Your data. Your control.
A bishop manages sensitive information. Here's exactly what BishOps stores, who can see it, and what we will never do with it.
The design principle: collect as little as possible.
Before building any feature, the first question was: what member data does this actually require? Not what would be convenient to have — what's the minimum needed to do the job?
That question cut out addresses, phone numbers, email addresses, ordinance records, and gender. None of those are needed to track a calling, schedule an interview, or plan a sacrament meeting. So none of them are stored.
What remains is a deliberately small set of fields — and even within those, the least-sensitive version of each.
The exact list of what we store
We only store what you give us. There is no automated access of any kind — no LCR sync, no Church API, no scraping. We only ask for the following, and every field has a specific operational purpose:
Name
So leaders can identify members in the calling pipeline, interview queue, and meeting programs.
Birth year and birth month — not the full date
To route baptism interviews for children approaching age 8, and to spread youth interviews across the calendar year. The day of birth is discarded immediately — only month and year are kept, because the day is the high-value identity credential and isn't needed for any of these purposes.
Calling and sustained date
To track current assignments and manage the calling pipeline.
Temple recommend expiration date
To schedule renewal interviews before recommends lapse. Only the expiration date is stored.
Free-text notes
So leaders can track follow-ups in the calling pipeline and interview log. Visible only to the leaders you authorize. Leaders can delete individual notes at any time.
What BishOps does not store
Addresses, phone numbers, email addresses, ordinance records, and gender are never collected — not because of a policy that could change, but because none of them are needed and they were never built in.
Only the leaders you authorize
Access is controlled at two levels: by you, and by the database itself.
You decide who has access
You invite leaders to your ward and assign roles. A music coordinator, for example, can't see callings or interview records — their role only surfaces what their calling requires.
The database enforces it
At the database level, every query is restricted to your ward's data. Cross-ward access is structurally impossible — not just policy, but an architectural constraint built into how data is stored and queried.
Your data is yours — to keep or remove
No lock-in. No friction. You're in control of the data's lifecycle.
Full ward export
- ✓Download all member records as CSV anytime
- ✓No permission required — you own the data
- ✓Available from ward settings at any time
Account deletion
- ✓Close your ward account anytime
- ✓All records deleted from live systems immediately
- ✓Backup copies expire within 7 days
Where your data lives
US-based infrastructure, encrypted in transit and at rest.
Database
Supabase — US-based PostgreSQL, encrypted at rest.
Encryption
TLS for all data in transit. Database encryption at rest. All connections over HTTPS.
Backups
Automated encrypted backups. Deleted data is purged from backups within 7 days.
What we will never do
Hard commitments, not fine print.
No selling
Member data is never sold, licensed, or shared with any third party for commercial purposes.
No profiling
We don't build member profiles for advertising, marketing, or any purpose beyond operating the platform.
No cross-ward use
Your ward's data never combines with another ward's. Each ward is fully isolated.
Independent. Built for bishoprics, by a bishop.
BishOps is not affiliated with, endorsed by, or reviewed by The Church of Jesus Christ of Latter-day Saints. It's an independent tool that ward leaders choose to use — like a spreadsheet or shared document, but purpose-built for the work.
Ward leaders who import data from LCR do so using their own authorized access to that system. BishOps doesn't access LCR directly, via API, or through any automated means.
This independence means you own your relationship with your data. BishOps serves your ward — not the other way around.
Still have questions about your data?
Reach out directly — a real person reads every message.