Mobile Device Privacy Statement (Company Portal for Android and iOS/iPadOS)
Effective date: November 24, 2025

1) Purpose

First Presbyterian Church of Dunn (“the Church”) uses Microsoft Intune (Company Portal) to help members of staff and volunteers securely access church email, calendar, files, and approved applications on mobile devices. Intune applies security and compliance settings and, where necessary, protects church data inside approved apps. Microsoft Intune operates as a data processor for the Church, and does not use collected personal data for profiling, advertising, or marketing.

2) What we collect and why

When you enroll a device or use protected Church apps, Intune and the Company Portal collect required functional data (for the service to work) and may collect optional diagnostic data (to detect and fix problems). Examples include:

  • Account and tenant identifiers (e.g., your Microsoft Entra ID/UPN, Church tenant ID) — used to authenticate you and deliver managed apps and policies.

  • Device and app inventory (managed context) — such as OS version, model, and versions of managed apps, to assess compliance and apply protection policies. (On personal/BYOD devices, app inventory is limited to managed/work apps.)

  • Service events & error information (optional) — e.g., enrollment failures, app crashes, performance timings, pseudonymized session IDs; this helps Microsoft improve reliability and allows the Church to troubleshoot issues. Optional diagnostic collection can be turned off by the user.

Note: Microsoft states it does not sell Intune data to third parties.

3) What the Church can and cannot see

iOS/iPadOS (Apple)

  • Managed/Church data and apps can be configured, monitored, or wiped (for example, Outlook and other approved apps). Corporate and personal data are kept separate; Apple’s management framework is designed to protect user privacy.

  • On personally owned devices using app protection or user enrollment, the Church does not see personal photos, iMessages/SMS, personal app data, or your personal browsing history. Controls are scoped to managed apps and profiles.

Android (Google)

  • With Android Enterprise Work Profile, Intune manages only the work profile (apps and data with the briefcase badge). Your personal apps and data remain private; admins cannot view personal profile data. The Church can deploy, configure, and, if necessary, remove work apps and data without affecting the personal side.

  • Network or location details from work profile apps may be visible to the organization to enforce access and security, but personal profile SMS/MMS and personal apps are not accessible.

Company‑owned devices

  • If the Church issues a device, stronger controls may apply (e.g., enforcing passcode rules, installing required certificates, remote wipe of the device or the work profile). Even on company‑owned Android devices, the work profile is designed to protect user privacy while giving IT the controls needed for corporate data.

4) App Protection (MAM) on personal devices

When the Church requires Mobile Application Management (MAM) without device enrollment, policies apply only inside supported apps (e.g., Outlook, Teams, OneDrive). This can restrict copy/paste, require app PIN/biometrics, and allow a selective wipe of Church data in those apps if you leave or your device is lost—without touching your personal apps or files.

5) Actions the Church (or you) may perform in Company Portal

Depending on policy, the Company Portal enables actions such as device sync, remote lock, reset passcode, retire, or wipe (work profile or full device for company‑owned devices). You can also see available apps, support contact details, and manage your enrolled devices.

6) Your choices and controls

  • Optional diagnostics: Users can turn off optional diagnostic data collection from Intune client apps if they prefer.

  • Unenroll/retire: If you remove the Company Portal or retire your device, Church access is removed and (on BYOD) only Church data inside managed apps is wiped. Personal data remains intact.

7) Data retention, storage, and security

Intune processes and stores personal data within Microsoft’s audited compliance boundary, under the Microsoft Online Services Terms. Data is retained and secured according to Microsoft’s service commitments; the Church does not direct Microsoft to use Intune data beyond delivering the service and meeting compliance requirements.

8) How we share data

The Church may share limited data with Microsoft and integrated services (e.g., Apple or Google for app distribution) only as needed to deliver the service, enforce security, and comply with law. We do not sell your personal data.

9) Children & pastoral sensitivity

Church‑managed mobile access is intended for staff, officers, and designated volunteers. Do not enroll devices of minors. If pastoral care circumstances require mobile access, please consult the Church Office before enrolling any device.

10) Contact

Questions or requests (access, correction, deletion) related to Intune/Company Portal should be sent to:
IT Help Desk — First Presbyterian Church of Dunn
Email: helpdesk@fpcdunn.org

A Congregation of the Presbyterian Church (USA)