Privacy Policy

1. Introduction

Discover Catholic Business (“DCB”, “we”, “our”, or “us”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data when you visit or use our website at discovercatholicbusiness.com (“the Service”).

By using the Service, you consent to the data practices described in this policy. If you do not agree with these practices, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

• Account information: Email address and display name when you create an account. We use Google Firebase Authentication to securely manage sign-in. We do not store your password — authentication is handled entirely by Firebase.
• Profile information: Optional details you choose to provide, such as your zip code (used for proximity search) or bio
• Business listing submissions: Business name, description, contact information, category, and other details when you submit a listing
• Reviews and ratings: Content you post when reviewing a business
• Communications: Messages when you contact us via email
• Payment information: When purchasing a paid subscription, payment details are collected and processed directly by Stripe, our payment processor. We do not store credit card numbers, bank account numbers, or other financial data on our servers. We receive only a transaction confirmation, subscription status, and customer ID from Stripe.

2.2 Information Collected Automatically

• Usage data: Pages visited, search queries, categories browsed, listings viewed, and actions taken (e.g., clicking a business website link). This data is collected in aggregate to help us understand how the directory is used and to improve the Service.
• Device information: Browser type, operating system, screen resolution, and device type
• IP address: Used for security purposes (bot detection, rate limiting) and approximate geographic location. We do not use IP addresses for advertising or tracking across other websites.
• Cookies: Small data files stored on your device (see Section 5 for details)

2.3 Information We Do NOT Collect

• We do not collect data on behalf of any third party
• We do not use tracking pixels from ad networks or data brokers
• We do not build advertising profiles or behavioral profiles for external use
• We do not collect biometric data, health information, or financial account details
• We do not engage in cross-site tracking for advertising purposes
• We do not collect sensitive personal information such as race, ethnicity, religious beliefs, sexual orientation, genetic data, or precise geolocation (within 1,750 feet) beyond what you voluntarily provide

2.4 Publicly Available Business Information

Some business listing information in our directory is compiled from publicly available sources on the internet, including business websites, public directories, chamber of commerce listings, diocesan directories, and other public records. This information is limited to business names, addresses, phone numbers, websites, categories, and descriptions that businesses have made publicly available online. We do not scrape personal email addresses, personal social media profiles, or other personal information of individuals. Our data collection is limited to publicly available business information.

If you are a business owner and wish to update, correct, or remove your business listing from our directory, please contact us at hello@discovercatholicbusiness.com. We will process removal requests within thirty (30) days.

3. How We Use Your Information

We use the information we collect for the following purposes only:

• Operating the Service: Displaying the directory, processing searches, showing personalized proximity results, and managing your account
• Security and fraud prevention: Detecting bots, scrapers, and abusive activity; enforcing rate limits; protecting the integrity of our database
• Processing payments: Managing subscriptions and communicating with Stripe for billing purposes
• Communications: Responding to your inquiries, sending transactional emails (account confirmation, ownership claims, billing notifications), and service-related announcements
• Improving the Service: Analyzing aggregate usage patterns to improve search quality, directory organization, and user experience
• Legal compliance: Complying with applicable laws, regulations, and legal processes

We will never use your information to build advertising profiles, sell leads, or enable third-party marketing of any kind.

Legal Basis for Processing

Our legal basis for processing your information includes:

• Contractual necessity: Processing required to operate your account, provide the Service, and process payments
• Legitimate interests: Processing for security, fraud prevention, service improvement, and analytics (where these interests are not overridden by your privacy rights)
• Consent: Where you have explicitly provided consent, such as optional profile information or email communications
• Legal obligation: Processing required to comply with applicable laws and regulations

4. Information Sharing and Disclosure

We do not sell, rent, lease, or trade your personal information to any third party. Period.

We may share limited information only in the following narrow circumstances:

• Service providers (data processors): We use a small number of trusted service providers to operate the Service. These providers process data solely on our behalf and under our instructions:
  • Firebase (Google): Authentication only
  • Supabase: Database hosting
  • Vercel: Website hosting, serverless functions, and edge security (including rate limiting via Vercel KV)
  • Stripe: Payment processing
  • Resend: Transactional email delivery
  • Google Analytics (GA4): Anonymous, aggregate website usage analytics — with IP anonymization enabled
• Legal requirements: When required by law, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others
• Business transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, in which case you will be notified via email and/or a prominent notice on the Service
• Widget analytics: When parishes or organizations use our embeddable directory widget, we may share aggregated, anonymous usage statistics (such as search counts, impression counts, and click counts) with the widget subscriber. No personally identifiable information of end users is shared through the widget.

We do not share data with advertisers, data brokers, analytics companies (other than GA4 as described above), social media platforms, or any other third parties for their own commercial purposes.

5. Cookies and Tracking Technologies

We use a minimal number of cookies, all of which serve functional or security purposes:

Essential Cookies (Required)

These cookies are necessary for the Service to function and cannot be disabled:

• Authentication cookie (dcb-auth): Identifies logged-in users so they can bypass rate limits. Essential for the Service to function properly for registered users.
• Language preference (dcb-language): Remembers your language selection across visits. Set with the Secure flag in production.

Analytics Cookies (Non-Essential)

These cookies help us understand how visitors use the Service:

• Google Analytics cookies (_ga, _gid): Collect anonymous usage statistics to help us understand how the site is used. GA4 is loaded with a 5-second delay to minimize performance impact. You can opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on.

Browser Local Storage

We also use browser local storage to save your location preferences (such as coordinates for proximity search) and other user settings. This data stays on your device and is not transmitted to our servers except when used to personalize search results during your session.

We do not use advertising cookies, third-party tracking pixels, social media tracking cookies, or cross-site tracking technologies. You can control cookies through your browser settings, though disabling essential cookies may affect your ability to use certain features of the Service.

6. Data Security

We take the security of your information seriously and implement industry-standard measures to protect it, including:

• HTTPS encryption (TLS) for all data in transit
• HSTS (HTTP Strict Transport Security) with 2-year duration and preload
• Content Security Policy (CSP) headers to prevent cross-site scripting
• X-Frame-Options DENY to prevent clickjacking
• Rate limiting to prevent automated abuse
• Firebase Authentication for secure sign-in (we never store passwords)
• Stripe PCI-compliant payment processing (we never handle card data)
• Role-based access controls for administrative functions
• Regular security audits of third-party dependencies

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected users and relevant authorities as required by applicable law. We will provide notification within thirty (30) days of discovering the breach, including the nature of the breach, the categories of information affected, and recommended steps you can take to protect yourself. We will also report the breach to the appropriate state attorneys general and other regulatory authorities as required by applicable state and federal data breach notification laws.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy:

• Account data: Retained while your account is active. When you delete your account, your personal data is removed from our active database within thirty (30) days.
• Business listings: Retained for as long as the listing is active in the directory. Removed listings may be retained in encrypted backups for up to ninety (90) days before automatic purging.
• Usage analytics: Aggregate, anonymous usage data may be retained indefinitely as it cannot be linked to individual users.
• Payment records: Transaction records are retained as required by tax and accounting laws (typically 7 years).
• Security logs: Access logs used for security monitoring are retained for a limited period and then automatically purged.
• Backups: Encrypted database backups are retained for up to ninety (90) days and then permanently deleted.

When you request deletion, we remove your data from active databases within thirty (30) days. Data may persist in encrypted backups for up to ninety (90) days before automatic purging. Once deleted, your data cannot be recovered.

8. Your Rights and Choices

Regardless of your location, we provide the following rights to all users:

• Access: You can view the personal information associated with your account at any time through your account settings
• Correction: You can update your display name, zip code, and other profile information through your account settings
• Deletion: You can delete your account and associated personal data at any time through your account settings. This action is permanent and cannot be undone.
• Data portability: You may request a copy of your personal data by contacting us
• Opt-out of analytics: You can opt out of Google Analytics using the browser add-on linked in Section 5

To exercise any of these rights or make a data-related request, please contact us at hello@discovercatholicbusiness.com. We will respond to verified requests within thirty (30) days. If we need additional time, we will notify you of the extension and the reason within the initial 30-day period. Extensions shall not exceed an additional forty-five (45) days.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). While our business may not currently meet the thresholds that trigger mandatory CCPA compliance, we voluntarily provide the following rights to all California residents:

• The right to know what personal information is collected, used, and shared
• The right to delete personal information held by us
• The right to correct inaccurate personal information
• The right to opt-out of the sale or sharing of personal information — we do not sell or share personal information, so this right is already satisfied
• The right to limit the use of sensitive personal information — we do not collect or process sensitive personal information beyond what is necessary to provide the Service
• The right to non-discrimination for exercising your privacy rights

Authorized agents: California residents may designate an authorized agent to make privacy requests on their behalf. We may require proof of the agent's written authorization and verification of your identity before processing such requests. Authorized agent requests should be submitted to hello@discovercatholicbusiness.com with documentation of authorization.

Residents of Other U.S. States

Residents of states with comprehensive privacy laws — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Indiana, Kentucky, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Montana, Iowa, Delaware, Maryland, Minnesota, and other states that have enacted or may enact similar legislation — may have additional rights under their state's privacy law. We honor the rights described in this Section 8 for all users regardless of location, including rights of access, correction, deletion, data portability, and opt-out.

Appeal Process

If we deny a privacy request, you may appeal the decision by contacting us at hello@discovercatholicbusiness.com with the subject line “Privacy Appeal.” We will respond to appeals within sixty (60) days with a written explanation of our decision. If you are unsatisfied with the outcome of the appeal, you may contact your state's attorney general to file a complaint.

Do Not Track and Global Privacy Control

Some browsers transmit “Do Not Track” (DNT) signals. Because there is no common industry standard for DNT, we do not currently respond to DNT signals. However, as described throughout this policy, we already minimize tracking and do not engage in cross-site tracking or targeted advertising.

We honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid request to opt out of the sale or sharing of personal information. Since we do not sell or share personal information, GPC signals are already satisfied by our default practices.

9. Children's Privacy

Our Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at hello@discovercatholicbusiness.com. If we discover that we have collected personal information from a child under 13, we will delete that information promptly.

We do not knowingly sell or share the personal information of consumers under 16 years of age. Since we do not sell or share any user's personal information, this requirement is satisfied for all users regardless of age.

10. Automated Decision-Making

We do not use automated decision-making technology, including profiling, to make decisions that produce legal or similarly significant effects concerning you. Our automated systems are limited to: (a) bot detection and rate limiting for security purposes; and (b) search result ranking based on your search query and optional proximity preferences. These automated processes do not affect your access to services, pricing, or other material outcomes.

11. Third-Party Links and Services

Our Service contains links to third-party websites, including the websites of listed businesses, Stripe for payment processing, and social media platforms. These external sites have their own privacy policies, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policy of any external site you visit.

Clicking a link to a listed business's website leaves our Service. We are not responsible for any data collection or practices of the linked business.

12. International Users

The Service is operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to the transfer of your information to the United States.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the “Last updated” date at the top of this page. For material changes, we will notify registered users via email at least thirty (30) days before the changes take effect. We encourage you to review this policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: hello@discovercatholicbusiness.com

Website: discovercatholicbusiness.com

We aim to respond to all privacy-related inquiries within 30 days.