Privacy Policy

Last Updated: April 7, 2026

Your privacy matters to us. This Privacy Policy explains how On Christ's Mission Holdings LLC (OCM) collects, uses, shares, and protects your information when you use our services.

OCM operates three main products: OCM Financial (for parish financial management), OCM Engagement (for donor and giving management), and OCM Foundation (for volunteer coordination). This policy covers all three.

1. Identity and Contact

OCM is operated by:

On Christ's Mission Holdings LLC

Charlotte, NC

Email: hello@onchristsmission.com, support@onchristsmission.com

If you have questions or concerns about this Privacy Policy, please contact support@onchristsmission.com. For data protection-specific inquiries, contact our designated Privacy Contact at privacy@onchristsmission.com.

2. Information We Collect

The information we collect depends on which OCM products you use. Here's what we gather:

OCM Financial

When you use OCM Financial to manage your parish's finances, we collect:

  • Parish financial data (budgets, accounts, expense categories)
  • Vendor and payee information
  • Bank account connection data from Plaid (account numbers, routing numbers, account balances, and transaction history)
  • Historical transaction data (deposits, expenses, transfers)
  • Audit logs of who accessed what and when

OCM Engagement

When donors and members use OCM Engagement to give to your parish, we collect:

  • Donor name, email address, and phone number
  • Giving history (donation amounts, dates, and fund designations)
  • Payment methods (card details are handled by Stripe, not stored by us)
  • Bank account information via Plaid for bank transfers
  • Co-branded card application data (if you're eligible)
  • Communication preferences (whether you'd like receipts, statements, etc.)

OCM Foundation

When volunteers use OCM Foundation to sign up and track service, we collect:

  • Volunteer name, email, and phone number
  • Service history and commitment tracking
  • Communication about volunteer opportunities

3. How We Collect Information

We collect your information in several ways:

Directly from You

You provide information when you:

  • Create or update your OCM account
  • Fill out donation or giving forms
  • Apply for a co-branded card
  • Sign up to volunteer
  • Contact our support team

From Our Partners

We work with trusted partners to securely collect specific information:

  • Plaid: Securely connects your bank account for verification and transaction analysis. Plaid's Auth product retrieves account numbers, routing numbers, and account balances. Plaid's Transactions product retrieves transaction history for reconciliation and financial reporting.
  • Stripe: Processes your donations and confirms payment success. Stripe handles payment card data directly.
  • Lithic: Issues co-branded cards and manages card transactions.

Automatically

When you use our services, we automatically collect:

  • IP address and device information
  • Pages and features you use
  • How long you spend in the app
  • Timestamps of your activity
  • Browser type and operating system

4. How We Use Information

We use your information to deliver and improve our services. Specifically, we use it to:

  • Process donations and other payments
  • Manage your parish's financial records and reporting
  • Issue and manage co-branded cards
  • Facilitate volunteer signups and service tracking
  • Send you transactional communications (donation receipts, financial statements, password resets)
  • Comply with financial regulations and IRS requirements
  • Debug problems and improve our services
  • Protect against fraud and unauthorized access

We do NOT sell your data, display ads, or use your information for marketing to third parties.

5. Information Sharing and Disclosure

We only share your information with the people and organizations who need it to provide our services:

Service Providers

We share specific information with these trusted partners:

  • Stripe (payment processor): your donation amount, email, and payment status
  • Plaid (bank connector): your bank account information and verification data
  • Checkbook.io (check printing): check details and payee information (for parishes using check printing)
  • Lithic (card issuer): co-branded card application and usage data
  • Clerk (authentication): basic account credentials to secure your login

Within Your Parish

Parish administrators can see:

  • Financial data and transaction records for your parish
  • Donation records and donor information
  • Volunteer signups and service history

Diocese and Hierarchy

If your parish is part of a diocese, diocesan administrators may see:

  • Aggregated financial reports and summaries for all parishes in their diocese
  • De-identified or summary-level data to assess financial health across the diocese

Individual donor names and giving amounts are NOT shared with the diocese.

Law Enforcement

We disclose information if legally required to do so (subpoena, court order, or to prevent fraud or harm).

What We Don't Do

We want to be clear about what we do NOT do with your data:

  • We do not sell your personal information
  • We do not share your data with advertisers
  • We do not use your data for targeted marketing to third parties
  • We do not rent or lease your data

6. Hierarchical Data Access

OCM operates with a clear data access hierarchy to protect privacy while enabling administration:

Parish Level

Parish administrators and staff can see all data for their parish: financial records, donation history, volunteer signups, and bank connections.

Diocese Level

If your parish is part of a diocese, diocesan administrators can see aggregated data across all parishes in their diocese. They see financial summaries, not individual donor records.

OCM Employee Level

OCM employees who provide technical support or maintain our systems can access data as needed to deliver service, debug problems, and ensure security. All access is logged.

This hierarchy is enforced by our access controls and audit systems. You can request access to or deletion of your own data through the process described in Section 9.

7. Data Retention

We keep your information only as long as needed:

Donation Records

We retain donation records for 7 years to comply with IRS requirements for charitable organizations (Internal Revenue Code Section 501(c)(3)). This allows us to provide substantiation if needed.

Bank Credentials

Bank account credentials (from Plaid) are retained while your account is linked to OCM. If you disconnect your bank account:

  • We immediately notify Plaid to revoke the connection and invalidate access to your bank account
  • We immediately delete the stored access token from our systems
  • The bank connection record is marked as deleted in our system
  • Plaid no longer has access rights to your bank account, and OCM cannot re-establish the connection without your authorization.

Audit Logs

We maintain audit logs indefinitely for compliance and security purposes. Audit logs show who accessed what and when, but do not contain the content itself.

Other Data

Contact information and other service data are retained while your account is active. If you request deletion, personal identifiers are deleted or anonymized within 45 days (see Section 9). Financial records are preserved with anonymized user references for IRS compliance.

8. Data Security

We protect your information with strong security measures:

  • Encryption in transit: All data traveling between your device and our servers is encrypted using industry-standard TLS/SSL.
  • Encryption at rest: Sensitive data is encrypted at rest using industry-standard methods.
  • Access controls: Only authorized employees can access your data, and only if they have a business need.
  • Audit logs: All access to your data is logged and regularly reviewed.
  • Regular security testing: We conduct vulnerability assessments and penetration testing.

9. Your Rights

You have rights over your information:

Right to Access

You can request to see what personal information we hold about you.

Right to Correction

You can ask us to correct any inaccurate information.

Right to Deletion

You can request deletion of your account and personal information through the Delete Account option in your app settings or by submitting a data subject rights request to support@onchristsmission.com. Deletion is subject to legal and compliance obligations, such as the 7-year donation record requirement. Financial records are preserved with anonymized references; personal identifiers are permanently deleted.

Right to Opt Out

You can opt out of non-essential communications (such as newsletters), though we will continue to send you transactional messages (receipts, statements, security alerts).

How to Exercise Your Rights

To exercise any of these rights, email support@onchristsmission.com with your request. Please include:

  • Your full name and email address
  • Which OCM product you use
  • What action you'd like us to take

We will respond within 30 days (or 45 days for CCPA requests, as permitted by law). If your request is complex, we may need additional time, but we will notify you of any extension within the initial response period.

10. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you additional rights:

Right to Know

You can ask what categories of personal information we collect, how we use it, and who we share it with.

Right to Delete

You can request deletion of personal information we have collected from you (subject to certain exceptions, such as IRS donation record retention).

Right to Opt Out of Sale

OCM does not sell personal information. We do not sell your data to advertisers, data brokers, or any third party.

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

How to Submit a CCPA Request

To submit a CCPA request, email support@onchristsmission.com with your request. We will verify your identity and respond within 45 days.

10A. Additional State Privacy Rights

In addition to California, several other states have enacted comprehensive consumer privacy laws. OCM is committed to honoring your rights under all applicable state laws.

Virginia (VCDPA)

If you are a Virginia resident, you have the right to access, correct, delete, and obtain a copy of your personal data, as well as opt out of the processing of personal data for targeted advertising or sale. To exercise these rights, email support@onchristsmission.com.

Colorado (CPA)

If you are a Colorado resident, you have similar rights to access, correct, delete, and obtain a portable copy of your data, plus the right to opt out of targeted advertising, sale of personal data, and certain profiling. You may also appeal our decision on your request.

Connecticut (CTDPA)

If you are a Connecticut resident, you have the right to access, correct, delete, and obtain a portable copy of your data. You may opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects.

Other States

Privacy laws continue to evolve. OCM will comply with applicable state privacy laws as they take effect. For all state privacy requests, we will verify your identity and respond within the timeframe required by applicable law (typically 30–45 days, with extensions available for complex requests). Contact support@onchristsmission.com to exercise any privacy right.

11. Children's Privacy

OCM is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected information from a child under 13, we will delete it immediately. If you believe we have collected information about a child under 13, please contact us at support@onchristsmission.com.

12. Cookies and Tracking

OCM uses minimal cookies and tracking to protect your privacy:

Session Cookies

We use Clerk session cookies to keep you logged in and remember your preferences. These cookies are essential to the service.

No Ad Trackers

We do not use third-party cookies for advertising or behavioral tracking.

Analytics

OCM uses privacy-respecting analytics that do not track individual users across the web. We do not use third-party analytics platforms that create advertising profiles.

13. Co-Branded Card Program

If you apply for or receive an OCM co-branded card, your card is issued by a bank partner and managed by Lithic. Your card activity creates a separate data relationship:

  • The issuing bank and Lithic will have their own privacy policies covering card transactions and account information.
  • OCM facilitates the application and provides the card design, but your card data is governed by the bank's and Lithic's privacy policies.
  • Please review the card issuer's privacy policy alongside this one.

14. Plaid-Specific Disclosure

We use Plaid Inc. to securely connect your bank account to OCM. By using our service and linking your bank account, you acknowledge and agree that:

  • Plaid's privacy policy governs Plaid's collection and use of your financial data. You can review Plaid's privacy policy here: https://plaid.com/legal/#end-user-privacy-policy
  • OCM uses Plaid's Auth and Transactions products. From Plaid Auth, we receive: bank account number, routing number, and account holder name. From Plaid Transactions, we receive: transaction history for reconciliation and financial reporting.
  • OCM stores secure connection tokens (not your banking credentials) using industry-standard encryption. Your banking login credentials are never sent to or stored by OCM — Plaid manages those credentials securely.
  • When you disconnect a linked bank account, OCM immediately calls Plaid's secure disconnection service to revoke access rights, and we securely delete the stored connection credentials from our systems.

15. Changes to This Policy

We may update this Privacy Policy as our services evolve or to comply with new laws. When we make material changes, we will notify you:

  • By email (if you've provided one)
  • By prominent notice in our app or website
  • By requiring you to accept the updated policy before using the service

Your continued use of OCM after changes are posted constitutes your acceptance of the updated Privacy Policy.

16. International Users and Military Parishes

If you are located in the European Economic Area (EEA) or the United Kingdom, or are a member of a U.S. military parish stationed overseas, the General Data Protection Regulation (GDPR) or equivalent laws may apply to the processing of your personal data.

Lawful Basis for Processing: OCM processes your data based on contractual necessity (to deliver our services), legitimate interests (to improve and secure our platform), and your consent (where specifically required by applicable law).

International Data Transfers: Your data is processed and stored in the United States. OCM will implement appropriate safeguards, such as Standard Contractual Clauses (SCCs), where required by applicable law for cross-border data transfers.

Additional Rights: Under GDPR, you may have additional rights including the right to restrict processing, the right to data portability, and the right to lodge a complaint with a supervisory authority in your country of residence.

Privacy Contact: For data protection inquiries, contact our designated Privacy Contact at privacy@onchristsmission.com.

17. Contact Information

For questions, concerns, or requests regarding this Privacy Policy, please contact:

Email: hello@onchristsmission.com

Support: support@onchristsmission.com

Thank you for your trust. We're here to serve your parish and honor your privacy.