Privacy Policy
Plain English first. This policy is written to be read, not buried. We collect the minimum data necessary to run Group Tuesday. We do not sell your data. Your spiritual content — your reflections, your notes, your responses — belongs to you. We store it encrypted. You can delete it at any time. Everything else is explained below.
- 01Who We Are
- 02What Data We Collect
- 03How We Use Your Data
- 04Lawful Basis for Processing
- 05How Sharing Works
- 06Sub-Processors & Third Parties
- 07Data Retention
- 08Your Rights — Globally
- 09International Transfers
- 10Security
- 11Minors
- 12Business Transactions & Acquisitions
- 13Policy Updates
- 14Contact & Data Requests
Who We Are
Group Tuesday is a daily Bible study platform operated by Group Tuesday, LLC, a limited liability company registered in the State of Idaho, United States. References to "Group Tuesday," "we," "us," or "our" in this policy refer to Group Tuesday, LLC and its authorized agents.
Group Tuesday acts as the data controller for personal data collected through its platform. For users in the European Union and United Kingdom, Group Tuesday processes personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR respectively, utilizing Standard Contractual Clauses (SCCs) for any transfer of personal data from the EU or UK to the United States.
Group Tuesday does not maintain a formal establishment in the European Union. Users or supervisory authorities may direct GDPR-related inquiries to privacy@grouptuesday.com.
What Data We Collect
We collect only what is necessary to provide the Group Tuesday platform. The following categories of personal data may be collected:
| Category | Examples | Purpose |
|---|---|---|
| Account Identifiers | Name, email address | Account creation and authentication |
| Spiritual Content | Reflections, notes, fill-in-the-blank responses, reading completions | Core platform functionality |
| Behavioral Data | Reading streaks, engagement patterns, completion timestamps | Streak tracking, platform improvement |
| Sharing Preferences | Per-reflection sharing selections and submission history | Managing content visibility |
| Payment Information | Billing details (Church Leader tier only) | Subscription processing via third-party payment processor |
| Media | Profile photos, user-uploaded content | Profile display |
| Location Data | General location derived from IP address | Regional compliance, service delivery |
| Authentication Data | OAuth tokens (Google, Apple, Facebook Sign-In) | Third-party login |
| Technical Data | IP address, device type, browser, operating system | Security, analytics, error monitoring |
Group Tuesday may collect additional categories of data in the future as the platform evolves. Any material expansion of data collection practices will be disclosed through a policy update with 30 days advance notice and, where required, fresh user consent.
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
How We Use Your Data
Personal data collected by Group Tuesday is used exclusively for the following purposes:
Service Delivery — To operate the platform, deliver daily readings, process reflections, manage sharing preferences, and maintain account functionality.
Communication — To send transactional emails including account confirmation, password reset, sharing notifications, and platform updates via PostmarkApp. We do not send unsolicited marketing communications without explicit consent.
Platform Improvement — To analyze anonymized, non-attributable usage patterns to improve features, performance, and user experience. No personally identifiable spiritual content is used for this purpose.
Security & Fraud Prevention — To detect and prevent unauthorized access, abuse, and fraudulent activity.
Legal Compliance — To fulfill our obligations under applicable law, including responding to lawful requests from government authorities.
Billing — To process subscription payments for Church Leader tier users through our third-party payment processor.
Lawful Basis for Processing
For users in the European Union and United Kingdom, Group Tuesday processes personal data under the following lawful bases as defined by GDPR Article 6:
| Data Type | Lawful Basis |
|---|---|
| Account creation and management | Contractual necessity (Article 6(1)(b)) |
| Spiritual content, reflections, sharing decisions | Explicit consent (Article 6(1)(a) and Article 9(2)(a)) |
| Financial and billing records | Legal obligation (Article 6(1)(c)) |
| Platform security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Anonymized analytics | Legitimate interests (Article 6(1)(f)) |
Users may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact privacy@grouptuesday.com or delete your account through the platform settings.
Special Category Data. Spiritual content — including reflections, notes, and responses — may constitute special category data under GDPR Article 9 as data revealing religious or philosophical beliefs. Group Tuesday processes this data exclusively on the basis of explicit consent and applies heightened security measures accordingly, including encryption at rest and in transit.
How Sharing Works
All user-generated content — including reflections, notes, and responses — is private by default. Content is encrypted and visible only to the user who created it unless an explicit sharing action is taken.
Double Opt-In Sharing. Sharing requires two deliberate, sequential actions: (1) selecting the intended recipient or audience, and (2) submitting that selection. No content is shared as a result of passive action or platform defaults.
Named-Person Sharing. When a user shares a reflection with a named individual — such as a Group Leader or Session Leader — access is granted to that specific person only. If that person leaves the group or platform, access is automatically and immediately revoked. A new person assuming the same role does not inherit access to previously shared content. The user must explicitly re-share with any new named individual.
Role-Based Sharing (Church Leaders). Sharing with the Church Leaders role grants access to whoever holds that role at any given time. Church Leaders may change without requiring the user to re-share. Users may revoke Church Leader access at any time through their sharing preferences.
Revocation on Account Deletion. Upon account deletion, all shared content is revoked from all recipients within 72 hours and is permanently deleted. No recipient retains access to shared content following the originating user's account deletion.
Group Tuesday's Role in Shared Content. Group Tuesday acts solely as a conduit for user-directed sharing. Group Tuesday does not review, moderate, or make editorial judgments about shared content. Group Tuesday assumes no liability for the actions of any recipient in response to shared content. Users share content at their own discretion and risk.
Sub-Processors & Third Parties
Group Tuesday engages the following sub-processors to deliver its services. Each sub-processor is bound by a Data Processing Agreement (DPA) ensuring equivalent privacy protections to those described in this policy:
| Vendor | Service | Location |
|---|---|---|
| inMotion Hosting | Web hosting and infrastructure | United States |
| PostmarkApp | Transactional email delivery | United States |
| Payment Processor (TBD) | Subscription billing (Church Leader tier) | To be disclosed upon selection |
| Authentication Providers (TBD) | Third-party login (Google, Apple, Facebook) | United States |
| Analytics Provider (TBD) | Anonymized usage analytics | To be disclosed upon selection |
A current and complete list of sub-processors is maintained at GroupTuesday.com/legal/subprocessors. Group Tuesday will provide 30 days advance notice of any material change to its sub-processor list via email and in-app notification.
Sub-Processor Liability. Group Tuesday is not liable for data incidents originating at the sub-processor level provided that reasonable due diligence was performed in vendor selection and that applicable DPAs were in place at the time of the incident. In the event of a sub-processor breach, Group Tuesday will notify affected users within 72 hours of becoming aware of the incident, in compliance with GDPR Article 33.
Data Retention
Group Tuesday retains personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, and to resolve disputes.
| Data Type | Retention Period |
|---|---|
| Spiritual content (reflections, notes, responses) | Deleted within 72 hours of account deletion. Non-recoverable. |
| Personal identifiers (name, email) | Deleted within 30 days of account deletion |
| Behavioral data (streaks, completions) | Anonymized within 30 days of account deletion; aggregate data retained indefinitely |
| Billing and payment records | Retained for 7 years in compliance with US tax regulations |
| Clickwrap agreement records | Retained for life of account plus 7 years following deletion |
| Anonymized analytics | Retained indefinitely (no personal attribution) |
| Security and access logs | 90 days, then purged |
Users may request early deletion of their personal data at any time by submitting a deletion request to privacy@grouptuesday.com or through platform account settings. Deletion requests will be fulfilled within 30 days except where retention is required by law.
Your Rights — Globally
Group Tuesday extends the full suite of GDPR data subject rights to all users globally, regardless of jurisdiction, as a matter of platform policy and not merely legal obligation. You do not need to be located in the EU to exercise these rights.
To exercise any of these rights, submit a request to privacy@grouptuesday.com. We will verify your identity before fulfilling any request and will respond within 30 days. Complex requests may be extended by an additional 60 days with notice.
California Residents (CCPA/CPRA). California residents have the additional right to know whether their data is sold (it is not), the right to opt out of sale (not applicable), and the right to non-discrimination for exercising privacy rights.
International Transfers
Group Tuesday is based in the United States. If you are located in the European Union, United Kingdom, or another jurisdiction with data transfer restrictions, your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EU and UK to the United States, Group Tuesday relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into our agreements with sub-processors including inMotion Hosting and PostmarkApp.
By using Group Tuesday from outside the United States, you acknowledge that your personal data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.
Group Tuesday complies with applicable privacy frameworks including GDPR (EU), UK GDPR, CCPA/CPRA (California), PIPEDA (Canada), and LGPD (Brazil), and endeavors to comply with all other applicable international privacy regulations as they apply to data subjects who access the platform.
Security
Group Tuesday implements technical and organizational security measures appropriate to the sensitivity of the data processed, including encryption of spiritual content at rest and in transit, access controls limiting employee access to personal data, and regular security assessments.
Breach Notification. In the event of a personal data breach that poses a risk to users' rights and freedoms, Group Tuesday will notify affected users within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
Limitation. No security system is impenetrable. While Group Tuesday employs industry-standard protections, we cannot guarantee absolute security. Group Tuesday is not liable for unauthorized access to personal data resulting from circumstances beyond our reasonable control, including but not limited to breaches originating at the sub-processor level, force majeure events, or user-initiated security compromises such as sharing login credentials.
Minors
Group Tuesday is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal data from any person under the age of 18. By creating an account, you represent and warrant that you are at least 18 years of age.
If Group Tuesday becomes aware that personal data has been collected from a person under 18, such data will be permanently deleted within 72 hours of discovery. If you believe a minor has created an account, please contact privacy@grouptuesday.com immediately.
Business Transactions & Acquisitions
Personal data collected by Group Tuesday is considered a business asset. The following provisions govern how personal data is handled in connection with any merger, acquisition, asset sale, or similar corporate transaction involving Group Tuesday, whether as the selling party, acquiring party, or otherwise.
Sale or Acquisition of Group Tuesday. In the event that Group Tuesday, LLC or substantially all of its assets — including the Platform and associated user data — is acquired by or merged with another entity, users will be notified via email and in-app notification no less than 30 days prior to any transfer of personal data to the new data controller. The acquiring entity will be required to honor the terms of this Privacy Policy for a minimum of 30 days following the closing of the transaction. Thereafter, any material changes to privacy practices will follow the standard update process described in Section 13, including 30 days notice and in-app re-consent where required.
Asset-Only Sale. In the event that user data is transferred as part of an asset-only sale — where Group Tuesday, LLC as a legal entity is not acquired but the Platform or user database is sold independently — users will be notified no less than 30 days prior to the transfer. The purchasing party must agree in writing, as a condition of the transaction, to privacy protections equivalent to or greater than those described in this policy at the time of sale. Users retain all rights described in Section 08 of this policy, including the right to request deletion of their data prior to transfer.
GDPR Article 14 — Change of Controller. For users in the European Union and United Kingdom, any change of data controller resulting from a business transaction triggers notification obligations under GDPR Article 14. Group Tuesday will provide written notification to affected EU and UK users within the timeframes required by applicable law, including the identity and contact details of the new controller, the purposes and lawful basis for continued processing, and the user's rights in connection with the transfer.
Group Tuesday Acquires Another Company. Where Group Tuesday acquires another entity or its assets, the privacy treatment of data inherited through that acquisition will be determined on a case-by-case basis appropriate to the nature of the transaction. In all cases, Group Tuesday will conduct a data audit of inherited personal data within 90 days of closing. Data that does not meet Group Tuesday's privacy and security standards will be deleted. Users of any acquired platform will be notified of any material change to their data handling within 30 days of closing and will be subject to appropriate re-consent processes where required by applicable law.
Bankruptcy or Insolvency. In the event of Group Tuesday's bankruptcy, insolvency, or dissolution, personal data may be transferred to a successor entity or liquidated as a business asset. Users will be notified as soon as practicable under the circumstances. To the extent permitted by applicable law, any successor entity will be required to honor the terms of this Privacy Policy or provide users with the opportunity to delete their data.
No Additional Consent Required for Structural Transactions. By agreeing to these Terms and this Privacy Policy at account creation, you acknowledge that personal data may be transferred as part of a business transaction as described in this section, and you consent to such transfer subject to the protections described above. This does not limit your right to request deletion of your data prior to any such transfer.
Policy Updates
Group Tuesday reserves the right to modify this Privacy Policy at any time. We categorize changes as material or non-material:
Material Changes — Changes that affect how we collect, use, or share personal data; changes to user rights; changes to sub-processors handling personal data; or changes to the lawful basis for processing. Material changes will be communicated no less than 30 days prior to taking effect via email to the address on file and via prominent in-app notification. Users will be required to affirmatively re-consent to materially changed terms before continuing to access the platform.
Non-Material Changes — Clarifications, formatting updates, or corrections that do not affect your rights or how your data is handled. These may take effect immediately with notice.
All prior versions of this Privacy Policy remain publicly accessible at GroupTuesday.com/legal/archive. A plain-English changelog summarizing all modifications is maintained at GroupTuesday.com/legal/changelog.
Contact & Data Requests
For any privacy-related questions, data subject requests, or concerns about this policy, contact Group Tuesday's privacy team:
Group Tuesday, LLC
Privacy & Data Protection
privacy@grouptuesday.com
State of Idaho, United States
All requests will receive an acknowledgment within 5 business days and a substantive response within 30 days.