The short version: Your ministry data — contacts, visit notes, literature records, addresses — stays on your device, encrypted. Two narrow exceptions: when you view the map, the addresses you've entered are sent to Apple Maps or Google Maps so they can be turned into pins (these are the device's built-in mapping services), and we collect anonymous product analytics and crash diagnostics to improve the app. Diagnostics is on by default and can be turned off anytime in Settings.
Who we are
Field Service Companion ("FSC", "the app") is published by Vineyard Software LLC, doing business as "Return Visits," operating in the United States. You can reach us at support@returnvisits.org.
What stays on your device
Your ministry data never leaves your device through us. Specifically:
| Data | Purpose | Where it lives |
| --- | --- | --- |
| Contacts you create in FSC | Managing return visits | Device only |
| Visit notes & literature records | Logging conversations and placed literature | Device only |
| Reminders & follow-ups | Scheduled local notifications for the next visit | Device only |
| Device contacts (READ_CONTACTS) | Optional import — only accessed when you choose to import | Device only |
| Your GPS location | Showing your current position on the map | Device only |
| Contact addresses (for map pins) | Geocoding to convert addresses into map pins | Sent to Apple Maps / Google Maps when you open the map |
| Encrypted backups | You create them; you control the recovery phrase | Device only |
About the map: FSC does not run its own mapping service. When you open the map view, FSC asks your device's built-in mapping service — Apple Maps on iOS, Google Maps on Android — to look up the addresses you've entered and return pin coordinates. That address lookup happens through the same mapping service your phone uses for everything else. We do not see those lookups. Apple's and Google's handling of those lookups is governed by their privacy policies, linked below.
What we collect and send to our servers
FSC collects anonymous product analytics and crash diagnostics to find bugs, fix problems, and understand which features are helpful. This data is processed by PostHog Inc. (United States) on our behalf.
What is collected
- Product events — which features you use (for example: opening the map, logging a visit, tapping a contact card). We collect that an event happened, not its content. We do not collect contact names, visit notes, addresses, phone numbers, or photos.
- App lifecycle events — app opens, backgrounds, crashes, cold-start performance.
- Crash and error reports — the error type, a sanitized error message, and a sanitized stack trace. Our error sanitizer strips contact names, visit notes, addresses, email addresses, and phone numbers before anything is transmitted, and the sanitizer is covered by automated tests that run on every build.
- A stable anonymous identifier — a random identifier generated on your device, used to understand unique-user counts and to link events from the same install. It is not tied to your real identity unless you sign in.
- Device metadata — app version, build channel (production or alpha/beta), operating system and version, device model, locale, available memory, available disk space, network type at launch, battery state, screen size, and whether Low Power Mode (iOS) is on. This is the kind of information that helps us reproduce a bug when you report one.
- If you sign in — your display name, email address, and which sign-in provider you chose. This is how we can reach you if you contact support.
What is NOT collected
- No contact names, addresses, phone numbers, or email addresses from the records you create in FSC
- No visit notes, conversation content, or literature titles you log
- No photos you attach to contacts
- No precise GPS location data
- No advertising identifiers — we don't run ads or share data with advertisers
- No third-party tracking pixels or fingerprinting
How to turn it off
Open Settings → Diagnostics and turn off "Send diagnostic data." When it's off, no analytics events, crash reports, or errors are transmitted. Product events already collected remain on the server unless you request deletion (see "Your rights" below).
Device permissions
Contacts (READ_CONTACTS) — requested only when you use the "Import from device contacts" feature. FSC reads the selected contact's name, phone, email, and address to create a new FSC record. No contact data is transmitted off your device through us.
Location (when in use) — requested only when you open the Map view. Your GPS coordinates are used on your device to display your blue-dot position. We do not transmit your GPS location. (Note: the addresses you've entered for your contacts are sent to your device's mapping service to be geocoded into pins — see the map note above.)
Notifications — requested when you set your first reminder. Used only for local reminders that fire on your device. No notification content is sent to any server.
Photos (NSPhotoLibraryUsageDescription) — requested only when you attach a photo to a contact. Photos stay on your device.
Encryption
- On your device, FSC's database is encrypted at rest using SQLCipher with AES-256.
- Your backups are encrypted with XChaCha20-Poly1305, protected by a six-word recovery phrase that only you know. We cannot read, recover, or restore your backups without that phrase. Choose your phrase carefully and write it down — if you lose it, your backup is unreadable, including by us.
- In transit, analytics and diagnostic data are encrypted using TLS before leaving your device.
Authentication
FSC uses Sign in with Apple or Sign in with Google to authenticate you. When you choose a provider, you interact directly with Apple or Google — not with us. We receive only your email address, display name, and a stable provider identifier. Apple's and Google's use of this data is governed by their own privacy policies:
Third-party services
FSC relies on a small set of third-party services, each performing a narrow function. We do not sell your data to any of them. None of them receive your ministry data (contacts, visit notes, literature records, photos) from us.
- PostHog Inc. (United States) — product analytics and crash diagnostics, processing the data described in "What we collect and send to our servers" above. PostHog privacy policy.
- Apple Maps / MapKit (Apple Inc., United States) — provides the map view and the address-to-pin geocoding on iOS. The addresses you've entered for your contacts are sent to Apple to be turned into pins when you open the map.
- Google Maps (Google LLC, United States) — provides the map view and the address-to-pin geocoding on Android. Same behavior as Apple Maps above.
- Apple Sign In / Google Sign In — identity providers as described above.
- Zendesk Inc. (United States) — runs our help center at help.returnvisits.org and routes any email you send to our support addresses. If you contact support, your email address and the content of your message are stored in Zendesk for as long as we operate.
- Loops (Loops Email Inc., United States) — handles our waitlist and launch-announcement emails. If you sign up on the landing page, your email address is stored in Loops and used only to send the updates you signed up for. You can unsubscribe at any time from any email we send.
We do not sell your data. We do not share your data with advertisers. We do not use your data to build advertising profiles.
Your rights
Regardless of where you live, you have the following rights over your data. Email support@returnvisits.org to exercise any of them. We will respond within 30 days.
- Right to access — request a copy of the data we have associated with your installation or account.
- Right to correction — most data is editable directly in the app. For account-level data, contact us.
- Right to deletion — request deletion of your analytics, diagnostic, and account data from our servers. Uninstalling the app also deletes all on-device data. If you had signed in, email us to have your account identifiers removed from analytics.
- Right to export — your ministry data can be exported from the app via the Backup feature, which produces an encrypted file you control. For analytics data associated with your installation, contact us.
- Right to opt out — turn off "Send diagnostic data" in Settings at any time. No analytics or crash reports are sent while it's off.
- Right to object — you may object to any processing of your data. Contact us to do so.
- Right to unsubscribe — every email we send via Loops includes a one-click unsubscribe link.
If you are in the European Economic Area, United Kingdom, Switzerland, or a U.S. state with comprehensive privacy legislation (California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, and others), the rights above apply with equivalent force under your local law. You may also have the right to lodge a complaint with your local data protection authority.
Children's privacy
FSC is not directed at children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
Changes to this policy
We will update this page when the policy changes. Material changes will be communicated through the app and by email (if you have an account or have signed up for updates) before they take effect. The "Last updated" date at the top of this page always reflects the most recent change.
Contact us
Questions, concerns, or requests about this privacy policy? Email support@returnvisits.org.