Security & Trust

Your church's conversations stay your church's.

Manna handles prayer requests, pastoral conversations, visitor details and giving information — data that matters. Here's exactly how that data is protected, who can see it, and what your church controls.

POPIA Registered
IR Reg# 2026-024052
Enterprise infrastructure
Built on SOC 2 + ISO 27001 platforms
Encrypted
In transit & at rest
South African
M-Chat (Pty) Ltd · Reg 2013/008001/07
What your church owns

You own the data. Always.

Every conversation, every prayer request, every visitor detail, every sermon and every member record that flows through Manna belongs to your church. M-Chat (Pty) Ltd is the Operator under POPIA; your church is the Responsible Party. That's not just legal phrasing — it's the foundation of how Manna is built.

What your church can request, any time

  • Request export of all your church's data in a portable format
  • Request permanent deletion of any conversation, contact or record
  • Request a Data Subject Access Report for any congregant
  • End the service and take everything with you

What Manna will never do

  • Sell your church's data to anyone, for any reason
  • Serve advertising inside conversations or your dashboard
  • Use your church's message content to train shared AI models
  • Share your church's data with other churches on the platform
POPIA & Information Officer

Registered with the Information Regulator.

M-Chat (Pty) Ltd has registered its Information Officer with the South African Information Regulator, as required under Section 55 of the Protection of Personal Information Act, 2013. This is the only POPIA-related document the Regulator officially issues — and it's verifiable on the public register.

Information Officer
Ehren Bhimsan
Registration Number
2026-024052
Registration Date
04 June 2026
Privacy Contact
Sub-processors

Every partner that touches your data.

POPIA requires us to disclose who else may process your church's personal information on our behalf. Here's the full list. Each one is bound by their commercial data processing terms, and customers can request to be notified of sub-processor changes by emailing privacy@m-chat.ai.

Service Purpose Certifications
WotNot
Conversational platform & WhatsApp Business orchestration SOC 2 Type II ISO 27001 GDPR
Meta (WhatsApp)
WhatsApp Business Platform — message delivery ISO 27001 SOC 2 GDPR
Microsoft Azure
Email delivery, file hosting, identity SOC 2 Type II ISO 27001 ISO 27018
Cloudflare
CDN, edge compute, key-value storage SOC 2 Type II ISO 27001
Anthropic
Language model API for response generation SOC 2 Type II GDPR
Monday.com
Internal church CRM & onboarding pipeline SOC 2 Type II ISO 27001
Payfast
Payment processing (card & EFT) PCI-DSS Level 1
Sensitive ministry content

Prayer requests and pastoral conversations.

Some of what flows through Manna is deeply personal — a member writing about a marriage in crisis, a parent asking for prayer over their child, a teenager reaching out at 2AM. POPIA classifies this as Special Personal Information, and we treat it accordingly.

Routing

  • Prayer requests go only to the team your church nominates — email, WhatsApp prayer team, or both
  • Pastoral escalations route to the pastor or care team designated during setup
  • No other church on the platform can see, search, or access your conversations
  • Our team accesses content only when needed for support or maintenance

Storage & AI use

  • Encrypted in transit and at rest via our infrastructure providers
  • Used only to respond inside your church's conversation, never shared across churches
  • Not used to train shared AI models — your church's voice stays yours
  • Where third-party language model APIs are used, message content is not used to train those providers' models under their standard commercial terms
Access & lifecycle

Who can see what, and for how long.

Internal access

Access to church data inside Manna is restricted to the M-Chat operations team and only when needed to provide support or maintain the service. We operate under a least-privilege access model and protect admin accounts with strong authentication.

Retention

Conversation history is retained for as long as your church remains on the platform. If you cancel, your data is held for a reasonable period to support reactivation, then removed from active systems. Backups follow industry-standard retention windows. Specific timelines are available on request, and you can ask for earlier deletion at any time.

Subject access requests

Under POPIA, every data subject (every congregant) has the right to request a copy of their personal information, request correction, or request deletion. Pastors can raise these requests on behalf of their members by emailing privacy@m-chat.ai. We respond as soon as reasonably possible, in line with POPIA's timelines.

Breach notification

If a security incident affects your church's data, M-Chat (Pty) Ltd will notify the church and the SA Information Regulator as soon as reasonably possible after discovery, in line with POPIA Section 22's "reasonable grounds" standard. Our incident response approach covers detection, containment, notification, and remediation.

Questions or a security review?

Our Information Officer reads every privacy and security email personally.

Last updated: 04 June 2026 · Document owner: Information Officer, M-Chat (Pty) Ltd · Review cycle: Quarterly