Scout

Legal

Privacy Policy

Last updated April 28, 2026

This Privacy Policy (the “Policy”) describes how Scout collects, uses, discloses, retains, and protects personal information when you visit scout.church, sign up for an account, use the Scout church management platform (the “Service”), or interact with a church-facing experience powered by Scout — including a church website, member app, check-in kiosk, online giving form, or text-message communication.

In this Policy, “Scout,” “we,” “us,” and “our” mean Scout Intelligence LLC, a California limited liability company with its principal place of business at 3380 Mono Drive, Riverside, CA 92506. “You” means the person reading this Policy. Capitalized terms used but not defined here have the meanings given in our Terms of Service.

1. Summary

  • Scout sells a church management platform to churches and ministries. Most of the personal information in Scout belongs to a church’s people — members, visitors, donors, volunteers, and children — and is handled by us only on the church’s behalf.
  • We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use congregant data to train artificial intelligence models, and our AI provider is contractually prohibited from doing so.
  • We use a small, named set of subprocessors (listed in Section 8) to operate the Service. We do not disclose data to data brokers or marketing networks.
  • Congregants who want to access, correct, or delete information held about them in Scout should contact their church first, because the church controls that data. We will assist the church in responding.
  • Scout is operated from the United States. If you use Scout from outside the United States, your information will be transferred to, and processed in, the United States under the safeguards described in Section 12.

2. Who we are and our role

Scout is operated by Scout Intelligence LLC, a California limited liability company headquartered in Riverside, California. Depending on the data in question, Scout plays one of two distinct legal roles:

  • Controller / Business. For information about people who sign up for Scout to use it themselves — primarily church staff, pastors, administrators, billing contacts, leads, and visitors to scout.church— Scout is the data controller (under the EU and UK General Data Protection Regulation (“GDPR”)) and the “business” (under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the “CCPA”).
  • Processor / Service Provider.For information that a church puts into Scout about the people it serves — congregants, members, visitors, donors, volunteers, group participants, students, children at check-in, recipients of pastoral notes — Scout is a data processor acting on documented instructions from the church (under GDPR) and a “service provider” under the CCPA. The church is the controller / business and decides what information to collect, why, and who can access it. We do not retain, use, or disclose this information for any purpose other than performing the Service for the church or as otherwise permitted by law.

This Policy applies to both roles. Where we are acting as a processor / service provider for a church, the church’s own privacy notice controls the church’s decisions about its data. If you are a congregant and a section of this Policy conflicts with your church’s privacy notice with respect to congregant data, the church’s notice controls the church’s collection and use, and this Policy describes only what Scout itself does.

3. Personal information we collect

The categories below match the statutory categories described in California Civil Code section 1798.140. We have collected the following categories of personal information from the sources described in Section 4 within the past twelve (12) months:

3.1 Information we collect about church staff and account holders

  • Identifiers. Name, email address, telephone number (optional), postal address (optional), online identifiers, IP address, account username, and authentication tokens.
  • Customer records (Cal. Civ. Code §1798.80(e)). Name, email, phone number, billing address, and payment-method metadata (card brand, last four digits, expiration; the full card or bank number is collected and stored by Stripe and is never received or stored by Scout).
  • Commercial information. Subscription plan, attendance band, billing history, and use of features and add-ons.
  • Internet or other electronic network activity. Information about your interactions with the Service, including pages and screens viewed, actions taken, referring URLs, device and browser type, operating system, language settings, and approximate location derived from IP address.
  • Geolocation. Approximate location (city/region) derived from IP. We do not collect precise GPS location.
  • Professional or employment-related information. Job title, role at the church, and church size and type, where you provide it.
  • Inferences. Limited aggregate inferences about product usage, such as which features your church uses most.

3.2 Information a church puts into Scout about its people

On a church’s instructions, Scout stores and processes the following kinds of information about the church’s congregants (which we collectively call “Congregant Data”). The church decides what to collect; not every church collects every category.

  • Identifiers and contact information. Name, email, phone, postal address, date of birth, household relationships, marital status, photograph, and a Scout-issued person identifier.
  • Sensitive personal information.Religious or philosophical beliefs are inherent to the use of a church platform and may be inferred from the fact of membership or participation. Some churches optionally collect: information that may indicate health (allergies for kids’ check-in; pastoral notes that may reference health, mental health, or family circumstances); precise financial information (account / routing / card numbers, which are handled by Stripe and not stored by Scout — see Section 7); and government-issued identifiers in narrow circumstances (e.g., taxpayer identification numbers required for IRS giving statements). Scout does not use sensitive personal information for any purpose other than providing the Service to the church and complying with law.
  • Engagement and participation records. Attendance and check-in records, group and team memberships, volunteer schedule and history, event registrations, form submissions, and communication preferences.
  • Giving records. Donation amounts, dates, designated funds, recurring gift schedules, pledges, and giving statements. Payment instruments are handled by Stripe Connect; Scout stores the record of the donation and limited tokens that allow Stripe to charge a saved payment method, but does not store full card or bank-account numbers.
  • Pastoral records.Notes about people that the church’s authorized staff create — including prayer requests, care needs, and follow-up history. The church controls which staff can see these records.
  • Engagement scores and AI-generated narratives. Scout computes engagement scores from the data above and uses them to generate written pastoral narratives and suggestions that help church staff care for their people. See Section 6 for how AI is used.
  • Children’s data.If a church uses Scout’s kids’ check-in feature, the church or a parent/guardian provides limited information about a child (typically name, birthdate, household, allergies, and authorized pickup adults). See Section 11.
  • Public-site content. Pages, posts, images, and contact-form submissions on a church website built with Scout.

3.3 Information about donors who give through a Scout-powered church

When a person makes a donation to a church through Scout’s giving forms, Scout collects (on the church’s behalf) the donor’s name, email, billing postal code, donation amount, designated fund, and a Stripe-issued token referencing the saved payment method. Card and bank-account numbers are collected directly by Stripe and never touch Scout’s servers. The donor is the church’s data subject; the church is the controller / business with respect to the donor record.

3.4 Information about visitors to scout.church

When you browse our marketing website, we collect IP address, device/browser metadata, pages viewed, and the contents of any contact or demo-request form you submit. We use a small number of essential cookies described in Section 9.

4. Sources of personal information

  • Directly from you when you sign up, use the Service, or contact us.
  • From a church that has invited you (e.g., a staff member or volunteer) or that has entered information about you into Scout (e.g., as a member, donor, or attendee).
  • From your device automatically when you use the Service (cookies, server logs, error reports).
  • From third-party services you choose to connect, such as Google for single sign-on or Stripe for payments.
  • From integration partners that the church configures (for example, imports from another church management system).

5. How and why we use personal information

We use personal information for the business and commercial purposes described below. Where GDPR or UK GDPR applies, the legal basis for each purpose is identified in brackets.

  • Provide the Service — operate accounts, render dashboards, store church data, send transactional emails (sign-in links, receipts, password resets, billing notices), provide member apps and church websites, and run scheduled background jobs. [Performance of contract; legitimate interests]
  • Process payments and donations — through Stripe and Stripe Connect, including remitting donations to the church and handling refunds, disputes, and chargebacks. [Performance of contract; legal obligation]
  • Compute engagement intelligence and generate AI-assisted narratives for church staff. See Section 6. [Legitimate interests; performance of contract]
  • Authenticate and secure accounts — verify identity, detect and prevent fraud and abuse, rate-limit sensitive endpoints, enforce our Terms. [Legitimate interests; legal obligation]
  • Provide customer support — diagnose issues, respond to inquiries, troubleshoot integrations. [Performance of contract; legitimate interests]
  • Improve the Service — analyze aggregate, de-identified usage to make Scout better. We do not use Congregant Data for this purpose in any way that would identify a person. [Legitimate interests]
  • Send service-related communications — product updates, security advisories, billing changes, and outage notices to church account holders. [Legitimate interests; performance of contract]
  • Marketing communications — we may email account holders and people who request information about Scout. You can unsubscribe at any time. [Consent; legitimate interests]
  • Comply with law and protect rights — respond to lawful requests, defend claims, and protect Scout, our customers, and the public. [Legal obligation; legitimate interests]

We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals. Engagement scores and AI narratives are decision support for human pastors and staff; they do not by themselves grant or deny anything.

6. How Scout uses artificial intelligence

Scout uses artificial intelligence to help church staff understand and care for the people in their church. This section explains, in detail, what AI does, what data it sees, what it does not do, and what protections are in place.

6.1 What the AI does

On a regular schedule (typically nightly), Scout summarizes a person’s engagement record into a short pastoral briefing of two to four sentences and one or two suggested next steps. The briefings are intended to surface people whose patterns have changed — for example, someone who has stopped attending, someone whose serving and giving rhythms suggest they are growing in their connection, or someone with an open prayer request that has not been followed up on. The briefings appear inside the church’s Scout dashboard and are visible only to staff with appropriate permissions configured by the church.

6.2 The AI provider

Scout uses large language models hosted by Anthropic, PBC (“Anthropic”), accessed through Anthropic’s commercial API. Anthropic acts as a subprocessor under our agreement. Anthropic is contractually committed not to train its models on data sent through its commercial API. Scout has not opted into any training, data-sharing, or feedback program offered by Anthropic that would change that default.

6.3 What data the AI sees

Before sending a request to Anthropic’s API, Scout de-identifies the input by replacing the person’s name with a placeholder (“[PERSON]”). The data sent typically includes: the person’s qualitative status label (e.g., engaged, drifting, isolated); the domains in which they are active (serving, giving, groups, connections); the names of groups and teams they participate in within that church; recent pastoral notes the church’s staff have written, including prayer requests; and a qualitative description of giving level and relational connectedness.

The placeholder is replaced with the real first name only after Scout receives the model’s response, on Scout’s servers. Email addresses, phone numbers, postal addresses, dates of birth, donation amounts, payment information, and government identifiers are not sent to the AI provider.

6.4 What the AI does not do

  • Train on your data. Anthropic does not train its models on data sent through its commercial API, and Scout does not authorize Anthropic to do so under our contract.
  • Make consequential decisions.AI narratives are decision support for human staff. They do not by themselves change a person’s status, send a message, charge a card, remove a person from a list, or take any action that affects an individual without a human pastor or staff member acting on the suggestion.
  • Generate predictions about protected characteristics. Scout does not ask the AI to predict race, ethnicity, sexual orientation, immigration status, or any other characteristic that the church does not affirmatively store in the record.
  • Talk to congregants.AI narratives are visible only to authorized church staff in the church’s dashboard. Scout does not generate AI-authored emails or text messages on the church’s behalf without a staff member reviewing the content.

6.5 Accuracy and human oversight

AI-generated narratives are best-effort summaries based on the data in the church’s account. They can be wrong, incomplete, or out-of-date. They should not be treated as clinical, legal, financial, or pastoral counsel. Pastors and staff are responsible for independently verifying important facts before acting on a suggestion, especially in matters involving health, safety, finances, or relationships. If a narrative is incorrect, a church can edit it, regenerate it, or disregard it.

6.6 Opting out

A church can disable AI narratives globally for its account by contacting us at hello@scout.church. A congregant who does not want their record processed by AI features should contact their church, which can disable the feature account-wide or, at the church’s discretion, exclude specific people.

7. Payment information and Stripe

Scout uses Stripe, Inc. (“Stripe”) and Stripe Connect to process subscription payments, donations, and giving disbursements. When you enter card or bank-account information on a Scout-hosted page, that information is sent directly to Stripe through tokenized elements; Scout’s servers do not see, log, or store the full payment instrument. Stripe’s handling of cardholder data is governed by Stripe’s privacy policy (stripe.com/privacy) and PCI DSS compliance program. For donations, Stripe Connect is the merchant of record on the church’s connected account, and Stripe is independently a controller of donor payment data for purposes of regulatory compliance, fraud prevention, and dispute handling.

8. Subprocessors and third parties

We use a small set of subprocessors to operate the Service. Each is bound by a written agreement that requires it to protect personal information and to use it only for the purposes for which we engage it. We do not authorize any subprocessor to sell personal information or to use it for cross-context behavioral advertising.

  • Vercel Inc. — application hosting, content delivery, edge runtime, and Vercel Blob (file storage for uploaded images and documents). United States.
  • Neon, Inc.— managed PostgreSQL database hosting for Scout’s primary data store. United States.
  • Stripe, Inc. — subscription billing, donation processing, and Stripe Connect for church giving. United States.
  • Resend, Inc. — transactional email delivery (sign-in links, receipts, billing notices, system alerts). United States.
  • Anthropic, PBC. — large-language-model API used to generate pastoral narratives. United States. See Section 6.
  • Google LLC. — Google OAuth (when a user chooses to sign in with Google) and Google Fonts. United States.
  • Upstash, Inc. — Redis-based rate limiting and abuse protection for sensitive endpoints. United States.
  • Functional Software, Inc. d/b/a Sentry. — error and exception tracking. United States.

We may add or change subprocessors as the Service evolves. For churches that have signed a Data Processing Addendum (“DPA”) with us, we provide notice of new subprocessors as required by the DPA. Other parties who may receive personal information are: legal, accounting, and compliance advisors; government and regulatory bodies in response to lawful requests; and the parties involved in any merger, acquisition, financing, or sale of assets affecting Scout (with notice to affected churches as legally required).

9. Cookies and similar technologies

Scout uses a small number of cookies and similar technologies that are strictly necessary to operate the Service:

  • Authentication cookies that keep you signed in to your Scout account.
  • Security cookies that protect against cross-site request forgery and other abuse.
  • Preference cookies that remember settings (for example, your last selected church if you administer more than one).

We do not use third-party advertising cookies, marketing pixels, or cross-context behavioral advertising on the Service. Where required by law, our marketing site at scout.church may load a small amount of first-party analytics to understand traffic; you can manage your preference through your browser’s controls. Scout honors the Global Privacy Control (“GPC”) signal as a request to opt out of any “sale” or “sharing” for cross-context behavioral advertising; because Scout does not engage in either, no additional action is needed in response to a GPC signal.

10. Marketing communications

With your consent or where otherwise permitted by law, we may send you marketing emails about Scout. You can unsubscribe at any time using the link in any marketing email or by writing to hello@scout.church. Unsubscribing from marketing email does not stop transactional or service-related emails (such as billing, security, or account notices), which we are required to send to operate your account.

Where a church uses Scout to send communications (email, in-app, or text) to its own people, the church controls those messages and is responsible for obtaining the consents required by law (including the Telephone Consumer Protection Act and CAN-SPAM Act). Recipients can opt out of texts by replying STOP and can opt out of email through the unsubscribe link the church includes.

11. Children’s information

Scout is a tool for churches and is not directed to children. We do not knowingly collect personal information directly from children under thirteen (13) without verifiable parental consent, and we do not market to children.

Some churches use Scout to manage information about children — for kids’ check-in, family records, youth ministry, and so on. In those cases, the church (and the parent or guardian acting on the child’s behalf) is the controller of that information; Scout is a processor / service provider. The church is responsible for obtaining any verifiable parental consent required by the Children’s Online Privacy Protection Act of 1998 (“COPPA”), GDPR Article 8, and applicable state children’s privacy laws. Parents and guardians who want to review, correct, or delete information held about their child should contact the church first; Scout will assist the church in fulfilling the request.

12. International data transfers

Scout is operated from, and stores data in, the United States. If you access or use Scout from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border transfer rules, you understand that your information will be transferred to and processed in the United States.

Where required for transfers from the EEA, UK, or Switzerland, Scout relies on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) with our subprocessors. Churches subject to GDPR may request a copy of our Data Processing Addendum, which incorporates the Standard Contractual Clauses, by writing to hello@scout.church.

13. Data retention

We retain personal information for as long as we need it to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.

  • Active churches.While a church’s Scout account is active, we retain its data for as long as it is in use.
  • Cancellation grace period.When a church cancels, we retain the church’s data for up to ninety (90) days to allow reactivation. After ninety days, we delete the data, except as described below.
  • Payment and giving records. We retain donation records, billing records, and tax-related information for the period required by tax and accounting law (typically up to seven (7) years).
  • Backups. Backups containing deleted data may persist for up to thirty-five (35) days after deletion before they are themselves overwritten or expired.
  • Logs and security data. Server logs, error reports, and security telemetry are retained for up to ninety (90) days for diagnostic and abuse-prevention purposes.
  • Earlier deletion or export. A church can request deletion or export of its data at any time. We will honor the request within the timeframes required by applicable law, subject to limited exceptions for legal, security, or accounting reasons.

14. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction. These include: TLS encryption in transit; encryption of sensitive secrets at rest; password hashing; multi-tenant database isolation that scopes every query to a single church; role-based access control; rate limiting on sensitive endpoints; logging and monitoring; and principle-of-least-privilege access for Scout personnel. No method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

15. Breach notification

In the event of a personal-information breach, we will notify affected churches without undue delay after becoming aware of the breach, and in any event within the timeframes required by applicable law. The notification will describe the nature of the breach, the categories of information involved, the likely consequences, and the measures taken or proposed to address it. Where Scout is acting as a processor / service provider, the church is responsible for any further notifications to data subjects or regulators required by law.

16. Your privacy rights

Depending on where you live, you may have some or all of the following rights with respect to personal information about you:

  • Right to know / access. Request confirmation of whether we process personal information about you and a copy of that information, including the categories of information collected, the sources, the purposes, and the categories of third parties to whom it has been disclosed.
  • Right to delete. Request deletion of personal information about you, subject to legal exceptions.
  • Right to correct. Request correction of inaccurate personal information.
  • Right to portability. Receive a copy of certain personal information in a structured, commonly used, machine-readable format.
  • Right to opt out of sale or sharing. Scout does not sell personal information and does not share personal information for cross-context behavioral advertising. No action is required of you to exercise this right.
  • Right to limit use of sensitive personal information. Scout uses sensitive personal information only for the purposes permitted under California Civil Code section 1798.121, which include providing the Service requested. You may contact us to request additional limits.
  • Right to non-discrimination. We will not deny you service, charge you a different price, or provide you a different level of quality because you exercised a privacy right.
  • Right to object or restrict (GDPR/UK GDPR). Object to or restrict our processing of your personal information on legitimate-interests grounds, or withdraw consent where processing is based on consent.
  • Right to lodge a complaint. Lodge a complaint with a supervisory authority in your country of residence, or with the California Attorney General or California Privacy Protection Agency.

16.1 How to exercise your rights

If you are a congregant (someone whose record was entered into Scout by a church), please contact the church directly. Because the church controls that information, the church is the right place to start. We will assist the church in responding.

If you are an account holder, lead, or marketing-list subscriber, you can exercise your rights by emailing hello@scout.church from the email address on file, or by writing to the postal address in the Contact section. We will respond within forty-five (45) days of receipt of a verifiable request, with one extension of up to forty-five (45) additional days where reasonably necessary.

16.2 Verification

To protect your information, we will take reasonable steps to verify your identity before responding to a request. For account holders, we typically verify by confirming control of the email address associated with the account. For other requests, we may ask for additional information sufficient to match you to the record we hold.

16.3 Authorized agents

You may designate an authorized agent to make a request on your behalf. We will require written proof of the agent’s authority (such as a signed authorization or power of attorney) and may also verify your identity directly.

16.4 California Shine the Light

California Civil Code section 1798.83 (the “Shine the Light” law) gives California residents the right to request information about disclosures of personal information to third parties for those parties’ direct marketing purposes. Scout does not disclose personal information to third parties for their direct marketing purposes.

16.5 Other state privacy laws

Residents of states with comprehensive consumer-privacy laws — including Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia — have rights similar to those described above. We honor verifiable requests from residents of those states. The defined categories and exact procedures may differ from California; in case of any conflict between this Policy and the applicable state law, the law controls.

16.6 Do Not Track

Some browsers transmit a “Do Not Track” signal. Because there is no consensus standard, Scout does not respond to DNT signals, but we do not engage in cross-site tracking or cross-context behavioral advertising regardless of the signal.

17. Sale or business transfer

If Scout is involved in a merger, acquisition, financing, or sale of all or part of its assets, personal information may be transferred as part of that transaction. We will require any successor to honor the commitments in this Policy with respect to information transferred and will give affected churches notice consistent with applicable law.

18. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify churches by email and post a revised version here with a new “last updated” date. Material changes take effect thirty (30) days after notice; non-material changes take effect when posted. Your continued use of the Service after changes take effect means you accept the updated Policy.

19. Contact

Questions about this Policy or how your data is handled? Email hello@scout.church. Postal mail can be directed to: Scout Intelligence LLC, Attn: Privacy, 3380 Mono Drive, Riverside, CA 92506, USA.

For our terms of use, see the Terms of Service.