Churches trust Lingual with two sensitive things: the live words of your
services, and your Planning Center connection. This page explains in plain
English how we protect both. It's written for the person on your tech team
who has to sign off — if anything here raises a question, email
hello@lingual.services and we'll
get on a call.
Your Planning Center connection
We never see your password. Connecting Planning Center
uses OAuth: you sign in on planningcenteronline.com itself, and Planning
Center hands Lingual a limited-access token. Your PCO password is never
typed into, transmitted through, or stored by Lingual.
We ask for the least access that makes the product work.
Lingual requests exactly one permission:
Services — to read your service plans and plan
times, so your bulletin and captions assemble themselves each week.
What we can never access: your People / member directory,
Giving and donor records, Check-Ins (children's ministry data), and Groups. We
don't request those permissions, so Planning Center itself blocks that data from
us — even in the worst case where Lingual were compromised, your member,
donor, and children's data is not reachable through our connection. Your email
comes from you directly at sign-up, never from Planning Center.
How tokens are stored. Access tokens are encrypted at
rest with authenticated encryption (AES with integrity checking). The
encryption key lives in our hosting provider's secrets manager, separate
from the database — someone with a copy of the database alone cannot
read your tokens. Keys support rotation, and every deploy runs a
self-test: a missing or malformed key fails the health check and the app
never serves traffic. A syntactically valid key that doesn't match
existing data surfaces as loud decryption failures on use — never a
silent fallback to plaintext.
Tokens are never exposed. They are never written to
logs, never appear in URLs, and are never returned by any API endpoint.
Token refresh happens entirely server-side.
Disconnect any time. One click in operator settings
deletes your Planning Center credentials from our systems immediately. If
you want belt and suspenders, you can also revoke Lingual's access from
your Planning Center account's integrations page — that kills the
connection from Planning Center's side too.
What we store — and what we don't
Service plans — cached to render your bulletin,
refreshed from Planning Center.
Captions and translations — retained to power
Sermon Notes and to evaluate translation quality.
Service audio — kept for a 10-day retention window to
evaluate transcription quality, then removed by a daily automated purge shortly after the window ends. Audio capture can be
disabled entirely for your church on request.
Attendees: nothing. Attendees need no app, no
account, and no sign-in — they scan a QR code and read. We do not
collect attendee names, emails, or locations.
Platform security
Encrypted in transit — HTTPS everywhere, edge
to origin; live captions travel over encrypted WebSockets (WSS).
Encrypted at rest — data lives on encrypted
volumes, with the additional application-layer encryption on Planning
Center tokens described above.
Tenant isolation — every request is scoped to
one church; cross-tenant access is explicitly cleared at the middleware
layer, and in production our edge proxy authenticates itself to the
origin with a shared secret so forwarded tenant-routing headers are
only trusted from our own edge.
Standard web hardening — parameterized SQL
throughout, HttpOnly/Secure cookies, origin-checked operator
connections, and per-IP rate limits on attendee connections.
Secrets management — API keys and encryption
keys live in the platform secrets manager, never in code or the
database.
Process
Security audit (May 2026) — an internal audit
covering the full application surface; all 11 findings were fixed and
deployed the same day.
Reviewed before release — every change ships
through a pull request: automated tests must pass, two AI reviewers from
different vendors review each change, and every finding must be resolved
before the merge is allowed.
No mid-service deploys — our deploy tooling
refuses to ship while any church is live in a service. The check is
automatic, not a policy we promise to remember.
If something goes wrong
If we discover a breach affecting your data, we will notify you promptly
at the email address on file, consistent with our
Privacy Policy.
Found a vulnerability? Email
hello@lingual.services with
“Security” in the subject. We read these first and respond
fast — reports are genuinely appreciated.
A note from the founder. Lingual is a small company, and
we'd rather over-share than hide behind boilerplate. If your church's
tech team or elders want to walk through any of this live, email us
— we're happy to get on a call and show you exactly how it works.