For [CHURCH NAME]'s Tech Lead, Operations, or Governance Team
Security & Privacy
A one-page brief on how Stablish protects member data, what the church sees versus what stays private, and what happens to data if Stablish or the member leaves.
Three things this document answers
- How is member financial data protected?
- What does the church see versus what stays private?
- What happens to member data if Stablish or the member leaves?
Bank connection security: Plaid
Stablish uses Plaid as the secure connection layer between member bank accounts and the Stablish app. Plaid is the same trusted infrastructure used by:
- Venmo (PayPal)
- Robinhood
- EveryDollar (Ramsey Solutions)
- YNAB, Mint, Acorns, and 12,000+ other apps
Plaid is independently audited (SOC 2 Type 2, ISO 27001) and uses bank-level encryption. Stablish never sees or stores raw banking credentials — Plaid handles the secure connection, and only transaction-level data flows through.
What pastors see vs. what stays private
This is the most important boundary in Stablish's design. Pastors never see individual member transactions.
| What pastors see (StashAI dashboard) | What stays private (member only) |
|---|---|
| Aggregate giving health (overall trends) | Individual member spending categories |
| At-risk recurring givers (flagged by lapsed-gift pattern) | What members purchased, where, or for how much |
| First-time givers (to thank pastorally) | Member's debt, savings balances, income |
| Giving rhythm patterns (weekly/monthly aggregates) | Member's Money Map sub-scores or coaching activity |
| Campaign performance (broad metrics) | Anything happening in the Stewardship App that the member hasn't actively shared |
The promise we will never break
A pastor will never receive a notification like “John Smith spent $400 at restaurants this month.” That's not a feature we offer — and it's not a feature we ever will. The Stewardship App is the member's private space. The StashAI dashboard is the pastor's view of aggregate giving health — not member behavior surveillance.
Member opt-in & consent
- Every member chooses whether to use Stablish — there is no automatic enrollment
- Members can disconnect their bank at any time — their data stops flowing immediately
- Members can delete their account — all financial data is purged within 30 days per our retention policy
- Members consent to Plaid's terms separately before any bank connection is made
- The pastor cannot enroll a member, see a member's data without their consent, or override a member's privacy choices
Data handling & retention
| Data type | How long we keep it | Where it's stored |
|---|---|---|
| Member account & profile | While the account is active; 30 days after deletion request | Encrypted, US-based cloud (Supabase + Vercel infrastructure) |
| Bank transaction data | Rolling 24 months for Money Map analysis; older data is aggregated and de-identified | Encrypted at rest, accessed via secure APIs only |
| Giving records (church-side) | Per IRS/501(c)(3) requirements (typically 7 years for tax records) | Encrypted; accessible to designated church admins only |
| StashAI aggregate insights | Indefinitely for trend analysis | De-identified aggregate data; never tied to individual members |
Compliance: SOC 2 Type 2 in progress (target completion: [DATE]). Plaid + our infrastructure providers are already SOC 2 / ISO 27001 certified.
What happens if a member leaves the church
The member keeps their Stablish account. Their personal Money Map and stewardship coaching continue uninterrupted (the app is theirs to use, regardless of church affiliation). Their giving history with [CHURCH NAME] remains in the church's records per standard 501(c)(3) retention.
What happens if Stablish goes out of business
Three layers of protection:
- Member data is portable. Members can export their full financial history at any time.
- Church giving data lives in the giving platform — not solely in Stablish. If you use Planning Center Giving (or any platform that integrates with Stablish), your historical giving records remain there.
- Annual contract terms mean the church has no multi-year lock-in. You can leave any year with no penalty.
Your existing giving infrastructure (Planning Center, Pushpay, Tithe.ly, etc.) is not replaced by Stablish — it sits alongside. So the failure mode is “we lose the stewardship app layer,” not “we lose our giving infrastructure.”
IRS / 501(c)(3) compliance
Stablish handles compliant giving rails when giving flows through Stablish's Intelligent Giving:
- Year-end tax statements generated automatically and delivered to members
- Receipt records meet IRS substantiation requirements (date, amount, organization, no-goods-or-services language)
- Aggregate giving reports for the church's 990 filing
- Recurring giving authorization records retained per regulation
If your church uses a third-party giving platform (Planning Center, Pushpay, etc.) and Stablish only provides the stewardship layer, your existing platform handles all giving compliance — Stablish doesn't replace it.
Questions or concerns?
Direct any tech, security, or compliance questions our way.
Schedule a 30-min tech review →We're happy to walk through anything in detail with your tech team or governance committee.