# policies.yaml — Business policies and terms
#
# Sources:
#   - C:\dev\churchwiseai-web\src\app\terms\page.tsx (Terms of Service, last updated March 11, 2026)
#   - C:\dev\churchwiseai-web\src\app\privacy\page.tsx (Privacy Policy, last updated March 9, 2026)
#   - C:\dev\churchwiseai-web\docs\AI_GOVERNANCE_AND_DATA_POLICY.md (March 2026)
#   - C:\dev\CLAUDE.md (billing rules section)
#
# This file captures business policies that affect product knowledge, marketing copy,
# and customer-facing AI agents (chatbot + voice agent).

# ═══════════════════════════════════════════════════════════════
# Cancellation & Billing
# ═══════════════════════════════════════════════════════════════

# Cancellation terms: how a church cancels, what keeps running until the
# billing period ends, and the 90-day read-only window before deletion.
cancellation:
  policy: "Cancel anytime, no contract"
  # NOTE(review): an emailed cancellation starts the 90-day countdown to
  # permanent deletion; this file does not say how the sender is verified as
  # an authorised church admin. Confirm against the support runbook.
  how: "Through admin dashboard or by emailing support@churchwiseai.com"
  service_continuation: "Service remains active until end of current billing period"
  ai_deactivation: "AI voice agents and chatbots are deactivated at the end of the billing period"
  data_preservation: "Church data preserved in read-only state for 90 days after cancellation"
  reactivation: "Can reactivate during 90-day window with one click — no data loss, no re-setup"
  # NOTE(review): "data is permanently deleted" is broader than data_retention
  # supports: billing_records (7 years), moderation_violation_logs (2 years),
  # usage_analytics and breach_notification_records all outlive this window.
  # Whether the encrypted backups listed under data_handling.storage are purged
  # on the same schedule is not stated here. Confirm before agents repeat it.
  permanent_deletion: "After 90-day preservation period, data is permanently deleted. Confirmation email sent."

# Recurring-billing terms. All values are free-text statements, not settings.
billing:
  auto_renewal: "Subscriptions automatically renew at end of each billing period (monthly or annually)"
  renewal_reminder: "Reminder email sent at least 7 days before each renewal"
  express_consent: "By subscribing, customer consents to automatic recurring charges"
  # The length of the grace period and the number of retries are not given here.
  failed_payments: "Grace period with retry before service interruption"

# Refund terms.
refund:
  policy: "No refunds on current billing period"
  partial_refunds: "No refunds for unused portion of a billing period"
  terms_change_exception: "Pro-rated refund of pre-paid annual fees if terms change and customer disagrees"
  # Site-relative path; legal.refund_policy_url carries the absolute form of
  # the same page, so the two must be kept in sync.
  refund_policy_page: "/refund-policy"

# Notice terms for price increases.
price_changes:
  notice_period: "At least 30 days written notice via email"
  effective_date: "Start of next billing cycle following notice period"
  opt_out: "Customer may cancel before price change takes effect"

# ═══════════════════════════════════════════════════════════════
# Trial Policy
# ═══════════════════════════════════════════════════════════════

# Free-trial eligibility per product line. `enabled` is a real boolean and
# `days` an integer; `reason` / `note` are explanatory text only.
trial:
  # The only line with a trial: 14 days, for the three chat plans listed.
  chat_plans:
    enabled: true
    days: 14
    applies_to: ["Starter Chat", "Pro Chat", "Suite Chat"]
    note: "14-day free trial auto-applied for all chat plans (monthly and annual)"
  voice_plans:
    enabled: false
    reason: "Requires phone provisioning (Telnyx/Twilio) + per-minute voice costs (STT + TTS + LLM)"
  bundle_plans:
    enabled: false
    reason: "Includes voice component — same provisioning constraints"
  one_time:
    enabled: false
    reason: "Instant purchase (AI Starter Kit)"
  pewsearch:
    enabled: false
    reason: "Preview mode serves this purpose"
  # `itw` and `sermonwise` carry no reason or note; the file does not expand
  # the `itw` abbreviation.
  itw:
    enabled: false
  sermonwise:
    enabled: false
  # Marked "TBD at launch": treat `enabled: false` as provisional.
  sharewiseai:
    enabled: false
    note: "TBD at launch"

# ═══════════════════════════════════════════════════════════════
# Data Handling & Retention
# ═══════════════════════════════════════════════════════════════

# How church data is encrypted, stored, owned and isolated, plus the claims
# made about AI providers' handling of API data. These are policy statements
# that agents quote; nothing in this block configures the controls themselves.
# The `>` folded values each end with one trailing newline once parsed.
data_handling:
  encryption:
    at_rest: "AES-256 encryption via Supabase (AWS infrastructure)"
    in_transit: "TLS 1.2+ (HTTPS only). HTTP requests redirected to HTTPS."
    websocket: "WSS (WebSocket Secure) for voice agent connections"
  storage:
    provider: "Supabase (PostgreSQL) on AWS"
    backups: "Encrypted, geographically separate regions"
    client_side: "No church data persisted on client devices beyond session tokens"
    employee_devices: "No church data stored on ChurchWiseAI employee devices"

  data_ownership: >
    The church owns all of its data. ChurchWiseAI is a processor, not a controller.
    This includes conversation transcripts, prayer requests, visitor contacts, callback requests,
    knowledge base documents, FAQ entries, team member data, usage analytics, and configuration settings.

  # NOTE(review): the only mechanism named is a church_id filter applied to RAG
  # queries, i.e. an application-level check. Whether the database enforces
  # tenant separation as well (for example row-level security) is not stated
  # here; confirm before agents assert "complete isolation".
  cross_church_isolation: >
    Church A's knowledge base, conversation history, and settings are never visible to Church B's AI.
    Each church operates in complete isolation. RAG queries filter by church_id before content retrieval.

  # NOTE(review): the no-training claim and the DPA statement name only OpenAI
  # and Anthropic. third_party_processors also sends voice transcripts and
  # system prompts to Google (Gemini), marked primary for voice, and audio/text
  # to Deepgram and Cartesia. Their training terms are not covered by this
  # statement; confirm and extend it, or scope the claim to the two named.
  ai_model_training: >
    No model training on church data. Both OpenAI and Anthropic API terms explicitly state that
    API data is not used to train models. ChurchWiseAI has DPAs with both providers.

  # NOTE(review): "processed and discarded" sits next to a retention window of
  # "typically 30 days" in the same value. An agent quoting only the first
  # sentence would understate provider-side retention.
  ai_data_persistence: >
    API requests are processed and discarded. Neither OpenAI nor Anthropic retains
    API request data beyond stated processing windows (typically 30 days for abuse monitoring).

# Retention period per data type. `period` is free text (for example
# "Duration of subscription + 90 days"), not a machine-readable duration, so
# any job that enforces deletion must take its schedule from elsewhere.
data_retention:
  call_recordings:
    period: "90 days"
    # NOTE(review): deletion is described only for Twilio, which
    # third_party_processors marks as "legacy numbers only". Where recordings
    # for Telnyx/LiveKit customers are stored and how they expire is not
    # stated in this file. Confirm.
    details: "Automatically deleted from Twilio. Church admin can request immediate deletion."
    access: "Church admin and office_admin only"
  call_transcripts:
    period: "1 year"
    details: "Church admin can request earlier deletion"
  ai_summaries:
    period: "1 year"
    details: "Same retention as call transcripts"
  chat_conversation_logs:
    period: "1 year"
    details: "Church admin can request earlier deletion"
  prayer_requests:
    period: "Duration of subscription + 90 days"
    details: "Church admin can delete individually at any time. Confidential flag preserved."
  visitor_contacts:
    period: "Duration of subscription + 90 days"
    details: "Used for ongoing pastoral follow-up"
  account_data:
    period: "Duration of subscription + 90 days"
    details: "90-day grace period allows reactivation"
  sermon_content:
    period: "Duration of subscription + 90 days"
    details: "Users can export before cancellation"
  billing_records:
    period: "7 years"
    details: "Required by Canadian and US tax law"
  # NOTE(review): two different lifetimes in one entry: 2 years for
  # anonymized analytics, indefinite for aggregated metrics. The
  # anonymization method is not described here.
  usage_analytics:
    period: "2 years (anonymized)"
    details: "Aggregated metrics retained indefinitely"
  # NOTE(review): crisis_protocols.moderation_ladder blocks by IP/session, so
  # these logs presumably hold IP addresses for 2 years. Confirm and classify.
  moderation_violation_logs:
    period: "2 years"
    details: "Required for abuse pattern detection"
  # Same figure as breach_notification.breach_record_retention; keep in sync.
  # NOTE(review): hipaa.principles_applied says all data access is logged, but
  # no retention period for those audit logs appears in this block.
  breach_notification_records:
    period: "24 months minimum"
    details: "Required by PIPEDA"

# What a church can export, in which formats, and what is left out.
# NOTE(review): the export set includes prayer requests and visitor contacts,
# which data_classification treats as sensitive. This block does not say which
# roles may run an export or whether exports are audit-logged. Confirm.
data_export:
  availability: "On request for all tiers. Suite tier includes self-service CSV/PDF export."
  formats: ["CSV", "JSON", "PDF"]
  includes:
    - "Conversations"
    - "Prayer requests"
    - "Visitor contacts"
    - "Callbacks"
    - "Knowledge base"
    - "FAQs"
    - "Analytics"
  excludes:
    # NOTE(review): third_party_processors marks Twilio as legacy-only; the
    # route to call audio for non-Twilio customers is not given. It is also
    # unclear from this file who holds the Twilio dashboard login.
    - "Voice call audio files (available via Twilio dashboard)"
    - "Stripe payment data (available via Stripe dashboard)"

# Turnaround and audit trail for deletion requests.
# NOTE(review): coppa.accidental_collection promises deletion "immediately";
# this block promises 5 business days. Backups are not mentioned in either.
data_deletion_requests:
  fulfillment: "Within 5 business days"
  logging: "Deletion logged for audit purposes (what, when, by whom)"

# ═══════════════════════════════════════════════════════════════
# Call Recording
# ═══════════════════════════════════════════════════════════════

# Call-recording policy: who controls recording, how consent is obtained, and
# how callers can reach their own recordings.
call_recording:
  church_controlled: true
  description: "Church administrators can enable or disable recording at any time"
  # Consent is implied by staying on the line after an automated disclosure.
  # NOTE(review): recording-consent requirements differ by jurisdiction;
  # confirm this mechanism with counsel for each region served.
  consent_mechanism: >
    Automated disclosure at beginning of each call. By continuing after disclosure,
    caller consents. Callers who do not wish to be recorded may hang up and use
    alternative contact (email, web chat, or in-person visit).
  # NOTE(review): access and deletion are both requested by email, and this
  # file does not describe how the requester is verified as the caller on the
  # recording. Releasing or deleting a recording needs an identity check.
  caller_access: "Any caller may request access to their own recording via privacy@churchwiseai.com"
  caller_deletion: "Callers may request deletion at any time. Fulfilled within 5 business days."

# ═══════════════════════════════════════════════════════════════
# Data Classification (from AI Governance doc)
# ═══════════════════════════════════════════════════════════════

# Four-tier data classification (public, internal, confidential, restricted)
# with the roles allowed at each tier. `access` is descriptive text; the
# enforcing role lists presumably live in code and must be kept in sync.
data_classification:
  public:
    description: "Information the church intends to be visible to anyone"
    examples: "Service times, church address, directions, public announcements, sermon topics, staff names/titles"
    access: "Anyone (website visitors, search engines, AI responses)"
  internal:
    description: "Operational data visible to the church's admin team"
    examples: "Conversation transcripts, usage metrics, AI analytics, team member list, FAQ entries, KB documents"
    access: "Church admin, office_admin"
  # NOTE(review): the roles listed here (admin, office_admin) are the same two
  # that can read `internal`, so as written this tier is no narrower than the
  # one below it. PASTORAL_ROLES also names no pastor role, although
  # hipaa.principles_applied mentions 9 roles. Confirm against the real list.
  confidential:
    description: "Sensitive pastoral data requiring restricted access"
    examples: "Prayer requests marked confidential, callback reasons with pastoral sensitivity"
    access: "PASTORAL_ROLES only: admin, office_admin"
  restricted:
    description: "Financial data with the strictest access controls"
    examples: "Giving history, pledge amounts, tithe records, benevolence requests, budget data"
    access: "FINANCIAL_ROLES only: admin, treasurer"
  # Process rules. The third makes server-side (API) enforcement mandatory:
  # hiding a field in the UI is not treated as an access control.
  rules:
    - "All new data types MUST be classified before any code is written"
    - "When in doubt, classify UP (more sensitive, not less)"
    - "Classification enforced at both API layer and UI layer. UI redaction alone is never sufficient."
    - "Reclassifying data downward requires founder approval"

# ═══════════════════════════════════════════════════════════════
# Crisis & Safety Protocols
# ═══════════════════════════════════════════════════════════════

# Crisis handling, abuse moderation and sensitive-topic routing for the
# customer-facing AI agents.
crisis_protocols:
  # Resources the AI offers to a person in crisis.
  # NOTE(review): several of these appear to be US services; confirm coverage
  # for churches outside the US (breach_notification cites Canadian law).
  crisis_resources:
    - name: "988 Suicide & Crisis Lifeline"
      contact: "Call or text 988"
    - name: "Crisis Text Line"
      contact: "Text HOME to 741741"
    - name: "National Domestic Violence Hotline"
      contact: "1-800-799-7233"
    - name: "Local emergency"
      contact: "Call 911"
  ai_behavior: >
    AI provides crisis resources and then offers to connect the person with the church's pastor.
    It does NOT attempt to provide counseling, therapy, or medical advice.

  # Escalating responses to abusive users, mildest first.
  # NOTE(review): blocks keyed on IP can also lock out unrelated visitors who
  # share an address. Separately, confirm that crisis handling runs before
  # this ladder, so a person in distress is given crisis_resources rather than
  # being blocked on "threat detected".
  moderation_ladder:
    - level: "Warning"
      trigger: "First abusive message"
      action: "AI responds with calm redirect. Message flagged."
      duration: "Immediate"
    - level: "Cooldown"
      trigger: "Second violation within session"
      action: "User cannot send messages"
      duration: "2 minutes"
    - level: "Temp Block"
      trigger: "Third violation or continued abuse"
      action: "User blocked by IP/session"
      duration: "1 hour"
    - level: "Permanent Block"
      trigger: "Repeated temp blocks or threat detected"
      action: "User permanently blocked. Admin notified."
      duration: "Indefinite (admin can unblock)"

  # Topics on which the AI takes no position and hands off to the pastor.
  sensitive_topics:
    description: "AI does not take positions on divisive topics. It connects to pastor."
    triggers:
      - "Affirming theology / LGBTQ+ questions"
      - "Political issues or candidates"
      - "Divisive doctrinal positions"
      - "Interfaith or comparative religion"
      - "Church discipline situations"
      - "Allegations against staff or members"

# ═══════════════════════════════════════════════════════════════
# HIPAA Considerations
# ═══════════════════════════════════════════════════════════════

# HIPAA positioning: design principles are borrowed, compliance is explicitly
# not claimed. Agents should repeat `status` as written and not upgrade it.
hipaa:
  status: "HIPAA-aware, not HIPAA-certified"
  rationale: >
    Churches are generally NOT covered entities under HIPAA. However, prayer requests
    frequently contain PHI-equivalent data. We apply HIPAA design principles without
    claiming compliance.
  # Each entry restates a control described elsewhere in this file; keep the
  # figures (AES-256, TLS 1.2+, 72 hours) in sync with data_handling.encryption
  # and breach_notification.
  # NOTE(review): "9 roles" is stated here, but only admin, office_admin and
  # treasurer are named in this file. "All data access logged" has no matching
  # retention entry under data_retention. Confirm both.
  principles_applied:
    - "Minimum necessary: AI only accesses data needed for current conversation"
    - "Access controls: RBAC with 9 roles, confidential data restricted to PASTORAL_ROLES"
    - "Audit trails: All data access logged with timestamps, user IDs, actions"
    - "Encryption: AES-256 at rest, TLS 1.2+ in transit"
    - "Breach notification: 72-hour notification to affected churches"

# ═══════════════════════════════════════════════════════════════
# Third-Party Data Processors
# ═══════════════════════════════════════════════════════════════

# Every external processor that receives church or visitor data: what it
# receives, why, and the compliance posture recorded for it.
# `compliance` values are as recorded in this file, not independently verified.
third_party_processors:
  - provider: "Supabase (AWS)"
    data: "All stored data"
    purpose: "Primary database"
    compliance: "SOC2 Type II, GDPR"
  - provider: "OpenAI"
    data: "Chat conversation text, system prompts, RAG chunks"
    purpose: "Chat AI responses"
    compliance: "SOC2 Type II, no API training"
  - provider: "Anthropic"
    data: "Voice transcripts, system prompts"
    purpose: "Voice AI responses"
    compliance: "SOC2 Type II, no API training"
  # NOTE(review): marked primary for voice, yet unlike the OpenAI and Anthropic
  # rows there is no "no API training" entry, and data_handling.ai_model_training
  # does not mention this provider. Confirm the training and DPA position.
  - provider: "Google (Gemini)"
    data: "Voice transcripts, system prompts"
    purpose: "Voice AI responses (primary)"
    compliance: "SOC2 Type II"
  - provider: "Cartesia"
    data: "Text for TTS"
    purpose: "Text-to-speech only (Sonic)"
    compliance: "Managed cloud deployment"
  - provider: "Deepgram"
    data: "Voice audio for transcription"
    purpose: "Speech-to-text (Nova-3)"
    compliance: "SOC2 Type II, HIPAA eligible"
  - provider: "LiveKit"
    data: "Voice audio, SIP signaling, real-time media transport"
    purpose: "SIP gateway + real-time audio transport (Agents v1.5)"
    compliance: "SOC2 Type II"
  - provider: "Twilio"
    data: "Phone numbers, call audio, metadata, SMS"
    purpose: "Voice calls + SMS (legacy numbers only)"
    compliance: "SOC2 Type II, HIPAA eligible, GDPR"
  - provider: "Telnyx"
    data: "Phone numbers, SIP signaling, call metadata"
    purpose: "Phone number provisioning + SIP trunking (new customers)"
    compliance: "SOC2 Type II, HIPAA eligible"
  - provider: "Stripe"
    data: "Customer email, payment method, billing address"
    purpose: "Payment processing"
    compliance: "PCI DSS Level 1, SOC2 Type II"
  - provider: "Resend"
    data: "Admin emails, notification content"
    purpose: "Transactional email"
    compliance: "SOC2 Type II"
  - provider: "Vercel"
    data: "Application code, edge logs, visitor IPs"
    purpose: "Next.js hosting"
    compliance: "SOC2 Type II, GDPR"
  # NOTE(review): compliance is "TBD" while this processor receives names,
  # emails and the free-text reason for a pastoral appointment, which may be
  # confidential-class data. Resolve before agents cite this list.
  - provider: "Cal.com"
    data: "Appointment details (name, email, time, reason)"
    purpose: "Pastoral scheduling"
    compliance: "TBD"

# Commitment to announce a new sub-processor before it handles any data.
# Adding a row to third_party_processors therefore implies a 30-day email
# notice to active churches first.
sub_processor_notification:
  notice_period: "30 days before new processor begins handling data"
  mechanism: "Email notification to all active churches"
  opt_out: "Churches may object or cancel if new processor is unacceptable"

# ═══════════════════════════════════════════════════════════════
# Breach Notification
# ═══════════════════════════════════════════════════════════════

# Breach-notification commitments: who is told, how fast, and what the notice
# must contain.
breach_notification:
  # NOTE(review): only PIPEDA is named. Other entries in this file point at US
  # customers (US tax law under data_retention.billing_records) and list GDPR
  # for several processors; confirm whether other breach regimes apply.
  jurisdiction: "PIPEDA (Canada)"
  notification_to_individuals: "As soon as feasible after confirming a qualifying breach"
  # NOTE(review): the event that starts the 72-hour clock (detection versus
  # confirmation) is not defined here.
  notification_to_churches: "Personal communication from ChurchWiseAI leadership within 72 hours"
  # "opc" presumably refers to the Office of the Privacy Commissioner of Canada.
  notification_to_opc: "As required by PIPEDA"
  notification_content:
    - "What happened (plain language)"
    - "What data was affected"
    - "What we have done in response"
    - "Recommended steps for the affected individual"
  # Same figure as data_retention.breach_notification_records; keep in sync.
  breach_record_retention: "24 months minimum"
  principles:
    - "Transparency over protection — disclose even when not legally required"
    - "Affected churches hear from us first — never press or third party"
    - "Over-notify, never under-notify"
    - "No blame-shifting — we own communication even if third-party processor is root cause"

# ═══════════════════════════════════════════════════════════════
# Support
# ═══════════════════════════════════════════════════════════════

# Support contact points and response-time commitments.
support:
  # Each channel has a `type` plus either an `address` (email) or a `url`.
  # The privacy address is the one named for caller recording requests
  # (call_recording) and for accidental child-data reports (coppa).
  channels:
    - type: "Email"
      address: "support@churchwiseai.com"
    - type: "Privacy email"
      address: "privacy@churchwiseai.com"
    - type: "Contact form"
      url: "https://churchwiseai.com/contact"
    - type: "Cal.com booking"
      url: "https://churchwiseai.com/book"
  response_time: "Within 24 hours"
  appeal_response: "Human review within 48 hours (for moderation/access appeals)"

# ═══════════════════════════════════════════════════════════════
# Founder Rate Program
# ═══════════════════════════════════════════════════════════════

# Founder-rate programme. `threshold` is the integer form of the 500 quoted in
# `description` and `post_threshold`; change all three together.
founder_rates:
  description: "First 500 churches lock in current rates permanently"
  threshold: 500
  post_threshold: "Prices will increase after 500 signups"
  badge: "Founder rate badge shown on pricing page"

# ═══════════════════════════════════════════════════════════════
# Children's Privacy (COPPA)
# ═══════════════════════════════════════════════════════════════

# Children's privacy position. `minimum_age` is an integer; the rest is text.
# How a caller's or chat visitor's age would be established is not described.
coppa:
  minimum_age: 13
  policy: "Services not directed at children under 13"
  # NOTE(review): "deleted immediately" is a stronger promise than the
  # 5-business-day window in data_deletion_requests; confirm which applies.
  accidental_collection: "Contact privacy@churchwiseai.com — data deleted immediately"
  # NOTE(review): voiceprints are mentioned only here. If they are actually
  # derived from calls they are biometric data and belong in
  # data_classification and data_retention; if not, confirm the wording.
  voice_recordings: "Voice recordings of children (including voiceprints) subject to same protections"

# ═══════════════════════════════════════════════════════════════
# Legal & Governing Law
# ═══════════════════════════════════════════════════════════════

# Last-updated dates and canonical URLs for the legal documents this file
# summarises. Dates are quoted, so they load as strings rather than as
# date objects.
legal:
  terms_last_updated: "March 11, 2026"
  privacy_last_updated: "March 9, 2026"
  # No URL is listed for the AI governance document, unlike the two above.
  ai_governance_last_updated: "March 2026"
  terms_url: "https://churchwiseai.com/terms"
  privacy_url: "https://churchwiseai.com/privacy"
  # Absolute form of refund.refund_policy_page; keep the two in sync.
  refund_policy_url: "https://churchwiseai.com/refund-policy"
