiped.

Your Clerk authentication record is also deleted so you cannot sign back in.

You can start account deletion from the Settings page or by signing in and calling DELETE /api/users/me.

5. Other rights & how to reach us