Privacy Policy

The Luke 10:28 Project, LLC

Effective Date: May 1, 2026 Last Updated: May 1, 2026 Version: 1.0

1. Who We Are

The Luke 10:28 Project is a Christian formation platform built around the Greatest Commandment Model™ (GCM) — a framework for measuring and growing in psychological and spiritual wellbeing. The platform is operated by The Luke 10:28 Project, LLC, a registered business in the State of Tennessee.

References to "we," "us," or "our" in this policy refer to The Luke 10:28 Project, LLC.

2. What Data We Collect

2.1 Account and Profile Data

When you create an account or use our platform, we may collect:

  • Name and email address
  • Username or display name
  • Password (stored in encrypted form — we never see it in plain text)
  • Organization or church name (if applicable)

2.2 Assessment Responses

When you complete a Greatest Commandment Model™ (GCM) assessment, we collect your responses across the seven measurable wellbeing domains. These responses are used to generate your personal wellbeing report and, over time, to track your growth.

Important: Once your assessment responses are linked to your authenticated account, we treat them as sensitive personal data. We do not sell, share, or use them for advertising purposes — ever.

2.3 Payment Information

If you subscribe to a paid plan, payment is processed by Stripe. We do not store your credit card number, bank account details, or other sensitive payment credentials on our servers. Stripe handles this data under their own privacy and security standards.

2.4 Technical and Usage Data

When you use the platform, we automatically collect certain technical information, including:

  • IP address
  • Device type, operating system, and browser
  • Pages visited, features used, and time spent on the platform
  • Error reports and performance data

We collect this data using the following services:

  • BugSnag — error monitoring and performance tracking
  • Google Analytics — usage analytics and behavioral data

Both services may transfer data outside your country. See Section 6 for details on international transfers.

2.5 Organizational Accounts (Churches and Organizations)

If your church or organization purchases access on your behalf, your organization administrator may have access to aggregate usage data about members. They will not see the content of your individual assessment responses unless you choose to share them.

3. Why We Collect Your Data

We only collect data we actually need. Here is why we collect each type:

  • Account and profile data — to create and manage your account, authenticate your identity, and provide your personalized experience.
  • Assessment responses — to generate your GCM wellbeing report, track your growth over time, and improve the assessment experience.
  • Payment information — to process your subscription and manage billing.
  • Technical and usage data — to keep the platform running reliably, fix errors, and understand how people use the platform so we can improve it.

We do not use your data to train AI models. We do not sell your data. We do not use your data for advertising.

4. Legal Basis for Processing (GDPR)

If you are located in the European Union, United Kingdom, or another jurisdiction governed by the General Data Protection Regulation (GDPR) or equivalent laws, we process your personal data on the following legal bases:

  • Contract performance — processing necessary to provide the service you have signed up for
  • Legitimate interests — platform security, error monitoring, and usage analytics that help us operate and improve the platform, provided these interests are not overridden by your rights
  • Consent — where we specifically ask for your permission (e.g., optional communications)
  • Legal obligation — where we are required to process data by law

5. How Long We Keep Your Data

We retain your data only as long as necessary:

  • PII (email, account credentials) — retained for 3 years of inactivity, then deleted on request or after 3 years, whichever comes first
  • Assessment responses (pseudonymous research data) — retained for 10 years to support academic research and publication
  • Payment records — retained for 7 years as required by financial regulations
  • Technical and usage data — retained for up to 12 months, then aggregated or deleted

You can request deletion of your data at any time. See Section 9 for your rights.

6. International Data Transfers

We are based in the United States. If you are accessing the platform from outside the US, your data may be transferred to and processed in the United States, which may have different data protection laws than your country.

For users in the EU or UK, we ensure appropriate safeguards are in place for international transfers, including reliance on Standard Contractual Clauses (SCCs) where required. Our third-party processors (BugSnag, Google Analytics) operate under their own international transfer mechanisms.

7. Who We Share Your Data With

We do not sell your data. We share data only with the following third parties, strictly to operate the platform:

  • Supabase — database and backend infrastructure
  • Vercel — application hosting
  • BugSnag — error monitoring and performance analytics
  • Google — usage analytics (Google Analytics)
  • Stripe — payment processing

Each of these providers is contractually bound to protect your data and use it only for the purpose we have specified. We do not share your data with advertisers, data brokers, or other third parties for commercial purposes.

We may disclose your data if required by law, court order, or to protect the rights, safety, or property of our users or the public.

8. How We Protect Your Data

We take data security seriously and implement industry-standard protections, including:

  • Encryption in transit (HTTPS/TLS for all connections)
  • Encryption at rest for sensitive data
  • Strict access controls — only authorized personnel can access personal data
  • Regular security monitoring and error tracking via BugSnag
  • Separation of authentication and assessment data to minimize risk

No system is 100% secure. If you believe your account has been compromised, contact us immediately at security@luke1028.com.

9. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

For All Users

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your account and associated data
  • Data portability — request your assessment data in a portable format

For EU / UK Users (GDPR)

In addition to the above, you have the right to:

  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Lodge a complaint with your local data protection authority

Your EU/UK supervisory authority contact details are available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

For California Users (CCPA)

California residents have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Opt out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising privacy rights

To submit a data rights request, email privacy@luke1028.com with the subject line "Data Rights Request" or use the in-app account settings.

10. Cookies and Tracking

We use cookies and similar technologies to operate the platform, authenticate users, and analyze usage. A full description of our cookie practices is available in our Cookie Policy, linked in the platform footer.

You can manage your cookie preferences through your browser settings. Note that disabling certain cookies may affect platform functionality.

11. Children's Privacy

The Luke 10:28 Project is not intended for use by children under the age of 13 (or 16 in the EU/UK). We do not knowingly collect personal data from minors. If you believe a child has provided us with personal information, please contact us at privacy@luke1028.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this document and, for material changes, notify you by email or in-app notification.

Your continued use of the platform after any changes constitutes your acceptance of the updated policy.

13. Contact Us

The Luke 10:28 Project, LLC 1400 Chestnut Street, Apt 521, Chattanooga, TN 37402

Email: privacy@luke1028.com

The Luke 10:28 Project · luke1028.com · privacy@luke1028.com