CALIFORNIA DATA PROTECTION IMPACT ASSESSMENT (DPIA)

FLUMC Daily Devotionals

Current Series: Awakened to Grace

Assessment Date: 2026-01-02

1. EXECUTIVE SUMMARY

This Data Protection Impact Assessment (DPIA) evaluates the privacy risks and compliance measures for FLUMC Daily Devotionals (current series: Awakened to Grace), operated by The Florida Conference of The United Methodist Church, in accordance with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

2. DATA CONTROLLER INFORMATION

• Organization: The Florida Conference of The United Methodist Church
• App Name: FLUMC Daily Devotionals
• Current Series: Awakened to Grace
• Contact: privacy@awakenedtograce.app

3. DATA COLLECTION ACTIVITIES

3.1 Personal Information Collected

• Identifiers: Name, email address, user ID
• Account Information: Profile data, preferences
• User Content: Posts, comments, prayer requests
• Usage Data: App interactions, feature usage
• Device Information: Device type, operating system
• Analytics Data: Usage statistics, performance metrics

3.2 Sensitive Personal Information

• Age Information: For age verification and COPPA compliance
• Religious Information: Implicit through app usage
• Location Data: Not collected (we do not track precise location)

4. PROCESSING PURPOSES

We process personal information for: - Service Delivery: Providing app functionality - User Authentication: Secure account management - Content Moderation: Ensuring community safety - Analytics: Improving app performance and user experience - Legal Compliance: Meeting regulatory requirements

5. DATA SHARING

5.1 Third-Party Processors

• Firebase (Google): Authentication, database, storage
• Google Analytics: Usage analytics
• PostHog: Product analytics (privacy-protected)

5.2 Data Sales

We do NOT sell personal information to third parties.

6. CALIFORNIA CONSUMER RIGHTS (CCPA/CPRA)

6.1 Right to Know

California residents can request: - Categories of personal information collected - Sources of personal information - Business purposes for collection - Third parties with whom information is shared

6.2 Right to Delete

California residents can request deletion of personal information, subject to legal exceptions.

6.3 Right to Opt-Out

• Sale of Data: Not applicable (we don’t sell data)
• Sharing for Cross-Context Behavioral Advertising: Not applicable
• Sensitive Personal Information: Can limit use via Settings → Privacy

6.4 Right to Correct

California residents can request correction of inaccurate personal information.

6.5 Right to Non-Discrimination

We will not discriminate against users who exercise their privacy rights.

7. PRIVACY RISKS AND MITIGATIONS

7.1 Risk: Unauthorized Access

Mitigation: - Encryption in transit (TLS/SSL) - Encryption at rest (AES-256) - Firebase Authentication - Regular security audits

7.2 Risk: Data Breach

Mitigation: - Industry-standard security measures - Breach notification procedures - Regular security monitoring

7.3 Risk: Excessive Data Collection

Mitigation: - Data minimization principles - Purpose limitation - User controls via Settings → Privacy

8. CHILDREN’S PRIVACY

8.1 COPPA Compliance

• Users under 13 cannot create accounts
• Ages 13-15 enter Restricted Mode
• Enhanced privacy protections for minors

8.2 California AB 2273 Compliance

• Age-appropriate design principles
• Privacy by default for users under 18
• Enhanced protections for minors

9. DATA RETENTION

• Active Accounts: Data retained while account is active
• Inactive Accounts: Deleted after 24 months
• Legal Requirements: Some data retained for compliance

10. USER CONTROLS

Users can: - Access their data via Settings → Data Management - Delete their account and data - Opt-out of analytics via Settings → Privacy - Export their data in JSON format

11. ASSESSMENT CONCLUSION

Risk Level: LOW - Comprehensive privacy protections implemented - User controls available - No data sales - Strong security measures - COPPA and AB 2273 compliant

Recommendations: - Continue regular security audits - Monitor for regulatory updates - Maintain transparency with users

12. CONTACT

For privacy requests: - Email: privacy@awakenedtograce.app - Mail: The Florida Conference of The United Methodist Church, Privacy Department - In-App: Legal & Privacy Center

Assessment Date: 2026-01-02 Next Review: 2026-04-02