Privacy Policy
Freemason Member mobile app — published by JS Technology Group
Effective: · Last updated:
This page explains what personal data the Freemason Member mobile app collects about you, why it is collected, who has access to it, and what your rights are under UK data protection law (the UK GDPR and the Data Protection Act 2018).
This policy applies to the Freemason Member app (com.jstechnologygroup.whitelable on Google Play, and equivalent listings on other stores). It does not apply to other websites you may reach by following links from this page.
1. Who we are
JS Technology Group Ltd (“we”, “us”, “our”) publishes the Freemason Member app and operates the central platform that a lodge uses to deliver content, events and notifications to its members.
- Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
- Company number: 16945230 (registered in England and Wales).
For correspondence about this policy and any data protection request, please use the contact details in section 12.
2. Who controls your data — your lodge or us
Freemason Member is a white-label app: the same install can be activated against many different participating lodges. Two parties handle your personal data, and which one is the “data controller” depends on the type of data:
| Type of data | Controller | Processor |
|---|---|---|
| Your membership account — name, email, lodge role, Masonic degree, RSVPs to your lodge’s events, files and reference content you have read, feedback you submit to your lodge admin team. | Your lodge. | JS Technology Group, acting on the lodge’s instructions under a written processing agreement. |
| Activation, licensing and device records — the device-licence token issued when you activate the app, the device fingerprint used to bind it, the FCM push token used to send you notifications, your app version and platform. | JS Technology Group. | — |
| Server logs and security audit trail — request IDs, IP addresses, sign-in attempts, admin actions performed on the platform. | JS Technology Group, with relevant entries also surfaced to your lodge for actions performed inside your lodge’s tenant. | — |
Where your lodge is the controller, your first point of contact for a data subject request is your lodge’s admin team (typically the Secretary). Your lodge will pass any technical request to us. You may also contact us directly using section 12.
3. What personal data we collect
3.1 Information your lodge gives us about you
When your lodge enrols you as a member of its app, it provides:
- Your username, email address, and display name (typically your initials and surname).
- Optionally, your first name, surname, and other lodge-specific details such as your Masonic degree and lodge role.
3.2 Information you create by using the app
- A password that you set (we never see your password in plain text — it is hashed using Argon2id on receipt and only the hash is stored).
- A multi-factor authentication secret if you choose to enable MFA (a TOTP shared secret, encrypted at rest).
- Your RSVP responses to events your lodge publishes, including any guest names you choose to add.
- Feedback messages you submit to your lodge admin team.
- A record of which encrypted files and books you have downloaded and when, kept in the security audit trail.
3.3 Information your device generates automatically
- A device fingerprint — a one-way identifier derived from your device’s hardware and OS characteristics, used so the app can recognise the same device across activations and avoid consuming an extra licence seat unnecessarily.
- A Firebase Cloud Messaging (FCM) push token, generated by Google’s libraries on your device and shared with our server so that we can deliver notifications from your lodge.
- Your app version and platform (Android / iOS), used for diagnostics and to ensure backwards compatibility.
- If you choose to enable biometric unlock (fingerprint or face), a credential stored in your device’s secure enclave / keystore. We never see your fingerprint or face data, and the credential never leaves your device.
3.4 Information generated when the app talks to our servers
- Standard server logs: request URL, response status, timing, your IP address, a generated request ID, and the user agent reported by your device.
- A security audit trail of privileged actions (admin sign-ins, file uploads, member changes, configuration changes). This trail is essential for accountability and incident response.
3.5 What we do NOT collect
- We do not collect advertising identifiers and we do not run ads in the app.
- We do not perform behavioural tracking or share your usage with analytics or advertising networks.
- We do not collect your contacts, photos, microphone, camera, SMS, call logs, or precise location.
- The contents of your fingerprint or face biometric never leave your device — only an opaque credential reference does, and only on your device’s keystore.
4. Why we collect it — our lawful bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Providing your lodge’s services to you through the app (sign-in, events, files, books, feedback). | Contract — necessary to deliver the membership benefit your lodge offers you. |
| Issuing and verifying device licences so your lodge’s seat allowance is enforced. | Legitimate interests — protecting your lodge’s subscription and our service from misuse. |
| Multi-factor authentication, account-lockout protection, and the security audit trail. | Legitimate interests — protecting your account and your lodge’s data; legal obligation in respect of incident response. |
| Sending you push notifications about your lodge. | Consent — you grant the OS-level notifications permission, and you can withdraw it at any time in your device settings. |
| Diagnostics and operational logs. | Legitimate interests — ensuring the app and platform are reliable and secure. |
5. Who we share data with
We do not sell your data. We share it only with the following categories of recipient, and only to the extent necessary for the purposes described above:
5.1 Your lodge admin team
The admins of the lodge you are a member of can see and manage your account, your RSVPs, and the audit trail of actions you have performed within their lodge.
5.2 Sub-processors we use to run the platform
| Sub-processor | What they do | Region |
|---|---|---|
| Oracle Cloud Infrastructure | Hosts our servers and databases. | United Kingdom. |
| Cloudflare, Inc. | Provides the network tunnel that carries your encrypted traffic from the public internet to our servers in Oracle Cloud, together with edge protections (DDoS mitigation and TLS termination at the edge). | Global edge network — see Cloudflare’s privacy policy. |
| Google LLC (Firebase Cloud Messaging) | Delivers push notifications from our server to your device. | Global — see Google’s own Firebase privacy information. |
| Google LLC (Google Play) | Distributes the Android version of the app and processes any associated identifiers under their own terms. | Global — see Google’s privacy policy. |
5.3 Legal and regulatory recipients
We will disclose personal data where we are required to do so by law, court order or other lawful demand, and where we reasonably believe disclosure is necessary to protect the rights, property or safety of you, of us, of your lodge, or of others.
6. International transfers
The platform’s primary servers and databases are hosted in the United Kingdom. Some sub-processors (notably Google’s push-notification service) may process data outside the UK and the EEA. Where this is the case, we rely on the relevant transfer mechanisms permitted under the UK GDPR — typically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, together with the receiving party’s own technical safeguards.
7. How long we keep your data
| Category | Retention |
|---|---|
| Your member account in your lodge. | Until your lodge admin team removes your account, or until the lodge ends its subscription. |
| Files, books and events your lodge publishes. | Until your lodge deletes the item. |
| Device licence and FCM push token records. | Until you remove the lodge from the app, your lodge admin revokes the device, or you uninstall the app for an extended period (Google may invalidate the push token). |
| Security audit trail. | 24 months. Audit data is kept in append-only form to support accountability and incident response. |
| Server access logs. | 90 days. |
| Backups. | Encrypted backups are kept on a rolling 35-day window and then overwritten. |
8. How we protect your data
- All traffic between the app and our servers travels over HTTPS / TLS.
- Each lodge’s data is held in an isolated database schema; one lodge’s queries cannot reach another lodge’s data.
- Files and books are encrypted at rest using authenticated encryption (AES-GCM); the keys are wrapped by a master key held separately. Files are decrypted only inside the app on your device.
- Passwords are stored as Argon2id hashes; we never see your password in plain text.
- Multi-factor authentication is supported and may be required by your lodge.
- Repeated failed sign-in attempts trigger a temporary account lockout — indistinguishable from a wrong-password response, so attackers cannot tell whether they have hit a real account.
- Privileged admin actions and security events are written to an append-only audit log.
- Each device that activates the app is bound to your lodge by a cryptographically-signed licence token; lost or revoked devices can be cut off immediately.
9. Your rights
Under the UK GDPR you have the following rights in respect of your personal data:
- The right to be informed about how your data is used (this policy).
- The right of access — to obtain a copy of the personal data we hold about you.
- The right of rectification — to correct data that is inaccurate or incomplete.
- The right of erasure (“right to be forgotten”) — in the circumstances permitted by law.
- The right to restrict processing.
- The right to data portability — to receive your data in a structured, machine-readable form.
- The right to object to processing based on our legitimate interests.
- The right to withdraw consent at any time, where we rely on consent (e.g. push notifications).
- The right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority.
To exercise any of these rights, please contact your lodge admin team in the first instance for member-account data, or contact us directly for everything else (see section 12). We aim to respond within one calendar month.
10. Children
The Freemason Member app is intended for adult members of participating Masonic lodges. Membership of a Masonic lodge is itself restricted by the lodge’s own rules to adults; the app is not designed for, marketed to, or knowingly used by children. We do not knowingly collect personal data from anyone under the age of 18. If you become aware that a child has provided us with personal data, please contact us so that we can remove it.
11. Changes to this policy
We may update this policy from time to time — for example to reflect a change in the sub-processors we use, or a change in the law. The “Last updated” date at the top of this page reflects the most recent change. Material changes will also be communicated through the app and through your lodge admin team.
12. How to contact us
For any question about this policy, or to make a data protection request:
- Email: support@jstechnologygroup.co.uk
- Postal address: JS Technology Group Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
For requests that concern your member account, your RSVPs, your feedback messages, or any other data your lodge controls, please contact your lodge’s admin team (typically the Secretary). They will pass any technical request to us.
If you are not satisfied with how we have handled your request, you can complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint.