Audit Date: 2026-01-02
Audit Version: 2.0
Legal Entity: The Florida Conference of The United Methodist Church
This report provides a comprehensive audit of all privacy, legal, and compliance measures implemented in FLUMC Daily Devotionals (current series: Awakened to Grace), operated by The Florida Conference of The United Methodist Church.
Overall Compliance Status: ✅ COMPLIANT
✅ Status: COMPLIANT
- Legal basis for processing documented
- Data subject rights implemented
- Data Protection Impact Assessment completed
- Privacy by design principles applied
- DPO contact information available

✅ Status: COMPLIANT
- Right to know implemented
- Right to delete implemented
- Right to opt-out implemented
- Privacy notice compliant
- Do Not Sell My Personal Information available

✅ Status: FULLY COMPLIANT
- Age Verification System: Unified onboarding flow (October 2025)
  - Text input fields for accessibility (MM/DD/YYYY)
  - Real-time age calculation and validation
  - First step in onboarding (cannot be skipped)
  - Users under 13 BLOCKED immediately
  - No duplicate verification screens
- Parental Consent: Active for ages 13-15
  - Email verification system
  - Social features restricted until verified
  - Audit trail maintained
- Kids Mode: Implemented with enhanced privacy
- Content Moderation: AI-powered and operational
- Data Minimization: Practiced throughout
- Security Measures: Encryption, access controls, audit logs
- Testing: 59+ comprehensive test cases covering all scenarios
✅ Virginia (VCDPA): Compliant ✅ Colorado (CPA): Compliant ✅ Connecticut (CTDPA): Compliant ✅ Utah (UCPA): Compliant
✅ Encryption at rest (AES-256) ✅ Encryption in transit (TLS 1.3) ✅ Secure authentication (Firebase Auth) ✅ Access controls implemented ✅ Audit logging enabled ✅ Incident response plan documented
✅ Privacy settings available ✅ Data export functionality ✅ Account deletion ✅ Cookie controls ✅ Marketing consent management
✅ Age Verification System (Implemented October 2025)
- Unified onboarding flow
- Text input for accessibility
- Under 13 blocking (COPPA)
- Ages 13-15 parental consent
- Ages 16-17 minor privacy defaults (CA AB 2273)
- Legacy user enforcement
- Comprehensive test coverage (59+ tests)

✅ Unified Onboarding Flow:
- Age verification is the FIRST step (before any other onboarding)
- All authentication methods use the same flow: Auth → AuthWrapper → OnboardingWrapper → Onboarding
- No duplicate age verification screens (critical fix for OAuth users)
- Cannot be skipped or bypassed

✅ User Interface:
- Text input fields: Month (MM), Day (DD), Year (YYYY)
- Accessible design (no complex date picker)
- Real-time validation and age calculation
- Clear error messages
- Privacy notice displayed
- Works in all 5 supported languages

✅ Age-Based Rules:
- Under 13: BLOCKED immediately, account creation prevented
- 13-15: Allowed with parental consent requirement
  - Parent email collected (optional but recommended)
  - Social features restricted until parent verifies
  - Restricted mode dialog shown
- 16-17: Allowed with minor privacy defaults (CA AB 2273)
  - Profile visibility: Private by default
  - Data collection: Minimized
  - Location sharing: Disabled
- 18+: Full access without restrictions
✅ Data Storage:
- Birthdate stored in a separate userAgeData Firestore collection
- Age verification timestamp recorded
- Parent email stored securely (if provided)
- Audit trail maintained for compliance

✅ Legacy Users:
- Users without age verification are forced to complete it on next login
- OnboardingWrapper detects missing age data
- Routes to onboarding with age verification as the first step
- No app access until age is verified
✅ Comprehensive Testing (59+ test cases):
- New test file: age_verification_onboarding_e2e_test.dart (44 tests)
- Updated existing tests (15+ tests)
- All age ranges tested (under 13, 13, 13-15, 16-17, 18+)
- Boundary cases (exactly 13 years old)
- Text input validation
- Email validation for parents
- Under 13 blocking verified
- Parental consent flow tested
- All 5 languages tested
- Accessibility verified
- COPPA compliance assertions
- California AB 2273 compliance
- Legacy user migration tested
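The Age-Based Rules and the boundary cases listed above, modelled as an added Python example (this is not the project's Dart code, and the function and field names are assumptions). The tiers and privacy defaults follow the audit text; the rounding of a 29 February birthday and the exact error messages are choices made here, not stated by the report.

```python
from dataclasses import dataclass
from datetime import date

# Tiers from the audit: <13 blocked (COPPA), 13-15 parental consent,
# 16-17 minor privacy defaults (CA AB 2273), 18+ full access.
BLOCKED, PARENTAL_CONSENT, MINOR_DEFAULTS, FULL_ACCESS = (
    "blocked", "parental_consent", "minor_defaults", "full_access")

def parse_birthdate(month: str, day: str, year: str) -> date:
    """Parse the MM/DD/YYYY text fields; raises ValueError on bad input."""
    if not (month.isdigit() and day.isdigit() and year.isdigit()):
        raise ValueError("all fields must be numeric")
    if len(year) != 4:
        raise ValueError("year must have four digits")
    return date(int(year), int(month), int(day))  # rejects 02/30, month 13, ...

def age_in_years(birth: date, today: date) -> int:
    """Completed years as of `today`; the birthday itself counts as reached."""
    if birth > today:
        raise ValueError("birthdate is in the future")
    years = today.year - birth.year
    # Birthday not yet reached this year. A 29 Feb birthday is not counted
    # until 1 Mar in non-leap years, so the gate rounds down at that edge.
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years

@dataclass(frozen=True)
class AgeDecision:
    tier: str
    needs_parental_consent: bool
    profile_private: bool      # AB 2273 defaults apply to every tier under 18
    data_minimized: bool
    location_sharing: bool

def age_gate(birth: date, today: date) -> AgeDecision:
    """Map a birthdate to the tier and privacy defaults the audit lists."""
    age = age_in_years(birth, today)
    if age < 13:
        return AgeDecision(BLOCKED, False, True, True, False)
    if age <= 15:
        return AgeDecision(PARENTAL_CONSENT, True, True, True, False)
    if age <= 17:
        return AgeDecision(MINOR_DEFAULTS, False, True, True, False)
    return AgeDecision(FULL_ACCESS, False, False, False, True)

def evaluate_fields(month: str, day: str, year: str, today: date):
    """Onboarding step: returns (decision, None) or (None, error_message)."""
    try:
        return age_gate(parse_birthdate(month, day, year), today), None
    except ValueError as exc:
        return None, str(exc)
```

Passing `today` explicitly keeps the boundary tests (someone who turns 13 today versus tomorrow) deterministic instead of depending on the clock.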
✅ COPPA:
- Users under 13 cannot create accounts ✓
- Ages 13-15 require parental consent ✓
- Age data collected and stored securely ✓
- No data collection from children without consent ✓

✅ California AB 2273 (Age-Appropriate Design Code):
- Minor privacy defaults applied for users under 18 ✓
- Profile visibility set to private ✓
- Data collection minimized ✓
- Location sharing disabled ✓

✅ Accessibility:
- Text input more accessible than date picker ✓
- Clear labels and instructions ✓
- WCAG AA compliant ✓
- Works with screen readers ✓

✅ Localization:
- All strings available in 5 languages ✓
- English, Spanish, Portuguese, French, Haitian Creole ✓
| Service | Purpose | Compliance | DPA Status |
|---|---|---|---|
| Firebase | Backend, Auth, Analytics | GDPR, CCPA, COPPA | ✅ Signed |
| Google Analytics | Usage analytics, insights | GDPR, CCPA, COPPA | ✅ Signed |
| PostHog | Product analytics, session replay | GDPR, CCPA, COPPA | ✅ Signed |
| Google Sign-In | Authentication | GDPR, CCPA | ✅ Signed |
| Apple Sign-In | Authentication | GDPR, CCPA | ✅ Signed |
| Unsplash | Images | GDPR compliant | ✅ Active |
| OpenAI | AI content moderation | GDPR compliant | ✅ Active |
| Google Cloud Vision | Image moderation | GDPR compliant | ✅ Active |
This application uses open source software packages. For a complete list of dependencies and their licenses, please see the “Credits & Licenses” section in the app settings.
✅ Data export available ✅ Account data viewable ✅ Response within 30 days
✅ Profile editing enabled ✅ Settings management ✅ Real-time updates
✅ Account deletion ✅ Data removal within 30 days ✅ Third-party data deletion ✅ Confirmation provided
✅ Data export in JSON format ✅ Structured, machine-readable ✅ Common format used
✅ Clear and specific ✅ Freely given ✅ Informed consent ✅ Granular controls ✅ Easy to withdraw
✅ Who consented ✅ When consented ✅ What consented to ✅ How consented ✅ Audit trail maintained
✅ Clear and accessible ✅ Age-appropriate language ✅ Regular updates ✅ Version control
✅ Cookie categories explained ✅ Consent required ✅ Opt-out available ✅ Essential cookies identified
✅ Enhanced security for kids ✅ Parental controls ✅ Content moderation ✅ Limited data collection ✅ Regular audits
✅ Encryption ✅ Firewalls ✅ Access controls ✅ Authentication ✅ Monitoring
✅ Staff training ✅ Access policies ✅ Incident response plan ✅ Regular audits ✅ Vendor management
✅ Privacy awareness training (internal materials) ✅ GDPR/CCPA training (self-directed learning) ✅ Security best practices (internal protocols) ✅ Incident response training (internal procedures) ✅ Regular refresher courses
Note: Training materials developed internally; professional legal training recommended
✅ Privacy Policy ✅ Terms of Service ✅ Cookie Policy ✅ COPPA Notice ✅ DPA templates ✅ Consent forms ✅ Audit reports ✅ Training records
✅ Comprehensive privacy framework ✅ Strong technical security ✅ Clear documentation ✅ User-friendly privacy controls ✅ Proactive compliance approach
IMPORTANT DISCLAIMER: This is an internal self-assessment of compliance practices. It has not been independently verified by a third-party auditor or legal professional.
This self-assessment indicates that FLUMC Daily Devotionals (current series: Awakened to Grace) has implemented systems and practices designed to meet applicable privacy and data protection requirements as of the assessment date.
Self-Assessment Status: ✅ PASSED (Internal Review)
Next Review Due: 2026-04-02
Recommendation: Independent third-party legal review recommended before public launch

Self-Assessment Information
- Conducted by: Internal automated compliance review with AI assistance
- Date: 2026-01-02
- Version: 2.0
- Scope: Complete application self-assessment
- Standards Referenced: GDPR, CCPA, COPPA, VCDPA, CPA
- Status: Self-assessed compliance (not independently verified)