Privacy Policy

Understanding who controls and who processes your data is foundational to this policy. Under applicable US and international privacy frameworks, the following roles apply on the AGAPAY platform:

For the purposes of this policy, "personal data" or "personal information" means any information that identifies or could reasonably be used to identify a natural person, directly or indirectly.

We collect only the information necessary to provide the platform's services. The categories of personal data we collect are:

AGAPAY processes personal data on the following legal bases under applicable law:

• Contractual necessity. Processing required to fulfill our obligations to you under our Terms of Service - including processing donations, transmitting memorial names to clergy, and providing account services.
• Legal obligation. Processing required to comply with applicable law - including IRS record-keeping requirements for charitable organizations (7-year retention of financial records), anti-money-laundering obligations, and applicable state charity registration laws.
• Legitimate interests. Processing necessary for AGAPAY's legitimate business interests where not overridden by your privacy rights - including platform security, fraud prevention, and aggregate analytics to improve the platform.
• Consent. Where required by applicable law, we obtain your consent before processing your data for specific purposes (such as marketing communications). You may withdraw consent at any time by contacting hello@agapay.app, without affecting the lawfulness of prior processing.

We collect and process personal data solely for the following purposes, and we do not use your data for any purpose incompatible with those listed here without your consent:

• Transaction processing. Processing and recording charitable gifts on behalf of the recipient parish or monastery, including generating receipts and confirmation emails.
• Memorial transmission. Transmitting liturgical memorial and intention names to designated clergy for commemoration at the proskomedia, panikhida, or parastas.
• Giving records. Generating annual giving statements and year-end commemoration records for donors, for tax substantiation and personal record-keeping purposes.
• Legal compliance. Complying with applicable tax, accounting, charitable reporting, anti-money-laundering, and financial record-keeping requirements.
• Account services. Maintaining donor and administrator accounts, providing support, and communicating regarding your use of the platform when requested.
• Platform security. Detecting, investigating, and preventing fraudulent transactions, unauthorized access, and other harmful activity.
• Platform improvement. Using aggregated, de-identified analytics data to understand usage patterns and improve the platform. Individual user data is not used for this purpose.

AGAPAY uses a minimal, purposeful set of cookies and similar technologies to operate the platform. We do not use cookies for cross-site behavioral advertising or third-party ad targeting.

• Essential cookies. Required for the platform to function - session management, authentication tokens, CSRF protection, and security-related state. These cannot be disabled without impairing platform functionality. They are first-party only and expire at session end or within 30 days.
• Analytics. We use Cloudflare Web Analytics, a privacy-preserving tool that does not use cookies, fingerprinting, or cross-site tracking to collect personally identifiable data. Analytics data is aggregate and anonymized. No user-level behavioral profiles are created.
• No advertising cookies. AGAPAY does not serve advertisements and does not place or permit third-party advertising, retargeting, or behavioral tracking cookies on our platform. We do not use Google Analytics, Meta Pixel, or comparable advertising tools.

You may configure your browser to refuse or delete cookies. Essential platform functionality (login, checkout, session persistence) may not operate correctly if essential cookies are disabled.

We do not currently respond to browser Do Not Track (DNT) signals, as no uniform standard for DNT has been established. We do not engage in cross-site tracking regardless of DNT status.

AGAPAY shares limited personal data with the following service providers, each engaged under contractual data protection obligations. We conduct due diligence on providers' privacy and security practices before engagement.

We do not share personal data with any party beyond those listed above, except as required by law (see Section 7 below).

Beyond the service providers listed in Section 6, AGAPAY may share your personal data only in the following limited circumstances:

• With your Organization. Donor transaction records, memorial submissions, and giving history are shared with the registered administrator(s) of the recipient Organization. This sharing is inherent to the platform's purpose and is the basis on which you donate through AGAPAY.
• Legal process. We may disclose personal data in response to a valid subpoena, court order, or other legal process, or when required by applicable law or regulation. Where legally permitted, we will notify affected users before disclosure.
• Protection of rights. We may disclose personal data when we reasonably believe disclosure is necessary to prevent fraud, protect our legal rights, or protect the safety of any person.
• Business transfers. In the event of a merger, acquisition, or sale of all or substantially all of AGAPAY's assets, personal data may be transferred to the successor entity, subject to the same privacy protections described in this policy. We will provide notice of such a transfer and, where required, obtain consent.
• With your consent. We may share data for any other purpose with your explicit prior consent.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Upon expiration of the applicable retention period, data is securely deleted or irreversibly anonymized using industry-standard methods. You may request early deletion of non-legally-required data under Section 10-11 below.

AGAPAY employs administrative, technical, and physical safeguards designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction.

No method of transmission over the internet or electronic storage is completely secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security against all threats. You also play a role: keep your account credentials confidential and notify us immediately at hello@agapay.app if you suspect unauthorized access.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) affords you the following rights regarding your personal information:

To exercise any California privacy right, submit a verifiable written request to hello@agapay.app with subject line "California Privacy Request." We will verify your identity before processing any request and respond within 45 days as required by law, with a possible 45-day extension for complex requests with prior notice.

You may designate an authorized agent to submit requests on your behalf by providing written authorization. We may require direct verification from you if an agent submits a request.

If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, affords you the following rights regarding your personal data:

To exercise any Texas privacy right, submit a written request to hello@agapay.app with subject line "Texas Privacy Request." We will respond within 45 days, with a possible 45-day extension for complex requests.

Appeals. If we decline to act on your request, you may appeal by responding in writing to our decision email. If your appeal is denied, you may contact the Texas Attorney General to submit a complaint.

AGAPAY is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). Our platform is intended for use by adults - parish administrators, clergy, and adult donors - on behalf of their communities.

If you believe we have inadvertently collected personal information from a child under 13, please contact us immediately at hello@agapay.app. We will promptly investigate and delete such information from our records.

If you are between the ages of 13 and 17, you must obtain verifiable parental or guardian consent before submitting any personal information through this platform. By submitting information, you represent that you have obtained such consent.

Memorial names submitted for liturgical commemoration may include the names of minors; this data is treated with the same protections as all personal data under this policy, and is transmitted only to the designated clergy of the recipient Organization.

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or platform features. When we make material changes, we will:

• Post the updated policy on this page with a revised "Last Updated" date.
• Send email notification to parish and monastery Administrators registered on the platform at least 30 days before material changes take effect.
• Display a prominent notice on the AGAPAY platform for at least 30 days following any material update.

Non-material changes - such as typographical corrections, clarifications that do not change our practices, or updated contact information - may be made without advance notice and will be effective upon posting.

Your continued use of the AGAPAY platform following notice of material changes constitutes your acceptance of the updated policy. If you do not agree, you may terminate your account before the effective date by contacting hello@agapay.app.

Any dispute arising out of or relating to this Privacy Policy or AGAPAY's handling of your personal data shall be resolved as follows:

• Informal resolution first. Before initiating any formal proceeding, you agree to contact us at hello@agapay.app with subject line "Privacy Dispute" and attempt to resolve the matter in good faith. We will respond substantively within 30 days.
• Binding arbitration. If informal resolution fails after 60 days, any unresolved dispute shall be settled by binding arbitration administered in Lubbock, Texas, under the Commercial Arbitration Rules of the American Arbitration Association (AAA). The arbitration shall be conducted before a single arbitrator. The arbitrator's written award shall be final and may be entered as a judgment in any court of competent jurisdiction.
• Class action waiver. You and AGAPAY agree that each may bring claims only in an individual capacity, and not as a plaintiff or class member in any purported class or representative proceeding.
• Governing law. This Privacy Policy is governed by the laws of the State of Texas, without regard to conflict of law provisions.
• Regulatory rights preserved. Nothing in this section limits your right to lodge a complaint with applicable state or federal privacy regulators, including the Texas Attorney General or the FTC.

For privacy-related questions, concerns, data access requests, or to exercise any right described in this policy, please contact AGAPAY at:

• Privacy requests: hello@agapay.app - include "Privacy Request" or your applicable right (e.g., "California Privacy Request") in the subject line
• Parish support: parishes@agapay.app
• Technical support: support@agapay.app
• Platform: agapay.app

We will respond to all privacy-related inquiries within 30 days of receipt. For requests under California or Texas law, we will respond within the statutory timeframe (45 days, with possible extension). We will request identity verification before processing any data access, correction, or deletion request.