What FTC orders, investigations, and the companies' own privacy policies show about how faith apps, giving platforms, and data brokers handle the data of people who pray, give, and seek help — and the standard AskMyChurch holds itself to.
A church holds a different kind of information than a retailer does. People tell their pastor about a marriage falling apart, a relapse, a death, a crisis of faith. They give money. They show up at an address on a Sunday morning. When that activity moves onto an app or a website, it becomes data — and data about grief, addiction, sexuality, religion, and giving is among the most sensitive a person can generate.
The cases below are not hypotheticals. They are documented findings from news investigations, a federal regulator, academic researchers, and companies' own published policies. We've grouped them so you can see the patterns, and we've linked every source so you can read it yourself.
Location data from a phone is rarely just a dot on a map. Visited often enough, it reveals where you worship, who you are, and sometimes what you're struggling with.
In November 2020, a Vice/Motherboard investigation by Joseph Cox found that the Muslim prayer app Muslim Pro — downloaded over 98 million times — was sending users' granular location data to the data broker X-Mode, a firm the report found had sold location data to defense contractors and, ultimately, the U.S. military. Motherboard reported that Muslim Pro did not name X-Mode in its privacy policy. After the report, Muslim Pro said it was "immediately terminating our relationships with our data partners—including with X-Mode." A January 2021 follow-up by Cox found that several more Muslim prayer and Quran apps beyond Muslim Pro had also sent location data to X-Mode, which the report states "has sold location data to military contractors and by extension U.S. military intelligence."
The military procurement side was confirmed on the record. According to a November 17, 2020 Al Jazeera report, the U.S. Special Operations Command was procuring commercial location data from several companies, and Navy Commander Tim Hawkins stated that "our access to the software is used to support Special Operations Forces mission requirements overseas." In December 2020, Apple and Google ordered app developers to remove X-Mode's location-tracking SDK or face removal from the app stores, per an Engadget report.
X-Mode's story ended in front of the FTC. In a final order issued April 12, 2024, the FTC prohibited X-Mode and its successor Outlogic from sharing or selling any sensitive location data, settling allegations that the company sold precise location data that could be used to track people's visits to sensitive locations including places of worship. The FTC charged that the company failed until May 2023 to remove sensitive locations from the raw data it sold. FTC Chair Lina Khan called it a "first-ever ban" on the use and sale of sensitive location data, saying the Commission "rejects the premise so widespread in the data broker industry that vaguely worded disclosures can give a company free license to use or sell people's sensitive location data."
Christian apps surface in this category too. A January 2022 BuzzFeed News investigation by Emily Baker-White reported that an audit of Pray.com by privacy researcher Zach Edwards found the app shared granular data about the content its users consumed with several other companies, including Facebook. Edwards said "the Pray privacy policy, combined with the aggressive attribution vendors they partner with, creates a perfect storm to build deeply invasive profiles of religious voters," and the report noted such profiles could be uploaded into Facebook or Google to target ads. According to a Mozilla *Privacy Not Included* review from April 2022, Pray.com shared users' location data with vendors including Google Analytics, Braze, Mixpanel, Amplitude, and Twilio. Pray.com told BuzzFeed it "does not share users' public, private, or anonymous prayers" and content consumption with third parties for commercial purposes, but did not answer which data it shared with Facebook — and it added language disclosing that it buys data from brokers on December 22, 2021, after BuzzFeed's inquiry.
Tracking is a choice. A breach is a failure — and faith apps have had serious ones.
In 2020, Pray.com left four misconfigured Amazon S3 buckets publicly accessible. According to a November 19, 2020 vpnMentor report by Noam Rotem and Ran Locar — covered by Threatpost and Infosecurity Magazine — the exposure totaled roughly 262 GB across about 1.19 million files, potentially compromising the personal information of as many as 10 million people, most of whom were not Pray.com users. The exposed data included user profile photos (some belonging to minors), church attendee lists with full names, home and email addresses, phone numbers and marital statuses, church donation records, and entire phonebooks uploaded from users' devices containing the personal information of non-users. vpnMentor reported it discovered the exposure on October 6, 2020 and made repeated contact attempts; per Infosecurity Magazine, CEO Steve Gatena's reply to the breach notification was the single word "Unsubscribe," and the files were not removed until roughly five weeks later, after vpnMentor contacted Amazon directly.
Giving platforms have been exposed too. According to a December 11, 2023 vpnMentor report, researcher Jeremiah Fowler discovered a non-password-protected database of 948,029 records (465.27 GB) belonging to DonorView, a cloud-based donor-management and giving platform used by nonprofits including religious institutions — exposing donor names, addresses, phone numbers, emails, and payment-method details. And the breadth of the problem is documented academically: a 2022 peer-reviewed Concordia University study (Samarasinghe, Kapoor, Mannan & Youssef) measured 62,373 religious websites and 1,454 religious Android apps and found 32% of the sites and 78% of the apps hosted Google trackers, with session-replay services on 198 sites transmitting sensitive information to third parties.
For perspective on what these failures aren't: even well-run faith organizations get attacked. The Church of Jesus Christ of Latter-day Saints disclosed in October 2022 a cyberattack on its own systems that exposed members' names, birthdates, and contact information, which U.S. federal law enforcement suspected was state-sponsored — while stating the affected data "did not include donation history, or any banking information." A breach by a foreign adversary is a different category than a vendor quietly selling data on purpose. Both belong in a church's risk picture.
The hardest cases involve people reaching out at their lowest moment.
Crisis Text Line is a nonprofit mental-health crisis service. According to a February 1, 2022 Politico report by John Hendel, it shared anonymized data from texters' crisis conversations with Loris.ai, a for-profit company it created in 2018 and held an ownership stake in, which used the insights to build and market customer-service software. A Silicon Republic report citing the same Politico investigation noted the two entities shared the same CEO for at least a year and a half and that Loris had pledged to share revenue with the nonprofit. Crisis Text Line defended the arrangement by pointing to "an approximately 50-paragraph disclosure statement" texters consent to before being paired with a counselor — and critics questioned whether someone in emotional distress can reasonably process that.
The reaction was swift. FCC Commissioner Brendan Carr wrote to both organizations asking them to end the arrangement "to preserve the integrity of mental health hotlines," and called some of the nonprofit's characterizations of its data sharing "disturbingly dystopian." Sen. Kirsten Gillibrand said "someone seeking help in a crisis shouldn't have to worry about their data being sold." Stanford privacy fellow Jennifer King told Popular Science: "These are people at their worst moments. Using that data to help other people is one thing, but commercializing it just seems like a real ethical line for a nonprofit to cross." On January 31, 2022, Crisis Text Line announced it had ended the data-sharing relationship and requested that Loris delete the data it had received. Founding board member and former chair danah boyd wrote that the organization "concluded that we were wrong to share texter data with Loris.ai."
The same pattern recurs with suicide hotlines' websites. A June 13, 2023 investigation by The Markup found that of 186 local crisis center websites tested under the national 988 Suicide and Crisis Lifeline umbrella, 33 used the Meta Pixel — sending signals to Facebook in cases such as a visitor clicking a "24-Hour Crisis Line" button, and, on at least one site, transmitting hashed first and last names and email addresses from a contact form.
Several FTC actions show that "churchgoer" is not a metaphor — it has been a literal, sellable audience segment.
The FTC sued data broker Kochava in August 2022, alleging its sale of mobile geolocation data could be used to track individuals to places of worship and reveal their religious beliefs; the agency said its analysis of a public Kochava data sample identified devices located at "Jewish, Christian, Islamic, and other religious denominations' places of worship." In a May 4, 2026 announcement, the FTC said a proposed settlement would bar Kochava and its subsidiary Collective Data Solutions from selling or sharing sensitive location data — including visits to places of worship — without affirmative express consent.
The segment names are explicit elsewhere. In a January 18, 2024 order, the FTC found that data aggregator InMarket Media sorted consumers into nearly 2,000 location-based audience segments, including categories "as specific as 'parents of preschoolers,' 'Christian church goers,' and 'wealthy and not healthy.'" And in a December 2024 action against Gravy Analytics and Venntel, the FTC alleged Gravy used geofencing to identify and sell lists of consumers who attended places of worship. The agency's Federal Register analysis of the proposed consent order states that Gravy "created custom audience segments for customers based... on consumers' church attendance," alongside segments from attendance at a cancer charity run and political activities.
A pixel is a snippet of code a website embeds so a platform like Facebook can recognize visitors. It runs quietly, and it has been found in sensitive places.
A June 15, 2022 joint investigation by The Markup and Reveal analyzed nearly 2,500 crisis pregnancy center websites — which it described as "mostly run by religiously aligned organizations" — and found at least 294 shared visitor information with Facebook via the Meta Pixel. More than a third of those sites sent data to Facebook when a visitor booked an "abortion consultation" or "pre-termination screening," and at least 39 sent Facebook the person's name, email, or phone number. Using a test account, researchers found Facebook retained data about interactions with 88% of those sites, linking the behavior to the user's profile. A June 16, 2022 Markup investigation separately found the Meta Pixel on 33 of the top 100 U.S. hospitals' websites, including inside the password-protected patient portals of seven health systems. In response to the crisis-pregnancy-center findings, Meta said it is against its policies to send sensitive information through its Business Tools and that its system is designed to filter out potentially sensitive data.
Some of the clearest evidence is what companies write down themselves. We quote their published policies; we draw no conclusions beyond the text.
The YouVersion Bible App is operated by Life.Church. A June 24, 2026 Exodus Privacy static-analysis report found the Android package contained code signatures for 8 third-party trackers — Amplitude, Branch, Facebook (Analytics, Login, and Share), Google Firebase Analytics, Sentry, and Snowplow — and requested 22 permissions, 4 of them flagged as dangerous (coarse location, contacts, and external storage read/write). Exodus notes such signatures are "not a proof of activity of these trackers." YouVersion's own privacy policy (updated November 16, 2025) states it uses third-party SDKs "to attribute a download of YouVersion to the advertisement placed on the third-party site," and uses precise location, when shared, for features like event check-in. The same policy states YouVersion does not sell users' personal information, does not allow its SDK providers to sell it, and does not share personally identifiable data with third-party advertisers for advertising purposes — while noting it may disclose aggregated, de-identified usage data. (For historical context, a 2013 Slate report documented the app collecting IP addresses and GPS locations, and a 2020 YouVersion blog post stated it does not actively track device location and has no plans to monetize the app or sell data or ads.)
Hallow, a Catholic prayer app, states in its privacy policy (effective February 8, 2026) that it uses personal data for "showing you advertisements, including interest-based or online behavioral advertising," and shares data with "Advertising Partners" who "help us market our services and provide you with other offers." That same policy also affirmatively states Hallow does not sell personal data and does not provide users' personal data to data brokers, and reserves the right to transfer all collected personal data in a merger, acquisition, or bankruptcy. A 2022 BuzzFeed News investigation reported Hallow's policy allowed sharing user data with business partners for targeted advertising and gave the company "sole discretion" over disclosing user information to governments or private parties — though Hallow told BuzzFeed it had not actually exercised those permissions. A Mozilla review (May 2022) found Hallow "seems to particularly be fond of advertising on Facebook."
Pushpay, a church giving and management platform, collects sensitive profile data including age, sex, marital status, "religious affiliation or denomination," photographs, and precise geolocation when enabled (per its policy updated May 15, 2025). Its policy permits sharing user data "with advertisers or other business partners as part of special contests, sweepstakes, and other promotions," producing aggregated and anonymized reports it "may share publicly or with outside parties," and sharing data across its group of companies including Church Community Builder, LLC. In its CCPA section, Pushpay states it "does not sell personal information, so we do not have an opt-out."
Gloo, a Boulder, Colorado data company, works with many churches, so it's worth stating only what's verified.
According to a December 2021 Wall Street Journal investigation (reprinted by Fox Business), Gloo had compiled profiles on about 245 million Americans and worked with more than 30,000 churches — roughly 10% of U.S. congregations — analyzing personal data and online activity to help churches reach people most likely to be receptive to their messages. The WSJ reported that Gloo's own marketing documents said it acquired a list of 30,000 divorced couples, identified shared attributes (high credit-card activity, recent travel bookings, low likelihood to manage health), and used them to find more than 33 million married Americans with similar patterns. Gloo also said in marketing materials it could predict characteristics of people who might have a marriage in trouble, be suffering from depression or anxiety, or have a propensity for drug addiction; after the Journal began reporting, Gloo said it was no longer using mental-health data and had changed some earlier practices. The WSJ and The Christian Post reported Gloo "incorporates thousands of data points from third-party providers" and declined to say where it got the data, citing confidential agreements. A November 2022 Religion Unplugged profile by Steve Rabey reported Gloo analyzes its data "searching for people who are exhibiting signs of crisis, stress, anxiety, divorce, depression, substance abuse or grief," and says it connects more than 300 people to churches every day.
For its part, Gloo states its own position in its Data Privacy FAQ (last revised March 16, 2023): it licenses personal information from data providers but "does not seek to receive names and contact information of data subjects," removes identifying information if a provider includes it, does not share such information in identifiable form with customers, and "does not 'sell' a consumer's personal information... and/or engage in activities that meet the definition of 'data' broker." Its Privacy Statement (effective December 16, 2025) discloses that the data it collects can include sensitive categories such as racial or ethnic origin, religious affiliation, and health information, obtained from data analytics providers, publicly available sources, and third parties. We present both the reporting and the company's own statements and let church leaders weigh them.
AskMyChurch is built by Vision Genesis as the front door of a church — on call around the clock — and it is designed against the failure modes above. These are our design rules, stated plainly.
It is anonymous by default. There are no accounts, no names, and no device tracking. It builds no profile of the person asking. There is nothing to re-identify later, because the identifying data is never collected in the first place.
It answers only from the church's own content, and it says "I don't know" rather than guess. Before any reply, it runs a grounding check against that content. When someone is in crisis, it routes them to a real person before any AI reply.
Care themes surface as themes — never names, never anyone's private words. The church's content stays the church's. AskMyChurch does not sell or broker data, and it has no advertising partners, no audience segments, and no data brokers in the loop.
We say this here because the record above shows how often "we don't sell your data" sits next to a policy that permits exactly that. Our claim is narrower and checkable: the data isn't there to sell.
It depends on the app — read each policy. Some affirmatively say they do not sell personal data: YouVersion, Hallow, and Pushpay each state so in their policies, while still permitting advertising-related sharing or aggregated disclosure. Others have been documented sharing or buying data — a 2022 BuzzFeed News investigation reported Pray.com shared content-consumption data with companies including Facebook. AskMyChurch does not sell or broker data and builds no profile of the person asking.
With AskMyChurch you are anonymous by default — no account, no name, no device tracking — and care needs surface only as themes, never names or private words. With other tools, check the policy: a 2022 BuzzFeed News report found Pray.com said it does not share users' prayers for commercial purposes but did not answer which data it shares with Facebook.
According to a February 2022 Politico report, the nonprofit shared anonymized data from texters' crisis conversations with Loris.ai, a for-profit company it created and held a stake in, which used the insights to build customer-service software. After public backlash and pressure from an FCC commissioner and a U.S. senator, Crisis Text Line ended the arrangement on January 31, 2022 and asked Loris to delete the data.
A November 2020 Vice/Motherboard investigation found the app sent granular location data to the broker X-Mode, which had sold data to defense contractors and ultimately the U.S. military. Muslim Pro said it was terminating its data-partner relationships, including X-Mode. In April 2024 the FTC barred X-Mode and its successor Outlogic from selling sensitive location data.
Yes. The FTC found that InMarket Media maintained nearly 2,000 audience segments including “Christian church goers” (January 2024), and that Gravy Analytics created custom segments based on church attendance (December 2024).
Vision Genesis built AskMyChurch to be private by design: anonymous by default with no accounts or device tracking, answering only from the church's own content with a grounding check before every reply, routing crises to a real person first, surfacing care needs as themes rather than names, and selling or brokering no data. Compare any alternative against the published policies linked in our case study.
Updated 2026-06-26 · AskMyChurch by Vision Genesis · Knoxville, TN
See it answer — try a live demo →