Applications
OCIA Companion

Privacy Policy

Last updated · May 27, 2026

OCIA Companion is account-based software built for catechumens, sponsors, directors, and dioceses walking together through the Order of Christian Initiation of Adults. Because the app is shared software with classrooms, sponsors, and messaging, we do collect and store information beyond what stays on your device. This page describes what we collect, what we do with it, and what others in your parish can see.

i.What We Collect

OCIA Companion is an account-based app. To use it, you create an account with an email address and a password. The information we collect falls into a few categories:

  • Account information. Your email address, password (stored in hashed form by our authentication provider), and the role you select at sign-up (candidate, sponsor, director, or diocese administrator).
  • Profile. A display name, an optional avatar image, and your notification preferences. Directors also provide a parish name, city, and state during sign-up; diocese administrators provide a diocese name and contact email.
  • Formation activity. Things you do inside the app within a classroom — discussion posts, quiz responses, attendance, tasks, poll answers, announcement reads, and your OCIA stage (inquiry, catechumenate, purification, initiation, or mystagogy).
  • Messages. Direct messages between a sponsor and their paired candidate, stored on our backend so both parties can read them across devices.
  • Documents. Files a director uploads to their classroom (study materials, handouts, schedules) and any avatar images you upload.
  • Devices. When you enable push notifications, we store a push token for each device you sign in on (along with a device platform — iOS or Android — and an opaque device identifier so we can replace it when the platform rotates the token).
  • Diagnostic data. Anonymous crash reports and performance traces that help us find and fix bugs. These do not include the content of your entries or messages, and they explicitly exclude personally identifying information by configuration.

ii.How We Use What We Collect

We use the information above to operate the app — to sign you in, place you in the right classroom, deliver messages to the right people, render content for your role, and notify you about things you've opted in to. We do not use any of it for advertising, and we do not build profiles for marketing purposes.

Your email address is used to sign you in, to verify your account, to reset your password if you forget it, to send sponsor invitations when a director invites you to a classroom, and to send occasional transactional messages directly related to your use of the app. We do not send marketing email.

iii.What Others in Your Classroom Can See

OCIA Companion is shared software. Within a classroom you have joined, other members can see content that you contribute to that classroom:

  • Your display name, your role (candidate, sponsor, or director), and your current OCIA stage are visible to other members of the same classroom.
  • Discussion posts, quiz participation, attendance, polls, and announcements are visible to the classroom according to each feature's design.
  • Messages between a sponsor and their paired candidate are visible only to those two people. They are not visible to the director, to other members, or to Credoworks staff except as needed to operate the system.
  • Documents uploaded by a director are visible to members of that classroom.
  • Diocese administrators can see parish-affiliation requests for their diocese; they do not have access to the contents of any classroom.

Email addresses, passwords, and notification preferences are not shown to other members.

iv.Third-Party Services

OCIA Companion is built on a small number of carefully chosen services. Each plays a defined role and is bound by its own terms and privacy practices:

  • Supabase hosts our database, authentication, file storage, and realtime infrastructure. Account data, profile data, classroom content, messages, documents, and push tokens are stored in our Supabase project. See Supabase's privacy policy.
  • Expo Push Notifications delivers push notifications to your device. Push tokens are sent to Expo's service, which in turn delivers messages through Apple Push Notification service (iOS) or Firebase Cloud Messaging (Android). See Expo's privacy policy.
  • Sentry receives anonymous crash reports and a sampled set of performance traces from the mobile and web apps. We configure Sentry to omit personally identifying information by default. See Sentry's privacy policy.
  • Vercel hosts our web application. As with any web host, Vercel sees standard request metadata (IP address, user agent, requested path) at the moment of each request. See Vercel's privacy policy.
  • Apple App Store and Google Play Store distribute the mobile app and handle download statistics, ratings, and reviews. Their own privacy policies govern that activity.

We do not use advertising networks, analytics SDKs that build cross-site profiles, attribution trackers, or any third party whose business model is selling information about users.

v.Push Notifications

If you enable notifications, the app registers a push token with our backend so we can send you alerts for things like announcements, new discussion posts, and direct messages. You can adjust which categories you receive (or silence all notifications with a master switch) at any time in the app's settings. Disabling notifications in your device's system settings also stops them.

vi.Security

Passwords are hashed by our authentication provider — we never see them. Authentication sessions on your device are stored in the platform's secure storage (Apple Keychain on iOS, Android Keystore on Android). Access to your data inside our database is enforced by row-level security policies so that, for example, your direct messages can be read only by you and the person you sent them to.

No system is perfectly secure. If you believe your account has been compromised, please write to us right away.

vii.Retention

We retain your information for as long as you keep an active account. Messages are kept indefinitely so both parties can refer back to them; classroom content (announcements, discussions, attendance, etc.) is kept for the life of the classroom. When a parish discontinues using OCIA Companion, classroom content for that parish may be archived for a reasonable transition period and then deleted.

viii.Account Deletion

You may request deletion of your account and the personal information associated with it by writing to contact@credoworks.net from the email address on the account. Once we verify the request, we will remove your profile and the personal data tied to it within a reasonable period.

A note on shared content: discussion posts, quiz responses, attendance records, and messages you have already exchanged may remain visible to other classroom participants for the integrity of the formation record, even after your profile is removed. Where possible, your contributions will be shown as authored by a removed account rather than by your name.

ix.Children's Privacy

OCIA Companion is designed for adult formation. It is not directed to children under 13, and we do not knowingly collect personal information from them. If a parish enrolls minors in OCIA, that should be done with parental or guardian consent in accordance with local norms and applicable law.

x.Changes to This Policy

If we make material changes to this policy, we will post the revised version on this page along with an updated revision date. For substantial changes, we will also notify active users by email or via an in-app notice.

xi.Contact

Questions about this policy, or requests related to your information, may be sent to contact@credoworks.net.